1 files changed, 68 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
new file mode 100644
index 0000000000..7561e87121
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,68 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#1
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+diff --git a/NEWS b/NEWS
+index 8a20d3c4e3..be489243ac 100644
+--- a/NEWS
+++ b/NEWS
+@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
+ 
+ Version 2.31.1
+ 
+  CVE-2021-33574: The mq_notify function has a potential use-after-free
+  issue when using a notification type of SIGEV_THREAD and a thread
+  attribute with a non-default affinity mask.
+
+ The following bugs are resolved with this release:
+   [14231] stdio-common tests memory requirements
+   [19519] iconv(1) with -c option hangs on illegal multi-byte sequences
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f288bac477..dd47f0b777 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+            (void) __pthread_barrier_wait (&notify_barrier);
+        }
+       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+-       /* The only state we keep is the copy of the thread attributes.  */
+-       free (data.attr);
+       {
+         /* The only state we keep is the copy of the thread attributes.  */
+         pthread_attr_destroy (data.attr);
+         free (data.attr);
+       }
+     }
+   return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+        return -1;
+ 
+-      memcpy (data.attr, notification->sigev_notify_attributes,
+-             sizeof (pthread_attr_t));
+      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+     }
+ 
+   /* Construct the new request.  */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ 
+   /* If it failed, free the allocated memory.  */
+   if (__glibc_unlikely (retval != 0))
+-    free (data.attr);
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
+ 
+   return retval;
+ }

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch new file mode 100644 index 0000000000..7561e87121 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch
@@ -0,0 +1,68 @@
	1	From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
	2	From: Andreas Schwab <schwab@linux-m68k.org>
	3	Date: Thu, 27 May 2021 12:49:47 +0200
	4	Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
	5
	6	Make a deep copy of the pthread attribute object to remove a potential
	7	use-after-free issue.
	8
	9	Upstream-Status: Backport
	10	CVE: CVE-2021-33574 patch#1
	11	Signed-off-by: Armin Kuster <akuster@mvista.com>
	12
	13	---
	14	diff --git a/NEWS b/NEWS
	15	index 8a20d3c4e3..be489243ac 100644
	16	--- a/NEWS
	17	+++ b/NEWS
	18	@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
	19
	20	Version 2.31.1
	21
	22	+ CVE-2021-33574: The mq_notify function has a potential use-after-free
	23	+ issue when using a notification type of SIGEV_THREAD and a thread
	24	+ attribute with a non-default affinity mask.
	25	+
	26	The following bugs are resolved with this release:
	27	[14231] stdio-common tests memory requirements
	28	[19519] iconv(1) with -c option hangs on illegal multi-byte sequences
	29	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
	30	index f288bac477..dd47f0b777 100644
	31	--- a/sysdeps/unix/sysv/linux/mq_notify.c
	32	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
	33	@@ -135,8 +135,11 @@ helper_thread (void *arg)
	34	(void) __pthread_barrier_wait (&notify_barrier);
	35	}
	36	else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
	37	- /* The only state we keep is the copy of the thread attributes. */
	38	- free (data.attr);
	39	+ {
	40	+ /* The only state we keep is the copy of the thread attributes. */
	41	+ pthread_attr_destroy (data.attr);
	42	+ free (data.attr);
	43	+ }
	44	}
	45	return NULL;
	46	}
	47	@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
	48	if (data.attr == NULL)
	49	return -1;
	50
	51	- memcpy (data.attr, notification->sigev_notify_attributes,
	52	- sizeof (pthread_attr_t));
	53	+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
	54	}
	55
	56	/* Construct the new request. */
	57	@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
	58
	59	/* If it failed, free the allocated memory. */
	60	if (__glibc_unlikely (retval != 0))
	61	- free (data.attr);
	62	+ {
	63	+ pthread_attr_destroy (data.attr);
	64	+ free (data.attr);
	65	+ }
	66
	67	return retval;
	68	}