diff --git a/add-enable-cve-security.patch b/add-enable-cve-security.patch new file mode 100644 index 0000000000000000000000000000000000000000..7bd9a02bf6ae145b2102bdb8d214c34c70655d8c --- /dev/null +++ b/add-enable-cve-security.patch 
@@ -0,0 +1,89 @@ +From f550587d01c47ae509ee86285bf5660e5d2ed057 Mon Sep 17 00:00:00 2001 +From: Yangyanchao +Date: Fri, 23 Aug 2024 16:05:20 +0800 +Subject: [PATCH 1/4] add --enable-cve-security + +use --enable-cve-security to fix some CVEs that may affect performance. + +Signed-off-by: Yangyanchao +--- + configure | 23 ++++++++++++++++++++--- + configure.ac | 10 ++++++++++ + 2 files changed, 30 insertions(+), 3 deletions(-) + +diff --git a/configure b/configure +index be2277b1..0b8529d0 100755 +--- a/configure ++++ b/configure +@@ -792,8 +792,9 @@ enable_pt_chown + enable_tunables + enable_mathvec + enable_cet +-enable_hugepage_shared_library + enable_scv ++enable_hugepage_shared_library ++enable_cve_security + with_cpu + ' + ac_precious_vars='build_alias +@@ -1466,11 +1467,13 @@ Optional Features: + depends on architecture] + --enable-cet enable Intel Control-flow Enforcement Technology + (CET), x86 only ++ --disable-scv syscalls will not use scv instruction, even if the ++ kernel supports it, powerpc only + --enable-hugepage-shared-library + enable shared library use huge page to decrease TLB + miss, x86_64 aarch64 only +- --disable-scv syscalls will not use scv instruction, even if the +- kernel supports it, powerpc only ++ --enable-cve-security Turn on some of the code that fixes the CVE. Note ++ that this may affect performance! + + Optional Packages: + --with-PACKAGE[=ARG] use PACKAGE [ARG=yes] +@@ -3870,6 +3873,20 @@ else + fi + + ++fi ++ ++# Check whether --enable-cve-security was given. 
++if test "${enable_cve_security+set}" = set; then : ++ enableval=$enable_cve_security; enable_cve_security=$enableval ++else ++ enable_cve_security=no ++fi ++ ++config_vars="$config_vars ++enable-cve-security = $enable_cve_security" ++if test "$enable_cve_security" = yes; then ++ $as_echo "#define CVE_SECURITY 1" >>confdefs.h ++ + fi + + # We keep the original values in `$config_*' and never modify them, so we +diff --git a/configure.ac b/configure.ac +index fa34af26..04480104 100644 +--- a/configure.ac ++++ b/configure.ac +@@ -492,6 +492,16 @@ if test "$enable_hugepage_shared_library" = yes; then + AC_SUBST(have_hugetlb_dir) + fi + ++AC_ARG_ENABLE([cve-security], ++ AC_HELP_STRING([--enable-cve-security], ++ [Turn on some of the code that fixes the CVE. Note that this may affect performance!]), ++ [enable_cve_security=$enableval], ++ [enable_cve_security=no]) ++LIBC_CONFIG_VAR([enable-cve-security], [$enable_cve_security]) ++if test "$enable_cve_security" = yes; then ++ AC_DEFINE(CVE_SECURITY) ++fi ++ + # We keep the original values in `$config_*' and never modify them, so we + # can write them unchanged into config.make. Everything else uses + # $machine, $vendor, and $os, and changes them whenever convenient. +-- +2.27.0 + diff --git a/fix-CVE-2019-1010022-BZ-22850.patch b/fix-CVE-2019-1010022-BZ-22850.patch new file mode 100644 index 0000000000000000000000000000000000000000..b2cbcd8e4e77ac0af03707816423a5ea3c178db1 --- /dev/null +++ b/fix-CVE-2019-1010022-BZ-22850.patch 
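Review bot: `AC_DEFINE(CVE_SECURITY)` in the configure.ac hunk and the matching `$as_echo "#define CVE_SECURITY 1" >>confdefs.h` in configure only put the macro into confdefs.h during the configure run; for it to reach the compiler via config.h, glibc's hand-maintained config.h.in also needs a `#undef CVE_SECURITY` template entry, and the diffstat (`2 files changed`: configure and configure.ac) shows none is added, so the `#if CVE_SECURITY` blocks in the later patches would be compiled out even with --enable-cve-security unless that template is maintained elsewhere. The follow-up patches also test `#if CVE_SECURITY` against a macro that is simply undefined when the option is off; if the tree is built with -Wundef under -Werror that fails, so consider defining it to 0 in the disabled case instead of leaving it undefined. The regenerated configure additionally reorders `enable_hugepage_shared_library`/`enable_scv` and their help text relative to configure.ac, which suggests it was regenerated from a different configure.ac state; regenerate so that only the new option appears in the hunks. The help string could also name the CVEs the option covers so users can weigh the stated performance cost.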
@@ -0,0 +1,35 @@ +From d3e7d0aae1c87ed05f076a2270c51c67dc25e3bf Mon Sep 17 00:00:00 2001 +From: Yangyanchao +Date: Fri, 23 Aug 2024 14:41:54 +0800 +Subject: [PATCH 2/4] fix CVE-2019-1010022[#BZ 22850] + +In the x86 architecture, delete thr marco THREAD_SET_STACK_GUARD, so +that the stack protection variable can use the global variable instead +of the local variable to avoid CVE-2019-1010022. + +Signed-off-by: Yangyanchao +--- + sysdeps/x86_64/nptl/tls.h | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/sysdeps/x86_64/nptl/tls.h b/sysdeps/x86_64/nptl/tls.h +index 3af1836e..300fea41 100644 +--- a/sysdeps/x86_64/nptl/tls.h ++++ b/sysdeps/x86_64/nptl/tls.h +@@ -198,11 +198,13 @@ _Static_assert (offsetof (tcbhead_t, __glibc_unused2) == 0x80, + # include + + /* Set the stack guard field in TCB head. */ ++#if !CVE_SECURITY + # define THREAD_SET_STACK_GUARD(value) \ + THREAD_SETMEM (THREAD_SELF, header.stack_guard, value) + # define THREAD_COPY_STACK_GUARD(descr) \ + ((descr)->header.stack_guard \ + = THREAD_GETMEM (THREAD_SELF, header.stack_guard)) ++#endif + + + /* Set the pointer guard field in the TCB head. */ +-- +2.27.0 + diff --git a/fix-CVE-2019-1010024-BZ-22852.patch b/fix-CVE-2019-1010024-BZ-22852.patch new file mode 100644 index 0000000000000000000000000000000000000000..a492f9bce51f21da617662758ffc09569038e9b9 --- /dev/null +++ b/fix-CVE-2019-1010024-BZ-22852.patch 
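Review bot: Wrapping THREAD_SET_STACK_GUARD/THREAD_COPY_STACK_GUARD in `#if !CVE_SECURITY` only stops glibc from writing the canary into `header.stack_guard`; it does not make compiled code read the global instead. On x86_64 the compiler's default stack-protector sequence (`-mstack-protector-guard=tls`) loads the canary from that TCB field, which this hunk now leaves at its initial value (zero, as far as I can tell), so unless glibc and every program are built with `-mstack-protector-guard=global` the practical effect is a constant canary rather than a global one — please confirm and document the required compiler flag, or keep setting the TCB field as well. The existing `/* Set the stack guard field in TCB head.  */` comment now precedes a conditional and should say why the definitions disappear, e.g. `/* With --enable-cve-security the generic code falls back to the global __stack_chk_guard (BZ 22850); requires -mstack-protector-guard=global on x86_64.  */`.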
@@ -0,0 +1,35 @@ +From f7e00e32656170684016bf3223ee280931bb44e1 Mon Sep 17 00:00:00 2001 +From: Yangyanchao +Date: Fri, 23 Aug 2024 16:54:02 +0800 +Subject: [PATCH 4/4] fix CVE-2019-1010024[#BZ 22852] + +Set __nptl_stack_cache_maxsize to zero to circumvent CVE-2019-1010024 +Another way to get around this is to set the environment variable +``` +export GLIBC_TUNABLES="glibc.pthread.stack_cache_size=0". +``` + +Signed-off-by: Yangyanchao +--- + nptl/nptl-stack.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/nptl/nptl-stack.c b/nptl/nptl-stack.c +index 3f33a4c2..e2112299 100644 +--- a/nptl/nptl-stack.c ++++ b/nptl/nptl-stack.c +@@ -21,7 +21,11 @@ + #include + #include + ++#if CVE_SECURITY ++size_t __nptl_stack_cache_maxsize = 0; ++#else + size_t __nptl_stack_cache_maxsize = 40 * 1024 * 1024; ++#endif + + void + __nptl_stack_list_del (list_t *elem) +-- +2.27.0 + diff --git a/fix-CVE-2019-1010025-BZ-22853.patch b/fix-CVE-2019-1010025-BZ-22853.patch new file mode 100644 index 0000000000000000000000000000000000000000..d2d4c844d8fa345de233d18dad40d8f889d01c29 --- /dev/null +++ b/fix-CVE-2019-1010025-BZ-22853.patch 
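Review bot: The new zero initializer is only the compile-time starting value of `__nptl_stack_cache_maxsize`; as the commit message itself notes, the same variable is driven by the `glibc.pthread.stack_cache_size` tunable, so a `GLIBC_TUNABLES` setting (if pthread_mutex_conf.c applies it through the usual callback) re-enables the cache at runtime even in the hardened build — either clamp it in the tunable callback or state in a comment that the option is a default, not a limit. A short comment above the `#if` should also record the rationale so a maintainer does not "fix" the odd default, e.g. `/* --enable-cve-security disables the thread stack cache (CVE-2019-1010024, BZ 22852); see also glibc.pthread.stack_cache_size.  */`.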
@@ -0,0 +1,98 @@ +From 074fa72fa6a4edb2f5378a1e05cb4c29bc1ccca2 Mon Sep 17 00:00:00 2001 +From: Yangyanchao +Date: Fri, 23 Aug 2024 15:01:05 +0800 +Subject: [PATCH 3/4] fix CVE-2019-1010025[#BZ 22853] + +removes the need to align arenas to HEAP_MAX_SIZE by +changing the macro heap_for_ptr(ptr). Arenas are randomized with the +same entropy than the rest of mmaped objects. The entropy to randomize +the thread's arenas is obtained from the ASLR value of the libraries, +by using the address of the __arena_rnd: + +__arena_rnd = ((unsigned long)&__arena_rnd) & (HEAP_MAX_SIZE-1) & + ~(pagesize-1); + +This way, if the user disables ASLR (via randomize_va_space, setarch +-R, or when using gdb), the entropy of the arena is also automatically +disabled. + +Summary of the patch features: + +*- Does not change the allocation policy. +*- Does not add new data structures (only a long variable). +*- The temporal overhead is almost undetectable (just 2 more cpu + instructions per free: one "add" and one "or"). malloc is not + affected. +*- It is fully backward compatible. +*- It restores completely, the ASLR entropy to thread's heaps. 
+--- + malloc/arena.c | 27 ++++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/malloc/arena.c b/malloc/arena.c +index e99596a9..d32ffa33 100644 +--- a/malloc/arena.c ++++ b/malloc/arena.c +@@ -150,11 +150,18 @@ static bool __malloc_initialized = false; + + /* find the heap and corresponding arena for a given ptr */ + ++#if CVE_SECURITY ++static unsigned long __arena_rnd; ++#endif + static inline heap_info * + heap_for_ptr (void *ptr) + { + size_t max_size = heap_max_size (); ++#if CVE_SECURITY ++ return ((heap_info *) ((((unsigned long) ptr - __arena_rnd) & ~(max_size - 1)) | __arena_rnd)); ++#else + return PTR_ALIGN_DOWN (ptr, max_size); ++#endif + } + + static inline struct malloc_state * +@@ -324,6 +331,13 @@ ptmalloc_init (void) + + __malloc_initialized = true; + ++#if CVE_SECURITY ++ size_t pagesize = GLRO (dl_pagesize); ++ /* Get the entropy from the already existing ASLR. */ ++ __arena_rnd = ((unsigned long)&__arena_rnd) & (heap_max_size () - 1) & ++ ~(pagesize - 1); ++#endif ++ + #if USE_TCACHE + tcache_key_initialize (); + #endif +@@ -527,6 +541,13 @@ alloc_new_heap (size_t size, size_t top_pad, size_t pagesize, + { + p2 = (char *) (((unsigned long) p1 + (max_size - 1)) + & ~(max_size - 1)); ++#if CVE_SECURITY ++ /* The heap_info is at a random offset from the alignment to ++ max_size. */ ++ p2 = (char *) ((unsigned long) p2 | __arena_rnd); ++ if (p1 + HEAP_MAX_SIZE <= p2) ++ p2 -= max_size; ++#endif + ul = p2 - p1; + if (ul) + __munmap (p1, ul); +@@ -542,7 +563,11 @@ alloc_new_heap (size_t size, size_t top_pad, size_t pagesize, + if (p2 == MAP_FAILED) + return 0; + +- if ((unsigned long) p2 & (max_size - 1)) ++ if ((unsigned long) p2 & (max_size - 1) ++#if CVE_SECURITY ++ != __arena_rnd ++#endif ++ ) + { + __munmap (p2, max_size); + return 0; +-- +2.27.0 + diff --git a/glibc.spec b/glibc.spec index f837071a51638f0196d5cc4797ce017ae6277828..15cd835b3780994d72ed17b75af20dc0dbafc735 100644 --- a/glibc.spec 
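Review bot: The alignment check in the last alloc_new_heap hunk is broken by operator precedence: with CVE_SECURITY the condition reads `(unsigned long) p2 & (max_size - 1) != __arena_rnd`, and `!=` binds tighter than `&`, so it evaluates `p2 & ((max_size - 1) != __arena_rnd)`, i.e. `p2 & 1`, which is 0 for any page-aligned mapping — the misalignment check never fires (GCC's -Wparentheses also warns here). Parenthesize the mask in the shared first line, `if (((unsigned long) p2 & (max_size - 1))`, so both the plain and the `!= __arena_rnd` variants are correct. In the earlier hunk, `if (p1 + HEAP_MAX_SIZE <= p2) p2 -= max_size;` mixes `HEAP_MAX_SIZE` with the `max_size` used everywhere else in the function; if heap_max_size() can exceed HEAP_MAX_SIZE the subtraction moves p2 below p1, outside the `2 * max_size` mapping, so it should read `if (p1 + max_size <= p2)`. `__arena_rnd` is derived from heap_max_size() at the point in ptmalloc_init shown; if tunables that influence heap_max_size() are read later in that function (outside this hunk), confirm the mask matches the size alloc_new_heap later uses.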
+++ b/glibc.spec @@ -71,7 +71,7 @@ ############################################################################## Name: glibc Version: 2.34 -Release: 157 +Release: 158 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -360,6 +360,10 @@ Patch9049: Check-the-validity-of-len-before-mmap.patch Patch9050: change-hugepageedit-from-dynamic-link-to-static-link.patch Patch9051: elf-the-hugepage-feature-of-dynamic-library-keep-com.patch Patch9052: elf-add-some-debug-info-for-dynamic-library-hugepage.patch +Patch9052: add-enable-cve-security.patch +Patch9053: fix-CVE-2019-1010022-BZ-22850.patch +Patch9054: fix-CVE-2019-1010025-BZ-22853.patch +Patch9055: fix-CVE-2019-1010024-BZ-22852.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -1535,6 +1539,12 @@ fi %endif %changelog +* Fri Aug 23 2024 Yang Yanchao - 2.34-158 +- Type:CVE +- ID:CVE-2019-1010022 CVE-2019-1010025 CVE-2019-1010024 +- SUG:NA +- DESC:add --enable-cve-security;fix CVE-2019-1010022,CVE-2019-1010024,CVE-2019-1010025 + * Tue Aug 20 2024 shixuantong - 2.34-157 - Type:bugfix - ID:
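Review bot: The new patch list reuses tag `Patch9052`, already taken by `elf-add-some-debug-info-for-dynamic-library-hugepage.patch` on the preceding line, so the four new entries should be `Patch9053`–`Patch9056`; depending on the rpm version a duplicate number is either a build error or silently resolved to the last definition, and any `%patch -P 9052` reference becomes ambiguous. Nothing in this diff passes `--enable-cve-security` to configure, so unless the %build section already does, the three CVE patches are compiled out and the changelog line "fix CVE-2019-1010022,CVE-2019-1010024,CVE-2019-1010025" overstates what the package ships; either enable the option in %build or word the changelog as adding an opt-in configure switch.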