1 files changed, 73 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
new file mode 100644
index 0000000000..396cd7fc0e
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+https://sourceware.org/bugzilla/attachment.cgi?id=13497
+Upstream-Status: Backport
+CVE: CVE-2021-33574 patch#2
+Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
+---
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
+++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
+       if (data.attr == NULL)
+        return -1;
+ 
+-      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+      memcpy (data.attr, notification->sigev_notify_attributes,
+        sizeof (pthread_attr_t));
+
+      struct pthread_attr *source =
+     (struct pthread_attr *) (notification->sigev_notify_attributes);
+      struct pthread_attr *target = (struct pthread_attr *) (data.attr);
+      cpu_set_t *newp;
+      cpu_set_t *cpuset = source->cpuset;
+      size_t cpusetsize = source->cpusetsize;
+
+      /* alloc a new memory for cpuset to avoid use after free */
+      if (cpuset != NULL && cpusetsize > 0)
+   {
+     newp = (cpu_set_t *) malloc (cpusetsize);
+     if (newp == NULL)
+       {
+         free(data.attr);
+         return -1;
+       }
+
+     memcpy (newp, cpuset, cpusetsize);
+     target->cpuset = newp;
+   }
+      else
+   {
+     target->cpuset = NULL;
+     target->cpusetsize = 0;
+   }
+     }
+ 
+   /* Construct the new request.  */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
+   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+   /* If it failed, free the allocated memory.  */
+-  if (__glibc_unlikely (retval != 0))
+   if (retval != 0 && data.attr != NULL)
+     {
+       pthread_attr_destroy (data.attr);
+       free (data.attr);

diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch new file mode 100644 index 0000000000..396cd7fc0e --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch
@@ -0,0 +1,73 @@
	1	From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
	2	From: Florian Weimer <fweimer@redhat.com>
	3	Date: Tue, 1 Jun 2021 17:51:41 +0200
	4	Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
	5
	6	__pthread_attr_copy can fail and does not initialize the attribute
	7	structure in that case.
	8
	9	If __pthread_attr_copy is never called and there is no allocated
	10	attribute, pthread_attr_destroy should not be called, otherwise
	11	there is a null pointer dereference in rt/tst-mqueue6.
	12
	13	Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
	14	("Use __pthread_attr_copy in mq_notify (bug 27896)").
	15
	16	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
	17
	18	https://sourceware.org/bugzilla/attachment.cgi?id=13497
	19
	20	Upstream-Status: Backport
	21	CVE: CVE-2021-33574 patch#2
	22	Signed-off-by: Armin Kuster <akuster@mvista.com>
	23
	24	---
	25	Index: git/sysdeps/unix/sysv/linux/mq_notify.c
	26	===================================================================
	27	--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
	28	+++ git/sysdeps/unix/sysv/linux/mq_notify.c
	29	@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
	30	if (data.attr == NULL)
	31	return -1;
	32
	33	- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
	34	+ memcpy (data.attr, notification->sigev_notify_attributes,
	35	+ sizeof (pthread_attr_t));
	36	+
	37	+ struct pthread_attr *source =
	38	+ (struct pthread_attr *) (notification->sigev_notify_attributes);
	39	+ struct pthread_attr target = (struct pthread_attr ) (data.attr);
	40	+ cpu_set_t *newp;
	41	+ cpu_set_t *cpuset = source->cpuset;
	42	+ size_t cpusetsize = source->cpusetsize;
	43	+
	44	+ /* alloc a new memory for cpuset to avoid use after free */
	45	+ if (cpuset != NULL && cpusetsize > 0)
	46	+ {
	47	+ newp = (cpu_set_t *) malloc (cpusetsize);
	48	+ if (newp == NULL)
	49	+ {
	50	+ free(data.attr);
	51	+ return -1;
	52	+ }
	53	+
	54	+ memcpy (newp, cpuset, cpusetsize);
	55	+ target->cpuset = newp;
	56	+ }
	57	+ else
	58	+ {
	59	+ target->cpuset = NULL;
	60	+ target->cpusetsize = 0;
	61	+ }
	62	}
	63
	64	/* Construct the new request. */
	65	@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
	66	int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
	67
	68	/* If it failed, free the allocated memory. */
	69	- if (__glibc_unlikely (retval != 0))
	70	+ if (retval != 0 && data.attr != NULL)
	71	{
	72	pthread_attr_destroy (data.attr);
	73	free (data.attr);