diff --git a/backport-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch b/backport-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch
new file mode 100644
index 0000000000000000000000000000000000000000..447943a46b89c26e5e8a145e1633ab83411d79b3
--- /dev/null
+++ b/backport-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch
@@ -0,0 +1,52 @@
+From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Tue, 1 Jun 2021 17:51:41 +0200
+Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index f7ddfe5a6c..6f46d29d1d 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++ int ret = __pthread_attr_copy (data.attr,
++ notification->sigev_notify_attributes);
++ if (ret != 0)
++ {
++ free (data.attr);
++ __set_errno (ret);
++ return -1;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
++ if (retval != 0 && data.attr != NULL)
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+--
+2.27.0
+
diff --git a/backport-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch b/backport-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch
new file mode 100644
index 0000000000000000000000000000000000000000..211e84732ad287b35a9d3f7523f319e137e79b5d
--- /dev/null
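Review bot: In the first embedded mq_notify.c hunk, the failure path after `__pthread_attr_copy` frees `data.attr` without calling `pthread_attr_destroy`, and only the commit message says why; the code should carry that reason, e.g. `/* On failure __pthread_attr_copy leaves *data.attr uninitialized, so pthread_attr_destroy must not be called here.  */` above the `free (data.attr);`. In the second hunk, `pthread_attr_destroy` and `free` run after `INLINE_SYSCALL` has already set errno for the failed syscall; unless both are guaranteed to preserve errno in this tree, the caller can observe a clobbered errno, so saving it before the cleanup and restoring it with `__set_errno` afterwards would be safer. The new `data.attr != NULL` test presumably relies on `data` being zero-initialized for the non-SIGEV_THREAD cases; that initialization is outside the hunk and worth confirming. mq_notify starts before and ends after both hunks.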
+++ b/backport-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch 
@@ -0,0 +1,69 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+---
+ NEWS | 3 +++
+ sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
+ 2 files changed, 13 insertions(+), 5 deletions(-)
+
+diff --git a/NEWS b/NEWS
+index 71f5d20..9e5bcf4 100644
+--- a/NEWS
++++ b/NEWS
+@@ -101,6 +101,9 @@ Changes to build and runtime requirements:
+ * s390x requires GCC 7.1 or newer. See gcc Bug 98269.
+
+ Security related changes:
++ CVE-2021-33574: The mq_notify function has a potential use-after-free
++ issue when using a notification type of SIGEV_THREAD and a thread
++ attribute with a non-default affinity mask.
+
+ CVE-2021-3326: An assertion failure during conversion from the
+ ISO-20220-JP-3 character set using the iconv function has been fixed.
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0..f7ddfe5 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ }
+
+ /* Construct the new request.
*/ +@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) + + /* If it failed, free the allocated memory. */ + if (__glibc_unlikely (retval != 0)) +- free (data.attr); ++ { ++ pthread_attr_destroy (data.attr); ++ free (data.attr); ++ } + + return retval; + } +-- +1.8.3.1 + diff --git a/glibc.spec b/glibc.spec index a8db5419b33bf956beb8ddd6aabd8111790e9ea8..d075be38ba81dccb0cc5a0ab2b728c567f0904b9 100644 --- a/glibc.spec +++ b/glibc.spec @@ -60,7 +60,7 @@ ############################################################################## Name: glibc Version: 2.33 -Release: 3 +Release: 4 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -79,6 +79,8 @@ Patch1: glibc-c-utf8-locale.patch Patch2: Fix-the-inaccuracy-of-j0f-j1f-y0f-y1f-BZ.patch Patch6000: backport-posix-tst-rfc3484-Fix-compile-failure-linking-to-loc.patch +Patch6001: backport-Use-__pthread_attr_copy-in-mq_notify-bug-27896.patch +Patch6002: backport-Fix-use-of-__pthread_attr_copy-in-mq_notify-bug-27896.patch Patch9000: turn-REP_STOSB_THRESHOLD-from-2k-to-1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -486,7 +488,7 @@ make %{?_smp_mflags} install_root=$RPM_BUILD_ROOT \ install-locale-files -C ../localedata objdir=`pwd` popd -python3 %{SOURCE7} $PRM_BUILD_ROOT/usr/lib/locale +python3 %{SOURCE7} $RPM_BUILD_ROOT/usr/lib/locale rm -f $RPM_BUILD_ROOT/%{_libdir}/libNoVersion* rm -f $RPM_BUILD_ROOT/%{_lib}/libNoVersion* @@ -1170,6 +1172,10 @@ fi %doc hesiod/README.hesiod %changelog +* Fri Jun 18 2021 Qingqing Li - 2.33-4 +- fix CVE-2021-33574(bug 27896) + https://sourceware.org/bugzilla/show_bug.cgi?id=27896 + * Tue Apr 27 2021 xuhuijie - 2.33-3 - Fix locales BEP inconsistence, use python to replace same file to hard link
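Review bot: The context line in the embedded helper_thread hunk reads `(void) __pthread_barrier_wait (¬ify_barrier);`, where the upstream source has `&notify_barrier`; this looks like an `&not` entity collapsed during rendering, but if the stored patch file really contains `¬ify_barrier` the hunk will not apply and the file on disk should be checked. Separately, this backport leaves the `__pthread_attr_copy` return value unchecked and makes the syscall-failure cleanup call `pthread_attr_destroy` on a `data.attr` that is NULL for non-SIGEV_THREAD notifications; both are repaired only by the companion patch in this same change, so Patch6002 must stay ordered after Patch6001 in the spec and the two should not be split across builds. helper_thread and mq_notify each start before and end after their hunks.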
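Review bot: The correction of `$PRM_BUILD_ROOT` to `$RPM_BUILD_ROOT` in the %install hunk (`@@ -486,7 +488,7 @@`) is a silent behavior change that is security-relevant and not recorded anywhere: with the misspelled variable presumably unset, the hard-link script was being run against the build host's own `/usr/lib/locale` rather than the buildroot, so the 2.33-3 package was never deduplicated and the host tree may have been touched. The `%changelog` entry in the last hunk only mentions CVE-2021-33574, so a second bullet such as `- fix $PRM_BUILD_ROOT typo so the locale hard-link script runs on the buildroot` should be added. To make a future typo fail the build instead of silently operating on the host, the call could also be written as `python3 %{SOURCE7} "${RPM_BUILD_ROOT:?}/usr/lib/locale"`.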