From bfe457207597a1eb3b46998e5be901c16d4a541b Mon Sep 17 00:00:00 2001 From: liqingqing_1229 Date: Wed, 3 Jan 2024 09:34:16 +0800 Subject: [PATCH] backport patches from glibc upstream 2.38 branch --- ...-Delete-excessively-allocated-memory.patch | 109 +++++++++ ...ug-fixes-for-29039-30694-30709-30721.patch | 27 +++ NEWS-Mention-bug-fixes-for-30745-30843.patch | 30 +++ ...d-TLS-modid-reuse-test-for-bug-29039.patch | 210 ++++++++++++++++++ ...d-reuse-generation-assignment-BZ-290.patch | 53 +++++ ...slate-ENOMEM-to-EAI_MEMORY-bug-31163.patch | 36 +++ glibc.spec | 14 +- ...ining-buffer-size-in-_IO_wdo_write-b.patch | 48 ++++ ...-the-dtv-field-load-for-x32-BZ-31184.patch | 68 ++++++ ...-the-tcb-field-load-for-x32-BZ-31185.patch | 69 ++++++ 10 files changed, 663 insertions(+), 1 deletion(-) create mode 100644 LoongArch-Delete-excessively-allocated-memory.patch create mode 100644 NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch create mode 100644 NEWS-Mention-bug-fixes-for-30745-30843.patch create mode 100644 elf-Add-TLS-modid-reuse-test-for-bug-29039.patch create mode 100644 elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch create mode 100644 getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch create mode 100644 libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch create mode 100644 x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch create mode 100644 x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch diff --git a/LoongArch-Delete-excessively-allocated-memory.patch b/LoongArch-Delete-excessively-allocated-memory.patch new file mode 100644 index 0000000..f7d36a6 --- /dev/null +++ b/LoongArch-Delete-excessively-allocated-memory.patch @@ -0,0 +1,109 @@ +From 44f757a6364a546359809d48c76b3debd26e77d4 Mon Sep 17 00:00:00 2001 +From: caiyinyu +Date: Thu, 26 Oct 2023 17:27:21 +0800 +Subject: [PATCH 1/9] LoongArch: Delete excessively allocated memory. + +Backported from glibc 2.39 development. +--- + sysdeps/loongarch/dl-trampoline.h | 68 +++++++++++++++---------------- + 1 file changed, 34 insertions(+), 34 deletions(-) + +diff --git a/sysdeps/loongarch/dl-trampoline.h b/sysdeps/loongarch/dl-trampoline.h +index 02375286f8..99fcacab76 100644 +--- a/sysdeps/loongarch/dl-trampoline.h ++++ b/sysdeps/loongarch/dl-trampoline.h +@@ -19,9 +19,9 @@ + /* Assembler veneer called from the PLT header code for lazy loading. + The PLT header passes its own args in t0-t2. */ + #ifdef USE_LASX +-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZXREG) & ALMASK)) ++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZXREG) & ALMASK)) + #elif defined USE_LSX +-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZVREG) & ALMASK)) ++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZVREG) & ALMASK)) + #elif !defined __loongarch_soft_float + # define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG) & ALMASK)) + #else +@@ -44,23 +44,23 @@ ENTRY (_dl_runtime_resolve) + REG_S a7, sp, 8*SZREG + + #ifdef USE_LASX +- xvst xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG +- xvst xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG +- xvst xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG +- xvst xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG +- xvst xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG +- xvst xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG +- xvst xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG +- xvst xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG ++ xvst xr0, sp, 9*SZREG + 0*SZXREG ++ xvst xr1, sp, 9*SZREG + 1*SZXREG ++ xvst xr2, sp, 9*SZREG + 2*SZXREG ++ xvst xr3, sp, 9*SZREG + 3*SZXREG ++ xvst xr4, sp, 9*SZREG + 4*SZXREG ++ xvst xr5, sp, 9*SZREG + 5*SZXREG ++ xvst xr6, sp, 9*SZREG + 6*SZXREG ++ xvst xr7, sp, 9*SZREG + 7*SZXREG + #elif defined USE_LSX +- vst vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG +- vst vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG +- vst vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG +- vst vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG +- vst vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG +- vst vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG +- vst vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG +- vst vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG ++ vst vr0, sp, 9*SZREG + 0*SZVREG ++ vst vr1, sp, 9*SZREG + 1*SZVREG ++ vst vr2, sp, 9*SZREG + 2*SZVREG ++ vst vr3, sp, 9*SZREG + 3*SZVREG ++ vst vr4, sp, 9*SZREG + 4*SZVREG ++ vst vr5, sp, 9*SZREG + 5*SZVREG ++ vst vr6, sp, 9*SZREG + 6*SZVREG ++ vst vr7, sp, 9*SZREG + 7*SZVREG + #elif !defined __loongarch_soft_float + FREG_S fa0, sp, 9*SZREG + 0*SZFREG + FREG_S fa1, sp, 9*SZREG + 1*SZFREG +@@ -92,23 +92,23 @@ ENTRY (_dl_runtime_resolve) + REG_L a7, sp, 8*SZREG + + #ifdef USE_LASX +- xvld xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG +- xvld xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG +- xvld xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG +- xvld xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG +- xvld xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG +- xvld xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG +- xvld xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG +- xvld xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG ++ xvld xr0, sp, 9*SZREG + 0*SZXREG ++ xvld xr1, sp, 9*SZREG + 1*SZXREG ++ xvld xr2, sp, 9*SZREG + 2*SZXREG ++ xvld xr3, sp, 9*SZREG + 3*SZXREG ++ xvld xr4, sp, 9*SZREG + 4*SZXREG ++ xvld xr5, sp, 9*SZREG + 5*SZXREG ++ xvld xr6, sp, 9*SZREG + 6*SZXREG ++ xvld xr7, sp, 9*SZREG + 7*SZXREG + #elif defined USE_LSX +- vld vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG +- vld vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG +- vld vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG +- vld vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG +- vld vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG +- vld vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG +- vld vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG +- vld vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG ++ vld vr0, sp, 9*SZREG + 0*SZVREG ++ vld vr1, sp, 9*SZREG + 1*SZVREG ++ vld vr2, sp, 9*SZREG + 2*SZVREG ++ vld vr3, sp, 9*SZREG + 3*SZVREG ++ vld vr4, sp, 9*SZREG + 4*SZVREG ++ vld vr5, sp, 9*SZREG + 5*SZVREG ++ vld vr6, sp, 9*SZREG + 6*SZVREG ++ vld vr7, sp, 9*SZREG + 7*SZVREG + #elif !defined __loongarch_soft_float + FREG_L fa0, sp, 9*SZREG + 0*SZFREG + FREG_L fa1, sp, 9*SZREG + 1*SZFREG +-- +2.33.0 + diff --git a/NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch b/NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch new file mode 100644 index 0000000..3c6ba52 --- /dev/null +++ b/NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch @@ -0,0 +1,27 @@ +From d25e2c8d5cb0778ae87ad43b1f4c301abe5a932b Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Sat, 23 Dec 2023 06:24:41 -0800 +Subject: [PATCH 6/9] NEWS: Mention bug fixes for 29039/30694/30709/30721 + +--- + NEWS | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/NEWS b/NEWS +index 6fbb8a9e1d..db4d6c8373 100644 +--- a/NEWS ++++ b/NEWS +@@ -31,6 +31,10 @@ Security related changes: + + The following bugs are resolved with this release: + ++ [29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS ++ [30694] The iconv program no longer tells the user which given encoding name was wrong ++ [30709] nscd fails to build with cleanup handler if built with -fexceptions ++ [30721] x86_64: Fix build with --disable-multiarch + [30723] posix_memalign repeatedly scans long bin lists + [30789] sem_open will fail on multithreaded scenarios when semaphore + file doesn't exist (O_CREAT) +-- +2.33.0 + diff --git a/NEWS-Mention-bug-fixes-for-30745-30843.patch b/NEWS-Mention-bug-fixes-for-30745-30843.patch new file mode 100644 index 0000000..4148758 --- /dev/null +++ b/NEWS-Mention-bug-fixes-for-30745-30843.patch @@ -0,0 +1,30 @@ +From 27339a3eb8f987eebae72b854af80256c1588ebd Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Sat, 23 Dec 2023 06:27:50 -0800 +Subject: [PATCH 7/9] NEWS: Mention bug fixes for 30745/30843 + +--- + NEWS | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/NEWS b/NEWS +index db4d6c8373..905230b838 100644 +--- a/NEWS ++++ b/NEWS +@@ -36,11 +36,13 @@ The following bugs are resolved with this release: + [30709] nscd fails to build with cleanup handler if built with -fexceptions + [30721] x86_64: Fix build with --disable-multiarch + [30723] posix_memalign repeatedly scans long bin lists ++ [30745] Slight bug in cache info codes for x86 + [30789] sem_open will fail on multithreaded scenarios when semaphore + file doesn't exist (O_CREAT) + [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) ++ [30843] potential use-after-free in getcanonname (CVE-2023-4806) + [31184] FAIL: elf/tst-tlsgap + [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + +-- +2.33.0 + diff --git a/elf-Add-TLS-modid-reuse-test-for-bug-29039.patch b/elf-Add-TLS-modid-reuse-test-for-bug-29039.patch new file mode 100644 index 0000000..2dddd8e --- /dev/null +++ b/elf-Add-TLS-modid-reuse-test-for-bug-29039.patch @@ -0,0 +1,210 @@ +From 0de9082ed8d8f149ca87d569a73692046e236c18 Mon Sep 17 00:00:00 2001 +From: Szabolcs Nagy +Date: Wed, 29 Nov 2023 11:31:37 +0000 +Subject: [PATCH 3/9] elf: Add TLS modid reuse test for bug 29039 + +This is a minimal regression test for bug 29039 which only affects +targets with TLSDESC and a reproducer requires that + +1) Have modid gaps (closed modules) with old generation. +2) Update a DTV to a newer generation (needs a newer dlopen). +3) But do not update the closed gap entry in that DTV. +4) Reuse the modid gap for a new module (another dlopen). +5) Use dynamic TLSDESC in that new module with old generation (bug). +6) Access TLS via this TLSDESC and the now outdated DTV. + +However step (3) in practice rarely happens: during DTV update the +entries for closed modids are initialized to "unallocated" and then +dynamic TLSDESC calls __tls_get_addr independently of its generation. +The only exception to this is DTV setup at thread creation (gaps are +initialized to NULL instead of unallocated) or DTV resize where the +gap entries are outside the previous DTV array (again NULL instead +of unallocated, and this requires loading > DTV_SURPLUS modules). + +So the bug can only cause NULL (+ offset) dereference, not use after +free. And the easiest way to get (3) is via thread creation. + +Note that step (5) requires that the newly loaded module has larger +TLS than the remaining optional static TLS. And for (6) there cannot +be other TLS access or dlopen in the thread that updates the DTV. + +Tested on aarch64-linux-gnu. + +Reviewed-by: Adhemerval Zanella +(cherry picked from commit 980450f12685326729d63ff72e93a996113bf073) + +Conflict: This adapt the context elf/Makefile due to BZ 31035. +--- + elf/Makefile | 15 +++++++ + elf/tst-tlsgap-mod0.c | 2 + + elf/tst-tlsgap-mod1.c | 2 + + elf/tst-tlsgap-mod2.c | 2 + + elf/tst-tlsgap.c | 92 +++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 113 insertions(+) + create mode 100644 elf/tst-tlsgap-mod0.c + create mode 100644 elf/tst-tlsgap-mod1.c + create mode 100644 elf/tst-tlsgap-mod2.c + create mode 100644 elf/tst-tlsgap.c + +diff --git a/elf/Makefile b/elf/Makefile +index 00ac7430..711f96fe 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -460,6 +460,7 @@ tests += \ + tst-tls21 \ + tst-tlsalign \ + tst-tlsalign-extern \ ++ tst-tlsgap \ + tst-unique1 \ + tst-unique2 \ + tst-unwind-ctor \ +@@ -885,6 +886,9 @@ modules-names += \ + tst-tls20mod-bad \ + tst-tls21mod \ + tst-tlsalign-lib \ ++ tst-tlsgap-mod0 \ ++ tst-tlsgap-mod1 \ ++ tst-tlsgap-mod2 \ + tst-tlsmod1 \ + tst-tlsmod10 \ + tst-tlsmod11 \ +@@ -3002,3 +3006,14 @@ $(objpfx)tst-non-directory-path.out: tst-non-directory-path.sh \ + '$(test-wrapper-env)' '$(run_program_env)' \ + '$(rpath-link)' $(objpfx) > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-tlsgap: $(shared-thread-library) ++$(objpfx)tst-tlsgap.out: \ ++ $(objpfx)tst-tlsgap-mod0.so \ ++ $(objpfx)tst-tlsgap-mod1.so \ ++ $(objpfx)tst-tlsgap-mod2.so ++ifeq (yes,$(have-mtls-dialect-gnu2)) ++CFLAGS-tst-tlsgap-mod0.c += -mtls-dialect=gnu2 ++CFLAGS-tst-tlsgap-mod1.c += -mtls-dialect=gnu2 ++CFLAGS-tst-tlsgap-mod2.c += -mtls-dialect=gnu2 ++endif +diff --git a/elf/tst-tlsgap-mod0.c b/elf/tst-tlsgap-mod0.c +new file mode 100644 +index 00000000..1478b0be +--- /dev/null ++++ b/elf/tst-tlsgap-mod0.c +@@ -0,0 +1,2 @@ ++int __thread tls0; ++int *f0(void) { return &tls0; } +diff --git a/elf/tst-tlsgap-mod1.c b/elf/tst-tlsgap-mod1.c +new file mode 100644 +index 00000000..b10fc370 +--- /dev/null ++++ b/elf/tst-tlsgap-mod1.c +@@ -0,0 +1,2 @@ ++int __thread tls1[100]; /* Size > glibc.rtld.optional_static_tls / 2. */ ++int *f1(void) { return tls1; } +diff --git a/elf/tst-tlsgap-mod2.c b/elf/tst-tlsgap-mod2.c +new file mode 100644 +index 00000000..166c27d7 +--- /dev/null ++++ b/elf/tst-tlsgap-mod2.c +@@ -0,0 +1,2 @@ ++int __thread tls2; ++int *f2(void) { return &tls2; } +diff --git a/elf/tst-tlsgap.c b/elf/tst-tlsgap.c +new file mode 100644 +index 00000000..49328850 +--- /dev/null ++++ b/elf/tst-tlsgap.c +@@ -0,0 +1,92 @@ ++/* TLS modid gap reuse regression test for bug 29039. ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++ ++static void *mod[3]; ++#define MOD(i) "tst-tlsgap-mod" #i ".so" ++static const char *modname[3] = { MOD(0), MOD(1), MOD(2) }; ++#undef MOD ++ ++static void ++open_mod (int i) ++{ ++ mod[i] = xdlopen (modname[i], RTLD_LAZY); ++ printf ("open %s\n", modname[i]); ++} ++ ++static void ++close_mod (int i) ++{ ++ xdlclose (mod[i]); ++ mod[i] = NULL; ++ printf ("close %s\n", modname[i]); ++} ++ ++static void ++access_mod (int i, const char *sym) ++{ ++ int *(*f) (void) = xdlsym (mod[i], sym); ++ int *p = f (); ++ printf ("access %s: %s() = %p\n", modname[i], sym, p); ++ TEST_VERIFY_EXIT (p != NULL); ++ ++*p; ++} ++ ++static void * ++start (void *arg) ++{ ++ /* The DTV generation is at the last dlopen of mod0 and the ++ entry for mod1 is NULL. */ ++ ++ open_mod (1); /* Reuse modid of mod1. Uses dynamic TLS. */ ++ ++ /* DTV is unchanged: dlopen only updates the DTV to the latest ++ generation if static TLS is allocated for a loaded module. ++ ++ With bug 29039, the TLSDESC relocation in mod1 uses the old ++ dlclose generation of mod1 instead of the new dlopen one so ++ DTV is not updated on TLS access. */ ++ ++ access_mod (1, "f1"); ++ ++ return arg; ++} ++ ++static int ++do_test (void) ++{ ++ open_mod (0); ++ open_mod (1); ++ open_mod (2); ++ close_mod (0); ++ close_mod (1); /* Create modid gap at mod1. */ ++ open_mod (0); /* Reuse modid of mod0, bump generation count. */ ++ ++ /* Create a thread where DTV of mod1 is NULL. */ ++ pthread_t t = xpthread_create (NULL, start, NULL); ++ xpthread_join (t); ++ return 0; ++} ++ ++#include +-- +2.33.0 + diff --git a/elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch b/elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch new file mode 100644 index 0000000..395a0a6 --- /dev/null +++ b/elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch @@ -0,0 +1,53 @@ +From ccdc4cba07684fe1397e1f5f134a0a827af98c04 Mon Sep 17 00:00:00 2001 +From: Hector Martin +Date: Tue, 28 Nov 2023 15:23:07 +0900 +Subject: [PATCH 2/9] elf: Fix TLS modid reuse generation assignment (BZ 29039) + +_dl_assign_tls_modid() assigns a slotinfo entry for a new module, but +does *not* do anything to the generation counter. The first time this +happens, the generation is zero and map_generation() returns the current +generation to be used during relocation processing. However, if +a slotinfo entry is later reused, it will already have a generation +assigned. If this generation has fallen behind the current global max +generation, then this causes an obsolete generation to be assigned +during relocation processing, as map_generation() returns this +generation if nonzero. _dl_add_to_slotinfo() eventually resets the +generation, but by then it is too late. This causes DTV updates to be +skipped, leading to NULL or broken TLS slot pointers and segfaults. + +Fix this by resetting the generation to zero in _dl_assign_tls_modid(), +so it behaves the same as the first time a slot is assigned. +_dl_add_to_slotinfo() will still assign the correct static generation +later during module load, but relocation processing will no longer use +an obsolete generation. + +Note that slotinfo entry (aka modid) reuse typically happens after a +dlclose and only TLS access via dynamic tlsdesc is affected. Because +tlsdesc is optimized to use the optional part of static TLS, dynamic +tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls +tunable to a large enough value, or by LD_PRELOAD-ing the affected +modules. + +Fixes bug 29039. + +Reviewed-by: Szabolcs Nagy +(cherry picked from commit 3921c5b40f293c57cb326f58713c924b0662ef59) +--- + elf/dl-tls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/elf/dl-tls.c b/elf/dl-tls.c +index 99b83ca696..1f6f820819 100644 +--- a/elf/dl-tls.c ++++ b/elf/dl-tls.c +@@ -154,6 +154,7 @@ _dl_assign_tls_modid (struct link_map *l) + { + /* Mark the entry as used, so any dependency see it. */ + atomic_store_relaxed (&runp->slotinfo[result - disp].map, l); ++ atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0); + break; + } + +-- +2.33.0 + diff --git a/getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch b/getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch new file mode 100644 index 0000000..29a633d --- /dev/null +++ b/getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch @@ -0,0 +1,36 @@ +From ae1e5217021e43e1f2de443d26e87ea3adfb221c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Wed, 6 Dec 2023 14:48:22 +0100 +Subject: [PATCH 8/9] getaddrinfo: translate ENOMEM to EAI_MEMORY (bug 31163) + +When __resolv_context_get returns NULL due to out of memory, translate it +to a return value of EAI_MEMORY. + +(cherry picked from commit 5eabdb6a6ac1599d23dd5966a37417215950245f) +--- + sysdeps/posix/getaddrinfo.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 13082305d3..da573bea24 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -616,7 +616,14 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + function variant. */ + res_ctx = __resolv_context_get (); + if (res_ctx == NULL) +- no_more = 1; ++ { ++ if (errno == ENOMEM) ++ { ++ result = -EAI_MEMORY; ++ goto out; ++ } ++ no_more = 1; ++ } + + while (!no_more) + { +-- +2.33.0 + diff --git a/glibc.spec b/glibc.spec index bc5973b..4f1a52d 100644 --- a/glibc.spec +++ b/glibc.spec @@ -67,7 +67,7 @@ ############################################################################## Name: glibc Version: 2.38 -Release: 15 +Release: 16 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -119,6 +119,15 @@ Patch30: 0003-Revert-elf-Move-l_init_called_next-to-old-place-of-l.patch Patch31: sysdeps-sem_open-Clear-O_CREAT-when-semaphore-file-i.patch Patch32: elf-Fix-wrong-break-removal-from-8ee878592c.patch Patch33: backport-elf-Handle-non-directory-name-in-search-path-BZ-3103.patch +Patch34: LoongArch-Delete-excessively-allocated-memory.patch +Patch35: elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch +Patch36: elf-Add-TLS-modid-reuse-test-for-bug-29039.patch +Patch37: x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch +Patch38: x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch +Patch39: NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch +Patch40: NEWS-Mention-bug-fixes-for-30745-30843.patch +Patch41: getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch +Patch42: libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch @@ -1332,6 +1341,9 @@ fi %endif %changelog +* Wed Jan 3 Qingqing Li - 2.38-16 +- backport patches from glibc upstream 2.38 branch + * Thu Dec 14 shixuantong - 2.38-15 - elf: Handle non-directory name in search path (BZ 31035) diff --git a/libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch b/libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch new file mode 100644 index 0000000..83f974e --- /dev/null +++ b/libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch @@ -0,0 +1,48 @@ +From cfe121910013a46e2477562282c56ae8062089aa Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Tue, 2 Jan 2024 14:36:17 +0100 +Subject: [PATCH 9/9] libio: Check remaining buffer size in _IO_wdo_write (bug + 31183) + +The multibyte character needs to fit into the remaining buffer space, +not the already-written buffer space. Without the fix, we were never +moving the write pointer from the start of the buffer, always using +the single-character fallback buffer. + +Fixes commit 04b76b5aa8b2d1d19066e42dd1 ("Don't error out writing +a multibyte character to an unbuffered stream (bug 17522)"). + +(cherry picked from commit ecc7c3deb9f347649c2078fcc0f94d4cedf92d60) +--- + NEWS | 1 + + libio/wfileops.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 905230b838..6768c2da6f 100644 +--- a/NEWS ++++ b/NEWS +@@ -43,6 +43,7 @@ The following bugs are resolved with this release: + -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + [30843] potential use-after-free in getcanonname (CVE-2023-4806) ++ [31183] Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix + [31184] FAIL: elf/tst-tlsgap + [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + +diff --git a/libio/wfileops.c b/libio/wfileops.c +index f16f6db1c3..9ab8f2e7f3 100644 +--- a/libio/wfileops.c ++++ b/libio/wfileops.c +@@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do) + char mb_buf[MB_LEN_MAX]; + char *write_base, *write_ptr, *buf_end; + +- if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf)) ++ if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf)) + { + /* Make sure we have room for at least one multibyte + character. */ +-- +2.33.0 + diff --git a/x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch b/x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch new file mode 100644 index 0000000..c55bdf9 --- /dev/null +++ b/x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch @@ -0,0 +1,68 @@ +From 35ea7549751d4f13a28c732e6ad68204f5e60a06 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 20 Dec 2023 16:31:43 -0800 +Subject: [PATCH 4/9] x86-64: Fix the dtv field load for x32 [BZ #31184] + +On x32, I got + +FAIL: elf/tst-tlsgap + +$ gdb elf/tst-tlsgap +... +open tst-tlsgap-mod1.so + +Thread 2 "tst-tlsgap" received signal SIGSEGV, Segmentation fault. +[Switching to LWP 2268754] +_dl_tlsdesc_dynamic () at ../sysdeps/x86_64/dl-tlsdesc.S:108 +108 movq (%rsi), %rax +(gdb) p/x $rsi +$4 = 0xf7dbf9005655fb18 +(gdb) + +This is caused by + +_dl_tlsdesc_dynamic: + _CET_ENDBR + /* Preserve call-clobbered registers that we modify. + We need two scratch regs anyway. */ + movq %rsi, -16(%rsp) + movq %fs:DTV_OFFSET, %rsi + +Since the dtv field in TCB is a pointer, %fs:DTV_OFFSET is a 32-bit +location, not 64-bit. Load the dtv field to RSI_LP instead of rsi. +This fixes BZ #31184. + +(cherry picked from commit 3502440397bbb840e2f7223734aa5cc2cc0e29b6) +--- + NEWS | 1 + + sysdeps/x86_64/dl-tlsdesc.S | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 5ac488bf9b..71057e4793 100644 +--- a/NEWS ++++ b/NEWS +@@ -37,6 +37,7 @@ The following bugs are resolved with this release: + [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) ++ [31184] FAIL: elf/tst-tlsgap + + + Version 2.38 +diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S +index 5593897e29..c4823547d7 100644 +--- a/sysdeps/x86_64/dl-tlsdesc.S ++++ b/sysdeps/x86_64/dl-tlsdesc.S +@@ -102,7 +102,7 @@ _dl_tlsdesc_dynamic: + /* Preserve call-clobbered registers that we modify. + We need two scratch regs anyway. */ + movq %rsi, -16(%rsp) +- movq %fs:DTV_OFFSET, %rsi ++ mov %fs:DTV_OFFSET, %RSI_LP + movq %rdi, -8(%rsp) + movq TLSDESC_ARG(%rax), %rdi + movq (%rsi), %rax +-- +2.33.0 + diff --git a/x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch b/x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch new file mode 100644 index 0000000..515db6d --- /dev/null +++ b/x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch @@ -0,0 +1,69 @@ +From 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" +Date: Wed, 20 Dec 2023 19:42:12 -0800 +Subject: [PATCH 5/9] x86-64: Fix the tcb field load for x32 [BZ #31185] + +_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer +via the tcb field in TCB: + +_dl_tlsdesc_undefweak: + _CET_ENDBR + movq 8(%rax), %rax + subq %fs:0, %rax + ret + +_dl_tlsdesc_dynamic: + ... + subq %fs:0, %rax + movq -8(%rsp), %rdi + ret + +Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location, +not 64-bit. It should use "sub %fs:0, %RAX_LP" instead. Since +_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic +returns void *, RAX_LP is appropriate here for x32 and x86-64. This +fixes BZ #31185. + +(cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3) +--- + NEWS | 1 + + sysdeps/x86_64/dl-tlsdesc.S | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 71057e4793..6fbb8a9e1d 100644 +--- a/NEWS ++++ b/NEWS +@@ -38,6 +38,7 @@ The following bugs are resolved with this release: + -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + [31184] FAIL: elf/tst-tlsgap ++ [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + + + Version 2.38 +diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S +index c4823547d7..4579424bf7 100644 +--- a/sysdeps/x86_64/dl-tlsdesc.S ++++ b/sysdeps/x86_64/dl-tlsdesc.S +@@ -61,7 +61,7 @@ _dl_tlsdesc_return: + _dl_tlsdesc_undefweak: + _CET_ENDBR + movq 8(%rax), %rax +- subq %fs:0, %rax ++ sub %fs:0, %RAX_LP + ret + cfi_endproc + .size _dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak +@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic: + addq TLSDESC_MODOFF(%rdi), %rax + .Lret: + movq -16(%rsp), %rsi +- subq %fs:0, %rax ++ sub %fs:0, %RAX_LP + movq -8(%rsp), %rdi + ret + .Lslow: +-- +2.33.0 + -- Gitee