diff --git a/Linux-Fix-fcntl-ioctl-prctl-redirects-for-_TIME_BITS.patch b/Linux-Fix-fcntl-ioctl-prctl-redirects-for-_TIME_BITS.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b33981de0a23215e05069e5251e4d5a825799c83
--- /dev/null
+++ b/Linux-Fix-fcntl-ioctl-prctl-redirects-for-_TIME_BITS.patch
@@ -0,0 +1,72 @@
+From c87fcacc50505d550f1bb038382bcc7ea73a5926 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Fri, 6 Aug 2021 09:51:38 +0200
+Subject: [PATCH] Linux: Fix fcntl, ioctl, prctl redirects for _TIME_BITS=64
+ (bug 28182)
+
+__REDIRECT and __THROW are not compatible with C++ due to the ordering of the
+__asm__ alias and the throw specifier. __REDIRECT_NTH has to be used
+instead.
+
+Fixes commit 8a40aff86ba5f64a3a84883e539cb67b ("io: Add time64 alias
+for fcntl"), commit 82c395d91ea4f69120d453aeec398e30 ("misc: Add
+time64 alias for ioctl"), commit b39ffab860cd743a82c91946619f1b8158
+("Linux: Add time64 alias for prctl").
+
+Reviewed-by: Carlos O'Donell
+---
+ io/fcntl.h | 8 ++++----
+ misc/sys/ioctl.h | 4 ++--
+ sysdeps/unix/sysv/linux/sys/prctl.h | 2 +-
+ 3 files changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/io/fcntl.h b/io/fcntl.h
+index 8917a73..1c96f98 100644
+--- a/io/fcntl.h
++++ b/io/fcntl.h
+@@ -187,10 +187,10 @@ extern int fcntl64 (int __fd, int __cmd, ...);
+ # endif
+ #else /* __USE_TIME_BITS64 */
+ # ifdef __REDIRECT
+-extern int __REDIRECT (fcntl, (int __fd, int __request, ...),
+- __fcntl_time64) __THROW;
+-extern int __REDIRECT (fcntl64, (int __fd, int __request, ...),
+- __fcntl_time64) __THROW;
++extern int __REDIRECT_NTH (fcntl, (int __fd, int __request, ...),
++ __fcntl_time64);
++extern int __REDIRECT_NTH (fcntl64, (int __fd, int __request, ...),
++ __fcntl_time64);
+ # else
+ extern int __fcntl_time64 (int __fd, int __request, ...) __THROW;
+ # define fcntl64 __fcntl_time64
+diff --git a/misc/sys/ioctl.h b/misc/sys/ioctl.h
+index 6884d99..9945c1e 100644
+--- a/misc/sys/ioctl.h
++++ b/misc/sys/ioctl.h
+@@ -42,8 +42,8 @@ __BEGIN_DECLS
+ extern int ioctl (int __fd, unsigned long int __request, ...) __THROW;
+ #else
+ # ifdef __REDIRECT
+-extern int __REDIRECT (ioctl, (int __fd, unsigned long int __request, ...),
+- __ioctl_time64) __THROW;
++extern int __REDIRECT_NTH (ioctl, (int __fd, unsigned long int __request, ...),
++ __ioctl_time64);
+ # else
+ extern int __ioctl_time64 (int __fd, unsigned long int __request, ...) __THROW;
+ # define ioctl __ioctl_time64
+diff --git a/sysdeps/unix/sysv/linux/sys/prctl.h b/sysdeps/unix/sysv/linux/sys/prctl.h
+index db88938..f0e0d2f 100644
+--- a/sysdeps/unix/sysv/linux/sys/prctl.h
++++ b/sysdeps/unix/sysv/linux/sys/prctl.h
+@@ -42,7 +42,7 @@ __BEGIN_DECLS
+ extern int prctl (int __option, ...) __THROW;
+ #else
+ # ifdef __REDIRECT
+-extern int __REDIRECT (prctl, (int __option, ...), __prctl_time64) __THROW;
++extern int __REDIRECT_NTH (prctl, (int __option, ...), __prctl_time64);
+ # else
+ extern int __prctl_time64 (int __option,d ...) __THROW;
+ # define ioctl __prctl_time64
+--
+1.8.3.1
+
diff --git a/copy_and_spawn_sgid-Avoid-double-calls-to-close.patch b/copy_and_spawn_sgid-Avoid-double-calls-to-close.patch
new file mode 100644
index 0000000000000000000000000000000000000000..0f4799037f3950a526eb0e7357c75c5f4c6bbb7b
--- /dev/null
+++ b/copy_and_spawn_sgid-Avoid-double-calls-to-close.patch
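Review bot: The non-`__REDIRECT` fallback shown as context in the sys/prctl.h hunk is still broken after this backport: the prototype reads `(int __option,d ...)` with a stray `d`, and the macro defines `ioctl` rather than `prctl`. A compiler without `__REDIRECT` would fail to parse the declaration, and any translation unit including this header would have `ioctl` rewritten to `__prctl_time64`. The lines should read `extern int __prctl_time64 (int __option, ...) __THROW;` and `# define prctl __prctl_time64`. Because they are context lines here, the correction needs its own backported patch rather than an edit to this one.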
@@ -0,0 +1,28 @@
+From 45caed9d67a00af917d8b5b88d4b5eb1225b7aef Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 3 Aug 2021 21:10:53 +0530
+Subject: [PATCH] copy_and_spawn_sgid: Avoid double calls to close()
+
+If close() on infd and outfd succeeded, reset the fd numbers so that
+we don't attempt to close them again.
+
+Reviewed-by: Arjun Shankar
+---
+ support/support_capture_subprocess.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/support/support_capture_subprocess.c b/support/support_capture_subprocess.c
+index 27bfd19..0bacf6d 100644
+--- a/support/support_capture_subprocess.c
++++ b/support/support_capture_subprocess.c
+@@ -170,6 +170,7 @@ copy_and_spawn_sgid (char *child_id, gid_t gid)
+ support_subprogram because we only want the program exit status, not the
+ contents. */
+ ret = 0;
++ infd = outfd = -1;
+
+ char * const args[] = {execname, child_id, NULL};
+
+--
+1.8.3.1
+
diff --git a/gaiconf_init-Avoid-double-free-in-label-and-preceden.patch b/gaiconf_init-Avoid-double-free-in-label-and-preceden.patch
new file mode 100644
index 0000000000000000000000000000000000000000..7ebc183cfe5c2c5e11ca8a8db56c61cab02ede10
--- /dev/null
+++ b/gaiconf_init-Avoid-double-free-in-label-and-preceden.patch
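Review bot: Resetting both descriptors in one statement after `ret = 0;` only covers the path where both close() calls succeeded. If the first close() succeeds and the second fails, the error path would presumably still treat the already-closed descriptor as open and close it again. The close() calls and the cleanup code are outside the hunk, so this is inferred from the commit message. Setting each variable to -1 directly after its own successful close(), for example `outfd = -1;` right after the close of outfd, would remove the window in which a descriptor number that may since have been reused gets closed a second time.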
@@ -0,0 +1,36 @@
+From 77a34079d8f3d63b61543bf3af93043f8674e4c4 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 3 Aug 2021 21:11:03 +0530
+Subject: [PATCH] gaiconf_init: Avoid double-free in label and precedence lists
+
+labellist and precedencelist could get freed a second time if there
+are allocation failures, so set them to NULL to avoid a double-free.
+
+Reviewed-by: Arjun Shankar
+---
+ sysdeps/posix/getaddrinfo.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
+index 838a68f..43dfc67 100644
+--- a/sysdeps/posix/getaddrinfo.c
++++ b/sysdeps/posix/getaddrinfo.c
+@@ -2008,6 +2008,7 @@ gaiconf_init (void)
+ l = l->next;
+ }
+ free_prefixlist (labellist);
++ labellist = NULL;
+
+ /* Sort the entries so that the most specific ones are at
+ the beginning. */
+@@ -2046,6 +2047,7 @@ gaiconf_init (void)
+ l = l->next;
+ }
+ free_prefixlist (precedencelist);
++ precedencelist = NULL;
+
+ /* Sort the entries so that the most specific ones are at
+ the beginning. */
+--
+1.8.3.1
+
diff --git a/gconv_parseconfdir-Fix-memory-leak.patch b/gconv_parseconfdir-Fix-memory-leak.patch
new file mode 100644
index 0000000000000000000000000000000000000000..de306cccbb58dc9dab731c59c05d4337266708fb
--- /dev/null
+++ b/gconv_parseconfdir-Fix-memory-leak.patch
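Review bot: The two added assignments are not self-explanatory where they sit, because the second free they guard against is outside both hunks. A short comment above `labellist = NULL;` and `precedencelist = NULL;`, such as `/* The list nodes are gone; clear the pointer so the allocation-failure cleanup does not free them again.  */`, would keep a later cleanup pass from deleting them as redundant. gaiconf_init's body starts and ends outside the hunks.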
@@ -0,0 +1,37 @@
+From 5f9b78fe35d08739b6da1e5b356786d41116c108 Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 3 Aug 2021 21:10:20 +0530
+Subject: [PATCH] gconv_parseconfdir: Fix memory leak
+
+The allocated `conf` would leak if we have to skip over the file due
+to the underlying filesystem not supporting dt_type.
+
+Reviewed-by: Arjun Shankar
+---
+ iconv/gconv_parseconfdir.h | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+diff --git a/iconv/gconv_parseconfdir.h b/iconv/gconv_parseconfdir.h
+index a4153e5..2f06268 100644
+--- a/iconv/gconv_parseconfdir.h
++++ b/iconv/gconv_parseconfdir.h
+@@ -153,12 +153,11 @@ gconv_parseconfdir (const char *dir, size_t dir_len)
+ struct stat64 st;
+ if (asprintf (&conf, "%s/%s", buf, ent->d_name) < 0)
+ continue;
+- if (ent->d_type == DT_UNKNOWN
+- && (lstat64 (conf, &st) == -1
+- || !S_ISREG (st.st_mode)))
+- continue;
+
+- found |= read_conf_file (conf, dir, dir_len);
++ if (ent->d_type != DT_UNKNOWN
++ || (lstat64 (conf, &st) != -1 && S_ISREG (st.st_mode)))
++ found |= read_conf_file (conf, dir, dir_len);
++
+ free (conf);
+ }
+ }
+--
+1.8.3.1
+
diff --git a/gethosts-Remove-unused-argument-_type.patch b/gethosts-Remove-unused-argument-_type.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1fb60e7c2db97c282a8ae87745083d32c72eebc0
--- /dev/null
+++ b/gethosts-Remove-unused-argument-_type.patch
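Review bot: The rewritten condition passes every entry whose `d_type` is known to read_conf_file, not only regular files, because the lstat64/S_ISREG check runs only for `DT_UNKNOWN`. That matches the removed code, so whether directories or symlinks are excluded depends on a `d_type` filter earlier in the loop, which is outside the hunk. If no such filter exists, the first operand should be `ent->d_type == DT_REG`. Otherwise a one-line comment stating that non-regular known types were already skipped would make the condition safe to read in isolation.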
@@ -0,0 +1,44 @@ +From b17e842a60819098d2a203ecc8b8371b7e1d6c65 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Wed, 4 Aug 2021 02:21:01 +0530 +Subject: [PATCH] gethosts: Remove unused argument _type + +The generated code is unchanged. +--- + sysdeps/posix/getaddrinfo.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 43dfc67..9f1cde2 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -239,7 +239,7 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, + return true; + } + +-#define gethosts(_family, _type) \ ++#define gethosts(_family) \ + { \ + struct hostent th; \ + char *localcanon = NULL; \ +@@ -829,7 +829,7 @@ gaih_inet (const char *name, const struct gaih_service *service, + if (req->ai_family == AF_INET6 + || req->ai_family == AF_UNSPEC) + { +- gethosts (AF_INET6, struct in6_addr); ++ gethosts (AF_INET6); + no_inet6_data = no_data; + inet6_status = status; + } +@@ -841,7 +841,7 @@ gaih_inet (const char *name, const struct gaih_service *service, + know we are not going to need them. */ + && ((req->ai_flags & AI_ALL) || !got_ipv6))) + { +- gethosts (AF_INET, struct in_addr); ++ gethosts (AF_INET); + + if (req->ai_family == AF_INET) + { +-- +1.8.3.1 + diff --git a/glibc.spec b/glibc.spec index 61dc9419329872c5a40144b35c130871df00e234..a4158e576bf4a637a2b23f2471689ca4ebc4b7a8 100644 --- a/glibc.spec +++ b/glibc.spec @@ -63,7 +63,7 @@ ############################################################################## Name: glibc Version: 2.34 -Release: 3 +Release: 4 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ 
@@ -81,6 +81,15 @@ Patch0: glibc-1070416.patch Patch1: glibc-c-utf8-locale.patch Patch2: backport-CVE-2021-38604-0001-librt-add-test-bug-28213.patch Patch3: backport-CVE-2021-38604-0002-librt-fix-NULL-pointer-dereference-bug-28213.patch +Patch4: copy_and_spawn_sgid-Avoid-double-calls-to-close.patch +Patch5: gaiconf_init-Avoid-double-free-in-label-and-preceden.patch +Patch6: gconv_parseconfdir-Fix-memory-leak.patch +Patch7: gethosts-Remove-unused-argument-_type.patch +Patch8: iconv_charmap-Close-output-file-when-done.patch +Patch9: ldconfig-avoid-leak-on-empty-paths-in-config-file.patch +Patch10: Linux-Fix-fcntl-ioctl-prctl-redirects-for-_TIME_BITS.patch +Patch11: nis-Fix-leak-on-realloc-failure-in-nis_getnames-BZ-2.patch +Patch12: rt-Set-the-correct-message-queue-for-tst-mqueue10.patch #Patch9000: turn-REP_STOSB_THRESHOLD-from-2k-to-1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -1172,6 +1181,9 @@ fi %doc hesiod/README.hesiod %changelog +* Fri Sep 17 2021 Qingqing Li - 2.34-4 +- backport upstream patches to fix some memory leak and double free bugs + * Tue Sep 14 2021 Yang Yanchao - 2.34-3 - add --enable-static-pie in aarch64 diff --git a/iconv_charmap-Close-output-file-when-done.patch b/iconv_charmap-Close-output-file-when-done.patch new file mode 100644 index 0000000000000000000000000000000000000000..a96692223ccbd7427bc30fa3dcde6250e7b43fc8 --- /dev/null +++ b/iconv_charmap-Close-output-file-when-done.patch 
@@ -0,0 +1,26 @@
+From 1e0e6d656db9dfa12ef7eb67976385d3deb0d4ff Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 3 Aug 2021 21:10:29 +0530
+Subject: [PATCH] iconv_charmap: Close output file when done
+
+Reviewed-by: Arjun Shankar
+---
+ iconv/iconv_charmap.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/iconv/iconv_charmap.c b/iconv/iconv_charmap.c
+index e2d53fe..a8b6b56 100644
+--- a/iconv/iconv_charmap.c
++++ b/iconv/iconv_charmap.c
+@@ -234,6 +234,8 @@ charmap_conversion (const char *from_code, struct charmap_t *from_charmap,
+ while (++remaining < argc);
+
+ /* All done. */
++ if (output != stdout)
++ fclose (output);
+ free_table (cvtbl);
+ return status;
+ }
+--
+1.8.3.1
+
diff --git a/ldconfig-avoid-leak-on-empty-paths-in-config-file.patch b/ldconfig-avoid-leak-on-empty-paths-in-config-file.patch
new file mode 100644
index 0000000000000000000000000000000000000000..c415a470f20ad525d8eaf44e8025ef1804d888ad
--- /dev/null
+++ b/ldconfig-avoid-leak-on-empty-paths-in-config-file.patch
@@ -0,0 +1,30 @@
+From b0234d79e7d82475d1666f25326ec045c045b3ed Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar
+Date: Tue, 3 Aug 2021 21:10:10 +0530
+Subject: [PATCH] ldconfig: avoid leak on empty paths in config file
+
+Reviewed-by: Arjun Shankar
+---
+ elf/ldconfig.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/elf/ldconfig.c b/elf/ldconfig.c
+index 1037e8d..b889363 100644
+--- a/elf/ldconfig.c
++++ b/elf/ldconfig.c
+@@ -503,7 +503,11 @@ add_dir_1 (const char *line, const char *from_file, int from_line)
+ entry->path[--i] = '\0';
+
+ if (i == 0)
+- return;
++ {
++ free (entry->path);
++ free (entry);
++ return;
++ }
+
+ char *path = entry->path;
+ if (opt_chroot != NULL)
+--
+1.8.3.1
+
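Review bot: The return value of the added `fclose (output)` in the iconv_charmap.c hunk is discarded, so a write error that only surfaces when buffered data is flushed leaves `status` unchanged and the conversion reports success with a truncated output file. Folding the check into the condition, e.g. `if (output != stdout && fclose (output) != 0) status = EXIT_FAILURE;`, would surface it. This assumes `status` carries the exit code, as `return status;` suggests. charmap_conversion starts outside the hunk.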
diff --git a/nis-Fix-leak-on-realloc-failure-in-nis_getnames-BZ-2.patch b/nis-Fix-leak-on-realloc-failure-in-nis_getnames-BZ-2.patch
new file mode 100644
index 0000000000000000000000000000000000000000..b72b47476112e7583629e61aeada649eadf423d2
--- /dev/null
+++ b/nis-Fix-leak-on-realloc-failure-in-nis_getnames-BZ-2.patch
@@ -0,0 +1,46 @@
+From 60698263122b7c54ded3f70a466176e17a529480 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood
+Date: Wed, 28 Jul 2021 14:23:32 -0400
+Subject: [PATCH] nis: Fix leak on realloc failure in nis_getnames [BZ #28150]
+
+If pos >= count but realloc fails, tmp will not have been placed in
+getnames[pos] yet, and so will not be freed in free_null. Detected
+by Coverity.
+
+Also remove misleading comment from nis_getnames(), since it actually
+did properly release getnames when out of memory.
+
+Tested-by: Carlos O'Donell
+---
+ nis/nis_subr.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+diff --git a/nis/nis_subr.c b/nis/nis_subr.c
+index dd0e300..6784fc3 100644
+--- a/nis/nis_subr.c
++++ b/nis/nis_subr.c
+@@ -103,9 +103,6 @@ count_dots (const_nis_name str)
+ return count;
+ }
+
+-/* If we run out of memory, we don't give already allocated memory
+- free. The overhead for bringing getnames back in a safe state to
+- free it is to big. */
+ nis_name *
+ nis_getnames (const_nis_name name)
+ {
+@@ -271,7 +268,10 @@ nis_getnames (const_nis_name name)
+ nis_name *newp = realloc (getnames,
+ (count + 1) * sizeof (char *));
+ if (__glibc_unlikely (newp == NULL))
+- goto free_null;
++ {
++ free (tmp);
++ goto free_null;
++ }
+ getnames = newp;
+ }
+ getnames[pos] = tmp;
+--
+1.8.3.1
+
diff --git a/rt-Set-the-correct-message-queue-for-tst-mqueue10.patch b/rt-Set-the-correct-message-queue-for-tst-mqueue10.patch
new file mode 100644
index 0000000000000000000000000000000000000000..700045ab8e3b9fc9e48bdae7197fc34394659656
--- /dev/null
+++ b/rt-Set-the-correct-message-queue-for-tst-mqueue10.patch
@@ -0,0 +1,35 @@
+From 3d9a539ee66165148b2b9e08b46e03a5f58f65d2 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Wed, 4 Aug 2021 17:14:46 -0300
+Subject: [PATCH] rt: Set the correct message queue for tst-mqueue10
+
+Checked on x86_64-linux-gnu.
+---
+ rt/tst-mqueue10.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/rt/tst-mqueue10.c b/rt/tst-mqueue10.c
+index 1879580..0bf64d7 100644
+--- a/rt/tst-mqueue10.c
++++ b/rt/tst-mqueue10.c
+@@ -25,7 +25,7 @@
+ #include
+ #include
+
+-static char name[sizeof "/tst-mqueue2-" + INT_BUFSIZE_BOUND (pid_t)];
++static char name[sizeof "/tst-mqueue10-" + INT_BUFSIZE_BOUND (pid_t)];
+
+ static void
+ do_cleanup (void)
+@@ -37,7 +37,7 @@ do_cleanup (void)
+ static int
+ do_test (void)
+ {
+- snprintf (name, sizeof (name), "/tst-mqueue2-%u", getpid ());
++ snprintf (name, sizeof (name), "/tst-mqueue10-%u", getpid ());
+
+ char msg[8] = { 0x55 };
+
+--
+1.8.3.1
+