diff --git a/elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch b/elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
new file mode 100644
index 0000000000000000000000000000000000000000..88a14970391ce0fb3ff8549e6310457ae2a0c61f
--- /dev/null
+++ b/elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch
@@ -0,0 +1,82 @@
+From 3be3728df2f1912c80abd3288bc6e3a25ad679e4 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Mon, 6 Nov 2023 17:25:49 -0300
+Subject: [PATCH] elf: Ignore LD_LIBRARY_PATH and debug env var for setuid
+ for static
+
+It mimics the ld.so behavior.
+
+Checked on x86_64-linux-gnu.
+Reviewed-by: Siddhesh Poyarekar
+
+(cherry picked from commit 5451fa962cd0a90a0e2ec1d8910a559ace02bba0)
+
+Changes:
+
+ git/elf/dl-support.c
+ (missing commit 55f41ef8de4a4d0c5762d78659e11202d3c765d4
+ ("elf: Remove LD_PROFILE for static binaries"))
+---
+ elf/dl-support.c | 32 ++++++++++++++++----------------
+ 1 file changed, 16 insertions(+), 16 deletions(-)
+
+diff --git a/elf/dl-support.c b/elf/dl-support.c
+index 44a54dea07..d57e650583 100644
+--- a/elf/dl-support.c
++++ b/elf/dl-support.c
+@@ -276,8 +276,6 @@ _dl_non_dynamic_init (void)
+ _dl_main_map.l_phdr = GL(dl_phdr);
+ _dl_main_map.l_phnum = GL(dl_phnum);
+
+- _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
+-
+ /* Set up the data structures for the system-supplied DSO early,
+ so they can influence _dl_init_paths. */
+ setup_vdso (NULL, NULL);
+@@ -285,6 +283,22 @@ _dl_non_dynamic_init (void)
+ /* With vDSO setup we can initialize the function pointers. */
+ setup_vdso_pointers ();
+
++ if (__libc_enable_secure)
++ {
++ static const char unsecure_envvars[] =
++ UNSECURE_ENVVARS
++ ;
++ const char *cp = unsecure_envvars;
++
++ while (cp < unsecure_envvars + sizeof (unsecure_envvars))
++ {
++ __unsetenv (cp);
++ cp = strchr (cp, '\0') + 1;
++ }
++ }
++
++ _dl_verbose = *(getenv ("LD_WARN") ?: "") == '\0' ? 0 : 1;
++
+ /* Initialize the data structures for the search paths for shared
+ objects. */
+ _dl_init_paths (getenv ("LD_LIBRARY_PATH"), "LD_LIBRARY_PATH",
+@@ -306,20 +320,6 @@ _dl_non_dynamic_init (void)
+ _dl_profile_output
+ = &"/var/tmp\0/var/profile"[__libc_enable_secure ?
9 : 0];
+
+- if (__libc_enable_secure)
+- {
+- static const char unsecure_envvars[] =
+- UNSECURE_ENVVARS
+- ;
+- const char *cp = unsecure_envvars;
+-
+- while (cp < unsecure_envvars + sizeof (unsecure_envvars))
+- {
+- __unsetenv (cp);
+- cp = strchr (cp, '\0') + 1;
+- }
+- }
+-
+ #ifdef DL_PLATFORM_INIT
+ DL_PLATFORM_INIT;
+ #endif
+--
+2.27.0
+
diff --git a/elf-Test-case-for-bug-32976-CVE-2025-4802.patch b/elf-Test-case-for-bug-32976-CVE-2025-4802.patch
new file mode 100644
index 0000000000000000000000000000000000000000..5d5978d72f671f06c0f49add9954aa20b41f2d73
--- /dev/null
+++ b/elf-Test-case-for-bug-32976-CVE-2025-4802.patch
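Review bot: The relocated `if (__libc_enable_secure)` block in `_dl_non_dynamic_init` has no comment saying that its position is the fix, so a later cleanup could move a `getenv` call back above it. On the new side the `__unsetenv` loop over `UNSECURE_ENVVARS` runs before the `getenv ("LD_WARN")` and `getenv ("LD_LIBRARY_PATH")` reads, which is what keeps those variables out of an AT_SECURE static binary; I would add above the block `/* Scrub UNSECURE_ENVVARS before any getenv call below, so that a setuid/setgid static binary ignores LD_WARN and LD_LIBRARY_PATH.  */`. The backport note says the commit removing LD_PROFILE for static binaries is not in this tree, so any LD_PROFILE handling that remains between the hunks (only the `_dl_profile_output` context is visible) presumably depends on the same scrub; that is worth confirming against this tree's `UNSECURE_ENVVARS` list. The function starts and ends outside the hunks.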
@@ -0,0 +1,166 @@
+From 9d7b0a0f0b5efaa1c587e39b6d4437f87f50cbe3 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Wed, 21 May 2025 10:38:17 +0800
+Subject: [PATCH] elf: Test case for bug 32976 (CVE-2025-4802)
+
+Check that LD_LIBRARY_PATH is ignored for AT_SECURE statically
+linked binaries, using support_capture_subprogram_self_sgid.
+
+Reviewed-by: Carlos O'Donell
+(cherry picked from commit d8f7a79335b0d861c12c42aec94c04cd5bb181e2)
+
+Conflict: adapt the context for "$(objpfx)tst-dlopen-sgid.out:"
+---
+ elf/Makefile | 4 ++
+ elf/tst-dlopen-sgid-mod.c | 1 +
+ elf/tst-dlopen-sgid.c | 104 ++++++++++++++++++++++++++++++++++++++
+ 3 files changed, 109 insertions(+)
+ create mode 100644 elf/tst-dlopen-sgid-mod.c
+ create mode 100644 elf/tst-dlopen-sgid.c
+
+diff --git a/elf/Makefile b/elf/Makefile
+index 14f6758a..70c3a139 100644
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -262,6 +262,7 @@ tests-static-normal := \
+ tst-array1-static \
+ tst-array5-static \
+ tst-dl-iter-static \
++ tst-dlopen-sgid \
+ tst-dst-static \
+ tst-env-setuid \
+ tst-env-setuid-tunables \
+@@ -831,6 +832,7 @@ modules-names += \
+ tst-dlmopen-twice-mod1 \
+ tst-dlmopen-twice-mod2 \
+ tst-dlmopen1mod \
++ tst-dlopen-sgid-mod \
+ tst-dlopenfaillinkmod \
+ tst-dlopenfailmod1 \
+ tst-dlopenfailmod2 \
+@@ -3073,3 +3075,5 @@ tst-rtld-no-malloc-audit-ENV = LD_AUDIT=$(objpfx)tst-auditmod1.so
+
+ # Any shared object should do.
+ tst-rtld-no-malloc-preload-ENV = LD_PRELOAD=$(objpfx)tst-auditmod1.so
++
++$(objpfx)tst-dlopen-sgid.out: $(objpfx)tst-dlopen-sgid-mod.so
+diff --git a/elf/tst-dlopen-sgid-mod.c b/elf/tst-dlopen-sgid-mod.c
+new file mode 100644
+index 00000000..5eb79eef
+--- /dev/null
++++ b/elf/tst-dlopen-sgid-mod.c
+@@ -0,0 +1 @@
++/* Opening this object should not succeed.
*/
+diff --git a/elf/tst-dlopen-sgid.c b/elf/tst-dlopen-sgid.c
+new file mode 100644
+index 00000000..47829a40
+--- /dev/null
++++ b/elf/tst-dlopen-sgid.c
+@@ -0,0 +1,104 @@
++/* Test case for ignored LD_LIBRARY_PATH in static startug (bug 32976).
++ Copyright (C) 2025 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++#include
++
++/* This is the name of our test object. Use a custom module for
++ testing, so that this object does not get picked up from the system
++ path. */
++static const char dso_name[] = "tst-dlopen-sgid-mod.so";
++
++/* Used to mark the recursive invocation. */
++static const char magic_argument[] = "run-actual-test";
++
++static int
++do_test (void)
++{
++/* Pathname of the directory that receives the shared objects this
++ test attempts to load. */
++ char *libdir = support_create_temp_directory ("tst-dlopen-sgid-");
++
++ /* This is supposed to be ignored and stripped. */
++ TEST_COMPARE (setenv ("LD_LIBRARY_PATH", libdir, 1), 0);
++
++ /* Copy of libc.so.6.
*/
++ {
++ char *from = xasprintf ("%s/%s", support_objdir_root, LIBC_SO);
++ char *to = xasprintf ("%s/%s", libdir, LIBC_SO);
++ add_temp_file (to);
++ support_copy_file (from, to);
++ free (to);
++ free (from);
++ }
++
++ /* Copy of the test object. */
++ {
++ char *from = xasprintf ("%s/elf/%s", support_objdir_root, dso_name);
++ char *to = xasprintf ("%s/%s", libdir, dso_name);
++ add_temp_file (to);
++ support_copy_file (from, to);
++ free (to);
++ free (from);
++ }
++
++ TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0);
++
++ free (libdir);
++
++ return 0;
++}
++
++static void
++alternative_main (int argc, char **argv)
++{
++ if (argc == 2 && strcmp (argv[1], magic_argument) == 0)
++ {
++ if (getgid () == getegid ())
++ /* This can happen if the file system is mounted nosuid. */
++ FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n",
++ (intmax_t) getgid ());
++
++ /* Should be removed due to SGID. */
++ TEST_COMPARE_STRING (getenv ("LD_LIBRARY_PATH"), NULL);
++
++ TEST_VERIFY (dlopen (dso_name, RTLD_NOW) == NULL);
++ {
++ const char *message = dlerror ();
++ TEST_COMPARE_STRING (message,
++ "tst-dlopen-sgid-mod.so:"
++ " cannot open shared object file:"
++ " No such file or directory");
++ }
++
++ support_record_failure_barrier ();
++ exit (EXIT_SUCCESS);
++ }
++}
++
++#define PREPARE alternative_main
++#include
+--
+2.27.0
+
diff --git a/glibc.spec b/glibc.spec
index da5b10264badce02d28975dea177a71e91f075c9..0db7a1e546137c6fe1c2451ac8c8300d07329689 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -67,7 +67,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.38
-Release: 57
+Release: 58
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
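Review bot: In `do_test` of elf/tst-dlopen-sgid.c, `TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0);` treats every non-zero child status as a failure, yet `alternative_main` deliberately leaves through `FAIL_UNSUPPORTED` when the file system is mounted nosuid. As far as the visible code shows, such a builder would report FAIL rather than UNSUPPORTED, and a regression test for CVE-2025-4802 that fails for environmental reasons tends to get switched off. I would keep the status in a local and pass the unsupported case through before comparing with 0: `int status = support_capture_subprogram_self_sgid (magic_argument);` followed by `if (WIFEXITED (status) && WEXITSTATUS (status) == EXIT_UNSUPPORTED) return EXIT_UNSUPPORTED;`, assuming the helper returns a wait status (its header comment only says "exit status"). The file's opening comment also has a typo, `startug` for `startup`.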
@@ -286,6 +286,11 @@ Patch196: math-Improve-layout-of-expf-data.patch Patch197: AArch64-Add-SVE-memset.patch Patch198: AArch64-Use-prefer_sve_ifuncs-for-SVE-memset.patch Patch199: math-Improve-layout-of-exp-exp10-data.patch +Patch200: elf-Ignore-LD_LIBRARY_PATH-and-debug-env-var-for-set.patch +Patch201: support-Use-const-char-argument-in-support_capture_s.patch +Patch202: support-Add-support_record_failure_barrier.patch +Patch203: elf-Test-case-for-bug-32976-CVE-2025-4802.patch +Patch204: x86_64-Fix-typo-in-ifunc-impl-list.c.patch #openEuler patch list Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch @@ -1510,6 +1515,13 @@ fi %endif %changelog +* Wed May 21 2025 Qingqing Li - 2.38-58 +- x86_64: Fix typo in ifunc-impl-list.c. +- elf: Test case for bug 32976 (CVE-2025-4802) +- support: Add support_record_failure_barrier +- support: Use const char * argument in support_capture_subprogram_self_sgid +- elf: Ignore LD_LIBRARY_PATH and debug env var for setuid for static + * Fri Mar 28 2025 Qingqing Li - 2.38-57 - math: Improve layout of exp/exp10 data - AArch64: Use prefer_sve_ifuncs for SVE memset diff --git a/support-Add-support_record_failure_barrier.patch b/support-Add-support_record_failure_barrier.patch new file mode 100644 index 0000000000000000000000000000000000000000..280c5a98c357a7304c068b9a07293356b30cc61d --- /dev/null +++ b/support-Add-support_record_failure_barrier.patch 
@@ -0,0 +1,49 @@
+From 4335cd9b58d1449abfba1bb5060970785940a399 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Mon, 23 Dec 2024 13:57:55 +0100
+Subject: [PATCH] support: Add support_record_failure_barrier
+
+This can be used to stop execution after a TEST_COMPARE_BLOB
+failure, for example.
+
+(cherry picked from commit d0b8aa6de4529231fadfe604ac2c434e559c2d9e)
+---
+ support/check.h | 3 +++
+ support/support_record_failure.c | 10 ++++++++++
+ 2 files changed, 13 insertions(+)
+
+diff --git a/support/check.h b/support/check.h
+index 0a9fff484f..632fe5298a 100644
+--- a/support/check.h
++++ b/support/check.h
+@@ -207,6 +207,9 @@ void support_record_failure_reset (void);
+ failures or not. */
+ int support_record_failure_is_failed (void);
+
++/* Terminate the process if any failures have been encountered so far. */
++void support_record_failure_barrier (void);
++
+ __END_DECLS
+
+ #endif /* SUPPORT_CHECK_H */
+diff --git a/support/support_record_failure.c b/support/support_record_failure.c
+index 711f08801b..8466b895dc 100644
+--- a/support/support_record_failure.c
++++ b/support/support_record_failure.c
+@@ -112,3 +112,13 @@ support_record_failure_is_failed (void)
+ synchronization for reliable test error reporting anyway. */
+ return __atomic_load_n (&state->failed, __ATOMIC_RELAXED);
+ }
++
++void
++support_record_failure_barrier (void)
++{
++ if (__atomic_load_n (&state->failed, __ATOMIC_RELAXED))
++ {
++ puts ("error: exiting due to previous errors");
++ exit (1);
++ }
++}
+--
+2.27.0
+
diff --git a/support-Use-const-char-argument-in-support_capture_s.patch b/support-Use-const-char-argument-in-support_capture_s.patch
new file mode 100644
index 0000000000000000000000000000000000000000..2cb103a07c6b6b97abd1840c9257dc2708acee5c
--- /dev/null
+++ b/support-Use-const-char-argument-in-support_capture_s.patch
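Review bot: The declaration comment added to support/check.h says only that the process is terminated, while the definition in support/support_record_failure.c prints a message with `puts` and calls `exit (1)`; a caller that otherwise ends in `exit (EXIT_SUCCESS)` depends on that status to signal failure to its parent. I would state the contract at the declaration: `/* If any failures have been recorded so far, print a message to standard output and terminate the process with exit status 1.  */`.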
@@ -0,0 +1,64 @@
+From 454f24e9815ea52d48595506bf564f83902e67d4 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Tue, 20 May 2025 19:36:02 +0200
+Subject: [PATCH] support: Use const char * argument in
+ support_capture_subprogram_self_sgid
+
+The function does not modify the passed-in string, so make this clear
+via the prototype.
+
+Reviewed-by: Carlos O'Donell
+(cherry picked from commit f0c09fe61678df6f7f18fe1ebff074e62fa5ca7a)
+---
+ support/capture_subprocess.h | 3 +--
+ support/support_capture_subprocess.c | 6 +++---
+ 2 files changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/support/capture_subprocess.h b/support/capture_subprocess.h
+index 99ab7b8ab3..098d63c6e3 100644
+--- a/support/capture_subprocess.h
++++ b/support/capture_subprocess.h
+@@ -44,8 +44,7 @@ struct support_capture_subprocess support_capture_subprogram
+ /* Copy the running program into a setgid binary and run it with CHILD_ID
+ argument. If execution is successful, return the exit status of the child
+ program, otherwise return a non-zero failure exit code. */
+-int support_capture_subprogram_self_sgid
+- (char *child_id);
++int support_capture_subprogram_self_sgid (const char *child_id);
+
+ /* Deallocate the subprocess data captured by
+ support_capture_subprocess. */
+diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
+index 2a8d37b284..4393210d68 100644
+--- a/support/support_capture_subprocess.c
++++ b/support/support_capture_subprocess.c
+@@ -109,7 +109,7 @@ support_capture_subprogram (const char *file, char *const argv[])
+ safely make it SGID with the TARGET group ID. Then runs the
+ executable.
*/
+ static int
+-copy_and_spawn_sgid (char *child_id, gid_t gid)
++copy_and_spawn_sgid (const char *child_id, gid_t gid)
+ {
+ char *dirname = xasprintf ("%s/tst-tunables-setuid.%jd",
+ test_dir, (intmax_t) getpid ());
+@@ -181,7 +181,7 @@ copy_and_spawn_sgid (char *child_id, gid_t gid)
+ ret = 0;
+ infd = outfd = -1;
+
+- char * const args[] = {execname, child_id, NULL};
++ char * const args[] = {execname, (char *) child_id, NULL};
+
+ status = support_subprogram_wait (args[0], args);
+
+@@ -210,7 +210,7 @@ err:
+ }
+
+ int
+-support_capture_subprogram_self_sgid (char *child_id)
++support_capture_subprogram_self_sgid (const char *child_id)
+ {
+ gid_t target = 0;
+ const int count = 64;
+--
+2.27.0
+
diff --git a/x86_64-Fix-typo-in-ifunc-impl-list.c.patch b/x86_64-Fix-typo-in-ifunc-impl-list.c.patch
new file mode 100644
index 0000000000000000000000000000000000000000..4d1953e2d091206d56c2d352229ec661c085d37d
--- /dev/null
+++ b/x86_64-Fix-typo-in-ifunc-impl-list.c.patch
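Review bot: The `(char *) child_id` cast in `copy_and_spawn_sgid` drops the `const` that this change has just added to the prototype, and nothing at the cast says why that is safe. The array is declared `char * const args[]` because it is handed to `support_subprogram_wait` as an argv-style vector; a one-line comment above the declaration, such as `/* argv-style array; child_id is passed through unmodified.  */`, would keep the cast from reading as an oversight. Only fragments of `copy_and_spawn_sgid` are visible in the hunks, so this assumes nothing between them writes through `args`.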
@@ -0,0 +1,38 @@
+From ca41fe44a552a78e78b1b5de6116c67ef712eb74 Mon Sep 17 00:00:00 2001
+From: Sunil K Pandey
+Date: Tue, 20 May 2025 10:07:27 -0700
+Subject: [PATCH] x86_64: Fix typo in ifunc-impl-list.c.
+
+Fix wcsncpy and wcpncpy typo in ifunc-impl-list.c.
+
+Reviewed-by: H.J. Lu
+(cherry picked from commit f2aeb6ff941dccc4c777b5621e77addea6cc076c)
+---
+ sysdeps/x86_64/multiarch/ifunc-impl-list.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/x86_64/multiarch/ifunc-impl-list.c b/sysdeps/x86_64/multiarch/ifunc-impl-list.c
+index 5427ff1907..2cc2d81c66 100644
+--- a/sysdeps/x86_64/multiarch/ifunc-impl-list.c
++++ b/sysdeps/x86_64/multiarch/ifunc-impl-list.c
+@@ -928,7 +928,7 @@ __libc_ifunc_impl_list (const char *name, struct libc_ifunc_impl *array,
+ (CPU_FEATURE_USABLE (AVX2)
+ && CPU_FEATURE_USABLE (BMI2)),
+ __wcsncpy_avx2)
+- X86_IFUNC_IMPL_ADD_V2 (array, i, wcpncpy,
++ X86_IFUNC_IMPL_ADD_V2 (array, i, wcsncpy,
+ 1,
+ __wcsncpy_generic))
+
+@@ -958,7 +958,7 @@ __libc_ifunc_impl_list (const char *name, struct libc_ifunc_impl *array,
+ (CPU_FEATURE_USABLE (AVX2)
+ && CPU_FEATURE_USABLE (BMI2)),
+ __wcpncpy_avx2)
+- X86_IFUNC_IMPL_ADD_V2 (array, i, wcsncpy,
++ X86_IFUNC_IMPL_ADD_V2 (array, i, wcpncpy,
+ 1,
+ __wcpncpy_generic))
+
+--
+2.27.0
+