diff options
Diffstat (limited to 'poky/meta/recipes-core/glibc/glibc')
4 files changed, 272 insertions, 8 deletions
diff --git a/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch new file mode 100644 index 000000000..1e9404900 --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch @@ -0,0 +1,43 @@ +From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <npv1310@gmail.com> +Date: Mon, 9 Aug 2021 20:17:34 +0530 +Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) + +Helper thread frees copied attribute on NOTIFY_REMOVED message +received from the OS kernel. Unfortunately, it fails to check whether +copied attribute actually exists (data.attr != NULL). This worked +earlier because free() checks passed pointer before actually +attempting to release corresponding memory. But +__pthread_attr_destroy assumes pointer is not NULL. + +So passing NULL pointer to __pthread_attr_destroy will result in +segmentation fault. This scenario is possible if +notification->sigev_notify_attributes == NULL (which means default +thread attributes should be used). + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8] +CVE: CVE-2021-38604 + +Signed-off-by: Nikita Popov <npv1310@gmail.com> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + sysdeps/unix/sysv/linux/mq_notify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c +index 9799dcdaa4..eccae2e4c6 100644 +--- a/sysdeps/unix/sysv/linux/mq_notify.c ++++ b/sysdeps/unix/sysv/linux/mq_notify.c +@@ -131,7 +131,7 @@ helper_thread (void *arg) + to wait until it is done with it. */ + (void) __pthread_barrier_wait (¬ify_barrier); + } +- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) ++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) + { + /* The only state we keep is the copy of the thread attributes. */ + __pthread_attr_destroy (data.attr); +-- +2.31.1 + diff --git a/poky/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch b/poky/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch new file mode 100644 index 000000000..3283dd7ad --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0001-fix-create-thread-failed-in-unprivileged-process-BZ-.patch @@ -0,0 +1,79 @@ +From a8bc44936202692edcd82a48c07d7cf27d6ed8ee Mon Sep 17 00:00:00 2001 +From: Hongxu Jia <hongxu.jia@windriver.com> +Date: Sun, 29 Aug 2021 20:49:16 +0800 +Subject: [PATCH] fix create thread failed in unprivileged process [BZ #28287] + +Since commit [d8ea0d0168 Add an internal wrapper for clone, clone2 and clone3] +applied, start a unprivileged container (docker run without --privileged), +it creates a thread failed in container. + +In commit d8ea0d0168, it calls __clone3 if HAVE_CLONE3_WAPPER is defined. If +__clone3 returns -1 with ENOSYS, fall back to clone or clone2. + +As known from [1], cloneXXX fails with EPERM if CLONE_NEWCGROUP, +CLONE_NEWIPC, CLONE_NEWNET, CLONE_NEWNS, CLONE_NEWPID, or CLONE_NEWUTS +was specified by an unprivileged process (process without CAP_SYS_ADMIN) + +[1] https://man7.org/linux/man-pages/man2/clone3.2.html + +So if __clone3 returns -1 with EPERM, fall back to clone or clone2 could +fix the issue. Here are the test steps: + +1) Prepare test code +cat > conftest.c <<ENDOF + #include <pthread.h> + #include <stdio.h> + +int check_me = 0; +void* func(void* data) {check_me = 42; printf("start thread: check_me %d\n", check_me); return &check_me;} +int main() +{ + pthread_t t; + void *ret; + pthread_create (&t, 0, func, 0); + pthread_join (t, &ret); + printf("check_me %d, p %p\n", check_me, &ret); + return (check_me != 42 || ret != &check_me); +} + +ENDOF + +2) Compile +gcc -o conftest -pthread conftest.c + +3) Start a container with glibc 2.34 installed +[skip details] +docker run -it <container-image-name> bash + +4) Run conftest without this patch +$ ./conftest +check_me 0, p 0x7ffd91ccd400 + +5) Run conftest with this patch +$ ./conftest +start thread: check_me 42 +check_me 42, p 0x7ffe253c6f20 + +Upstream-Status: Submitted [libc-alpha@sourceware.org] + +Signed-off-by: Hongxu Jia <hongxu.jia@windriver.com> +--- + sysdeps/unix/sysv/linux/clone-internal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/clone-internal.c b/sysdeps/unix/sysv/linux/clone-internal.c +index 979f7880be..97101994e8 100644 +--- a/sysdeps/unix/sysv/linux/clone-internal.c ++++ b/sysdeps/unix/sysv/linux/clone-internal.c +@@ -52,7 +52,7 @@ __clone_internal (struct clone_args *cl_args, + /* Try clone3 first. */ + int saved_errno = errno; + ret = __clone3 (cl_args, sizeof (*cl_args), func, arg); +- if (ret != -1 || errno != ENOSYS) ++ if (ret != -1 || (errno != ENOSYS && errno != EPERM)) + return ret; + + /* NB: Restore errno since errno may be checked against non-zero +-- +2.30.2 + diff --git a/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch new file mode 100644 index 000000000..9f71fecdd --- /dev/null +++ b/poky/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch @@ -0,0 +1,150 @@ +From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001 +From: Nikita Popov <npv1310@gmail.com> +Date: Thu, 12 Aug 2021 16:09:50 +0530 +Subject: [PATCH] librt: add test (bug 28213) + +This test implements following logic: +1) Create POSIX message queue. + Register a notification with mq_notify (using NULL attributes). + Then immediately unregister the notification with mq_notify. + Helper thread in a vulnerable version of glibc + should cause NULL pointer dereference after these steps. +2) Once again, register the same notification. + Try to send a dummy message. + Test is considered successfulif the dummy message + is successfully received by the callback function. + +Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641] +CVE: CVE-2021-38604 + +Signed-off-by: Nikita Popov <npv1310@gmail.com> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> +--- + rt/Makefile | 1 + + rt/tst-bz28213.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 102 insertions(+) + create mode 100644 rt/tst-bz28213.c + +diff --git a/rt/Makefile b/rt/Makefile +index 113cea03a5..910e775995 100644 +--- a/rt/Makefile ++++ b/rt/Makefile +@@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \ + tst-aio7 tst-aio8 tst-aio9 tst-aio10 \ + tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \ + tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \ ++ tst-bz28213 \ + tst-timer3 tst-timer4 tst-timer5 \ + tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \ + tst-shm-cancel \ +diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c +new file mode 100644 +index 0000000000..0c096b5a0a +--- /dev/null ++++ b/rt/tst-bz28213.c +@@ -0,0 +1,101 @@ ++/* Bug 28213: test for NULL pointer dereference in mq_notify. ++ Copyright (C) The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <sys/types.h> ++#include <sys/stat.h> ++#include <fcntl.h> ++#include <unistd.h> ++#include <mqueue.h> ++#include <signal.h> ++#include <stdlib.h> ++#include <string.h> ++#include <support/check.h> ++ ++static mqd_t m = -1; ++static const char msg[] = "hello"; ++ ++static void ++check_bz28213_cb (union sigval sv) ++{ ++ char buf[sizeof (msg)]; ++ ++ (void) sv; ++ ++ TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL) ++ == sizeof (buf)); ++ TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0); ++ ++ exit (0); ++} ++ ++static void ++check_bz28213 (void) ++{ ++ struct sigevent sev; ++ ++ memset (&sev, '\0', sizeof (sev)); ++ sev.sigev_notify = SIGEV_THREAD; ++ sev.sigev_notify_function = check_bz28213_cb; ++ ++ /* Step 1: Register & unregister notifier. ++ Helper thread should receive NOTIFY_REMOVED notification. ++ In a vulnerable version of glibc, NULL pointer dereference follows. */ ++ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); ++ TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0); ++ ++ /* Step 2: Once again, register notification. ++ Try to send one message. ++ Test is considered successful, if the callback does exit (0). */ ++ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); ++ TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0); ++ ++ /* Wait... */ ++ pause (); ++} ++ ++static int ++do_test (void) ++{ ++ static const char m_name[] = "/bz28213_queue"; ++ struct mq_attr m_attr; ++ ++ memset (&m_attr, '\0', sizeof (m_attr)); ++ m_attr.mq_maxmsg = 1; ++ m_attr.mq_msgsize = sizeof (msg); ++ ++ m = mq_open (m_name, ++ O_RDWR | O_CREAT | O_EXCL, ++ 0600, ++ &m_attr); ++ ++ if (m < 0) ++ { ++ if (errno == ENOSYS) ++ FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n"); ++ FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n"); ++ } ++ ++ TEST_VERIFY_EXIT (mq_unlink (m_name) == 0); ++ ++ check_bz28213 (); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> +-- +2.31.1 + diff --git a/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch b/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch index 8e011699e..ece792509 100644 --- a/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch +++ b/poky/meta/recipes-core/glibc/glibc/0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch @@ -46,14 +46,6 @@ copy to sysdeps/arm/bits/wordsize.h index 91da566b74..34fcdef1f1 100644 --- a/sysdeps/aarch64/bits/wordsize.h +++ b/sysdeps/arm/bits/wordsize.h -@@ -1,6 +1,6 @@ - /* Determine the wordsize from the preprocessor defines. - -- Copyright (C) 2016-2021 Free Software Foundation, Inc. -+ Copyright (C) 2016-2020 Free Software Foundation, Inc. - This file is part of the GNU C Library. - - The GNU C Library is free software; you can redistribute it and/or @@ -17,12 +17,16 @@ License along with the GNU C Library; if not, see <https://www.gnu.org/licenses/>. */ |