summaryrefslogtreecommitdiff
path: root/meta-openbmc-mods/meta-common/recipes-core/glibc
diff options
context:
space:
mode:
Diffstat (limited to 'meta-openbmc-mods/meta-common/recipes-core/glibc')
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch54
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-sunrpc-use-snprintf-to-guard-against-buffer-overflow.patch35
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch52
-rw-r--r--meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend3
4 files changed, 144 insertions, 0 deletions
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch
new file mode 100644
index 000000000..5e1bc958b
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch
@@ -0,0 +1,54 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0cdd..f7ddfe5a6c 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (&notify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request. */
+@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }
+--
+2.27.0
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-sunrpc-use-snprintf-to-guard-against-buffer-overflow.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-sunrpc-use-snprintf-to-guard-against-buffer-overflow.patch
new file mode 100644
index 000000000..079ce0faa
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0036-sunrpc-use-snprintf-to-guard-against-buffer-overflow.patch
@@ -0,0 +1,35 @@
+From 174f4391195960b0b728fb5ee4959fcb9e12d59a Mon Sep 17 00:00:00 2001
+From: Philipp Tomsich <philipp.tomsich@vrull.eu>
+Date: Wed, 2 Dec 2020 20:04:11 +0100
+Subject: [PATCH] sunrpc: use snprintf to guard against buffer overflow
+
+GCC11 has improved detection of buffer overflows detectable through the analysis
+of format strings and parameters, which identifies the following issue:
+ netname.c:52:28: error: '%s' directive writing up to 255 bytes into a region
+ of size between 239 and 249 [-Werror=format-overflow=]
+
+This rewrites user2netname() to use snprintf to guard against overflows.
+---
+ sunrpc/netname.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/sunrpc/netname.c b/sunrpc/netname.c
+index ceed23b1a72d..1a18b7a39453 100644
+--- a/sunrpc/netname.c
++++ b/sunrpc/netname.c
+@@ -49,8 +49,10 @@ user2netname (char netname[MAXNETNAMELEN + 1], const uid_t uid,
+ if ((strlen (dfltdom) + OPSYS_LEN + 3 + MAXIPRINT) > (size_t) MAXNETNAMELEN)
+ return 0;
+
+- sprintf (netname, "%s.%d@%s", OPSYS, uid, dfltdom);
+- i = strlen (netname);
++ i = snprintf (netname, MAXNETNAMELEN + 1, "%s.%d@%s", OPSYS, uid, dfltdom);
++ if (i > (size_t) MAXNETNAMELEN)
++ return 0;
++
+ if (netname[i - 1] == '.')
+ netname[i - 1] = '\0';
+ return 1;
+--
+2.17.1
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch
new file mode 100644
index 000000000..447943a46
--- /dev/null
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc/0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch
@@ -0,0 +1,52 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f7ddfe5a6c..6f46d29d1d 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ int ret = __pthread_attr_copy (data.attr,
++ notification->sigev_notify_attributes);
++ if (ret != 0)
++ {
++ free (data.attr);
++ __set_errno (ret);
++ return -1;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+--
+2.27.0
+
diff --git a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
index 327c1ce64..77cd9ce46 100644
--- a/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
+++ b/meta-openbmc-mods/meta-common/recipes-core/glibc/glibc_%.bbappend
@@ -2,4 +2,7 @@ FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
SRC_URI += " \
file://0035-Fix-build-error.patch \
+ file://0036-sunrpc-use-snprintf-to-guard-against-buffer-overflow.patch \
+ file://0036-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch \
+ file://0037-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch \
"
generated by cgit v1.2.3 (git 2.39.0) at 2024-08-26 07:46:44 +0300