glibc: Security fix CVE-2021-33574

Source: glibc.org MR: 111508 Type: Security Fix Disposition: Backport from https://sourceware.org/git/glibc.git ChangeID: 815edc154adc45d08d00995862409f13014f885f Description: This version of glibc does not have __pthread_attr_setaffinity_np so an adapted patch was taken from 2.28 (https://sourceware.org/bugzilla/attachment.cgi?id=13497) and https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb (From OE-Core rev: d468eb9c0fa5f8fbd15abda6d0f04e3d25c50c26) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2021-08-19 22:27:26 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-09-01 16:27:08 +0100
commit: e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc (patch)
tree: 9911e53e8a71988fa26c4a5a9c8875bd3f33d57f
parent: ed4791c8b05d02edb783359656376216b98c1c49 (diff)
download: poky-e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc.tar.gz
3 files changed, 147 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..cef0ce54ed
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,72 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ NEWS                                |  4 ++++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+ 
+ Version 2.31.1
+ 
+  CVE-2021-33574: The mq_notify function has a potential use-after-free
+  issue when using a notification type of SIGEV_THREAD and a thread
+  attribute with a non-default affinity mask.
+
+ The following bugs are resolved with this release:
+   [19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+     (CVE-2016-10228)
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
+++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+            (void) __pthread_barrier_wait (&notify_barrier);
+        }
+       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+-       /* The only state we keep is the copy of the thread attributes.  */
+-       free (data.attr);
+       {
+         /* The only state we keep is the copy of the thread attributes.  */
+         pthread_attr_destroy (data.attr);
+         free (data.attr);
+       }
+     }
+   return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig
+       if (data.attr == NULL)
+        return -1;
+ 
+-      memcpy (data.attr, notification->sigev_notify_attributes,
+-             sizeof (pthread_attr_t));
+      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+     }
+ 
+   /* Construct the new request.  */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig
+ 
+   /* If it failed, free the allocated memory.  */
+   if (__glibc_unlikely (retval != 0))
+-    free (data.attr);
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
+ 
+   return retval;
+ }
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..396cd7fc0e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
+++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+       if (data.attr == NULL)
+        return -1;
+ 
+-      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+      memcpy (data.attr, notification->sigev_notify_attributes,
+        sizeof (pthread_attr_t));
+
+      struct pthread_attr *source =
+     (struct pthread_attr *) (notification->sigev_notify_attributes);
+      struct pthread_attr *target = (struct pthread_attr *) (data.attr);
+      cpu_set_t *newp;
+      cpu_set_t *cpuset = source->cpuset;
+      size_t cpusetsize = source->cpusetsize;
+
+      /* alloc a new memory for cpuset to avoid use after free */
+      if (cpuset != NULL && cpusetsize > 0)
+   {
+     newp = (cpu_set_t *) malloc (cpusetsize);
+     if (newp == NULL)
+       {
+         free(data.attr);
+         return -1;
+       }
+
+     memcpy (newp, cpuset, cpusetsize);
+     target->cpuset = newp;
+   }
+      else
+   {
+     target->cpuset = NULL;
+     target->cpusetsize = 0;
+   }
+     }
+ 
+   /* Construct the new request.  */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+   /* If it failed, free the allocated memory.  */
+-  if (__glibc_unlikely (retval != 0))
+   if (retval != 0 && data.attr != NULL)
+     {
+       pthread_attr_destroy (data.attr);
+       free (data.attr);
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 8742efc36f..2e950dfeda 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -67,6 +67,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-inject-file-assembly-directives.patch \
           file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
           file://CVE-2020-29573.patch \
+           file://CVE-2021-33574_1.patch \
+           file://CVE-2021-33574_2.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Armin Kuster <akuster@mvista.com>	2021-08-19 22:27:26 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-09-01 16:27:08 +0100
commit	e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc (patch)
tree	9911e53e8a71988fa26c4a5a9c8875bd3f33d57f
parent	ed4791c8b05d02edb783359656376216b98c1c49 (diff)
download	poky-e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch new file mode 100644 index 0000000000..cef0ce54ed --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,72 @@
		1	From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@linux-m68k.org>
		3	Date: Thu, 27 May 2021 12:49:47 +0200
		4	Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
		5
		6	Make a deep copy of the pthread attribute object to remove a potential
		7	use-after-free issue.
		8
		9	Upstream-Status: Backport
		10	CVE: CVE-2021-33574 patch#1
		11	Signed-off-by: Armin Kuster <akuster@mvista.com>
		12
		13	---
		14	NEWS \| 4 ++++
		15	sysdeps/unix/sysv/linux/mq_notify.c \| 15 ++++++++++-----
		16	2 files changed, 14 insertions(+), 5 deletions(-)
		17
		18	Index: git/NEWS
		19	===================================================================
		20	--- git.orig/NEWS
		21	+++ git/NEWS
		22	@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
		23
		24	Version 2.31.1
		25
		26	+ CVE-2021-33574: The mq_notify function has a potential use-after-free
		27	+ issue when using a notification type of SIGEV_THREAD and a thread
		28	+ attribute with a non-default affinity mask.
		29	+
		30	The following bugs are resolved with this release:
		31	[19519] iconv(1) with -c option hangs on illegal multi-byte sequences
		32	(CVE-2016-10228)
		33	Index: git/sysdeps/unix/sysv/linux/mq_notify.c
		34	===================================================================
		35	--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
		36	+++ git/sysdeps/unix/sysv/linux/mq_notify.c
		37	@@ -135,8 +135,11 @@ helper_thread (void *arg)
		38	(void) __pthread_barrier_wait (&notify_barrier);
		39	}
		40	else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
		41	- /* The only state we keep is the copy of the thread attributes. */
		42	- free (data.attr);
		43	+ {
		44	+ /* The only state we keep is the copy of the thread attributes. */
		45	+ pthread_attr_destroy (data.attr);
		46	+ free (data.attr);
		47	+ }
		48	}
		49	return NULL;
		50	}
		51	@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig
		52	if (data.attr == NULL)
		53	return -1;
		54
		55	- memcpy (data.attr, notification->sigev_notify_attributes,
		56	- sizeof (pthread_attr_t));
		57	+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
		58	}
		59
		60	/* Construct the new request. */
		61	@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig
		62
		63	/* If it failed, free the allocated memory. */
		64	if (__glibc_unlikely (retval != 0))
		65	- free (data.attr);
		66	+ {
		67	+ pthread_attr_destroy (data.attr);
		68	+ free (data.attr);
		69	+ }
		70
		71	return retval;
		72	}


diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch new file mode 100644 index 0000000000..396cd7fc0e --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
		1	From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Tue, 1 Jun 2021 17:51:41 +0200
		4	Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
		5
		6	__pthread_attr_copy can fail and does not initialize the attribute
		7	structure in that case.
		8
		9	If __pthread_attr_copy is never called and there is no allocated
		10	attribute, pthread_attr_destroy should not be called, otherwise
		11	there is a null pointer dereference in rt/tst-mqueue6.
		12
		13	Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
		14	("Use __pthread_attr_copy in mq_notify (bug 27896)").
		15
		16	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		17
		18	https://sourceware.org/bugzilla/attachment.cgi?id=13497
		19
		20	Upstream-Status: Backport
		21	CVE: CVE-2021-33574 patch#2
		22	Signed-off-by: Armin Kuster <akuster@mvista.com>
		23
		24	---
		25	Index: git/sysdeps/unix/sysv/linux/mq_notify.c
		26	===================================================================
		27	--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
		28	+++ git/sysdeps/unix/sysv/linux/mq_notify.c
		29	@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
		30	if (data.attr == NULL)
		31	return -1;
		32
		33	- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
		34	+ memcpy (data.attr, notification->sigev_notify_attributes,
		35	+ sizeof (pthread_attr_t));
		36	+
		37	+ struct pthread_attr *source =
		38	+ (struct pthread_attr *) (notification->sigev_notify_attributes);
		39	+ struct pthread_attr target = (struct pthread_attr ) (data.attr);
		40	+ cpu_set_t *newp;
		41	+ cpu_set_t *cpuset = source->cpuset;
		42	+ size_t cpusetsize = source->cpusetsize;
		43	+
		44	+ /* alloc a new memory for cpuset to avoid use after free */
		45	+ if (cpuset != NULL && cpusetsize > 0)
		46	+ {
		47	+ newp = (cpu_set_t *) malloc (cpusetsize);
		48	+ if (newp == NULL)
		49	+ {
		50	+ free(data.attr);
		51	+ return -1;
		52	+ }
		53	+
		54	+ memcpy (newp, cpuset, cpusetsize);
		55	+ target->cpuset = newp;
		56	+ }
		57	+ else
		58	+ {
		59	+ target->cpuset = NULL;
		60	+ target->cpusetsize = 0;
		61	+ }
		62	}
		63
		64	/* Construct the new request. */
		65	@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
		66	int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
		67
		68	/* If it failed, free the allocated memory. */
		69	- if (__glibc_unlikely (retval != 0))
		70	+ if (retval != 0 && data.attr != NULL)
		71	{
		72	pthread_attr_destroy (data.attr);
		73	free (data.attr);


diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb index 8742efc36f..2e950dfeda 100644 --- a/meta/recipes-core/glibc/glibc_2.31.bb +++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -67,6 +67,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
67	file://0028-inject-file-assembly-directives.patch \	67	file://0028-inject-file-assembly-directives.patch \
68	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \	68	file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
69	file://CVE-2020-29573.patch \	69	file://CVE-2020-29573.patch \
		70	file://CVE-2021-33574_1.patch \
		71	file://CVE-2021-33574_2.patch \
70	"	72	"
71	S = "${WORKDIR}/git"	73	S = "${WORKDIR}/git"
72	B = "${WORKDIR}/build-${TARGET_SYS}"	74	B = "${WORKDIR}/build-${TARGET_SYS}"