fix CVE-2021-33574
(cherry picked from commit 4297578f6cf7814cfeace0841be643edb5869e43)
This commit is contained in:
liqingqing_1229
openeuler-sync-bot
parent
3be50fb541
commit
15893e323a
73
backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
Normal file
73
backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
Normal file
@ -0,0 +1,73 @@
|
||||
From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
|
||||
From: Andreas Schwab <schwab@linux-m68k.org>
|
||||
Date: Thu, 27 May 2021 12:49:47 +0200
|
||||
Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
|
||||
|
||||
Make a deep copy of the pthread attribute object to remove a potential
|
||||
use-after-free issue.
|
||||
Conflict:NA
|
||||
Reference:https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
|
||||
|
||||
---
|
||||
NEWS | 4 ++++
|
||||
sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
|
||||
2 files changed, 14 insertions(+), 5 deletions(-)
|
||||
|
||||
diff --git a/NEWS b/NEWS
|
||||
index eb31aca6..9dff5e82 100644
|
||||
--- a/NEWS
|
||||
+++ b/NEWS
|
||||
@@ -224,6 +224,10 @@ Changes to build and runtime requirements:
|
||||
|
||||
Security related changes:
|
||||
|
||||
+ CVE-2021-33574: The mq_notify function has a potential use-after-free
|
||||
+ issue when using a notification type of SIGEV_THREAD and a thread
|
||||
+ attribute with a non-default affinity mask.
|
||||
+
|
||||
CVE-2016-6261, CVE-2016-6263, CVE-2017-14062: Various vulnerabilities have
|
||||
been fixed by removing the glibc-internal IDNA implementation and using
|
||||
the system-provided libidn2 library instead. Originally reported by Hanno
|
||||
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
index 3563e82c..c4091169 100644
|
||||
--- a/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
@@ -135,8 +135,11 @@ helper_thread (void *arg)
|
||||
(void) __pthread_barrier_wait (¬ify_barrier);
|
||||
}
|
||||
else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
|
||||
- /* The only state we keep is the copy of the thread attributes. */
|
||||
- free (data.attr);
|
||||
+ {
|
||||
+ /* The only state we keep is the copy of the thread attributes. */
|
||||
+ pthread_attr_destroy (data.attr);
|
||||
+ free (data.attr);
|
||||
+ }
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
|
||||
if (data.attr == NULL)
|
||||
return -1;
|
||||
|
||||
- memcpy (data.attr, notification->sigev_notify_attributes,
|
||||
- sizeof (pthread_attr_t));
|
||||
+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
|
||||
}
|
||||
|
||||
/* Construct the new request. */
|
||||
@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
|
||||
|
||||
/* If it failed, free the allocated memory. */
|
||||
if (__glibc_unlikely (retval != 0))
|
||||
- free (data.attr);
|
||||
+ {
|
||||
+ pthread_attr_destroy (data.attr);
|
||||
+ free (data.attr);
|
||||
+ }
|
||||
|
||||
return retval;
|
||||
}
|
||||
--
|
||||
2.23.0
|
||||
|
||||
77
backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
Normal file
77
backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
Normal file
@ -0,0 +1,77 @@
|
||||
From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Tue, 1 Jun 2021 17:51:41 +0200
|
||||
Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896)
|
||||
|
||||
__pthread_attr_copy can fail and does not initialize the attribute
|
||||
structure in that case.
|
||||
|
||||
If __pthread_attr_copy is never called and there is no allocated
|
||||
attribute, pthread_attr_destroy should not be called, otherwise
|
||||
there is a null pointer dereference in rt/tst-mqueue6.
|
||||
|
||||
Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
|
||||
("Use __pthread_attr_copy in mq_notify (bug 27896)").
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
note that this patch has few modifications to adapt glibc2.28
|
||||
|
||||
Conflict:NA
|
||||
Reference:https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
|
||||
---
|
||||
sysdeps/unix/sysv/linux/mq_notify.c | 31 +++++++++++++++++++++++++++--
|
||||
1 file changed, 29 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
index c4091169..76963567 100644
|
||||
--- a/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
|
||||
@@ -260,7 +260,34 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
|
||||
if (data.attr == NULL)
|
||||
return -1;
|
||||
|
||||
- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
|
||||
+ memcpy (data.attr, notification->sigev_notify_attributes,
|
||||
+ sizeof (pthread_attr_t));
|
||||
+
|
||||
+ struct pthread_attr *source =
|
||||
+ (struct pthread_attr *) (notification->sigev_notify_attributes);
|
||||
+ struct pthread_attr *target = (struct pthread_attr *) (data.attr);
|
||||
+ cpu_set_t *newp;
|
||||
+ cpu_set_t *cpuset = source->cpuset;
|
||||
+ size_t cpusetsize = source->cpusetsize;
|
||||
+
|
||||
+ /* alloc a new memory for cpuset to avoid use after free */
|
||||
+ if (cpuset != NULL && cpusetsize > 0)
|
||||
+ {
|
||||
+ newp = (cpu_set_t *) malloc (cpusetsize);
|
||||
+ if (newp == NULL)
|
||||
+ {
|
||||
+ free(data.attr);
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ memcpy (newp, cpuset, cpusetsize);
|
||||
+ target->cpuset = newp;
|
||||
+ }
|
||||
+ else
|
||||
+ {
|
||||
+ target->cpuset = NULL;
|
||||
+ target->cpusetsize = 0;
|
||||
+ }
|
||||
}
|
||||
|
||||
/* Construct the new request. */
|
||||
@@ -273,7 +300,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
|
||||
int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
|
||||
|
||||
/* If it failed, free the allocated memory. */
|
||||
- if (__glibc_unlikely (retval != 0))
|
||||
+ if (retval != 0 && data.attr != NULL)
|
||||
{
|
||||
pthread_attr_destroy (data.attr);
|
||||
free (data.attr);
|
||||
--
|
||||
2.23.0
|
||||
|
||||
@ -59,7 +59,7 @@
|
||||
##############################################################################
|
||||
Name: glibc
|
||||
Version: 2.28
|
||||
Release: 67
|
||||
Release: 68
|
||||
Summary: The GNU libc libraries
|
||||
License: %{all_license}
|
||||
URL: http://www.gnu.org/software/glibc/
|
||||
@ -124,6 +124,8 @@ Patch40: backport-0002-nptl-Add-clockid-parameter-to-futex-timed-wait-calls.patc
|
||||
Patch41: backport-0003-support-Add-timespec.h-xtime.h.patch
|
||||
Patch42: backport-0004-nptl-Add-POSIX-proposed-pthread_cond_clockwait.patch
|
||||
Patch43: backport-rtld-Avoid-using-up-static-TLS-surplus-for-optimizat.patch
|
||||
Patch44: backport-CVE-2021-33574-0001-Fix-mq_notify-bug-27896.patch
|
||||
Patch45: backport-CVE-2021-33574-0002-Fix-mq_notify-bug-27896.patch
|
||||
|
||||
Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
|
||||
|
||||
@ -1148,6 +1150,10 @@ fi
|
||||
%doc hesiod/README.hesiod
|
||||
|
||||
%changelog
|
||||
* Sat Jun 5 2021 Qingqing Li<liqingqing3@huawei.com> - 2.28-68
|
||||
- fix CVE-2021-33574, fix use of __pthread_attr_copy in mq_notify (bug 27896)
|
||||
https://sourceware.org/bugzilla/show_bug.cgi?id=27896
|
||||
|
||||
* Mon May 17 2021 xujing<17826839720@163.com> - 2.28-67
|
||||
- Avoid using up static TLS surplus to fix graphical install error
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user