author | Armin Kuster <akuster@mvista.com> | 2021-08-19 22:27:26 -0700 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-09-01 16:27:08 +0100 |
commit | e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc (patch) | |
tree | 9911e53e8a71988fa26c4a5a9c8875bd3f33d57f /meta/recipes-core | |
parent | ed4791c8b05d02edb783359656376216b98c1c49 (diff) | |
download | poky-e2cb601ab6f6a402da303b86e2fb3f13bb9ba1bc.tar.gz |
glibc: Security fix CVE-2021-33574
Source: glibc.org
MR: 111508
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/glibc.git
ChangeID: 815edc154adc45d08d00995862409f13014f885f
Description:
This version of glibc does not have __pthread_attr_setaffinity_np so an adapted patch was taken from 2.28 (https://sourceware.org/bugzilla/attachment.cgi?id=13497) and https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
(From OE-Core rev: d468eb9c0fa5f8fbd15abda6d0f04e3d25c50c26)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch | 72 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch | 73 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.31.bb | 2 |
3 files changed, 147 insertions, 0 deletions
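--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,72 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+NEWS | 4 ++++
+sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+2 files changed, 14 insertions(+), 5 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+
+Version 2.31.1
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+The following bugs are resolved with this release:
+[19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+(CVE-2016-10228)
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+(void) __pthread_barrier_wait (¬ify_barrier);
+}
+else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+}
+return NULL;
+}
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig
+if (data.attr == NULL)
+return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+}
+
+/* Construct the new request. */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig
+
+/* If it failed, free the allocated memory. */
+if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+return retval;
+}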
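Review bot: The `NOTIFY_REMOVED` branch of `helper_thread` now calls `pthread_attr_destroy (data.attr)` with no NULL check, and the companion CVE-2021-33574_2.patch adds a `data.attr != NULL` guard only to the failure path in `mq_notify`, not to this branch. That second patch's own description states that calling `pthread_attr_destroy` when no attribute was allocated is a null pointer dereference, so if a registration made without `sigev_notify_attributes` can reach this branch, the helper thread would take the whole process down. The branch should be guarded the same way: `if (data.attr != NULL) { pthread_attr_destroy (data.attr); free (data.attr); }`. `helper_thread` starts outside the hunk, so whether `data.attr` can be NULL here should be confirmed against the full file.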
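--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+if (data.attr == NULL)
+return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ memcpy (data.attr, notification->sigev_notify_attributes,
++ sizeof (pthread_attr_t));
++
++ struct pthread_attr *source =
++ (struct pthread_attr *) (notification->sigev_notify_attributes);
++ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
++ cpu_set_t *newp;
++ cpu_set_t *cpuset = source->cpuset;
++ size_t cpusetsize = source->cpusetsize;
++
++ /* alloc a new memory for cpuset to avoid use after free */
++ if (cpuset != NULL && cpusetsize > 0)
++ {
++ newp = (cpu_set_t *) malloc (cpusetsize);
++ if (newp == NULL)
++ {
++ free(data.attr);
++ return -1;
++ }
++
++ memcpy (newp, cpuset, cpusetsize);
++ target->cpuset = newp;
++ }
++ else
++ {
++ target->cpuset = NULL;
++ target->cpusetsize = 0;
++ }
+}
+
+/* Construct the new request. */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+/* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+{
+pthread_attr_destroy (data.attr);
+free (data.attr);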
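Review bot: The patch header presents this file as upstream commit 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 with a plain `Upstream-Status: Backport`, but the first `mq_notify` hunk does not match its subject "Fix use of __pthread_attr_copy". It removes that call and open-codes a `cpuset` deep copy by casting `pthread_attr_t` to the internal `struct pthread_attr`, which the commit description attributes to an adapted 2.28 attachment. The header should record that, for example `Upstream-Status: Backport [adapted: open-coded cpuset copy, see bugzilla attachment 13497]`, so a later audit does not assume the code is identical to upstream. The in-code comment could also state the ownership rule it depends on, e.g. `/* Give data.attr its own cpuset; the memcpy above only copied the caller's pointer. */`. `mq_notify` begins outside the hunks, so the `data.attr != NULL` test in the last hunk presumably relies on an initialisation that is not visible here.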
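--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -67,6 +67,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0028-inject-file-assembly-directives.patch \
 file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
 file://CVE-2020-29573.patch \
+file://CVE-2021-33574_1.patch \
+file://CVE-2021-33574_2.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"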