main/musl: security fix in i386 math asm (CVE-2019-14697)

fixes #10709

2 files changed, 238 insertions, 1 deletions

diff --git a/main/musl/APKBUILD b/main/musl/APKBUILD
index e4556fff495..321bb89f4c9 100644
--- a/main/musl/APKBUILD
+++ b/main/musl/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Timo Teräs <timo.teras@iki.fi>
 pkgname=musl
 pkgver=1.1.20
-pkgrel=4
+pkgrel=5
 pkgdesc="the musl c library (libc) implementation"
 url="http://www.musl-libc.org/"
 arch="all"
@@ -14,6 +14,7 @@ nolibc) ;;
 *)	subpackages="$subpackages $pkgname-utils";;
 esac
 source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
+	CVE-2019-14697.patch
 	2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
 	handle-aux-at_base.patch
 	0001-fix-race-condition-in-file-locking.patch
@@ -28,6 +29,8 @@ source="http://www.musl-libc.org/releases/musl-$pkgver.tar.gz
 	"
 
 # secfixes:
+#   1.1.22-r3:
+#     - CVE-2019-14697
 #   1.1.15-r4:
 #     - CVE-2016-8859
 
@@ -148,6 +151,7 @@ compat() {
 }
 
 sha512sums="d3a7a30aa375ca50d7dcfbd618581d59e1aa5378417f50a0ca5510099336fd74cc9db468e05c93dda3067abd890f6bd47af226c3446bb833adf0a5054bff2e5d  musl-1.1.20.tar.gz
+37ab61c96b940848e4114de105d87754c7039f52eb2fc19d8bf59c27f484bffbac8b4740e9478207eae03bd7416f7036e04197d0efe30ee5293b17d6d5c1cc15  CVE-2019-14697.patch
 2c8e1dde1834238097b2ee8a7bfb53471a0d9cff4a5e38b55f048b567deff1cdd47c170d0578a67b1a039f95a6c5fbb8cff369c75b6a3e4d7ed171e8e86ebb8c  2000-pthread-internals-increase-DEFAULT_GUARD_SIZE-to-2-p.patch
 6a7ff16d95b5d1be77e0a0fbb245491817db192176496a57b22ab037637d97a185ea0b0d19da687da66c2a2f5578e4343d230f399d49fe377d8f008410974238  handle-aux-at_base.patch
 ab34509cec7419c11352094ed6acf14e5766b314bd2b96506a0d0203e61e90e85ea9a121f1fefc0d00bcba381778d579ea2c02325605344530420305fcf1a0d0  0001-fix-race-condition-in-file-locking.patch
diff --git a/main/musl/CVE-2019-14697.patch b/main/musl/CVE-2019-14697.patch
new file mode 100644
index 00000000000..eae91a00f9c
--- /dev/null
+++ b/main/musl/CVE-2019-14697.patch
@@ -0,0 +1,233 @@
+From f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Mon, 5 Aug 2019 18:41:47 -0400
+Subject: fix x87 stack imbalance in corner cases of i386 math asm
+
+commit 31c5fb80b9eae86f801be4f46025bc6532a554c5 introduced underflow
+code paths for the i386 math asm, along with checks on the fpu status
+word to skip the underflow-generation instructions if the underflow
+flag was already raised. unfortunately, at least one such path, in
+log1p, returned with 2 items on the x87 stack rather than just 1 item
+for the return value. this is a violation of the ABI's calling
+convention, and could cause subsequent floating point code to produce
+NANs due to x87 stack overflow. if floating point results are used in
+flow control, this can lead to runaway wrong code execution.
+
+rather than reviewing each "underflow already raised" code path for
+correctness, remove them all. they're likely slower than just
+performing the underflow code unconditionally, and significantly more
+complex.
+
+all of this code should be ripped out and replaced by C source files
+with inline asm. doing so would preclude this kind of error by having
+the compiler perform all x87 stack register allocation and stack
+manipulation, and would produce comparable or better code. however
+such a change is a much larger project.
+---
+ src/math/i386/asin.s   | 10 ++--------
+ src/math/i386/atan.s   |  7 ++-----
+ src/math/i386/atan2.s  |  5 +----
+ src/math/i386/atan2f.s |  5 +----
+ src/math/i386/atanf.s  |  7 ++-----
+ src/math/i386/exp.s    | 10 ++--------
+ src/math/i386/log1p.s  |  7 ++-----
+ src/math/i386/log1pf.s |  7 ++-----
+ 8 files changed, 14 insertions(+), 44 deletions(-)
+
+diff --git a/src/math/i386/asin.s b/src/math/i386/asin.s
+index a9f691bf..920d967a 100644
+--- a/src/math/i386/asin.s
++++ b/src/math/i386/asin.s
+@@ -7,13 +7,10 @@ asinf:
+ 	cmp $0x01000000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+ 	fld %st(0)
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-2:	ret
++	ret
+ 
+ .global asinl
+ .type asinl,@function
+@@ -30,11 +27,8 @@ asin:
+ 	cmp $0x00200000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+ 	fsts 4(%esp)
+-2:	ret
++	ret
+ 1:	fld %st(0)
+ 	fld1
+ 	fsub %st(0),%st(1)
+diff --git a/src/math/i386/atan.s b/src/math/i386/atan.s
+index d73137b2..a26feae1 100644
+--- a/src/math/i386/atan.s
++++ b/src/math/i386/atan.s
+@@ -10,8 +10,5 @@ atan:
+ 	fpatan
+ 	ret
+ 		# subnormal x, return x with underflow
+-1:	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+-	fsts 4(%esp)
+-2:	ret
++1:	fsts 4(%esp)
++	ret
+diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s
+index a7d2979b..1fa0524d 100644
+--- a/src/math/i386/atan2.s
++++ b/src/math/i386/atan2.s
+@@ -10,8 +10,5 @@ atan2:
+ 	cmp $0x00200000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 1f
+ 	fsts 4(%esp)
+-1:	ret
++	ret
+diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s
+index 14b88ce5..0b264726 100644
+--- a/src/math/i386/atan2f.s
++++ b/src/math/i386/atan2f.s
+@@ -10,10 +10,7 @@ atan2f:
+ 	cmp $0x01000000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 1f
+ 	fld %st(0)
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-1:	ret
++	ret
+diff --git a/src/math/i386/atanf.s b/src/math/i386/atanf.s
+index 8caddefa..893beac5 100644
+--- a/src/math/i386/atanf.s
++++ b/src/math/i386/atanf.s
+@@ -10,10 +10,7 @@ atanf:
+ 	fpatan
+ 	ret
+ 		# subnormal x, return x with underflow
+-1:	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+-	fld %st(0)
++1:	fld %st(0)
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-2:	ret
++	ret
+diff --git a/src/math/i386/exp.s b/src/math/i386/exp.s
+index c7aa5b6e..df87c497 100644
+--- a/src/math/i386/exp.s
++++ b/src/math/i386/exp.s
+@@ -7,13 +7,10 @@ expm1f:
+ 	cmp $0x01000000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+ 	fld %st(0)
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-2:	ret
++	ret
+ 
+ .global expm1l
+ .type expm1l,@function
+@@ -30,11 +27,8 @@ expm1:
+ 	cmp $0x00200000,%eax
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+-	fnstsw %ax
+-	and $16,%ax
+-	jnz 2f
+ 	fsts 4(%esp)
+-2:	ret
++	ret
+ 1:	fldl2e
+ 	fmulp
+ 	mov $0xc2820000,%eax
+diff --git a/src/math/i386/log1p.s b/src/math/i386/log1p.s
+index 6b6929c7..354f391a 100644
+--- a/src/math/i386/log1p.s
++++ b/src/math/i386/log1p.s
+@@ -16,9 +16,6 @@ log1p:
+ 	fyl2x
+ 	ret
+ 		# subnormal x, return x with underflow
+-2:	fnstsw %ax
+-	and $16,%ax
+-	jnz 1f
+-	fsts 4(%esp)
++2:	fsts 4(%esp)
+ 	fstp %st(1)
+-1:	ret
++	ret
+diff --git a/src/math/i386/log1pf.s b/src/math/i386/log1pf.s
+index c0bcd30f..4d3484cd 100644
+--- a/src/math/i386/log1pf.s
++++ b/src/math/i386/log1pf.s
+@@ -16,10 +16,7 @@ log1pf:
+ 	fyl2x
+ 	ret
+ 		# subnormal x, return x with underflow
+-2:	fnstsw %ax
+-	and $16,%ax
+-	jnz 1f
+-	fxch
++2:	fxch
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-1:	ret
++	ret
+-- 
+cgit v1.2.1
+
+From 6818c31c9bc4bbad5357f1de14bedf781e5b349e Mon Sep 17 00:00:00 2001
+From: Rich Felker <dalias@aerifal.cx>
+Date: Mon, 5 Aug 2019 19:57:07 -0400
+Subject: fix build regression in i386 asm for atan2, atan2f
+
+commit f3ed8bfe8a82af1870ddc8696ed4cc1d5aa6b441 inadvertently removed
+labels that were still needed.
+---
+ src/math/i386/atan2.s  | 2 +-
+ src/math/i386/atan2f.s | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/math/i386/atan2.s b/src/math/i386/atan2.s
+index 1fa0524d..76b95f31 100644
+--- a/src/math/i386/atan2.s
++++ b/src/math/i386/atan2.s
+@@ -11,4 +11,4 @@ atan2:
+ 	jae 1f
+ 		# subnormal x, return x with underflow
+ 	fsts 4(%esp)
+-	ret
++1:	ret
+diff --git a/src/math/i386/atan2f.s b/src/math/i386/atan2f.s
+index 0b264726..c9408a90 100644
+--- a/src/math/i386/atan2f.s
++++ b/src/math/i386/atan2f.s
+@@ -13,4 +13,4 @@ atan2f:
+ 	fld %st(0)
+ 	fmul %st(1)
+ 	fstps 4(%esp)
+-	ret
++1:	ret
+-- 
+cgit v1.2.1
+