glibc: Fix CVE-2021-33574

CVE: CVE-2021-33574 (From OE-Core rev: ede353df06a07d35dc66d024e2c7bd1b250d9761) Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> 2021-07-21 11:22:03 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-06 09:59:14 +0100
commit: 463dd6b8063f99c41cb8be9c2e07d767b2a9c00b (patch)
tree: c8c58ded90839e328039bfc8845f40b839b085f5 /meta/recipes-core
parent: 44ab3f9719affa80b95c27c55312c1c66b06d586 (diff)
download: poky-463dd6b8063f99c41cb8be9c2e07d767b2a9c00b.tar.gz
3 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..21f07ac303
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,76 @@
+From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
+CVE:
+CVE-2021-33574
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ NEWS                                |  4 ++++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+diff --git a/NEWS b/NEWS
+index 71f5d20324..017d656433 100644
+--- a/NEWS
+++ b/NEWS
+@@ -118,6 +118,10 @@ Security related changes:
+   CVE-2019-25013: A buffer overflow has been fixed in the iconv function when
+   invoked with EUC-KR input containing invalid multibyte input sequences.
+ 
+  CVE-2021-33574: The mq_notify function has a potential use-after-free
+  issue when using a notification type of SIGEV_THREAD and a thread
+  attribute with a non-default affinity mask.
+
+ The following bugs are resolved with this release:
+ 
+   [10635] libc: realpath portability patches
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0cdd..f7ddfe5a6c 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+            (void) __pthread_barrier_wait (&notify_barrier);
+        }
+       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+-       /* The only state we keep is the copy of the thread attributes.  */
+-       free (data.attr);
+       {
+         /* The only state we keep is the copy of the thread attributes.  */
+         pthread_attr_destroy (data.attr);
+         free (data.attr);
+       }
+     }
+   return NULL;
+ }
+@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+        return -1;
+ 
+-      memcpy (data.attr, notification->sigev_notify_attributes,
+-             sizeof (pthread_attr_t));
+      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+     }
+ 
+   /* Construct the new request.  */
+@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ 
+   /* If it failed, free the allocated memory.  */
+   if (__glibc_unlikely (retval != 0))
+-    free (data.attr);
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
+ 
+   return retval;
+ }
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..befccd7ac7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,61 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Upstream-Status: Backport
+[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091]
+CVE:
+CVE-2021-33574
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f7ddfe5a6c..6f46d29d1d 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+        return -1;
+ 
+-      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+      int ret = __pthread_attr_copy (data.attr,
+                                    notification->sigev_notify_attributes);
+      if (ret != 0)
+       {
+         free (data.attr);
+         __set_errno (ret);
+         return -1;
+       }
+     }
+ 
+   /* Construct the new request.  */
+@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+   /* If it failed, free the allocated memory.  */
+-  if (__glibc_unlikely (retval != 0))
+  if (retval != 0 && data.attr != NULL)
+     {
+       pthread_attr_destroy (data.attr);
+       free (data.attr);
+-- 
+2.27.0
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index 75a1f36d6b..bb35c50c98 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -61,6 +61,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \
           file://CVE-2021-27645.patch \
           file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
+           file://CVE-2021-33574_1.patch \
+           file://CVE-2021-33574_2.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>	2021-07-21 11:22:03 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-06 09:59:14 +0100
commit	463dd6b8063f99c41cb8be9c2e07d767b2a9c00b (patch)
tree	c8c58ded90839e328039bfc8845f40b839b085f5 /meta/recipes-core
parent	44ab3f9719affa80b95c27c55312c1c66b06d586 (diff)
download	poky-463dd6b8063f99c41cb8be9c2e07d767b2a9c00b.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch new file mode 100644 index 0000000000..21f07ac303 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,76 @@
		1	From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001
		2	From: Andreas Schwab <schwab@linux-m68k.org>
		3	Date: Thu, 27 May 2021 12:49:47 +0200
		4	Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
		5
		6	Make a deep copy of the pthread attribute object to remove a potential
		7	use-after-free issue.
		8
		9	Upstream-Status: Backport
		10	[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
		11
		12	CVE:
		13	CVE-2021-33574
		14
		15	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		16	Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
		17	---
		18	NEWS \| 4 ++++
		19	sysdeps/unix/sysv/linux/mq_notify.c \| 15 ++++++++++-----
		20	2 files changed, 14 insertions(+), 5 deletions(-)
		21
		22	diff --git a/NEWS b/NEWS
		23	index 71f5d20324..017d656433 100644
		24	--- a/NEWS
		25	+++ b/NEWS
		26	@@ -118,6 +118,10 @@ Security related changes:
		27	CVE-2019-25013: A buffer overflow has been fixed in the iconv function when
		28	invoked with EUC-KR input containing invalid multibyte input sequences.
		29
		30	+ CVE-2021-33574: The mq_notify function has a potential use-after-free
		31	+ issue when using a notification type of SIGEV_THREAD and a thread
		32	+ attribute with a non-default affinity mask.
		33	+
		34	The following bugs are resolved with this release:
		35
		36	[10635] libc: realpath portability patches
		37	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
		38	index cc575a0cdd..f7ddfe5a6c 100644
		39	--- a/sysdeps/unix/sysv/linux/mq_notify.c
		40	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
		41	@@ -133,8 +133,11 @@ helper_thread (void *arg)
		42	(void) __pthread_barrier_wait (&notify_barrier);
		43	}
		44	else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
		45	- /* The only state we keep is the copy of the thread attributes. */
		46	- free (data.attr);
		47	+ {
		48	+ /* The only state we keep is the copy of the thread attributes. */
		49	+ pthread_attr_destroy (data.attr);
		50	+ free (data.attr);
		51	+ }
		52	}
		53	return NULL;
		54	}
		55	@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
		56	if (data.attr == NULL)
		57	return -1;
		58
		59	- memcpy (data.attr, notification->sigev_notify_attributes,
		60	- sizeof (pthread_attr_t));
		61	+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
		62	}
		63
		64	/* Construct the new request. */
		65	@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
		66
		67	/* If it failed, free the allocated memory. */
		68	if (__glibc_unlikely (retval != 0))
		69	- free (data.attr);
		70	+ {
		71	+ pthread_attr_destroy (data.attr);
		72	+ free (data.attr);
		73	+ }
		74
		75	return retval;
		76	}


diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch new file mode 100644 index 0000000000..befccd7ac7 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,61 @@
		1	From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Tue, 1 Jun 2021 17:51:41 +0200
		4	Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
		5
		6	__pthread_attr_copy can fail and does not initialize the attribute
		7	structure in that case.
		8
		9	If __pthread_attr_copy is never called and there is no allocated
		10	attribute, pthread_attr_destroy should not be called, otherwise
		11	there is a null pointer dereference in rt/tst-mqueue6.
		12
		13	Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
		14	("Use __pthread_attr_copy in mq_notify (bug 27896)").
		15
		16	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		17
		18	Upstream-Status: Backport
		19	[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091]
		20
		21	CVE:
		22	CVE-2021-33574
		23
		24	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		25	Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
		26	---
		27	sysdeps/unix/sysv/linux/mq_notify.c \| 11 +++++++++--
		28	1 file changed, 9 insertions(+), 2 deletions(-)
		29
		30	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
		31	index f7ddfe5a6c..6f46d29d1d 100644
		32	--- a/sysdeps/unix/sysv/linux/mq_notify.c
		33	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
		34	@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
		35	if (data.attr == NULL)
		36	return -1;
		37
		38	- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
		39	+ int ret = __pthread_attr_copy (data.attr,
		40	+ notification->sigev_notify_attributes);
		41	+ if (ret != 0)
		42	+ {
		43	+ free (data.attr);
		44	+ __set_errno (ret);
		45	+ return -1;
		46	+ }
		47	}
		48
		49	/* Construct the new request. */
		50	@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
		51	int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
		52
		53	/* If it failed, free the allocated memory. */
		54	- if (__glibc_unlikely (retval != 0))
		55	+ if (retval != 0 && data.attr != NULL)
		56	{
		57	pthread_attr_destroy (data.attr);
		58	free (data.attr);
		59	--
		60	2.27.0
		61


diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb index 75a1f36d6b..bb35c50c98 100644 --- a/meta/recipes-core/glibc/glibc_2.33.bb +++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -61,6 +61,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
61	file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \	61	file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \
62	file://CVE-2021-27645.patch \	62	file://CVE-2021-27645.patch \
63	file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \	63	file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
		64	file://CVE-2021-33574_1.patch \
		65	file://CVE-2021-33574_2.patch \
64	"	66	"
65	S = "${WORKDIR}/git"	67	S = "${WORKDIR}/git"
66	B = "${WORKDIR}/build-${TARGET_SYS}"	68	B = "${WORKDIR}/build-${TARGET_SYS}"