diff options
Diffstat (limited to 'meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch')
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch new file mode 100644 index 0000000000..396cd7fc0e --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch | |||
@@ -0,0 +1,73 @@ | |||
1 | From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001 | ||
2 | From: Florian Weimer <fweimer@redhat.com> | ||
3 | Date: Tue, 1 Jun 2021 17:51:41 +0200 | ||
4 | Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896) | ||
5 | |||
6 | __pthread_attr_copy can fail and does not initialize the attribute | ||
7 | structure in that case. | ||
8 | |||
9 | If __pthread_attr_copy is never called and there is no allocated | ||
10 | attribute, pthread_attr_destroy should not be called, otherwise | ||
11 | there is a null pointer dereference in rt/tst-mqueue6. | ||
12 | |||
13 | Fixes commit 42d359350510506b87101cf77202fefcbfc790cb | ||
14 | ("Use __pthread_attr_copy in mq_notify (bug 27896)"). | ||
15 | |||
16 | Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> | ||
17 | |||
18 | https://sourceware.org/bugzilla/attachment.cgi?id=13497 | ||
19 | |||
20 | Upstream-Status: Backport | ||
21 | CVE: CVE-2021-33574 patch#2 | ||
22 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
23 | |||
24 | --- | ||
25 | Index: git/sysdeps/unix/sysv/linux/mq_notify.c | ||
26 | =================================================================== | ||
27 | --- git.orig/sysdeps/unix/sysv/linux/mq_notify.c | ||
28 | +++ git/sysdeps/unix/sysv/linux/mq_notify.c | ||
29 | @@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig | ||
30 | if (data.attr == NULL) | ||
31 | return -1; | ||
32 | |||
33 | - __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); | ||
34 | + memcpy (data.attr, notification->sigev_notify_attributes, | ||
35 | + sizeof (pthread_attr_t)); | ||
36 | + | ||
37 | + struct pthread_attr *source = | ||
38 | + (struct pthread_attr *) (notification->sigev_notify_attributes); | ||
39 | + struct pthread_attr *target = (struct pthread_attr *) (data.attr); | ||
40 | + cpu_set_t *newp; | ||
41 | + cpu_set_t *cpuset = source->cpuset; | ||
42 | + size_t cpusetsize = source->cpusetsize; | ||
43 | + | ||
44 | + /* alloc a new memory for cpuset to avoid use after free */ | ||
45 | + if (cpuset != NULL && cpusetsize > 0) | ||
46 | + { | ||
47 | + newp = (cpu_set_t *) malloc (cpusetsize); | ||
48 | + if (newp == NULL) | ||
49 | + { | ||
50 | + free(data.attr); | ||
51 | + return -1; | ||
52 | + } | ||
53 | + | ||
54 | + memcpy (newp, cpuset, cpusetsize); | ||
55 | + target->cpuset = newp; | ||
56 | + } | ||
57 | + else | ||
58 | + { | ||
59 | + target->cpuset = NULL; | ||
60 | + target->cpusetsize = 0; | ||
61 | + } | ||
62 | } | ||
63 | |||
64 | /* Construct the new request. */ | ||
65 | @@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig | ||
66 | int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); | ||
67 | |||
68 | /* If it failed, free the allocated memory. */ | ||
69 | - if (__glibc_unlikely (retval != 0)) | ||
70 | + if (retval != 0 && data.attr != NULL) | ||
71 | { | ||
72 | pthread_attr_destroy (data.attr); | ||
73 | free (data.attr); | ||