glibc: Update to tip of 2.26

This will make it easy to backport to rocko if needed after 2.27 is landed in master plus it fixes the aarch64 build issue seen with binutils 2.30 (From OE-Core rev: 774e372d95c9082766477ea6dbfcd10c48ac4658) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2018-02-20 19:12:49 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-02-24 10:31:48 +0000
commit: 06a1b9be8a681a507678af58537320f6a127099f (patch)
tree: d86ba4a4fe90ab6e8564c33f55966175b261abf3 /meta
parent: 389fcc6c4007b9d28038ae24eab97ecf810489c6 (diff)
download: poky-06a1b9be8a681a507678af58537320f6a127099f.tar.gz
6 files changed, 2 insertions, 447 deletions
diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
index fc5d70dbb9..af02a0ce1d 100644
--- a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
+++ b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
@@ -21,7 +21,7 @@ SRCBRANCH ?= "release/${PV}/master"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
 UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
-SRCREV_glibc ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"
+SRCREV_glibc ?= "d300041c533a3d837c9f37a099bcc95466860e98"
 SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"
 SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
diff --git a/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch b/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch
deleted file mode 100644
index 626e0e9039..0000000000
--- a/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch
+++ /dev/null
@@ -1,172 +0,0 @@
-From: Florian Weimer <fweimer@redhat.com>
-Date: Wed, 15 Nov 2017 11:39:01 +0100
-Subject: [PATCH] malloc: Add missing arena lock in malloc_info [BZ #22408]
-Obtain the size information while the arena lock is acquired, and only
-print it later.
-Upstream-Status: Backport
-Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
-Index: git/malloc/Makefile
-===================================================================
--- git.orig/malloc/Makefile    2017-09-04 17:34:06.758018978 +0800
-+++ git/malloc/Makefile 2017-11-20 14:57:43.440337572 +0800
-@@ -35,6 +35,7 @@
-         tst-interpose-thread \
-         tst-alloc_buffer \
-         tst-malloc-tcache-leak \
-+        tst-malloc_info \
- 
- tests-static := \
-         tst-interpose-static-nothread \
-@@ -245,3 +246,5 @@
-        $(evaluate-test)
- 
- $(objpfx)tst-malloc-tcache-leak: $(shared-thread-library)
-+
-+$(objpfx)tst-malloc_info: $(shared-thread-library)
-Index: git/malloc/malloc.c
-===================================================================
--- git.orig/malloc/malloc.c    2017-09-04 17:34:06.758018978 +0800
-+++ git/malloc/malloc.c 2017-11-20 15:01:02.412338959 +0800
-@@ -5547,6 +5547,15 @@
-          avail += sizes[NFASTBINS - 1 + i].total;
-        }
- 
-+      size_t heap_size = 0;
-+      size_t heap_mprotect_size = 0;
-+      if (ar_ptr != &main_arena)
-+       {
-+         heap_info *heap = heap_for_ptr (top (ar_ptr));
-+         heap_size = heap->size;
-+         heap_mprotect_size = heap->mprotect_size;
-+       }
-+
-       __libc_lock_unlock (ar_ptr->mutex);
- 
-       total_nfastblocks += nfastblocks;
-@@ -5580,13 +5589,12 @@
- 
-       if (ar_ptr != &main_arena)
-        {
-         heap_info *heap = heap_for_ptr (top (ar_ptr));
-          fprintf (fp,
-                   "<aspace type=\"total\" size=\"%zu\"/>\n"
-                   "<aspace type=\"mprotect\" size=\"%zu\"/>\n",
-                  heap->size, heap->mprotect_size);
-         total_aspace += heap->size;
-         total_aspace_mprotect += heap->mprotect_size;
-+                  heap_size, heap_mprotect_size);
-+         total_aspace += heap_size;
-+         total_aspace_mprotect += heap_mprotect_size;
-        }
-       else
-        {
-Index: git/malloc/tst-malloc_info.c
-===================================================================
--- /dev/null   1970-01-01 00:00:00.000000000 +0000
-+++ git/malloc/tst-malloc_info.c        2017-11-20 15:02:03.208339383 +0800
-@@ -0,0 +1,101 @@
-+/* Smoke test for malloc_info.
-+   Copyright (C) 2017 Free Software Foundation, Inc.
-+   This file is part of the GNU C Library.
-+
-+   The GNU C Library is free software; you can redistribute it and/or
-+   modify it under the terms of the GNU Lesser General Public
-+   License as published by the Free Software Foundation; either
-+   version 2.1 of the License, or (at your option) any later version.
-+
-+   The GNU C Library is distributed in the hope that it will be useful,
-+   but WITHOUT ANY WARRANTY; without even the implied warranty of
-+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-+   Lesser General Public License for more details.
-+
-+   You should have received a copy of the GNU Lesser General Public
-+   License along with the GNU C Library; if not, see
-+   <http://www.gnu.org/licenses/>.  */
-+
-+/* The purpose of this test is to provide a quick way to run
-+   malloc_info in a multi-threaded process.  */
-+
-+#include <array_length.h>
-+#include <malloc.h>
-+#include <stdlib.h>
-+#include <support/support.h>
-+#include <support/xthread.h>
-+
-+/* This barrier is used to have the main thread wait until the helper
-+   threads have performed their allocations.  */
-+static pthread_barrier_t barrier;
-+
-+enum
-+  {
-+    /* Number of threads performing allocations.  */
-+    thread_count  = 4,
-+
-+    /* Amount of memory allocation per thread.  This should be large
-+       enough to cause the allocation of multiple heaps per arena.  */
-+    per_thread_allocations
-+      = sizeof (void *) == 4 ? 16 * 1024 * 1024 : 128 * 1024 * 1024,
-+  };
-+
-+static void *
-+allocation_thread_function (void *closure)
-+{
-+  struct list
-+  {
-+    struct list *next;
-+    long dummy[4];
-+  };
-+
-+  struct list *head = NULL;
-+  size_t allocated = 0;
-+  while (allocated < per_thread_allocations)
-+    {
-+      struct list *new_head = xmalloc (sizeof (*new_head));
-+      allocated += sizeof (*new_head);
-+      new_head->next = head;
-+      head = new_head;
-+    }
-+
-+  xpthread_barrier_wait (&barrier);
-+
-+  /* Main thread prints first statistics here.  */
-+
-+  xpthread_barrier_wait (&barrier);
-+
-+  while (head != NULL)
-+    {
-+      struct list *next_head = head->next;
-+      free (head);
-+      head = next_head;
-+    }
-+
-+  return NULL;
-+}
-+
-+static int
-+do_test (void)
-+{
-+  xpthread_barrier_init (&barrier, NULL, thread_count + 1);
-+
-+  pthread_t threads[thread_count];
-+  for (size_t i = 0; i < array_length (threads); ++i)
-+    threads[i] = xpthread_create (NULL, allocation_thread_function, NULL);
-+
-+  xpthread_barrier_wait (&barrier);
-+  puts ("info: After allocation:");
-+  malloc_info (0, stdout);
-+
-+  xpthread_barrier_wait (&barrier);
-+  for (size_t i = 0; i < array_length (threads); ++i)
-+    xpthread_join (threads[i]);
-+
-+  puts ("\ninfo: After deallocation:");
-+  malloc_info (0, stdout);
-+
-+  return 0;
-+}
-+
-+#include <support/test-driver.c>
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
deleted file mode 100644
index 9a08784106..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch
+++ /dev/null
@@ -1,65 +0,0 @@
-From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
-From: Paul Eggert <eggert@cs.ucla.edu>
-Date: Sun, 22 Oct 2017 10:00:57 +0200
-Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
- #22332]
-(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
-Upstream-Status: Backport
-CVE: CVE-2017-15671
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- ChangeLog    | 6 ++++++
- NEWS         | 4 ++++
- posix/glob.c | 4 ++--
- 3 files changed, 12 insertions(+), 2 deletions(-)
-Index: git/NEWS
-===================================================================
--- git.orig/NEWS
-+++ git/NEWS
-@@ -20,6 +20,10 @@ Security related changes:
-   on the stack or the heap, depending on the length of the user name).
-   Reported by Tim Rühsen.
- 
-+  The glob function, when invoked with GLOB_TILDE and without
-+  GLOB_NOESCAPE, could write past the end of a buffer while
-+  unescaping user names.  Reported by Tim Rühsen.
-+
- The following bugs are resolved with this release:
- 
-   [16750] ldd: Never run file directly.
-Index: git/posix/glob.c
-===================================================================
--- git.orig/posix/glob.c
-+++ git/posix/glob.c
-@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, in
-                  char *p = mempcpy (newp, dirname + 1,
-                                     unescape - dirname - 1);
-                  char *q = unescape;
-                 while (*q != '\0')
-+                 while (q != end_name)
-                    {
-                      if (*q == '\\')
-                        {
-                         if (q[1] == '\0')
-+                         if (q + 1 == end_name)
-                            {
-                              /* "~fo\\o\\" unescape to user_name "foo\\",
-                                 but "~fo\\o\\/" unescape to user_name
-Index: git/ChangeLog
-===================================================================
--- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,9 @@
-+2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
-+
-+       [BZ #22332]
-+       * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
-+       unescaping.
-+
- 2017-10-13  James Clarke  <jrtc27@jrtc27.com>
- 
-        * sysdeps/powerpc/powerpc32/dl-machine.h (elf_machine_rela):
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
deleted file mode 100644
index d9bde7f20a..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
+++ /dev/null
@@ -1,151 +0,0 @@
-From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
-From: Aurelien Jarno <aurelien@aurel32.net>
-Date: Sat, 30 Dec 2017 10:54:23 +0100
-Subject: [PATCH] elf: Check for empty tokens before dynamic string token
- expansion [BZ #22625]
-The fillin_rpath function in elf/dl-load.c loops over each RPATH or
-RUNPATH tokens and interprets empty tokens as the current directory
-("./"). In practice the check for empty token is done *after* the
-dynamic string token expansion. The expansion process can return an
-empty string for the $ORIGIN token if __libc_enable_secure is set
-or if the path of the binary can not be determined (/proc not mounted).
-Fix that by moving the check for empty tokens before the dynamic string
-token expansion. In addition, check for NULL pointer or empty strings
-return by expand_dynamic_string_token.
-The above changes highlighted a bug in decompose_rpath, an empty array
-is represented by the first element being NULL at the fillin_rpath
-level, but by using a -1 pointer in decompose_rpath and other functions.
-Changelog:
-        [BZ #22625]
-        * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-        string token expansion. Check for NULL pointer or empty string possibly
-        returned by expand_dynamic_string_token.
-        (decompose_rpath): Check for empty path after dynamic string
-        token expansion.
-(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
-Upstream-Status: Backport
-CVE: CVE-2017-16997
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- ChangeLog     | 10 ++++++++++
- NEWS          |  4 ++++
- elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
- 3 files changed, 47 insertions(+), 16 deletions(-)
-Index: git/NEWS
-===================================================================
--- git.orig/NEWS
-+++ git/NEWS
-@@ -211,6 +211,10 @@ Security related changes:
-   on the stack or the heap, depending on the length of the user name).
-   Reported by Tim Rühsen.
- 
-+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
-+  for AT_SECURE or SUID binaries could be used to load libraries from the
-+  current directory.
-+
- The following bugs are resolved with this release:
- 
-   [984] network: Respond to changed resolv.conf in gethostbyname
-Index: git/elf/dl-load.c
-===================================================================
--- git.orig/elf/dl-load.c
-+++ git/elf/dl-load.c
-@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
- {
-   char *cp;
-   size_t nelems = 0;
-  char *to_free;
- 
-   while ((cp = __strsep (&rpath, sep)) != NULL)
-     {
-       struct r_search_path_elem *dirp;
-+      char *to_free = NULL;
-+      size_t len = 0;
- 
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
-+      /* `strsep' can pass an empty string.  */
-+      if (*cp != '\0')
-+       {
-+         to_free = cp = expand_dynamic_string_token (l, cp, 1);
- 
-      size_t len = strlen (cp);
-+         /* expand_dynamic_string_token can return NULL in case of empty
-+            path or memory allocation failure.  */
-+         if (cp == NULL)
-+           continue;
-+
-+         /* Compute the length after dynamic string token expansion and
-+            ignore empty paths.  */
-+         len = strlen (cp);
-+         if (len == 0)
-+           {
-+             free (to_free);
-+             continue;
-+           }
- 
-      /* `strsep' can pass an empty string.  This has to be
-        interpreted as `use the current directory'. */
-      if (len == 0)
-       {
-         static const char curwd[] = "./";
-         cp = (char *) curwd;
-+         /* Remove trailing slashes (except for "/").  */
-+         while (len > 1 && cp[len - 1] == '/')
-+           --len;
-+
-+         /* Now add one if there is none so far.  */
-+         if (len > 0 && cp[len - 1] != '/')
-+           cp[len++] = '/';
-        }
- 
-      /* Remove trailing slashes (except for "/").  */
-      while (len > 1 && cp[len - 1] == '/')
-       --len;
-
-      /* Now add one if there is none so far.  */
-      if (len > 0 && cp[len - 1] != '/')
-       cp[len++] = '/';
-
-       /* Make sure we don't use untrusted directories if we run SUID.  */
-       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
-        {
-@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
-      necessary.  */
-   free (copy);
- 
-+  /* There is no path after expansion.  */
-+  if (result[0] == NULL)
-+    {
-+      free (result);
-+      sps->dirs = (struct r_search_path_elem **) -1;
-+      return false;
-+    }
-+
-   sps->dirs = result;
-   /* The caller will change this value if we haven't used a real malloc.  */
-   sps->malloced = 1;
-Index: git/ChangeLog
-===================================================================
--- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,13 @@
-+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
-+           Dmitry V. Levin  <ldv@altlinux.org>
-+
-+       [BZ #22625]
-+       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
-+       string token expansion. Check for NULL pointer or empty string possibly
-+       returned by expand_dynamic_string_token.
-+       (decompose_rpath): Check for empty path after dynamic string
-+       token expansion.
-+
- 2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
- 
-        [BZ #22332]
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
deleted file mode 100644
index bfa58bc1d6..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch
+++ /dev/null
@@ -1,53 +0,0 @@
-From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
-From: Arjun Shankar <arjun@redhat.com>
-Date: Thu, 30 Nov 2017 13:31:45 +0100
-Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
- #22375]
-When the per-thread cache is enabled, __libc_malloc uses request2size (which
-does not perform an overflow check) to calculate the chunk size from the
-requested allocation size. This leads to an integer overflow causing malloc
-to incorrectly return the last successfully allocated block when called with
-a very large size argument (close to SIZE_MAX).
-This commit uses checked_request2size instead, removing the overflow.
-Upstream-Status: Backport
-CVE: CVE-2017-17426
-Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
-Rebase on new master
-Signed-off-by: Armin Kuster <akuster@mvista.com>
---
- ChangeLog       | 6 ++++++
- malloc/malloc.c | 3 ++-
- 2 files changed, 8 insertions(+), 1 deletion(-)
-Index: git/malloc/malloc.c
-===================================================================
--- git.orig/malloc/malloc.c
-+++ git/malloc/malloc.c
-@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
-     return (*hook)(bytes, RETURN_ADDRESS (0));
- #if USE_TCACHE
-   /* int_free also calls request2size, be careful to not pad twice.  */
-  size_t tbytes = request2size (bytes);
-+  size_t tbytes;
-+  checked_request2size (bytes, tbytes);
-   size_t tc_idx = csize2tidx (tbytes);
- 
-   MAYBE_INIT_TCACHE ();
-Index: git/ChangeLog
-===================================================================
--- git.orig/ChangeLog
-+++ git/ChangeLog
-@@ -1,3 +1,9 @@
-+2017-11-30  Arjun Shankar  <arjun@redhat.com>
-+
-+       [BZ #22375]
-+       * malloc/malloc.c (__libc_malloc): Use checked_request2size
-+       instead of request2size.
-+
- 2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
-            Dmitry V. Levin  <ldv@altlinux.org>
- 
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 7eb56b328a..464b65434e 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 DEPENDS += "gperf-native bison-native"
-SRCREV ?= "77f921dac17c5fa99bd9e926d926c327982895f7"
+SRCREV ?= "d300041c533a3d837c9f37a099bcc95466860e98"
 SRCBRANCH ?= "release/${PV}/master"
@@ -42,10 +42,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \
           file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
           file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
-           file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
-           file://CVE-2017-15671.patch \
-           file://CVE-2017-16997.patch \
-           file://CVE-2017-17426.patch \
 "
 NATIVESDKFIXES ?= ""
author	Khem Raj <raj.khem@gmail.com>	2018-02-20 19:12:49 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-02-24 10:31:48 +0000
commit	06a1b9be8a681a507678af58537320f6a127099f (patch)
tree	d86ba4a4fe90ab6e8564c33f55966175b261abf3 /meta
parent	389fcc6c4007b9d28038ae24eab97ecf810489c6 (diff)
download	poky-06a1b9be8a681a507678af58537320f6a127099f.tar.gz

diff --git a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb index fc5d70dbb9..af02a0ce1d 100644 --- a/meta/recipes-core/glibc/cross-localedef-native_2.26.bb +++ b/meta/recipes-core/glibc/cross-localedef-native_2.26.bb
@@ -21,7 +21,7 @@ SRCBRANCH ?= "release/${PV}/master"
21	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"	21	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
22	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"	22	UPSTREAM_CHECK_GITTAGREGEX = "(?P<pver>\d+\.\d+(\.\d+)*)"
23		23
24	SRCREV_glibc ?= "1c9a5c270d8b66f30dcfaf1cb2d6cf39d3e18369"	24	SRCREV_glibc ?= "d300041c533a3d837c9f37a099bcc95466860e98"
25	SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"	25	SRCREV_localedef ?= "dfb4afe551c6c6e94f9cc85417bd1f582168c843"
26		26
27	SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \	27	SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \


diff --git a/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch b/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch deleted file mode 100644 index 626e0e9039..0000000000 --- a/meta/recipes-core/glibc/glibc/0029-malloc-add-missing-arena-lock-in-malloc-info.patch +++ /dev/null
@@ -1,172 +0,0 @@
1	From: Florian Weimer <fweimer@redhat.com>
2	Date: Wed, 15 Nov 2017 11:39:01 +0100
3	Subject: [PATCH] malloc: Add missing arena lock in malloc_info [BZ #22408]
4
5	Obtain the size information while the arena lock is acquired, and only
6	print it later.
7
8	Upstream-Status: Backport
9
10	Signed-off-by: Zhixiong Chi <zhixiong.chi@windriver.com>
11
12	Index: git/malloc/Makefile
13	===================================================================
14	--- git.orig/malloc/Makefile 2017-09-04 17:34:06.758018978 +0800
15	+++ git/malloc/Makefile 2017-11-20 14:57:43.440337572 +0800
16	@@ -35,6 +35,7 @@
17	tst-interpose-thread \
18	tst-alloc_buffer \
19	tst-malloc-tcache-leak \
20	+ tst-malloc_info \
21
22	tests-static := \
23	tst-interpose-static-nothread \
24	@@ -245,3 +246,5 @@
25	$(evaluate-test)
26
27	$(objpfx)tst-malloc-tcache-leak: $(shared-thread-library)
28	+
29	+$(objpfx)tst-malloc_info: $(shared-thread-library)
30	Index: git/malloc/malloc.c
31	===================================================================
32	--- git.orig/malloc/malloc.c 2017-09-04 17:34:06.758018978 +0800
33	+++ git/malloc/malloc.c 2017-11-20 15:01:02.412338959 +0800
34	@@ -5547,6 +5547,15 @@
35	avail += sizes[NFASTBINS - 1 + i].total;
36	}
37
38	+ size_t heap_size = 0;
39	+ size_t heap_mprotect_size = 0;
40	+ if (ar_ptr != &main_arena)
41	+ {
42	+ heap_info *heap = heap_for_ptr (top (ar_ptr));
43	+ heap_size = heap->size;
44	+ heap_mprotect_size = heap->mprotect_size;
45	+ }
46	+
47	__libc_lock_unlock (ar_ptr->mutex);
48
49	total_nfastblocks += nfastblocks;
50	@@ -5580,13 +5589,12 @@
51
52	if (ar_ptr != &main_arena)
53	{
54	- heap_info *heap = heap_for_ptr (top (ar_ptr));
55	fprintf (fp,
56	"<aspace type=\"total\" size=\"%zu\"/>\n"
57	"<aspace type=\"mprotect\" size=\"%zu\"/>\n",
58	- heap->size, heap->mprotect_size);
59	- total_aspace += heap->size;
60	- total_aspace_mprotect += heap->mprotect_size;
61	+ heap_size, heap_mprotect_size);
62	+ total_aspace += heap_size;
63	+ total_aspace_mprotect += heap_mprotect_size;
64	}
65	else
66	{
67	Index: git/malloc/tst-malloc_info.c
68	===================================================================
69	--- /dev/null 1970-01-01 00:00:00.000000000 +0000
70	+++ git/malloc/tst-malloc_info.c 2017-11-20 15:02:03.208339383 +0800
71	@@ -0,0 +1,101 @@
72	+/* Smoke test for malloc_info.
73	+ Copyright (C) 2017 Free Software Foundation, Inc.
74	+ This file is part of the GNU C Library.
75	+
76	+ The GNU C Library is free software; you can redistribute it and/or
77	+ modify it under the terms of the GNU Lesser General Public
78	+ License as published by the Free Software Foundation; either
79	+ version 2.1 of the License, or (at your option) any later version.
80	+
81	+ The GNU C Library is distributed in the hope that it will be useful,
82	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
83	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
84	+ Lesser General Public License for more details.
85	+
86	+ You should have received a copy of the GNU Lesser General Public
87	+ License along with the GNU C Library; if not, see
88	+ <http://www.gnu.org/licenses/>. */
89	+
90	+/* The purpose of this test is to provide a quick way to run
91	+ malloc_info in a multi-threaded process. */
92	+
93	+#include <array_length.h>
94	+#include <malloc.h>
95	+#include <stdlib.h>
96	+#include <support/support.h>
97	+#include <support/xthread.h>
98	+
99	+/* This barrier is used to have the main thread wait until the helper
100	+ threads have performed their allocations. */
101	+static pthread_barrier_t barrier;
102	+
103	+enum
104	+ {
105	+ /* Number of threads performing allocations. */
106	+ thread_count = 4,
107	+
108	+ /* Amount of memory allocation per thread. This should be large
109	+ enough to cause the allocation of multiple heaps per arena. */
110	+ per_thread_allocations
111	+ = sizeof (void ) == 4 ? 16 1024 * 1024 : 128 * 1024 * 1024,
112	+ };
113	+
114	+static void *
115	+allocation_thread_function (void *closure)
116	+{
117	+ struct list
118	+ {
119	+ struct list *next;
120	+ long dummy[4];
121	+ };
122	+
123	+ struct list *head = NULL;
124	+ size_t allocated = 0;
125	+ while (allocated < per_thread_allocations)
126	+ {
127	+ struct list new_head = xmalloc (sizeof (new_head));
128	+ allocated += sizeof (*new_head);
129	+ new_head->next = head;
130	+ head = new_head;
131	+ }
132	+
133	+ xpthread_barrier_wait (&barrier);
134	+
135	+ /* Main thread prints first statistics here. */
136	+
137	+ xpthread_barrier_wait (&barrier);
138	+
139	+ while (head != NULL)
140	+ {
141	+ struct list *next_head = head->next;
142	+ free (head);
143	+ head = next_head;
144	+ }
145	+
146	+ return NULL;
147	+}
148	+
149	+static int
150	+do_test (void)
151	+{
152	+ xpthread_barrier_init (&barrier, NULL, thread_count + 1);
153	+
154	+ pthread_t threads[thread_count];
155	+ for (size_t i = 0; i < array_length (threads); ++i)
156	+ threads[i] = xpthread_create (NULL, allocation_thread_function, NULL);
157	+
158	+ xpthread_barrier_wait (&barrier);
159	+ puts ("info: After allocation:");
160	+ malloc_info (0, stdout);
161	+
162	+ xpthread_barrier_wait (&barrier);
163	+ for (size_t i = 0; i < array_length (threads); ++i)
164	+ xpthread_join (threads[i]);
165	+
166	+ puts ("\ninfo: After deallocation:");
167	+ malloc_info (0, stdout);
168	+
169	+ return 0;
170	+}
171	+
172	+#include <support/test-driver.c>


diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch b/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch deleted file mode 100644 index 9a08784106..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2017-15671.patch +++ /dev/null
@@ -1,65 +0,0 @@
1	From f1cf98b583787cfb6278baea46e286a0ee7567fd Mon Sep 17 00:00:00 2001
2	From: Paul Eggert <eggert@cs.ucla.edu>
3	Date: Sun, 22 Oct 2017 10:00:57 +0200
4	Subject: [PATCH] glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ
5	#22332]
6
7	(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)
8
9	Upstream-Status: Backport
10	CVE: CVE-2017-15671
11	Signed-off-by: Armin Kuster <akuster@mvista.com>
12
13	---
14	ChangeLog \| 6 ++++++
15	NEWS \| 4 ++++
16	posix/glob.c \| 4 ++--
17	3 files changed, 12 insertions(+), 2 deletions(-)
18
19	Index: git/NEWS
20	===================================================================
21	--- git.orig/NEWS
22	+++ git/NEWS
23	@@ -20,6 +20,10 @@ Security related changes:
24	on the stack or the heap, depending on the length of the user name).
25	Reported by Tim Rühsen.
26
27	+ The glob function, when invoked with GLOB_TILDE and without
28	+ GLOB_NOESCAPE, could write past the end of a buffer while
29	+ unescaping user names. Reported by Tim Rühsen.
30	+
31	The following bugs are resolved with this release:
32
33	[16750] ldd: Never run file directly.
34	Index: git/posix/glob.c
35	===================================================================
36	--- git.orig/posix/glob.c
37	+++ git/posix/glob.c
38	@@ -850,11 +850,11 @@ glob (const char *pattern, int flags, in
39	char *p = mempcpy (newp, dirname + 1,
40	unescape - dirname - 1);
41	char *q = unescape;
42	- while (*q != '\0')
43	+ while (q != end_name)
44	{
45	if (*q == '\\')
46	{
47	- if (q[1] == '\0')
48	+ if (q + 1 == end_name)
49	{
50	/* "~fo\\o\\" unescape to user_name "foo\\",
51	but "~fo\\o\\/" unescape to user_name
52	Index: git/ChangeLog
53	===================================================================
54	--- git.orig/ChangeLog
55	+++ git/ChangeLog
56	@@ -1,3 +1,9 @@
57	+2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
58	+
59	+ [BZ #22332]
60	+ * posix/glob.c (__glob): Fix buffer overflow during GLOB_TILDE
61	+ unescaping.
62	+
63	2017-10-13 James Clarke <jrtc27@jrtc27.com>
64
65	* sysdeps/powerpc/powerpc32/dl-machine.h (elf_machine_rela):


diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch deleted file mode 100644 index d9bde7f20a..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch +++ /dev/null
@@ -1,151 +0,0 @@
1	From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
2	From: Aurelien Jarno <aurelien@aurel32.net>
3	Date: Sat, 30 Dec 2017 10:54:23 +0100
4	Subject: [PATCH] elf: Check for empty tokens before dynamic string token
5	expansion [BZ #22625]
6
7	The fillin_rpath function in elf/dl-load.c loops over each RPATH or
8	RUNPATH tokens and interprets empty tokens as the current directory
9	("./"). In practice the check for empty token is done after the
10	dynamic string token expansion. The expansion process can return an
11	empty string for the $ORIGIN token if __libc_enable_secure is set
12	or if the path of the binary can not be determined (/proc not mounted).
13
14	Fix that by moving the check for empty tokens before the dynamic string
15	token expansion. In addition, check for NULL pointer or empty strings
16	return by expand_dynamic_string_token.
17
18	The above changes highlighted a bug in decompose_rpath, an empty array
19	is represented by the first element being NULL at the fillin_rpath
20	level, but by using a -1 pointer in decompose_rpath and other functions.
21
22	Changelog:
23	[BZ #22625]
24	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
25	string token expansion. Check for NULL pointer or empty string possibly
26	returned by expand_dynamic_string_token.
27	(decompose_rpath): Check for empty path after dynamic string
28	token expansion.
29	(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
30
31	Upstream-Status: Backport
32	CVE: CVE-2017-16997
33	Signed-off-by: Armin Kuster <akuster@mvista.com>
34
35	---
36	ChangeLog \| 10 ++++++++++
37	NEWS \| 4 ++++
38	elf/dl-load.c \| 49 +++++++++++++++++++++++++++++++++----------------
39	3 files changed, 47 insertions(+), 16 deletions(-)
40
41	Index: git/NEWS
42	===================================================================
43	--- git.orig/NEWS
44	+++ git/NEWS
45	@@ -211,6 +211,10 @@ Security related changes:
46	on the stack or the heap, depending on the length of the user name).
47	Reported by Tim Rühsen.
48
49	+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
50	+ for AT_SECURE or SUID binaries could be used to load libraries from the
51	+ current directory.
52	+
53	The following bugs are resolved with this release:
54
55	[984] network: Respond to changed resolv.conf in gethostbyname
56	Index: git/elf/dl-load.c
57	===================================================================
58	--- git.orig/elf/dl-load.c
59	+++ git/elf/dl-load.c
60	@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
61	{
62	char *cp;
63	size_t nelems = 0;
64	- char *to_free;
65
66	while ((cp = __strsep (&rpath, sep)) != NULL)
67	{
68	struct r_search_path_elem *dirp;
69	+ char *to_free = NULL;
70	+ size_t len = 0;
71
72	- to_free = cp = expand_dynamic_string_token (l, cp, 1);
73	+ /* `strsep' can pass an empty string. */
74	+ if (*cp != '\0')
75	+ {
76	+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
77
78	- size_t len = strlen (cp);
79	+ /* expand_dynamic_string_token can return NULL in case of empty
80	+ path or memory allocation failure. */
81	+ if (cp == NULL)
82	+ continue;
83	+
84	+ /* Compute the length after dynamic string token expansion and
85	+ ignore empty paths. */
86	+ len = strlen (cp);
87	+ if (len == 0)
88	+ {
89	+ free (to_free);
90	+ continue;
91	+ }
92
93	- /* `strsep' can pass an empty string. This has to be
94	- interpreted as `use the current directory'. */
95	- if (len == 0)
96	- {
97	- static const char curwd[] = "./";
98	- cp = (char *) curwd;
99	+ /* Remove trailing slashes (except for "/"). */
100	+ while (len > 1 && cp[len - 1] == '/')
101	+ --len;
102	+
103	+ /* Now add one if there is none so far. */
104	+ if (len > 0 && cp[len - 1] != '/')
105	+ cp[len++] = '/';
106	}
107
108	- /* Remove trailing slashes (except for "/"). */
109	- while (len > 1 && cp[len - 1] == '/')
110	- --len;
111	-
112	- /* Now add one if there is none so far. */
113	- if (len > 0 && cp[len - 1] != '/')
114	- cp[len++] = '/';
115	-
116	/* Make sure we don't use untrusted directories if we run SUID. */
117	if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
118	{
119	@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
120	necessary. */
121	free (copy);
122
123	+ /* There is no path after expansion. */
124	+ if (result[0] == NULL)
125	+ {
126	+ free (result);
127	+ sps->dirs = (struct r_search_path_elem **) -1;
128	+ return false;
129	+ }
130	+
131	sps->dirs = result;
132	/* The caller will change this value if we haven't used a real malloc. */
133	sps->malloced = 1;
134	Index: git/ChangeLog
135	===================================================================
136	--- git.orig/ChangeLog
137	+++ git/ChangeLog
138	@@ -1,3 +1,13 @@
139	+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
140	+ Dmitry V. Levin <ldv@altlinux.org>
141	+
142	+ [BZ #22625]
143	+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
144	+ string token expansion. Check for NULL pointer or empty string possibly
145	+ returned by expand_dynamic_string_token.
146	+ (decompose_rpath): Check for empty path after dynamic string
147	+ token expansion.
148	+
149	2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
150
151	[BZ #22332]


diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch b/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch deleted file mode 100644 index bfa58bc1d6..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2017-17426.patch +++ /dev/null
@@ -1,53 +0,0 @@
1	From 34697694e8a93b325b18f25f7dcded55d6baeaf6 Mon Sep 17 00:00:00 2001
2	From: Arjun Shankar <arjun@redhat.com>
3	Date: Thu, 30 Nov 2017 13:31:45 +0100
4	Subject: [PATCH] Fix integer overflow in malloc when tcache is enabled [BZ
5	#22375]
6
7	When the per-thread cache is enabled, __libc_malloc uses request2size (which
8	does not perform an overflow check) to calculate the chunk size from the
9	requested allocation size. This leads to an integer overflow causing malloc
10	to incorrectly return the last successfully allocated block when called with
11	a very large size argument (close to SIZE_MAX).
12
13	This commit uses checked_request2size instead, removing the overflow.
14
15	Upstream-Status: Backport
16	CVE: CVE-2017-17426
17	Signed-off-by: Huang Qiyu <huangqy.fnst@cn.fujitsu.com>
18	Rebase on new master
19	Signed-off-by: Armin Kuster <akuster@mvista.com>
20
21	---
22	ChangeLog \| 6 ++++++
23	malloc/malloc.c \| 3 ++-
24	2 files changed, 8 insertions(+), 1 deletion(-)
25
26	Index: git/malloc/malloc.c
27	===================================================================
28	--- git.orig/malloc/malloc.c
29	+++ git/malloc/malloc.c
30	@@ -3064,7 +3064,8 @@ __libc_malloc (size_t bytes)
31	return (*hook)(bytes, RETURN_ADDRESS (0));
32	#if USE_TCACHE
33	/* int_free also calls request2size, be careful to not pad twice. */
34	- size_t tbytes = request2size (bytes);
35	+ size_t tbytes;
36	+ checked_request2size (bytes, tbytes);
37	size_t tc_idx = csize2tidx (tbytes);
38
39	MAYBE_INIT_TCACHE ();
40	Index: git/ChangeLog
41	===================================================================
42	--- git.orig/ChangeLog
43	+++ git/ChangeLog
44	@@ -1,3 +1,9 @@
45	+2017-11-30 Arjun Shankar <arjun@redhat.com>
46	+
47	+ [BZ #22375]
48	+ * malloc/malloc.c (__libc_malloc): Use checked_request2size
49	+ instead of request2size.
50	+
51	2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
52	Dmitry V. Levin <ldv@altlinux.org>
53


diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 7eb56b328a..464b65434e 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -7,7 +7,7 @@ LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
7		7
8	DEPENDS += "gperf-native bison-native"	8	DEPENDS += "gperf-native bison-native"
9		9
10	SRCREV ?= "77f921dac17c5fa99bd9e926d926c327982895f7"	10	SRCREV ?= "d300041c533a3d837c9f37a099bcc95466860e98"
11		11
12	SRCBRANCH ?= "release/${PV}/master"	12	SRCBRANCH ?= "release/${PV}/master"
13		13
@@ -42,10 +42,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
42	file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \	42	file://0025-locale-fix-hard-coded-reference-to-gcc-E.patch \
43	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \	43	file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \	44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
46	file://CVE-2017-15671.patch \
47	file://CVE-2017-16997.patch \
48	file://CVE-2017-17426.patch \
49	"	45	"
50		46
51	NATIVESDKFIXES ?= ""	47	NATIVESDKFIXES ?= ""