diff options
Diffstat (limited to 'poky/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch')
| -rw-r--r-- | poky/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch | 51 |
1 files changed, 51 insertions, 0 deletions
diff --git a/poky/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/poky/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch new file mode 100644 index 000000000..26c5c0d2a --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch @@ -0,0 +1,51 @@ +From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001 +From: DJ Delorie <dj@redhat.com> +Date: Thu, 25 Feb 2021 16:08:21 -0500 +Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462] + +In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free +was fixed, but this led to an occasional double-free. This patch +tracks the "live" allocation better. + +Tested manually by a third party. + +Related: RHBZ 1927877 + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673] + +CVE: CVE-2021-27645 + +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamaluddin@intel.com> +--- + nscd/netgroupcache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index dba6ceec1b..ad2daddafd 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + : NULL); + ndomain = (ndomain ? newbuf + ndomaindiff + : NULL); +- buffer = newbuf; ++ *tofreep = buffer = newbuf; + } + + nhost = memcpy (buffer + bufused, +@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) + { + buflen *= 2; +- buffer = xrealloc (buffer, buflen); ++ *tofreep = buffer = xrealloc (buffer, buflen); + } + else if (status == NSS_STATUS_RETURN + || status == NSS_STATUS_NOTFOUND +-- +2.27.0 + |