diff options
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch | 68 |
1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch new file mode 100644 index 0000000000..7561e87121 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch | |||
@@ -0,0 +1,68 @@ | |||
1 | From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001 | ||
2 | From: Andreas Schwab <schwab@linux-m68k.org> | ||
3 | Date: Thu, 27 May 2021 12:49:47 +0200 | ||
4 | Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) | ||
5 | |||
6 | Make a deep copy of the pthread attribute object to remove a potential | ||
7 | use-after-free issue. | ||
8 | |||
9 | Upstream-Status: Backport | ||
10 | CVE: CVE-2021-33574 patch#1 | ||
11 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
12 | |||
13 | --- | ||
14 | diff --git a/NEWS b/NEWS | ||
15 | index 8a20d3c4e3..be489243ac 100644 | ||
16 | --- a/NEWS | ||
17 | +++ b/NEWS | ||
18 | @@ -7,6 +7,10 @@ using `glibc' in the "product" field. | ||
19 | |||
20 | Version 2.31.1 | ||
21 | |||
22 | + CVE-2021-33574: The mq_notify function has a potential use-after-free | ||
23 | + issue when using a notification type of SIGEV_THREAD and a thread | ||
24 | + attribute with a non-default affinity mask. | ||
25 | + | ||
26 | The following bugs are resolved with this release: | ||
27 | [14231] stdio-common tests memory requirements | ||
28 | [19519] iconv(1) with -c option hangs on illegal multi-byte sequences | ||
29 | diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c | ||
30 | index f288bac477..dd47f0b777 100644 | ||
31 | --- a/sysdeps/unix/sysv/linux/mq_notify.c | ||
32 | +++ b/sysdeps/unix/sysv/linux/mq_notify.c | ||
33 | @@ -135,8 +135,11 @@ helper_thread (void *arg) | ||
34 | (void) __pthread_barrier_wait (¬ify_barrier); | ||
35 | } | ||
36 | else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) | ||
37 | - /* The only state we keep is the copy of the thread attributes. */ | ||
38 | - free (data.attr); | ||
39 | + { | ||
40 | + /* The only state we keep is the copy of the thread attributes. */ | ||
41 | + pthread_attr_destroy (data.attr); | ||
42 | + free (data.attr); | ||
43 | + } | ||
44 | } | ||
45 | return NULL; | ||
46 | } | ||
47 | @@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
48 | if (data.attr == NULL) | ||
49 | return -1; | ||
50 | |||
51 | - memcpy (data.attr, notification->sigev_notify_attributes, | ||
52 | - sizeof (pthread_attr_t)); | ||
53 | + __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); | ||
54 | } | ||
55 | |||
56 | /* Construct the new request. */ | ||
57 | @@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | ||
58 | |||
59 | /* If it failed, free the allocated memory. */ | ||
60 | if (__glibc_unlikely (retval != 0)) | ||
61 | - free (data.attr); | ||
62 | + { | ||
63 | + pthread_attr_destroy (data.attr); | ||
64 | + free (data.attr); | ||
65 | + } | ||
66 | |||
67 | return retval; | ||
68 | } | ||