From 1e8491e670522b7bee31785080afb13ca36b41bd Mon Sep 17 00:00:00 2001
From: lvying6
Date: Tue, 29 Nov 2022 17:34:08 +0800
Subject: [PATCH] elf: Fix alloca size in _dl_debug_vdprintf
Signed-off-by: lvying6
(cherry picked from commit 9b2f121d729ab002d75baa22a57b031e1fd0fdbf)
---
 ...ix-alloca-size-in-_dl_debug_vdprintf.patch | 43 +++++++++++++++++++
 glibc.spec | 6 ++-
 2 files changed, 48 insertions(+), 1 deletion(-)
 create mode 100644 backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
diff --git a/backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch b/backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
new file mode 100644
index 0000000..9f80a9a
--- /dev/null
+++ b/backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
@@ -0,0 +1,43 @@
+From 442387b8712c2b6ba92689d4702aa2c9899527d0 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy
+Date: Tue, 11 Oct 2022 14:22:35 +0100
+Subject: [PATCH] elf: Fix alloca size in _dl_debug_vdprintf
+
+Reference: https://sourceware.org/git/?p=glibc.git;a=commit;h=eef17d4d9fcd38c5cbb9bc9515ba72d1773b67a2
+Conflict: _dl_debug_vdprintf is in elf/dl-misc.c, update here
+
+The alloca size did not consider the optional width parameter for
+padding which could cause buffer underflow. The width is currently used
+e.g. by _dl_map_object_from_fd which passes 2 * sizeof(void *) which
+can be larger than the alloca buffer size on targets where
+sizeof(void *) >= 2 * sizeof(unsigned long).
+
+Even if large width is not used on existing targets it is better to fix
+the formatting code to avoid surprises.
+
+Reviewed-by: Florian Weimer
+---
+ elf/dl-misc.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+diff --git a/elf/dl-misc.c b/elf/dl-misc.c
+index b256d792..a11d11d5 100644
+--- a/elf/dl-misc.c
++++ b/elf/dl-misc.c
+@@ -206,8 +206,11 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ /* We use alloca() to allocate the buffer with the most
+ pessimistic guess for the size. Using alloca() allows
+ having more than one integer formatting in a call. */
+- char *buf = (char *) alloca (1 + 3 * sizeof (unsigned long int));
+- char *endp = &buf[1 + 3 * sizeof (unsigned long int)];
++ int size = 1 + 3 * sizeof (unsigned long int);
++ if (width + 1 > size)
++ size = width + 1;
++ char *buf = (char *) alloca (size);
++ char *endp = &buf[size];
+ char *cp = _itoa (num, endp, *fmt == 'x' ? 16 : 10, 0);
+
+ /* Pad to the width the user specified. */
+--
+2.38.1
+
diff --git a/glibc.spec b/glibc.spec
index cc2a1a5..6a27841 100644
--- a/glibc.spec
+++ b/glibc.spec
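Review bot: The new `size` computation in the inner dl-misc.c hunk gives no reason for the `width + 1` bound, so a reader cannot tell whether the extra byte is demanded by the padding loop or is just slack, and the silent narrowing of the `sizeof`-based value into `int` also goes unremarked; I would put a comment above `int size = 1 + 3 * sizeof (unsigned long int);`, e.g. `/* Worst-case digit string (3 digits per byte, plus one), or the requested padding width plus one, whichever is larger.  */`. The parsing of `width` and the padding loop that consumes it are outside the hunk, so the assumption that `width` is -1 or a small non-negative value supplied only by ld.so-internal format strings is taken from the commit message rather than from visible code and should be checked against the function body before such a comment is adopted. The comparison `width + 1 > size` is done in `int`, which only matters if a caller ever passed a width near `INT_MAX`; since this is a faithful backport of the upstream change I would not diverge from it for that theoretical case, but the comment could say so explicitly. The enclosing `_dl_debug_vdprintf` starts and ends outside the hunk.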
@@ -66,7 +66,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.34
-Release: 100
+Release: 101
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
@@ -238,6 +238,7 @@
 Patch150: socket-Fix-mistyped-define-statement-in-socket-sys-s.patch
 Patch151: elf-Call-__libc_early_init-for-reused-namespaces-bug.patch
 Patch152: dlfcn-Pass-caller-pointer-to-static-dlopen-implement.patch
 Patch153: elf-Fix-hwcaps-string-size-overestimation.patch
+Patch154: backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch
@@ -1419,6 +1420,9 @@
 fi
 %endif
 %changelog
+* Tue Nov 29 2022 Lv Ying - 2.34-101
+- elf: Fix alloca size in _dl_debug_vdprintf
+
 * Sat Oct 22 2022 xujing - 2.34-100
 - elf: Fix hwcaps string size overestimation
--
Gitee