author | Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> | 2021-07-21 11:22:03 +0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2021-08-06 09:59:14 +0100 |
commit | 463dd6b8063f99c41cb8be9c2e07d767b2a9c00b (patch) | |
tree | c8c58ded90839e328039bfc8845f40b839b085f5 /meta/recipes-core | |
parent | 44ab3f9719affa80b95c27c55312c1c66b06d586 (diff) | |
glibc: Fix CVE-2021-33574
CVE:
CVE-2021-33574
(From OE-Core rev: ede353df06a07d35dc66d024e2c7bd1b250d9761)
Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
Signed-off-by: Anuj Mittal <anuj.mittal@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch | 76 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch | 61 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.33.bb | 2 |
3 files changed, 139 insertions, 0 deletions
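--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,76 @@
+From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
+
+CVE:
+CVE-2021-33574
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+NEWS | 4 ++++
+sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 71f5d20324..017d656433 100644
+--- a/NEWS
++++ b/NEWS
+@@ -118,6 +118,10 @@ Security related changes:
+CVE-2019-25013: A buffer overflow has been fixed in the iconv function when
+invoked with EUC-KR input containing invalid multibyte input sequences.
+
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+The following bugs are resolved with this release:
+
+[10635] libc: realpath portability patches
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0cdd..f7ddfe5a6c 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+(void) __pthread_barrier_wait (¬ify_barrier);
+}
+else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+}
+return NULL;
+}
+@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+if (data.attr == NULL)
+return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+}
+
+/* Construct the new request. */
+@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+
+/* If it failed, free the allocated memory. */
+if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+return retval;
+}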
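Review bot: In `helper_thread`, the new `NOTIFY_REMOVED` branch calls `pthread_attr_destroy (data.attr)` without checking that an attribute copy exists, and the `free (data.attr)` it replaces tolerated NULL where the destroy call does not. The `mq_notify` hunk allocates `data.attr` inside a conditional block, so a registration without custom thread attributes presumably leaves it NULL, and removing that notification would then dereference a null pointer in the helper thread. The second patch in this commit adds a `data.attr != NULL` guard only to the failure path in `mq_notify`; the same guard is needed here, e.g. `else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)`. Both functions start and end outside the hunks shown, so confirm against the full file.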
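--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,61 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091]
+
+CVE:
+CVE-2021-33574
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
+1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f7ddfe5a6c..6f46d29d1d 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+if (data.attr == NULL)
+return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ int ret = __pthread_attr_copy (data.attr,
++ notification->sigev_notify_attributes);
++ if (ret != 0)
++ {
++ free (data.attr);
++ __set_errno (ret);
++ return -1;
++ }
+}
+
+/* Construct the new request. */
+@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+/* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+{
+pthread_attr_destroy (data.attr);
+free (data.attr);
+--
+2.27.0
+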
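Review bot: The patch header writes the CVE tag across two lines (`CVE:` followed by `CVE-2021-33574`), and `CVE-2021-33574_1.patch` does the same; the OE-Core convention is a single line, `CVE: CVE-2021-33574`. CVE tracking that scans patch headers for the one-line form would not see this tag and would depend on the file name alone, which happens to carry the id here. The header also lists `Reviewed-by: Siddhesh Poyarekar` twice, once above and once below `Upstream-Status`; one copy is enough.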
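--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -61,6 +61,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
 file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \
 file://CVE-2021-27645.patch \
 file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
+file://CVE-2021-33574_1.patch \
+file://CVE-2021-33574_2.patch \
 "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"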