From 1b592645f60067e65eb6bed09fefc0fb827eaa08 Mon Sep 17 00:00:00 2001 From: Lv Ying Date: Thu, 27 Jan 2022 18:14:47 -0800 Subject: [PATCH] fix CVE-2019-1010023 Signed-off-by: Lv Ying --- fix-CVE-2019-1010023.patch | 66 ++++++++++++++++++++++++++++++++++++++ glibc.spec | 6 +++- 2 files changed, 71 insertions(+), 1 deletion(-) create mode 100644 fix-CVE-2019-1010023.patch diff --git a/fix-CVE-2019-1010023.patch b/fix-CVE-2019-1010023.patch new file mode 100644 index 0000000..efa322e --- /dev/null +++ b/fix-CVE-2019-1010023.patch @@ -0,0 +1,66 @@ +From fe1ffef2eec9c6634a1e9af951eb68f0f5614470 Mon Sep 17 00:00:00 2001 +From: xujing +Date: Thu, 2 Dec 2021 11:41:46 +0800 +Subject: [PATCH] glibc: fix CVE-2019-1010023 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +| PT_LOAD +| +| […] Loadable segment entries in the program header table appear in +| ascending order, sorted on the p_vaddr member. + +http://www.sco.com/developers/gabi/latest/ch5.pheader.html + +Some check needed to fix vulnerability in load commands mapping reported by + +https://sourceware.org/bugzilla/show_bug.cgi?id=22851 + +Signed-off-by: lvying +Signed-off-by: xujing +--- + elf/dl-map-segments.h | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h +index 084076a2..a41ae73b 100644 +--- a/elf/dl-map-segments.h ++++ b/elf/dl-map-segments.h +@@ -33,6 +33,7 @@ _dl_map_segments (struct link_map *l, int fd, + struct link_map *loader) + { + const struct loadcmd *c = loadcmds; ++ ElfW(Addr) l_map_end_aligned; + + if (__glibc_likely (type == ET_DYN)) + { +@@ -61,6 +62,8 @@ _dl_map_segments (struct link_map *l, int fd, + return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT; + + l->l_map_end = l->l_map_start + maplength; ++ l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1) ++ & ~(GLRO(dl_pagesize) - 1)); + l->l_addr = l->l_map_start - c->mapstart; + + if (has_holes) +@@ -85,10 +88,16 @@ _dl_map_segments (struct link_map *l, int fd, + /* Remember which part of the address space this object uses. */ + l->l_map_start = c->mapstart + l->l_addr; + l->l_map_end = l->l_map_start + maplength; ++ l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1) ++ & ~(GLRO(dl_pagesize) - 1)); + l->l_contiguous = !has_holes; + + while (c < &loadcmds[nloadcmds]) + { ++ if ((l->l_addr + c->mapend) > l_map_end_aligned || ++ (l->l_addr + c->mapstart) < l->l_map_start) ++ return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT; ++ + if (c->mapend > c->mapstart + /* Map the segment contents from the file. */ + && (__mmap ((void *) (l->l_addr + c->mapstart), +-- +2.23.0 + diff --git a/glibc.spec b/glibc.spec index eb533f7..94a258b 100644 --- a/glibc.spec +++ b/glibc.spec @@ -66,7 +66,7 @@ ############################################################################## Name: glibc Version: 2.34 -Release: 47 +Release: 48 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -174,6 +174,7 @@ Patch86: Linux-Detect-user-namespace-support-in-io-tst-getcwd.patch Patch87: Disable-debuginfod-in-printer-tests-BZ-28757.patch Patch88: i386-Remove-broken-CAN_USE_REGISTER_ASM_EBP-bug-2877.patch Patch89: x86-use-default-cache-size-if-it-cannot-be-determine.patch +Patch90: fix-CVE-2019-1010023.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -1377,6 +1378,9 @@ fi %endif %changelog +* Fri Jan 28 2022 Lv Ying - 2.34-48 +- fix CVE-2019-1010023 + * Tue Jan 25 2022 Chuang Fang - 2.34-47 - Disable debuginfod in printer tests [BZ #28757] - i386: Remove broken CAN_USE_REGISTER_ASM_EBP (bug 28771) -- Gitee