glibc: stable 2.35 branch updates

Below commits on glibc-2.35 stable branch are updated. cbceb903c4 (HEAD -> release/2.35/master, origin/release/2.35/master) io: Fix F_GETLK, F_SETLK, and F_SETLKW for powerpc64 0967fb5861 io: Fix record locking contants on 32 bit arch with 64 bit default time_t 739de21d30 Document BZ #20975 fix 2b9906f9a0 __check_pf: Add a cancellation cleanup handler 7035f2174f gmon: Revert addition of tunables to preserve GLIBC_PRIVATE ABI e698e8bd8e gmon: fix memory corruption issues 9f81b8fa65 gmon: improve mcount overflow handling f2820e478c gmon: Fix allocated buffer overflow 413af1eb02 posix: Fix system blocks SIGCHLD erroneously CVE-2023-0687.patch is dropped (From OE-Core rev: afce7649180950b0a168771c2f95e7839382b02c) Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Deepthi Hemraj <deepadeepthi98@gmail.com> 2023-06-12 15:14:15 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-06-21 04:00:58 -1000
commit: 1e8fd09f78a3f327e1d11dac9df7fd339b18e95e (patch)
tree: ea3cee235828fa3f4b1d3ec06ddc1eebcfde94fa
parent: c4c9531c9b1c379184b01bd87e5df6ae6235dcc4 (diff)
download: poky-1e8fd09f78a3f327e1d11dac9df7fd339b18e95e.tar.gz
3 files changed, 1 insertions, 84 deletions
diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc
index 4d8d96cefb..01b1abef7d 100644
--- a/meta/recipes-core/glibc/glibc-version.inc
+++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
 SRCBRANCH ?= "release/2.35/master"
 PV = "2.35"
-SRCREV_glibc ?= "1c7f51c75ae300fe52ccb636e71b8e28cb20824c"
+SRCREV_glibc ?= "cbceb903c4d770acc7e4ba5641036516830ed69b"
 SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
 GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
deleted file mode 100644
index 10c7e5666d..0000000000
--- a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
+++ /dev/null
@@ -1,82 +0,0 @@
-From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
-From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
- =?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
-Date: Sat, 4 Feb 2023 14:41:38 +0300
-Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-The `__monstartup()` allocates a buffer used to store all the data
-accumulated by the monitor.
-The size of this buffer depends on the size of the internal structures
-used and the address range for which the monitor is activated, as well
-as on the maximum density of call instructions and/or callable functions
-that could be potentially on a segment of executable code.
-In particular a hash table of arcs is placed at the end of this buffer.
-The size of this hash table is calculated in bytes as
-   p->fromssize = p->textsize / HASHFRACTION;
-but actually should be
-   p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
-This results in writing beyond the end of the allocated buffer when an
-added arc corresponds to a call near from the end of the monitored
-address range, since `_mcount()` check the incoming caller address for
-monitored range but not the intermediate result hash-like index that
-uses to write into the table.
-It should be noted that when the results are output to `gmon.out`, the
-table is read to the last element calculated from the allocated size in
-bytes, so the arcs stored outside the buffer boundary did not fall into
-`gprof` for analysis. Thus this "feature" help me to found this bug
-during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
-Just in case, I will explicitly note that the problem breaks the
-`make test t=gmon/tst-gmon-dso` added for Bug 29438.
-There, the arc of the `f3()` call disappears from the output, since in
-the DSO case, the call to `f3` is located close to the end of the
-monitored range.
-Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
-Another minor error seems a related typo in the calculation of
-`kcountsize`, but since kcounts are smaller than froms, this is
-actually to align the p->froms data.
-Co-authored-by: DJ Delorie <dj@redhat.com>
-Reviewed-by: Carlos O'Donell <carlos@redhat.com>
-Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
-CVE: CVE-2023-0687
-Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
---
- gmon/gmon.c | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-diff --git a/gmon/gmon.c b/gmon/gmon.c
-index dee6480..bf76358 100644
--- a/gmon/gmon.c
-+++ b/gmon/gmon.c
-@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
-   p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
-   p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
-   p->textsize = p->highpc - p->lowpc;
-+  /* This looks like a typo, but it's here to align the p->froms
-+     section.  */
-   p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
-   p->hashfraction = HASHFRACTION;
-   p->log_hashfraction = -1;
-@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
-         instead of integer division.  Precompute shift amount. */
-       p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
-   }
-  p->fromssize = p->textsize / HASHFRACTION;
-+  p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
-   p->tolimit = p->textsize * ARCDENSITY / 100;
-   if (p->tolimit < MINARCS)
-     p->tolimit = MINARCS;
--
-2.7.4
diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb
index 29fcb1d627..df847e76bf 100644
--- a/meta/recipes-core/glibc/glibc_2.35.bb
+++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -50,7 +50,6 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
           \
           file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
-           file://CVE-2023-0687.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Deepthi Hemraj <deepadeepthi98@gmail.com>	2023-06-12 15:14:15 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-06-21 04:00:58 -1000
commit	1e8fd09f78a3f327e1d11dac9df7fd339b18e95e (patch)
tree	ea3cee235828fa3f4b1d3ec06ddc1eebcfde94fa
parent	c4c9531c9b1c379184b01bd87e5df6ae6235dcc4 (diff)
download	poky-1e8fd09f78a3f327e1d11dac9df7fd339b18e95e.tar.gz

diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 4d8d96cefb..01b1abef7d 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc
@@ -1,6 +1,6 @@
1	SRCBRANCH ?= "release/2.35/master"	1	SRCBRANCH ?= "release/2.35/master"
2	PV = "2.35"	2	PV = "2.35"
3	SRCREV_glibc ?= "1c7f51c75ae300fe52ccb636e71b8e28cb20824c"	3	SRCREV_glibc ?= "cbceb903c4d770acc7e4ba5641036516830ed69b"
4	SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"	4	SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
5		5
6	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"	6	GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"


diff --git a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch b/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch deleted file mode 100644 index 10c7e5666d..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2023-0687.patch +++ /dev/null
@@ -1,82 +0,0 @@
1	From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
2	From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
3	=?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
4	Date: Sat, 4 Feb 2023 14:41:38 +0300
5	Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
6	MIME-Version: 1.0
7	Content-Type: text/plain; charset=UTF-8
8	Content-Transfer-Encoding: 8bit
9
10	The `__monstartup()` allocates a buffer used to store all the data
11	accumulated by the monitor.
12
13	The size of this buffer depends on the size of the internal structures
14	used and the address range for which the monitor is activated, as well
15	as on the maximum density of call instructions and/or callable functions
16	that could be potentially on a segment of executable code.
17
18	In particular a hash table of arcs is placed at the end of this buffer.
19	The size of this hash table is calculated in bytes as
20	p->fromssize = p->textsize / HASHFRACTION;
21
22	but actually should be
23	p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
24
25	This results in writing beyond the end of the allocated buffer when an
26	added arc corresponds to a call near from the end of the monitored
27	address range, since `_mcount()` check the incoming caller address for
28	monitored range but not the intermediate result hash-like index that
29	uses to write into the table.
30
31	It should be noted that when the results are output to `gmon.out`, the
32	table is read to the last element calculated from the allocated size in
33	bytes, so the arcs stored outside the buffer boundary did not fall into
34	`gprof` for analysis. Thus this "feature" help me to found this bug
35	during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
36
37	Just in case, I will explicitly note that the problem breaks the
38	`make test t=gmon/tst-gmon-dso` added for Bug 29438.
39	There, the arc of the `f3()` call disappears from the output, since in
40	the DSO case, the call to `f3` is located close to the end of the
41	monitored range.
42
43	Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
44
45	Another minor error seems a related typo in the calculation of
46	`kcountsize`, but since kcounts are smaller than froms, this is
47	actually to align the p->froms data.
48
49	Co-authored-by: DJ Delorie <dj@redhat.com>
50	Reviewed-by: Carlos O'Donell <carlos@redhat.com>
51
52	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
53	CVE: CVE-2023-0687
54	Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
55	---
56	gmon/gmon.c \| 4 +++-
57	1 file changed, 3 insertions(+), 1 deletion(-)
58
59	diff --git a/gmon/gmon.c b/gmon/gmon.c
60	index dee6480..bf76358 100644
61	--- a/gmon/gmon.c
62	+++ b/gmon/gmon.c
63	@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
64	p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
65	p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
66	p->textsize = p->highpc - p->lowpc;
67	+ /* This looks like a typo, but it's here to align the p->froms
68	+ section. */
69	p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
70	p->hashfraction = HASHFRACTION;
71	p->log_hashfraction = -1;
72	@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
73	instead of integer division. Precompute shift amount. */
74	p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
75	}
76	- p->fromssize = p->textsize / HASHFRACTION;
77	+ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
78	p->tolimit = p->textsize * ARCDENSITY / 100;
79	if (p->tolimit < MINARCS)
80	p->tolimit = MINARCS;
81	--
82	2.7.4


diff --git a/meta/recipes-core/glibc/glibc_2.35.bb b/meta/recipes-core/glibc/glibc_2.35.bb index 29fcb1d627..df847e76bf 100644 --- a/meta/recipes-core/glibc/glibc_2.35.bb +++ b/meta/recipes-core/glibc/glibc_2.35.bb
@@ -50,7 +50,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
50	file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \	50	file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
51	\	51	\
52	file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \	52	file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
53	file://CVE-2023-0687.patch \
54	"	53	"
55	S = "${WORKDIR}/git"	54	S = "${WORKDIR}/git"
56	B = "${WORKDIR}/build-${TARGET_SYS}"	55	B = "${WORKDIR}/build-${TARGET_SYS}"