mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-04-03 02:02:21 +02:00
Code Issues Packages Projects Releases Wiki Activity

glibc: Security fix CVE-2021-33574

Browse Source 
Source: glibc.org
MR: 111508
Type: Security Fix
Disposition: Backport from  https://sourceware.org/git/glibc.git
ChangeID: 815edc154adc45d08d00995862409f13014f885f
Description:

This version of glibc does not have __pthread_attr_setaffinity_np so an adapted patch was taken from 2.28  (https://sourceware.org/bugzilla/attachment.cgi?id=13497) and https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb

(From OE-Core rev: d468eb9c0fa5f8fbd15abda6d0f04e3d25c50c26)

Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Armin Kuster
2021-08-19 22:27:26 -07:00
committed by Richard Purdie
parent ed4791c8b0
commit e2cb601ab6
3 changed files with 147 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

72
meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch Normal file
View File

@@ -0,0 +1,72 @@
From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Thu, 27 May 2021 12:49:47 +0200
Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
Make a deep copy of the pthread attribute object to remove a potential
use-after-free issue.
Upstream-Status: Backport
CVE: CVE-2021-33574 patch#1
Signed-off-by: Armin Kuster <akuster@mvista.com>
---
NEWS | 4 ++++
sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
2 files changed, 14 insertions(+), 5 deletions(-)
Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -7,6 +7,10 @@ using `glibc' in the "product" field.
Version 2.31.1
+ CVE-2021-33574: The mq_notify function has a potential use-after-free
+ issue when using a notification type of SIGEV_THREAD and a thread
+ attribute with a non-default affinity mask.
+
The following bugs are resolved with this release:
[19519] iconv(1) with -c option hangs on illegal multi-byte sequences
(CVE-2016-10228)
Index: git/sysdeps/unix/sysv/linux/mq_notify.c
===================================================================
--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
+++ git/sysdeps/unix/sysv/linux/mq_notify.c
@@ -135,8 +135,11 @@ helper_thread (void *arg)
(void) __pthread_barrier_wait (&notify_barrier);
}
else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
- /* The only state we keep is the copy of the thread attributes. */
- free (data.attr);
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+ }
}
return NULL;
}
@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sig
if (data.attr == NULL)
return -1;
- memcpy (data.attr, notification->sigev_notify_attributes,
- sizeof (pthread_attr_t));
+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
}
/* Construct the new request. */
@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sig
/* If it failed, free the allocated memory. */
if (__glibc_unlikely (retval != 0))
- free (data.attr);
+ {
+ pthread_attr_destroy (data.attr);
+ free (data.attr);
+ }
return retval;
}

73
meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch Normal file
View File

@@ -0,0 +1,73 @@
From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 1 Jun 2021 17:51:41 +0200
Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
__pthread_attr_copy can fail and does not initialize the attribute
structure in that case.
If __pthread_attr_copy is never called and there is no allocated
attribute, pthread_attr_destroy should not be called, otherwise
there is a null pointer dereference in rt/tst-mqueue6.
Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
("Use __pthread_attr_copy in mq_notify (bug 27896)").
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
https://sourceware.org/bugzilla/attachment.cgi?id=13497
Upstream-Status: Backport
CVE: CVE-2021-33574 patch#2
Signed-off-by: Armin Kuster &lt;akuster@mvista.com&gt;
---
Index: git/sysdeps/unix/sysv/linux/mq_notify.c
===================================================================
--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
+++ git/sysdeps/unix/sysv/linux/mq_notify.c
@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sig
if (data.attr == NULL)
return -1;
- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+ memcpy (data.attr, notification->sigev_notify_attributes,
+ sizeof (pthread_attr_t));
+
+ struct pthread_attr *source =
+ (struct pthread_attr *) (notification->sigev_notify_attributes);
+ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
+ cpu_set_t *newp;
+ cpu_set_t *cpuset = source->cpuset;
+ size_t cpusetsize = source->cpusetsize;
+
+ /* alloc a new memory for cpuset to avoid use after free */
+ if (cpuset != NULL && cpusetsize > 0)
+ {
+ newp = (cpu_set_t *) malloc (cpusetsize);
+ if (newp == NULL)
+ {
+ free(data.attr);
+ return -1;
+ }
+
+ memcpy (newp, cpuset, cpusetsize);
+ target->cpuset = newp;
+ }
+ else
+ {
+ target->cpuset = NULL;
+ target->cpusetsize = 0;
+ }
}
/* Construct the new request. */
@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sig
int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
/* If it failed, free the allocated memory. */
- if (__glibc_unlikely (retval != 0))
+ if (retval != 0 && data.attr != NULL)
{
pthread_attr_destroy (data.attr);
free (data.attr);

2
meta/recipes-core/glibc/glibc_2.31.bb
View File

@@ -67,6 +67,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0028-inject-file-assembly-directives.patch \
file://0029-locale-prevent-maybe-uninitialized-errors-with-Os-BZ.patch \
file://CVE-2020-29573.patch \
file://CVE-2021-33574_1.patch \
file://CVE-2021-33574_2.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"