diff --git a/backport-Fix-buffer-overrun-in-EUC-KR-conversion-module-bz-24.patch b/backport-Fix-buffer-overrun-in-EUC-KR-conversion-module-bz-24.patch
new file mode 100644
index 0000000000000000000000000000000000000000..da9324d26a966bfa023867dca1aa15cec4c41ed7
--- /dev/null
+++ b/backport-Fix-buffer-overrun-in-EUC-KR-conversion-module-bz-24.patch
@@ -0,0 +1,137 @@ +From ee7a3144c9922808181009b7b3e50e852fb4999b Mon Sep 17 00:00:00 2001 +From: Andreas Schwab +Date: Mon, 21 Dec 2020 08:56:43 +0530 +Subject: [PATCH] Fix buffer overrun in EUC-KR conversion module (bz #24973) + +reason:Fix buffer overrun in EUC-KR conversion module (bz #24973) +Conflict:NA +Reference:https://sourceware.org/bugzilla/show_bug.cgi?id=24973 + +The byte 0xfe as input to the EUC-KR conversion denotes a user-defined +area and is not allowed. The from_euc_kr function used to skip two bytes +when told to skip over the unknown designation, potentially running over +the buffer end. +--- + iconvdata/Makefile | 3 ++- + iconvdata/bug-iconv13.c | 53 +++++++++++++++++++++++++++++++++++++++++ + iconvdata/euc-kr.c | 6 +---- + iconvdata/ksc5601.h | 6 ++--- + 4 files changed, 59 insertions(+), 9 deletions(-) + create mode 100644 iconvdata/bug-iconv13.c + +diff --git a/iconvdata/Makefile b/iconvdata/Makefile +index 97aaffa2..6790e0bd 100644 +--- a/iconvdata/Makefile ++++ b/iconvdata/Makefile +@@ -73,7 +73,8 @@ modules.so := $(addsuffix .so, $(modules)) + ifeq (yes,$(build-shared)) + tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ + tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ +- bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 ++ bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ ++ bug-iconv13 + ifeq ($(have-thread-library),yes) + tests += bug-iconv3 + endif +diff --git a/iconvdata/bug-iconv13.c b/iconvdata/bug-iconv13.c +new file mode 100644 +index 00000000..87aaff39 +--- /dev/null ++++ b/iconvdata/bug-iconv13.c +@@ -0,0 +1,53 @@ ++/* bug 24973: Test EUC-KR module ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ iconv_t cd = iconv_open ("UTF-8//IGNORE", "EUC-KR"); ++ TEST_VERIFY_EXIT (cd != (iconv_t) -1); ++ ++ /* 0xfe (->0x7e : row 94) and 0xc9 (->0x49 : row 41) are user-defined ++ areas, which are not allowed and should be skipped over due to ++ //IGNORE. The trailing 0xfe also is an incomplete sequence, which ++ should be checked first. */ ++ char input[4] = { '\xc9', '\xa1', '\0', '\xfe' }; ++ char *inptr = input; ++ size_t insize = sizeof (input); ++ char output[4]; ++ char *outptr = output; ++ size_t outsize = sizeof (output); ++ ++ /* This used to crash due to buffer overrun. */ ++ TEST_VERIFY (iconv (cd, &inptr, &insize, &outptr, &outsize) == (size_t) -1); ++ TEST_VERIFY (errno == EINVAL); ++ /* The conversion should produce one character, the converted null ++ character. */ ++ TEST_VERIFY (sizeof (output) - outsize == 1); ++ ++ TEST_VERIFY_EXIT (iconv_close (cd) != -1); ++ ++ return 0; ++} ++ ++#include +diff --git a/iconvdata/euc-kr.c b/iconvdata/euc-kr.c +index 73e02817..dc7eaa65 100644 +--- a/iconvdata/euc-kr.c ++++ b/iconvdata/euc-kr.c +@@ -80,11 +80,7 @@ euckr_from_ucs4 (uint32_t ch, unsigned char *cp) + \ + if (ch <= 0x9f) \ + ++inptr; \ +- /* 0xfe(->0x7e : row 94) and 0xc9(->0x59 : row 41) are \ +- user-defined areas. 
*/ \ +- else if (__builtin_expect (ch == 0xa0, 0) \ +- || __builtin_expect (ch > 0xfe, 0) \ +- || __builtin_expect (ch == 0xc9, 0)) \ ++ else if (__glibc_unlikely (ch == 0xa0)) \ + { \ + /* This is illegal. */ \ + STANDARD_FROM_LOOP_ERR_HANDLER (1); \ +diff --git a/iconvdata/ksc5601.h b/iconvdata/ksc5601.h +index 5588d3a1..fa2d3067 100644 +--- a/iconvdata/ksc5601.h ++++ b/iconvdata/ksc5601.h +@@ -50,15 +50,15 @@ ksc5601_to_ucs4 (const unsigned char **s, size_t avail, unsigned char offset) + unsigned char ch2; + int idx; + ++ if (avail < 2) ++ return 0; ++ + /* row 94(0x7e) and row 41(0x49) are user-defined area in KS C 5601 */ + + if (ch < offset || (ch - offset) <= 0x20 || (ch - offset) >= 0x7e + || (ch - offset) == 0x49) + return __UNKNOWN_10646_CHAR; + +- if (avail < 2) +- return 0; +- + ch2 = (*s)[1]; + if (ch2 < offset || (ch2 - offset) <= 0x20 || (ch2 - offset) >= 0x7f) + return __UNKNOWN_10646_CHAR; +-- +2.23.0 + diff --git a/backport-aarch64-fix-stack-missing-after-sp-is-updated.patch b/backport-aarch64-fix-stack-missing-after-sp-is-updated.patch new file mode 100644 index 0000000000000000000000000000000000000000..afbb759e04481aadf09d56e0d2fd40dc62658c63 --- /dev/null +++ b/backport-aarch64-fix-stack-missing-after-sp-is-updated.patch 
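Review bot: The new test in bug-iconv13.c checks the return value, errno and the output count, but never where the converter stopped in the input, which is the property the overrun violated. With the trailing 0xfe reported as incomplete, one input byte should remain unconsumed, so add `TEST_VERIFY (insize == 1);` and `TEST_VERIFY (inptr == input + 3);` after the errno check; that fails deterministically on an over-skip even when a one-byte over-read of the stack array does not fault. Moving `if (avail < 2) return 0;` to the top of ksc5601_to_ucs4 also changes the result for a lone invalid lead byte at end of input from unknown to incomplete for every includer of ksc5601.h; only the EUC-KR caller is visible here, so any other converter using this header should be checked. The ordering is load-bearing and deserves a comment at the check, for example `/* Test the length first: callers skip two bytes on __UNKNOWN_10646_CHAR. */`.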
@@ -0,0 +1,66 @@
+From cd6274089f7a7603cdaf2a24cef575fa61d3772e Mon Sep 17 00:00:00 2001
+From: Shuo Wang
+Date: Mon, 4 Jan 2021 20:42:52 +0800
+Subject: [PATCH] aarch64: fix stack missing after sp is updated
+
+reason:aarch64: fix stack missing after sp is updated
+Conflict:NA
+Reference:https://sourceware.org/pipermail/libc-alpha/2021-January/121272.html
+
+After sp is updated, the CFA offset should be set before next instruction.
+Tested in glibc-2.28:
+Thread 2 "xxxxxxx" hit Breakpoint 1, _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:149
+149 stp x1, x2, [sp, #-32]!
+Missing separate debuginfos, use: dnf debuginfo-install libgcc-7.3.0-20190804.h24.aarch64
+(gdb) bt
+#0 _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:149
+#1 0x0000ffffbe4fbb44 in OurFunction (threadId=3194870184)
+ at /home/test/test_function.c:30
+#2 0x0000000000400c08 in initaaa () at thread.c:58
+#3 0x0000000000400c50 in thread_proc (param=0x0) at thread.c:71
+#4 0x0000ffffbf6918bc in start_thread (arg=0xfffffffff29f) at pthread_create.c:486
+#5 0x0000ffffbf5669ec in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
+(gdb) ni
+_dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:150
+150 stp x3, x4, [sp, #16]
+(gdb) bt
+#0 _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:150
+#1 0x0000ffffbe4fbb44 in OurFunction (threadId=3194870184)
+ at /home/test/test_function.c:30
+#2 0x0000000000000000 in ?? ()
+Backtrace stopped: previous frame identical to this frame (corrupt stack?)
+(gdb) ni
+_dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:157
+157 mrs x4, tpidr_el0
+(gdb) bt
+#0 _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:157
+#1 0x0000ffffbe4fbb44 in OurFunction (threadId=3194870184)
+ at /home/test/test_function.c:30
+#2 0x0000000000400c08 in initaaa () at thread.c:58
+#3 0x0000000000400c50 in thread_proc (param=0x0) at thread.c:71
+#4 0x0000ffffbf6918bc in start_thread (arg=0xfffffffff29f) at pthread_create.c:486
+#5 0x0000ffffbf5669ec in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
+
+Signed-off-by: liqingqing
+Signed-off-by: Shuo Wang
+---
+ sysdeps/aarch64/dl-tlsdesc.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysdeps/aarch64/dl-tlsdesc.S b/sysdeps/aarch64/dl-tlsdesc.S
+index 43a62ef3..39ef48e9 100644
+--- a/sysdeps/aarch64/dl-tlsdesc.S
++++ b/sysdeps/aarch64/dl-tlsdesc.S
+@@ -147,8 +147,8 @@ _dl_tlsdesc_dynamic:
+ /* Save just enough registers to support fast path, if we fall
+ into slow path we will save additional registers. */
+ stp x1, x2, [sp, #-32]!
+- stp x3, x4, [sp, #16]
+ cfi_adjust_cfa_offset (32)
++ stp x3, x4, [sp, #16]
+ cfi_rel_offset (x1, 0)
+ cfi_rel_offset (x2, 8)
+ cfi_rel_offset (x3, 16)
+--
+2.23.0
+
diff --git a/backport-aarch64-push-the-set-of-rules-before-falling-into-sl.patch b/backport-aarch64-push-the-set-of-rules-before-falling-into-sl.patch
new file mode 100644
index 0000000000000000000000000000000000000000..1b55ce82f0bf39a726a922f01c64ef4742e08279
--- /dev/null
+++ b/backport-aarch64-push-the-set-of-rules-before-falling-into-sl.patch
@@ -0,0 +1,89 @@
+From f5082c70101d5b6c10c312f86c9de7fecf0075b6 Mon Sep 17 00:00:00 2001
+From: Shuo Wang
+Date: Tue, 5 Jan 2021 10:04:12 +0800
+Subject: [PATCH] aarch64: push the set of rules before falling into slow path
+
+reason:aarch64: push the set of rules before falling into slow path
+Conflict:NA
+Reference:https://sourceware.org/pipermail/libc-alpha/2021-January/121330.html
+
+It is supposed to save the rules for the instructions before falling into slow path.
+
+Tested in glibc-2.28 before fixing:
+Thread 2 "xxxxxxx" hit Breakpoint 1, _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:149
+149 stp x1, x2, [sp, #-32]!
+Missing separate debuginfos, use: dnf debuginfo-install libgcc-7.3.0-20190804.h24.aarch64
+(gdb) ni
+_dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:150
+150 stp x3, x4, [sp, #16]
+(gdb)
+_dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:157
+157 mrs x4, tpidr_el0
+(gdb)
+158 ldr PTR_REG (1), [x0,#TLSDESC_ARG]
+(gdb)
+159 ldr PTR_REG (0), [x4,#TCBHEAD_DTV]
+(gdb)
+160 ldr PTR_REG (3), [x1,#TLSDESC_GEN_COUNT]
+(gdb)
+161 ldr PTR_REG (2), [x0,#DTV_COUNTER]
+(gdb)
+162 cmp PTR_REG (3), PTR_REG (2)
+(gdb)
+163 b.hi 2f
+(gdb)
+165 ldp PTR_REG (2), PTR_REG (3), [x1,#TLSDESC_MODID]
+(gdb)
+166 add PTR_REG (0), PTR_REG (0), PTR_REG (2), lsl #(PTR_LOG_SIZE + 1)
+(gdb)
+167 ldr PTR_REG (0), [x0] /* Load val member of DTV entry.
*/
+(gdb)
+168 cmp PTR_REG (0), #TLS_DTV_UNALLOCATED
+(gdb)
+169 b.eq 2f
+(gdb) bt
+#0 _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:169
+#1 0x0000ffffbe4fbb44 in OurFunction (threadId=4294967295)
+ at /home/test/test_function.c:30
+#2 0x0000000000400c08 in initaaa () at thread.c:58
+#3 0x0000000000400c50 in thread_proc (param=0x0) at thread.c:71
+#4 0x0000ffffbf6918bc in start_thread (arg=0xfffffffff29f) at pthread_create.c:486
+#5 0x0000ffffbf5669ec in thread_start () at ../sysdeps/unix/sysv/linux/aarch64/clone.S:78
+(gdb) ni
+_dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:184
+184 stp x29, x30, [sp,#-16*NSAVEXREGPAIRS]!
+(gdb) bt
+#0 _dl_tlsdesc_dynamic () at ../sysdeps/aarch64/dl-tlsdesc.S:184
+#1 0x0000ffffbe4fbb44 in OurFunction (threadId=4294967295)
+ at /home/test/test_function.c:30
+#2 0x0000000000000000 in ?? ()
+Backtrace stopped: previous frame identical to this frame (corrupt stack?)
+
+Co-authored-by: liqingqing
+---
+ sysdeps/aarch64/dl-tlsdesc.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/sysdeps/aarch64/dl-tlsdesc.S b/sysdeps/aarch64/dl-tlsdesc.S
+index 39ef48e9..479a445b 100644
+--- a/sysdeps/aarch64/dl-tlsdesc.S
++++ b/sysdeps/aarch64/dl-tlsdesc.S
+@@ -167,6 +167,7 @@ _dl_tlsdesc_dynamic:
+ ldr PTR_REG (0), [x0] /* Load val member of DTV entry. */
+ cmp PTR_REG (0), #TLS_DTV_UNALLOCATED
+ b.eq 2f
++ cfi_remember_state
+ sub PTR_REG (3), PTR_REG (3), PTR_REG (4)
+ add PTR_REG (0), PTR_REG (0), PTR_REG (3)
+ 1:
+@@ -180,6 +181,7 @@ _dl_tlsdesc_dynamic:
+ callee will trash. */
+
+ /* Save the remaining registers that we must treat as caller save. */
++ cfi_restore_state
+# define NSAVEXREGPAIRS 8
+ stp x29, x30, [sp,#-16*NSAVEXREGPAIRS]!
+ cfi_adjust_cfa_offset (16*NSAVEXREGPAIRS)
+--
+2.23.0
+
diff --git a/backport-addmntent-Remove-unbounded-alloca-usage-from-getmnte.patch b/backport-addmntent-Remove-unbounded-alloca-usage-from-getmnte.patch
new file mode 100644
index 0000000000000000000000000000000000000000..6c124b46f359791e1a89fb6328b055793728a9f4
--- /dev/null
+++ b/backport-addmntent-Remove-unbounded-alloca-usage-from-getmnte.patch
@@ -0,0 +1,276 @@ +From 9798906a426fc458b949271bcc9b8ad1608de867 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Tue, 22 Dec 2020 17:18:12 +0530 +Subject: [PATCH] addmntent: Remove unbounded alloca usage from getmntent + [BZ#27083] + +reason:Remove unbounded alloca usage from getmntent +Conflict:NA +Reference:https://sourceware.org/bugzilla/show_bug.cgi?id=27083 + +The addmntent function replicates elements of struct mnt on stack +using alloca, which is unsafe. Put characters directly into the +stream, escaping them as they're being written out. + +Also add a test to check all escaped characters with addmntent and +getmntent. +--- + misc/Makefile | 2 +- + misc/mntent_r.c | 111 ++++++++++++++------------------------- + misc/tst-mntent-escape.c | 101 +++++++++++++++++++++++++++++++++++ + 3 files changed, 140 insertions(+), 74 deletions(-) + create mode 100644 misc/tst-mntent-escape.c + +diff --git a/misc/Makefile b/misc/Makefile +index b7be2bc1..186d3f96 100644 +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -84,7 +84,7 @@ tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ + tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 \ + tst-mntent-blank-corrupt tst-mntent-blank-passno bug18240 \ + tst-preadvwritev tst-preadvwritev64 tst-makedev tst-empty \ +- tst-preadvwritev2 tst-preadvwritev64v2 ++ tst-preadvwritev2 tst-preadvwritev64v2 tst-mntent-escape + + tests-internal := tst-atomic tst-atomic-long tst-allocate_once + tests-static := tst-empty +diff --git a/misc/mntent_r.c b/misc/mntent_r.c +index 7a826586..440e4e57 100644 +--- a/misc/mntent_r.c ++++ b/misc/mntent_r.c +@@ -186,87 +186,52 @@ __getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) + libc_hidden_def (__getmntent_r) + weak_alias (__getmntent_r, getmntent_r) + ++/* Write STR into STREAM, escaping whitespaces as we go. Do not check for ++ errors here; we check the stream status in __ADDMNTENT. 
*/ ++static void ++write_string (FILE *stream, const char *str) ++{ ++ char c; ++ const char *encode_chars = " \t\n\\"; + +-/* We have to use an encoding for names if they contain spaces or tabs. +- To be able to represent all characters we also have to escape the +- backslash itself. This "function" must be a macro since we use +- `alloca'. */ +-#define encode_name(name) \ +- do { \ +- const char *rp = name; \ +- \ +- while (*rp != '\0') \ +- if (*rp == ' ' || *rp == '\t' || *rp == '\n' || *rp == '\\') \ +- break; \ +- else \ +- ++rp; \ +- \ +- if (*rp != '\0') \ +- { \ +- /* In the worst case the length of the string can increase to \ +- four times the current length. */ \ +- char *wp; \ +- \ +- rp = name; \ +- name = wp = (char *) alloca (strlen (name) * 4 + 1); \ +- \ +- do \ +- if (*rp == ' ') \ +- { \ +- *wp++ = '\\'; \ +- *wp++ = '0'; \ +- *wp++ = '4'; \ +- *wp++ = '0'; \ +- } \ +- else if (*rp == '\t') \ +- { \ +- *wp++ = '\\'; \ +- *wp++ = '0'; \ +- *wp++ = '1'; \ +- *wp++ = '1'; \ +- } \ +- else if (*rp == '\n') \ +- { \ +- *wp++ = '\\'; \ +- *wp++ = '0'; \ +- *wp++ = '1'; \ +- *wp++ = '2'; \ +- } \ +- else if (*rp == '\\') \ +- { \ +- *wp++ = '\\'; \ +- *wp++ = '\\'; \ +- } \ +- else \ +- *wp++ = *rp; \ +- while (*rp++ != '\0'); \ +- } \ +- } while (0) +- ++ while ((c = *str++) != '\0') ++ { ++ if (strchr (encode_chars, c) == NULL) ++ fputc_unlocked (c, stream); ++ else ++ { ++ fputc_unlocked ('\\', stream); ++ fputc_unlocked (((c & 0xc0) >> 6) + '0', stream); ++ fputc_unlocked (((c & 0x38) >> 3) + '0', stream); ++ fputc_unlocked (((c & 0x07) >> 0) + '0', stream); ++ } ++ } ++ fputc_unlocked (' ', stream); ++} + + /* Write the mount table entry described by MNT to STREAM. + Return zero on success, nonzero on failure. */ + int + __addmntent (FILE *stream, const struct mntent *mnt) + { +- struct mntent mntcopy = *mnt; ++ int ret = 1; ++ + if (fseek (stream, 0, SEEK_END)) +- return 1; +- +- /* Encode spaces and tabs in the names. 
*/ +- encode_name (mntcopy.mnt_fsname); +- encode_name (mntcopy.mnt_dir); +- encode_name (mntcopy.mnt_type); +- encode_name (mntcopy.mnt_opts); +- +- return (fprintf (stream, "%s %s %s %s %d %d\n", +- mntcopy.mnt_fsname, +- mntcopy.mnt_dir, +- mntcopy.mnt_type, +- mntcopy.mnt_opts, +- mntcopy.mnt_freq, +- mntcopy.mnt_passno) < 0 +- || fflush (stream) != 0); ++ return ret; ++ ++ flockfile (stream); ++ ++ write_string (stream, mnt->mnt_fsname); ++ write_string (stream, mnt->mnt_dir); ++ write_string (stream, mnt->mnt_type); ++ write_string (stream, mnt->mnt_opts); ++ fprintf (stream, "%d %d\n", mnt->mnt_freq, mnt->mnt_passno); ++ ++ ret = ferror (stream) != 0 || fflush (stream) != 0; ++ ++ funlockfile (stream); ++ ++ return ret; + } + weak_alias (__addmntent, addmntent) + +diff --git a/misc/tst-mntent-escape.c b/misc/tst-mntent-escape.c +new file mode 100644 +index 00000000..c1db428a +--- /dev/null ++++ b/misc/tst-mntent-escape.c +@@ -0,0 +1,101 @@ ++/* Test mntent interface with escaped sequences. ++ Copyright (C) 2020 Free Software Foundation, Inc. ++ ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . 
*/ ++ ++#include ++#include ++#include ++#include ++ ++struct const_mntent ++{ ++ const char *mnt_fsname; ++ const char *mnt_dir; ++ const char *mnt_type; ++ const char *mnt_opts; ++ int mnt_freq; ++ int mnt_passno; ++ const char *expected; ++}; ++ ++struct const_mntent tests[] = ++{ ++ {"/dev/hda1", "/some dir", "ext2", "defaults", 1, 2, ++ "/dev/hda1 /some\\040dir ext2 defaults 1 2\n"}, ++ {"device name", "/some dir", "tmpfs", "defaults", 1, 2, ++ "device\\040name /some\\040dir tmpfs defaults 1 2\n"}, ++ {" ", "/some dir", "tmpfs", "defaults", 1, 2, ++ "\\040 /some\\040dir tmpfs defaults 1 2\n"}, ++ {"\t", "/some dir", "tmpfs", "defaults", 1, 2, ++ "\\011 /some\\040dir tmpfs defaults 1 2\n"}, ++ {"\\", "/some dir", "tmpfs", "defaults", 1, 2, ++ "\\134 /some\\040dir tmpfs defaults 1 2\n"}, ++}; ++ ++static int ++do_test (void) ++{ ++ for (int i = 0; i < sizeof (tests) / sizeof (struct const_mntent); i++) ++ { ++ char buf[128]; ++ struct mntent *ret, curtest; ++ FILE *fp = fmemopen (buf, sizeof (buf), "w+"); ++ ++ if (fp == NULL) ++ { ++ printf ("Failed to open file\n"); ++ return 1; ++ } ++ ++ curtest.mnt_fsname = strdupa (tests[i].mnt_fsname); ++ curtest.mnt_dir = strdupa (tests[i].mnt_dir); ++ curtest.mnt_type = strdupa (tests[i].mnt_type); ++ curtest.mnt_opts = strdupa (tests[i].mnt_opts); ++ curtest.mnt_freq = tests[i].mnt_freq; ++ curtest.mnt_passno = tests[i].mnt_passno; ++ ++ if (addmntent (fp, &curtest) != 0) ++ { ++ support_record_failure (); ++ continue; ++ } ++ ++ TEST_COMPARE_STRING (buf, tests[i].expected); ++ ++ rewind (fp); ++ ret = getmntent (fp); ++ if (ret == NULL) ++ { ++ support_record_failure (); ++ continue; ++ } ++ ++ TEST_COMPARE_STRING(tests[i].mnt_fsname, ret->mnt_fsname); ++ TEST_COMPARE_STRING(tests[i].mnt_dir, ret->mnt_dir); ++ TEST_COMPARE_STRING(tests[i].mnt_type, ret->mnt_type); ++ TEST_COMPARE_STRING(tests[i].mnt_opts, ret->mnt_opts); ++ TEST_COMPARE(tests[i].mnt_freq, ret->mnt_freq); ++ TEST_COMPARE(tests[i].mnt_passno, 
ret->mnt_passno); ++ ++ fclose (fp); ++ } ++ ++ return 0; ++} ++ ++#include +-- +2.23.0 + diff --git a/glibc.spec b/glibc.spec index fab68f18564d3565b4e8a051aedcc55f6259ef1e..f01fff70b4d30a35b983708475a390c42c6967b1 100644 --- a/glibc.spec +++ b/glibc.spec @@ -59,7 +59,7 @@ ############################################################################## Name: glibc Version: 2.28 -Release: 49 +Release: 50 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -101,6 +101,10 @@ Patch24: backport-x86-Use-one-ldbl2mpn.c-file-for-both-i386-and-x86_64.patch Patch25: backport-Fix-CVE-2020-29573-x86-Harden-printf-against-non-normal-long-double-val.patch Patch26: backport-Fix-iconv-buffer-handling-with-IGNORE-error-handler-.patch Patch27: backport-CVE-2020-29562-iconv-Fix-incorrect-UCS4-inner-loop-bounds-BZ-26923.patch +Patch28: backport-aarch64-fix-stack-missing-after-sp-is-updated.patch +Patch29: backport-aarch64-push-the-set-of-rules-before-falling-into-sl.patch +Patch30: backport-Fix-buffer-overrun-in-EUC-KR-conversion-module-bz-24.patch +Patch31: backport-addmntent-Remove-unbounded-alloca-usage-from-getmnte.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1096,6 +1100,15 @@ fi %doc hesiod/README.hesiod %changelog +* Wed Jan 6 2021 Wang Shuo - 2.28-50 +- Fix stack missing in _dl_tlsdesc_dynamic + Fix buffer overrun in EUC-KR conversion module (bz #24973) + Remove unbounded alloca usage from getmntent [BZ#27083] + https://sourceware.org/pipermail/libc-alpha/2021-January/121272.html + https://sourceware.org/pipermail/libc-alpha/2021-January/121330.html + https://sourceware.org/bugzilla/show_bug.cgi?id=24973 + https://sourceware.org/bugzilla/show_bug.cgi?id=27083 + * Mon Dec 21 2020 Wang Shuo - 2.28-49 - Fix CVE-2020-29562, Fix incorrect UCS4 inner loop bounds (BZ#26923) https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-29562
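Review bot: The table in tst-mntent-escape.c never exercises '\n', although write_string escapes it and an unescaped newline in a field is the case that would split one mount entry into two lines of the table; special characters also appear only in mnt_fsname and mnt_dir. Add a row such as `{"\n", "/some dir", "tmpfs", "defaults", 1, 2, "\\012 /some\\040dir tmpfs defaults 1 2\n"},` and one with a space or backslash in mnt_opts, so every field that reaches write_string is covered. In do_test both `continue` paths skip `fclose (fp)`, so a failing iteration leaks the stream; close it before continuing. The comment on write_string says it escapes whitespace, but the code also escapes the backslash and always emits a three-digit octal form, so it should read `/* Write STR into STREAM followed by a space, writing space, tab, newline and backslash as \ooo octal escapes. */`.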