From c4003466f628defde8a3661a760663a04d1bf60e Mon Sep 17 00:00:00 2001
From: liqingqing_1229
Date: Sat, 5 Jun 2021 16:04:23 +0800
Subject: [PATCH] fix CVE-2021-33574
(cherry picked from commit 4297578f6cf7814cfeace0841be643edb5869e43)
---
 ...1-33574-0001-Fix-mq_notify-bug-27896.patch | 73 ++++++++++++++++++
 ...1-33574-0002-Fix-mq_notify-bug-27896.patch | 77 +++++++++++++++++++
 glibc.spec | 8 +-
 3 files changed, 157 insertions(+), 1 deletion(-)
 create mode 100644 backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
 create mode 100644 backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
diff --git a/backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch b/backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
new file mode 100644
index 0000000..8ee364a
--- /dev/null
+++ b/backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
@@ -0,0 +1,73 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+Conflict:NA
+Reference:https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
+
+---
+ NEWS | 4 ++++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 14 insertions(+), 5 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index eb31aca6..9dff5e82 100644
+--- a/NEWS
++++ b/NEWS
+@@ -224,6 +224,10 @@ Changes to build and runtime requirements:
+ 
+ Security related changes:
+ 
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
++
+ CVE-2016-6261, CVE-2016-6263, CVE-2017-14062: Various vulnerabilities have
+ been fixed by removing the glibc-internal IDNA implementation and using
+ the system-provided libidn2 library instead. Originally reported by Hanno
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 3563e82c..c4091169 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+ 
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+ 
+ /* Construct the new request. */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ 
+ /* If it failed, free the allocated memory. */
+ if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ 
+ return retval;
+ }
+-- 
+2.23.0
+
diff --git a/backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch b/backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
new file mode 100644
index 0000000..9ab91e7
--- /dev/null
+++ b/backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
@@ -0,0 +1,77 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar
+
+note that this patch has few modifications to adapt glibc2.28
+
+Conflict:NA
+Reference:https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 31 +++++++++++++++++++++++++++--
+ 1 file changed, 29 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index c4091169..76963567 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+ 
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ memcpy (data.attr, notification->sigev_notify_attributes,
++ sizeof (pthread_attr_t));
++
++ struct pthread_attr *source =
++ (struct pthread_attr *) (notification->sigev_notify_attributes);
++ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
++ cpu_set_t *newp;
++ cpu_set_t *cpuset = source->cpuset;
++ size_t cpusetsize = source->cpusetsize;
++
++ /* alloc a new memory for cpuset to avoid use after free */
++ if (cpuset != NULL && cpusetsize > 0)
++ {
++ newp = (cpu_set_t *) malloc (cpusetsize);
++ if (newp == NULL)
++ {
++ free(data.attr);
++ return -1;
++ }
++
++ memcpy (newp, cpuset, cpusetsize);
++ target->cpuset = newp;
++ }
++ else
++ {
++ target->cpuset = NULL;
++ target->cpusetsize = 0;
++ }
+ }
+ 
+ /* Construct the new request. */
+@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+-- 
+2.23.0
+
diff --git a/glibc.spec b/glibc.spec
index 3e1b239..4712287 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -59,7 +59,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.28
-Release: 67
+Release: 68
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -124,6 +124,8 @@ Patch40: backport-0002-nptl-Add-clockid-parameter-to-futex-timed-wait-calls.patc
 Patch41: backport-0003-support-Add-timespec.h-xtime.h.patch
 Patch42: backport-0004-nptl-Add-POSIX-proposed-pthread_cond_clockwait.patch
 Patch43: backport-rtld-Avoid-using-up-static-TLS-surplus-for-optimizat.patch
+Patch44: backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
+Patch45: backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
 
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
 
@@ -1148,6 +1150,10 @@ fi
 %doc hesiod/README.hesiod
 
 %changelog
+* Sat Jun 5 2021 Qingqing Li - 2.28-68
+- fix CVE-2021-33574, fix use of __pthread_attr_copy in mq_notify (bug 27896)
+ https://sourceware.org/bugzilla/show_bug.cgi?id=27896
+
 * Mon May 17 2021 xujing<17826839720@163.com> - 2.28-67
 - Avoid using up static TLS surplus to fix graphical install error
 
-- 
Gitee
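Review bot: The malloc-failure exit inside the new cpuset copy, `free(data.attr); return -1;`, is correct but reads like a missing `pthread_attr_destroy` until one notices that at that point `data.attr` is still a shallow memcpy of the caller's attribute and `target->cpuset` aliases the caller's buffer, so destroying it would free memory the caller owns; that reason belongs in a comment, e.g. `/* Plain free, not pthread_attr_destroy: data.attr still aliases the caller's cpuset.  */`. The comment `/* alloc a new memory for cpuset to avoid use after free */` should name what is being protected, e.g. `/* Deep-copy the CPU set so the attribute kept by the helper thread never references caller-owned memory that may be freed after mq_notify returns.  */`. `free(data.attr)` also drops the space before the parenthesis that every surrounding GNU-style call keeps (`free (data.attr)`). Because this backport replaces the `__pthread_attr_copy` call with an explicit memcpy plus cpuset duplication built on `struct pthread_attr` internals, the upstream description kept above the hunk ("__pthread_attr_copy can fail and does not initialize the attribute structure") no longer describes the backported code; the adaptation note should say so in one sentence. mq_notify's body continues outside both hunks.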