summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core
diff options
context:
space:
mode:
authorKhairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>2021-07-21 11:22:03 +0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2021-08-06 09:59:14 +0100
commit463dd6b8063f99c41cb8be9c2e07d767b2a9c00b (patch)
treec8c58ded90839e328039bfc8845f40b839b085f5 /meta/recipes-core
parent44ab3f9719affa80b95c27c55312c1c66b06d586 (diff)
downloadpoky-463dd6b8063f99c41cb8be9c2e07d767b2a9c00b.tar.gz
glibc: Fix CVE-2021-33574
CVE: CVE-2021-33574 (From OE-Core rev: ede353df06a07d35dc66d024e2c7bd1b250d9761) Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> Signed-off-by: Anuj Mittal <anuj.mittal@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch76
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch61
-rw-r--r--meta/recipes-core/glibc/glibc_2.33.bb2
3 files changed, 139 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..21f07ac303
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,76 @@
1From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001
2From: Andreas Schwab <schwab@linux-m68k.org>
3Date: Thu, 27 May 2021 12:49:47 +0200
4Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
5
6Make a deep copy of the pthread attribute object to remove a potential
7use-after-free issue.
8
9Upstream-Status: Backport
10[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
11
12CVE:
13CVE-2021-33574
14
15Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
16Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
17---
18 NEWS | 4 ++++
19 sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
20 2 files changed, 14 insertions(+), 5 deletions(-)
21
22diff --git a/NEWS b/NEWS
23index 71f5d20324..017d656433 100644
24--- a/NEWS
25+++ b/NEWS
26@@ -118,6 +118,10 @@ Security related changes:
27 CVE-2019-25013: A buffer overflow has been fixed in the iconv function when
28 invoked with EUC-KR input containing invalid multibyte input sequences.
29
30+ CVE-2021-33574: The mq_notify function has a potential use-after-free
31+ issue when using a notification type of SIGEV_THREAD and a thread
32+ attribute with a non-default affinity mask.
33+
34 The following bugs are resolved with this release:
35
36 [10635] libc: realpath portability patches
37diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
38index cc575a0cdd..f7ddfe5a6c 100644
39--- a/sysdeps/unix/sysv/linux/mq_notify.c
40+++ b/sysdeps/unix/sysv/linux/mq_notify.c
41@@ -133,8 +133,11 @@ helper_thread (void *arg)
42 (void) __pthread_barrier_wait (&notify_barrier);
43 }
44 else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
45- /* The only state we keep is the copy of the thread attributes. */
46- free (data.attr);
47+ {
48+ /* The only state we keep is the copy of the thread attributes. */
49+ pthread_attr_destroy (data.attr);
50+ free (data.attr);
51+ }
52 }
53 return NULL;
54 }
55@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
56 if (data.attr == NULL)
57 return -1;
58
59- memcpy (data.attr, notification->sigev_notify_attributes,
60- sizeof (pthread_attr_t));
61+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
62 }
63
64 /* Construct the new request. */
65@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
66
67 /* If it failed, free the allocated memory. */
68 if (__glibc_unlikely (retval != 0))
69- free (data.attr);
70+ {
71+ pthread_attr_destroy (data.attr);
72+ free (data.attr);
73+ }
74
75 return retval;
76 }
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..befccd7ac7
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,61 @@
1From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
2From: Florian Weimer <fweimer@redhat.com>
3Date: Tue, 1 Jun 2021 17:51:41 +0200
4Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
5
6__pthread_attr_copy can fail and does not initialize the attribute
7structure in that case.
8
9If __pthread_attr_copy is never called and there is no allocated
10attribute, pthread_attr_destroy should not be called, otherwise
11there is a null pointer dereference in rt/tst-mqueue6.
12
13Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
14("Use __pthread_attr_copy in mq_notify (bug 27896)").
15
16Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
17
18Upstream-Status: Backport
19[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091]
20
21CVE:
22CVE-2021-33574
23
24Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
25Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com>
26---
27 sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
28 1 file changed, 9 insertions(+), 2 deletions(-)
29
30diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
31index f7ddfe5a6c..6f46d29d1d 100644
32--- a/sysdeps/unix/sysv/linux/mq_notify.c
33+++ b/sysdeps/unix/sysv/linux/mq_notify.c
34@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
35 if (data.attr == NULL)
36 return -1;
37
38- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
39+ int ret = __pthread_attr_copy (data.attr,
40+ notification->sigev_notify_attributes);
41+ if (ret != 0)
42+ {
43+ free (data.attr);
44+ __set_errno (ret);
45+ return -1;
46+ }
47 }
48
49 /* Construct the new request. */
50@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
51 int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
52
53 /* If it failed, free the allocated memory. */
54- if (__glibc_unlikely (retval != 0))
55+ if (retval != 0 && data.attr != NULL)
56 {
57 pthread_attr_destroy (data.attr);
58 free (data.attr);
59--
602.27.0
61
diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb
index 75a1f36d6b..bb35c50c98 100644
--- a/meta/recipes-core/glibc/glibc_2.33.bb
+++ b/meta/recipes-core/glibc/glibc_2.33.bb
@@ -61,6 +61,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
61 file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \ 61 file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \
62 file://CVE-2021-27645.patch \ 62 file://CVE-2021-27645.patch \
63 file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \ 63 file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \
64 file://CVE-2021-33574_1.patch \
65 file://CVE-2021-33574_2.patch \
64 " 66 "
65S = "${WORKDIR}/git" 67S = "${WORKDIR}/git"
66B = "${WORKDIR}/build-${TARGET_SYS}" 68B = "${WORKDIR}/build-${TARGET_SYS}"