glibc: Fix CVE-2021-38604

Source: https://sourceware.org/git/glibc.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Backported upstream commits b805aebd42364fe696e417808a700fdb9800c9e8 and 4cc79c217744743077bf7a0ec5e0a4318f1e6641 to glibc-2.34 source. Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8] Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641] (From OE-Core rev: 014c6b0a1188d5dfb32790246491973ea91017d8) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vinay Kumar <vinay.m.engg@gmail.com> 2021-08-18 08:31:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-20 08:53:03 +0100
commit: 901b82a4c8b343b378293956420ad5a4943b6be7 (patch)
tree: e850352e21142970b129939961f2be39cb1ad5b5 /meta/recipes-core/glibc/glibc
parent: ec1894938b127c1d8472b805b34d1776748df290 (diff)
download: poky-901b82a4c8b343b378293956420ad5a4943b6be7.tar.gz
2 files changed, 193 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
new file mode 100644
index 0000000000..1e94049004
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
@@ -0,0 +1,43 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel.  Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL).  This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory.  But
+__pthread_attr_destroy assumes pointer is not NULL.
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault.  This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8]
+CVE: CVE-2021-38604
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 9799dcdaa4..eccae2e4c6 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -131,7 +131,7 @@ helper_thread (void *arg)
+               to wait until it is done with it.  */
+            (void) __pthread_barrier_wait (&notify_barrier);
+        }
+-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+        {
+          /* The only state we keep is the copy of the thread attributes.  */
+          __pthread_attr_destroy (data.attr);
+-- 
+2.31.1
diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
new file mode 100644
index 0000000000..9f71fecddb
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
@@ -0,0 +1,150 @@
+From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Thu, 12 Aug 2021 16:09:50 +0530
+Subject: [PATCH] librt: add test (bug 28213)
+This test implements following logic:
+1) Create POSIX message queue.
+   Register a notification with mq_notify (using NULL attributes).
+   Then immediately unregister the notification with mq_notify.
+   Helper thread in a vulnerable version of glibc
+   should cause NULL pointer dereference after these steps.
+2) Once again, register the same notification.
+   Try to send a dummy message.
+   Test is considered successfulif the dummy message
+   is successfully received by the callback function.
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641]
+CVE: CVE-2021-38604
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ rt/Makefile      |   1 +
+ rt/tst-bz28213.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+)
+ create mode 100644 rt/tst-bz28213.c
+diff --git a/rt/Makefile b/rt/Makefile
+index 113cea03a5..910e775995 100644
+--- a/rt/Makefile
+++ b/rt/Makefile
+@@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \
+         tst-aio7 tst-aio8 tst-aio9 tst-aio10 \
+         tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \
+         tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \
+        tst-bz28213 \
+         tst-timer3 tst-timer4 tst-timer5 \
+         tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \
+         tst-shm-cancel \
+diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c
+new file mode 100644
+index 0000000000..0c096b5a0a
+--- /dev/null
+++ b/rt/tst-bz28213.c
+@@ -0,0 +1,101 @@
+/* Bug 28213: test for NULL pointer dereference in mq_notify.
+   Copyright (C) The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <mqueue.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+
+static mqd_t m = -1;
+static const char msg[] = "hello";
+
+static void
+check_bz28213_cb (union sigval sv)
+{
+  char buf[sizeof (msg)];
+
+  (void) sv;
+
+  TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL)
+                   == sizeof (buf));
+  TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0);
+
+  exit (0);
+}
+
+static void
+check_bz28213 (void)
+{
+  struct sigevent sev;
+
+  memset (&sev, '\0', sizeof (sev));
+  sev.sigev_notify = SIGEV_THREAD;
+  sev.sigev_notify_function = check_bz28213_cb;
+
+  /* Step 1: Register & unregister notifier.
+     Helper thread should receive NOTIFY_REMOVED notification.
+     In a vulnerable version of glibc, NULL pointer dereference follows. */
+  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
+  TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0);
+
+  /* Step 2: Once again, register notification.
+     Try to send one message.
+     Test is considered successful, if the callback does exit (0). */
+  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
+  TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0);
+
+  /* Wait... */
+  pause ();
+}
+
+static int
+do_test (void)
+{
+  static const char m_name[] = "/bz28213_queue";
+  struct mq_attr m_attr;
+
+  memset (&m_attr, '\0', sizeof (m_attr));
+  m_attr.mq_maxmsg = 1;
+  m_attr.mq_msgsize = sizeof (msg);
+
+  m = mq_open (m_name,
+               O_RDWR | O_CREAT | O_EXCL,
+               0600,
+               &m_attr);
+
+  if (m < 0)
+    {
+      if (errno == ENOSYS)
+        FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n");
+      FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n");
+    }
+
+  TEST_VERIFY_EXIT (mq_unlink (m_name) == 0);
+
+  check_bz28213 ();
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+-- 
+2.31.1
author	Vinay Kumar <vinay.m.engg@gmail.com>	2021-08-18 08:31:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-20 08:53:03 +0100
commit	901b82a4c8b343b378293956420ad5a4943b6be7 (patch)
tree	e850352e21142970b129939961f2be39cb1ad5b5 /meta/recipes-core/glibc/glibc
parent	ec1894938b127c1d8472b805b34d1776748df290 (diff)
download	poky-901b82a4c8b343b378293956420ad5a4943b6be7.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch new file mode 100644 index 0000000000..1e94049004 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
@@ -0,0 +1,43 @@
	1	From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
	2	From: Nikita Popov <npv1310@gmail.com>
	3	Date: Mon, 9 Aug 2021 20:17:34 +0530
	4	Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
	5
	6	Helper thread frees copied attribute on NOTIFY_REMOVED message
	7	received from the OS kernel. Unfortunately, it fails to check whether
	8	copied attribute actually exists (data.attr != NULL). This worked
	9	earlier because free() checks passed pointer before actually
	10	attempting to release corresponding memory. But
	11	__pthread_attr_destroy assumes pointer is not NULL.
	12
	13	So passing NULL pointer to __pthread_attr_destroy will result in
	14	segmentation fault. This scenario is possible if
	15	notification->sigev_notify_attributes == NULL (which means default
	16	thread attributes should be used).
	17
	18	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8]
	19	CVE: CVE-2021-38604
	20
	21	Signed-off-by: Nikita Popov <npv1310@gmail.com>
	22	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
	23	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
	24	---
	25	sysdeps/unix/sysv/linux/mq_notify.c \| 2 +-
	26	1 file changed, 1 insertion(+), 1 deletion(-)
	27
	28	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
	29	index 9799dcdaa4..eccae2e4c6 100644
	30	--- a/sysdeps/unix/sysv/linux/mq_notify.c
	31	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
	32	@@ -131,7 +131,7 @@ helper_thread (void *arg)
	33	to wait until it is done with it. */
	34	(void) __pthread_barrier_wait (&notify_barrier);
	35	}
	36	- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
	37	+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
	38	{
	39	/* The only state we keep is the copy of the thread attributes. */
	40	__pthread_attr_destroy (data.attr);
	41	--
	42	2.31.1
	43


diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch new file mode 100644 index 0000000000..9f71fecddb --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
@@ -0,0 +1,150 @@
	1	From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001
	2	From: Nikita Popov <npv1310@gmail.com>
	3	Date: Thu, 12 Aug 2021 16:09:50 +0530
	4	Subject: [PATCH] librt: add test (bug 28213)
	5
	6	This test implements following logic:
	7	1) Create POSIX message queue.
	8	Register a notification with mq_notify (using NULL attributes).
	9	Then immediately unregister the notification with mq_notify.
	10	Helper thread in a vulnerable version of glibc
	11	should cause NULL pointer dereference after these steps.
	12	2) Once again, register the same notification.
	13	Try to send a dummy message.
	14	Test is considered successfulif the dummy message
	15	is successfully received by the callback function.
	16
	17	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641]
	18	CVE: CVE-2021-38604
	19
	20	Signed-off-by: Nikita Popov <npv1310@gmail.com>
	21	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
	22	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
	23	---
	24	rt/Makefile \| 1 +
	25	rt/tst-bz28213.c \| 101 +++++++++++++++++++++++++++++++++++++++++++++++
	26	2 files changed, 102 insertions(+)
	27	create mode 100644 rt/tst-bz28213.c
	28
	29	diff --git a/rt/Makefile b/rt/Makefile
	30	index 113cea03a5..910e775995 100644
	31	--- a/rt/Makefile
	32	+++ b/rt/Makefile
	33	@@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \
	34	tst-aio7 tst-aio8 tst-aio9 tst-aio10 \
	35	tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \
	36	tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \
	37	+ tst-bz28213 \
	38	tst-timer3 tst-timer4 tst-timer5 \
	39	tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \
	40	tst-shm-cancel \
	41	diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c
	42	new file mode 100644
	43	index 0000000000..0c096b5a0a
	44	--- /dev/null
	45	+++ b/rt/tst-bz28213.c
	46	@@ -0,0 +1,101 @@
	47	+/* Bug 28213: test for NULL pointer dereference in mq_notify.
	48	+ Copyright (C) The GNU Toolchain Authors.
	49	+ This file is part of the GNU C Library.
	50	+
	51	+ The GNU C Library is free software; you can redistribute it and/or
	52	+ modify it under the terms of the GNU Lesser General Public
	53	+ License as published by the Free Software Foundation; either
	54	+ version 2.1 of the License, or (at your option) any later version.
	55	+
	56	+ The GNU C Library is distributed in the hope that it will be useful,
	57	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
	58	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
	59	+ Lesser General Public License for more details.
	60	+
	61	+ You should have received a copy of the GNU Lesser General Public
	62	+ License along with the GNU C Library; if not, see
	63	+ <https://www.gnu.org/licenses/>. */
	64	+
	65	+#include <errno.h>
	66	+#include <sys/types.h>
	67	+#include <sys/stat.h>
	68	+#include <fcntl.h>
	69	+#include <unistd.h>
	70	+#include <mqueue.h>
	71	+#include <signal.h>
	72	+#include <stdlib.h>
	73	+#include <string.h>
	74	+#include <support/check.h>
	75	+
	76	+static mqd_t m = -1;
	77	+static const char msg[] = "hello";
	78	+
	79	+static void
	80	+check_bz28213_cb (union sigval sv)
	81	+{
	82	+ char buf[sizeof (msg)];
	83	+
	84	+ (void) sv;
	85	+
	86	+ TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL)
	87	+ == sizeof (buf));
	88	+ TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0);
	89	+
	90	+ exit (0);
	91	+}
	92	+
	93	+static void
	94	+check_bz28213 (void)
	95	+{
	96	+ struct sigevent sev;
	97	+
	98	+ memset (&sev, '\0', sizeof (sev));
	99	+ sev.sigev_notify = SIGEV_THREAD;
	100	+ sev.sigev_notify_function = check_bz28213_cb;
	101	+
	102	+ /* Step 1: Register & unregister notifier.
	103	+ Helper thread should receive NOTIFY_REMOVED notification.
	104	+ In a vulnerable version of glibc, NULL pointer dereference follows. */
	105	+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
	106	+ TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0);
	107	+
	108	+ /* Step 2: Once again, register notification.
	109	+ Try to send one message.
	110	+ Test is considered successful, if the callback does exit (0). */
	111	+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
	112	+ TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0);
	113	+
	114	+ /* Wait... */
	115	+ pause ();
	116	+}
	117	+
	118	+static int
	119	+do_test (void)
	120	+{
	121	+ static const char m_name[] = "/bz28213_queue";
	122	+ struct mq_attr m_attr;
	123	+
	124	+ memset (&m_attr, '\0', sizeof (m_attr));
	125	+ m_attr.mq_maxmsg = 1;
	126	+ m_attr.mq_msgsize = sizeof (msg);
	127	+
	128	+ m = mq_open (m_name,
	129	+ O_RDWR \| O_CREAT \| O_EXCL,
	130	+ 0600,
	131	+ &m_attr);
	132	+
	133	+ if (m < 0)
	134	+ {
	135	+ if (errno == ENOSYS)
	136	+ FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n");
	137	+ FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n");
	138	+ }
	139	+
	140	+ TEST_VERIFY_EXIT (mq_unlink (m_name) == 0);
	141	+
	142	+ check_bz28213 ();
	143	+
	144	+ return 0;
	145	+}
	146	+
	147	+#include <support/test-driver.c>
	148	--
	149	2.31.1
	150