Projects
Mega:23.09
glibc
Sign Up
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 3
View file
_service:tar_scm:glibc.spec
Changed
@@ -48,7 +48,7 @@ %undefine with_valgrind %endif -%global ENABLE_RELOC 0 +%global ENABLE_RELOC 1 # Only some architectures have static PIE support %define pie_arches %{ix86} x86_64 aarch64 @@ -67,7 +67,7 @@ ############################################################################## Name: glibc Version: 2.38 -Release: 8 +Release: 16 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -86,6 +86,50 @@ %endif Patch0: glibc-1070416.patch +Patch1: stdlib-Improve-tst-realpath-compatibility-with-sourc.patch +Patch2: 0001-x86-Fix-for-cache-computation-on-AMD-legacy-cpus.patch +Patch3: 0002-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch +Patch4: 0003-x86-Fix-incorrect-scope-of-setting-shared_per_thread.patch +Patch5: 0004-x86_64-Fix-build-with-disable-multiarch-BZ-30721.patch +Patch6: 0005-i686-Fix-build-with-disable-multiarch.patch +Patch7: 0006-malloc-Enable-merging-of-remainders-in-memalign-bug-.patch +Patch8: 0007-malloc-Remove-bin-scanning-from-memalign-bug-30723.patch +Patch9: 0008-sysdeps-tst-bz21269-fix-test-parameter.patch +Patch10: 0009-sysdeps-tst-bz21269-handle-ENOSYS-skip-appropriately.patch +Patch11: 0010-sysdeps-tst-bz21269-fix-Wreturn-type.patch +Patch12: 0011-io-Fix-record-locking-contants-for-powerpc64-with-__.patch +Patch13: 0012-libio-Fix-oversized-__io_vtables.patch +Patch14: 0001-elf-Do-not-run-constructors-for-proxy-objects.patch +Patch15: 0002-elf-Always-call-destructors-in-reverse-constructor-o.patch +Patch16: 0003-elf-Remove-unused-l_text_end-field-from-struct-link_.patch +Patch17: 0004-elf-Move-l_init_called_next-to-old-place-of-l_text_e.patch +Patch18: 0005-NEWS-Add-the-2.38.1-bug-list.patch +Patch19: CVE-2023-4527-Stack-read-overflow-with-large-TCP-res.patch +Patch20: 0001-getaddrinfo-Fix-use-after-free-in-getcanonname-CVE-2.patch +Patch21: 0002-iconv-restore-verbosity-with-unrecognized-encoding-n.patch +Patch22: 0003-string-Fix-tester-build-with-fortify-enable-with-gcc.patch +Patch23: 0004-manual-jobs.texi-Add-missing-item-EPERM-for-getpgid.patch +Patch24: 0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV.patch +Patch25: 0002-Document-CVE-2023-4806-and-CVE-2023-5156-in-NEWS.patch +Patch26: 0003-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch +Patch27: 0004-tunables-Terminate-if-end-of-input-is-reached-CVE-20.patch +Patch28: 0001-Revert-elf-Remove-unused-l_text_end-field-from-struc.patch +Patch29: 0002-Revert-elf-Always-call-destructors-in-reverse-constr.patch +Patch30: 0003-Revert-elf-Move-l_init_called_next-to-old-place-of-l.patch +Patch31: sysdeps-sem_open-Clear-O_CREAT-when-semaphore-file-i.patch +Patch32: elf-Fix-wrong-break-removal-from-8ee878592c.patch +Patch33: backport-elf-Handle-non-directory-name-in-search-path-BZ-3103.patch +Patch34: LoongArch-Delete-excessively-allocated-memory.patch +Patch35: elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch +Patch36: elf-Add-TLS-modid-reuse-test-for-bug-29039.patch +Patch37: x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch +Patch38: x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch +Patch39: NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch +Patch40: NEWS-Mention-bug-fixes-for-30745-30843.patch +Patch41: getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch +Patch42: libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch +Patch43: elf-Add-a-way-to-check-if-tunable-is-set-BZ-27069.patch +Patch44: malloc-Improve-MAP_HUGETLB-with-glibc.malloc.hugetlb.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch @@ -104,12 +148,13 @@ Patch9014: strcmp-delete-align-for-loop_aligned.patch Patch9015: add-pthread_cond_clockwait-GLIBC_2_28.patch Patch9016: add-GB18030-2022-charmap-BZ-30243.patch -Patch9017: 0001-Optimizing-__random-for-single-threaded-scenarios.patch +Patch9017: fix-Segmentation-fault-in-nss-module.patch +Patch9018: fix_nss_database_check_reload_and_get_memleak.patch +Patch9019: 0001-fix-glibc-build-error-on-x86.patch %if %{ENABLE_RELOC} -Patch9018: reserve-relocation-information-for-sysboost.patch +Patch9021: reserve-relocation-information-for-sysboost.patch %endif -Patch9019: 0001-fix-glibc-build-error-on-x86.patch Provides: ldconfig rtld(GNU_HASH) bundled(gnulib) @@ -495,6 +540,9 @@ { cat config.log; false; } make %{?_smp_mflags} -O -r %{glibc_make_flags} +%if %{ENABLE_RELOC} +objreloc libc.so.6 +%endif popd ############################################################################## @@ -688,6 +736,11 @@ -i $i done +%if %{ENABLE_RELOC} +mkdir -p ${RPM_BUILD_ROOT}/usr/lib/relocation/%{_libdir} +install -p ${RPM_BUILD_DIR}/%{name}-%{version}/build-%{target}/libc.so.6.relocation ${RPM_BUILD_ROOT}/usr/lib/relocation/%{_libdir} +%endif + touch master.filelist touch glibc.filelist touch common.filelist @@ -806,6 +859,7 @@ | grep -v '/lib\(\(c\|pthread\|nldbl\|mvec\)_nonshared\|g\|ieee\|mcheck\)\.a$' \ >> devel.filelist +sed -i '/.relocation/d' devel.filelist ############################################################################## # glibc "nscd" sub-package @@ -868,14 +922,6 @@ echo "%{_libdir}/libpthread_nonshared.a" >> compat-2.17.filelist %endif -%if %{ENABLE_RELOC} -pushd build-%{target} -objreloc libc.so.6 -mkdir -p ${RPM_BUILD_ROOT}/usr/lib/relocation/%{_libdir} -install -p ${RPM_BUILD_DIR}/%{name}-%{version}/build-%{target}/libc.so.6.relocation ${RPM_BUILD_ROOT}/usr/lib/relocation/%{_libdir} -popd -%endif - reliantlib="" function findReliantLib() @@ -1262,6 +1308,13 @@ %attr(0600,root,root) %verify(not md5 size mtime) %ghost %config(missingok,noreplace) /var/db/nscd/services %ghost %config(missingok,noreplace) /etc/sysconfig/nscd +%if %{ENABLE_RELOC} +%files relocation +%dir %attr(500, root, root) /usr/lib/relocation +%dir %attr(500, root, root) /usr/lib/relocation/%{_libdir} +%attr(400, root, root) /usr/lib/relocation/%{_libdir}/libc.so.6.relocation +%endif + %files -f nss_modules.filelist -n nss_modules /var/db/Makefile @@ -1289,29 +1342,55 @@ %files -f compat-2.17.filelist compat-2.17 %endif -%if %{ENABLE_RELOC} -%files relocation -%attr(400, root, root) /usr/lib/relocation/%{_libdir}/libc.so.6.relocation -%endif - %changelog -* Thu Sep 14 2023 yangpan<yangpan51@huawei.com> - 2.38-8 -- disable sysboost +* Sat Jan 13 Qingqing Li <liqingqing3@huawei.com> - 2.38-17 +- elf: Add a way to check if tunable is set (BZ 27069) +- malloc: Improve MAPE_HUGETLB with glibc.malloc.hugetlb=2 + +* Wed Jan 3 Qingqing Li <liqingqing3@huawei.com> - 2.38-16 +- backport patches from glibc upstream 2.38 branch + +* Thu Dec 14 shixuantong <shixuantong1@huawei.com> - 2.38-15 +- elf: Handle non-directory name in search path (BZ 31035) -* Tue Sep 12 2023 yangpan<yangpan51@huawei.com> - 2.38-7 -- revert fix issues about not stripped +* Fri Dec 8 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-14 +- elf: Fix wrong break removal from 8ee878592c -* Mon Sep 11 2023 yangpan<yangpan51@huawei.com> - 2.38-6 -- fix issues about not stripped +* Thu Dec 7 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-13 +- sysdeps: sem_open: Clear O_CREAT when semaphore file is + expected to exist BZ #30789 -* Mon Aug 28 2023 liutie<liutie4@huawei.com> - 2.38-5 -- fix issues about glibc-devel have libc.so.6.relocation +* Tue Oct 24 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-12 +- weekly backport patches from glibc upstream 2.38 branch + +* Sat Oct 7 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-11 +- backport patches from glibc upstream 2.38 branch + +* Sat Sep 16 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-10 +- backport patches from glibc upstream 2.38 branch +- revert some customization modification + +* Fri Sep 15 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-9 +- fix CVE-2023-4527 + +* Mon Sep 11 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-8 +- backport patches from glibc upstream 2.38 branch + +* Mon Sep 11 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-7 +- backport patches from glibc upstream 2.38 branch + +* Mon Sep 11 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-6
View file
_service:tar_scm:0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV.patch
Added
@@ -0,0 +1,98 @@ +From 5ee59ca371b99984232d7584fe2b1a758b4421d3 Mon Sep 17 00:00:00 2001 +From: Romain Geissler <romain.geissler@amadeus.com> +Date: Mon, 25 Sep 2023 01:21:51 +0100 +Subject: PATCH 1/4 Fix leak in getaddrinfo introduced by the fix for + CVE-2023-4806 BZ #30843 + +This patch fixes a very recently added leak in getaddrinfo. + +This was assigned CVE-2023-5156. + +Resolves: BZ #30884 +Related: BZ #30842 + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796) +--- + nss/Makefile | 20 ++++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 3 +++ + sysdeps/posix/getaddrinfo.c | 4 +--- + 3 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/nss/Makefile b/nss/Makefile +index 8a5126ecf3..668ba34b18 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -149,6 +149,15 @@ endif + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os + ++ifeq ($(run-built-tests),yes) ++ifneq (no,$(PERL)) ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out ++endif ++endif ++ ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ ++ tst-nss-gai-hv2-canonname.mtrace ++ + include ../Rules + + ifeq (yes,$(have-selinux)) +@@ -217,6 +226,17 @@ endif + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so + ++tst-nss-gai-hv2-canonname-ENV = \ ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ ++ $(objpfx)tst-nss-gai-hv2-canonname.out ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ ++ && $(common-objpfx)malloc/mtrace \ ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ ++ $(evaluate-test) ++ + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS + # functions can load testing NSS modules via DT_RPATH. + LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +index d5f10c07d6..7db53cf09d 100644 +--- a/nss/tst-nss-gai-hv2-canonname.c ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -21,6 +21,7 @@ + #include <netdb.h> + #include <stdlib.h> + #include <string.h> ++#include <mcheck.h> + #include <support/check.h> + #include <support/xstdio.h> + #include "nss/tst-nss-gai-hv2-canonname.h" +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) + static int + do_test (void) + { ++ mtrace (); ++ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index b2236b105c..13082305d3 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1196,9 +1196,7 @@ free_and_return: + if (malloc_name) + free ((char *) name); + free (addrmem); +- if (res.free_at) +- free (res.at); +- free (res.canon); ++ gaih_result_reset (&res); + + return result; + } +-- +2.33.0 +
View file
_service:tar_scm:0001-Optimizing-__random-for-single-threaded-scenarios.patch
Deleted
@@ -1,44 +0,0 @@ -From f54e1ddea12343991b402abf28be2b94ffbac2c5 Mon Sep 17 00:00:00 2001 -From: Tian Tao <tiantao6@hisilicon.com> -Date: Tue, 11 Jul 2023 08:42:56 +0800 -Subject: PATCH Optimizing __random for single-threaded scenarios - -The __random function does not need to be locked by __libc_lock_lock and -unlocked by __libc_lock_unlock in a single-threaded scenario, so we can -remove these locks in a single-threaded scenario to improve performance. - -Signed-off-by: Tian Tao <tiantao6@hisilicon.com> ---- - stdlib/random.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/stdlib/random.c b/stdlib/random.c -index 62f22fac8d..9035df8d18 100644 ---- a/stdlib/random.c -+++ b/stdlib/random.c -@@ -288,11 +288,19 @@ __random (void) - { - int32_t retval; - -- __libc_lock_lock (lock); -+ if (__libc_single_threaded) { - -- (void) __random_r (&unsafe_state, &retval); -+ (void) __random_r (&unsafe_state, &retval); - -- __libc_lock_unlock (lock); -+ } else { -+ -+ __libc_lock_lock (lock); -+ -+ (void) __random_r (&unsafe_state, &retval); -+ -+ __libc_lock_unlock (lock); -+ -+ } - - return retval; - } --- -2.33.0 -
View file
_service:tar_scm:0001-Revert-elf-Remove-unused-l_text_end-field-from-struc.patch
Added
@@ -0,0 +1,135 @@ +From e0b6c9706c91a642c781918eea52588ee8dc9f09 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Wed, 18 Oct 2023 14:22:59 +0200 +Subject: PATCH 1/3 Revert "elf: Remove unused l_text_end field from struct + link_map" + +This reverts commit 750f19526ae71aac801c77a3f7ef5374890c09b7. + +Reason for revert: Restore ABI after revert of commit a3189f66a5f. +--- + elf/dl-load.c | 2 +- + elf/dl-load.h | 7 +++++-- + elf/rtld.c | 6 ++++++ + elf/setup-vdso.h | 4 ++++ + include/link.h | 2 ++ + 5 files changed, 18 insertions(+), 3 deletions(-) + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 2923b1141d..9a87fda9c9 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1253,7 +1253,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + + /* Now process the load commands and map segments into memory. + This is responsible for filling in: +- l_map_start, l_map_end, l_addr, l_contiguous, l_phdr ++ l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr + */ + errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds, + maplength, has_holes, loader); +diff --git a/elf/dl-load.h b/elf/dl-load.h +index 1d5207694b..ecf6910c68 100644 +--- a/elf/dl-load.h ++++ b/elf/dl-load.h +@@ -83,11 +83,14 @@ struct loadcmd + + /* This is a subroutine of _dl_map_segments. It should be called for each + load command, some time after L->l_addr has been set correctly. It is +- responsible for setting the l_phdr fields */ ++ responsible for setting up the l_text_end and l_phdr fields. */ + static __always_inline void + _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + const struct loadcmd *c) + { ++ if (c->prot & PROT_EXEC) ++ l->l_text_end = l->l_addr + c->mapend; ++ + if (l->l_phdr == 0 + && c->mapoff <= header->e_phoff + && ((size_t) (c->mapend - c->mapstart + c->mapoff) +@@ -100,7 +103,7 @@ _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + + /* This is a subroutine of _dl_map_object_from_fd. It is responsible + for filling in several fields in *L: l_map_start, l_map_end, l_addr, +- l_contiguous, l_phdr. On successful return, all the ++ l_contiguous, l_text_end, l_phdr. On successful return, all the + segments are mapped (or copied, or whatever) from the file into their + final places in the address space, with the correct page permissions, + and any bss-like regions already zeroed. It returns a null pointer +diff --git a/elf/rtld.c b/elf/rtld.c +index 5107d16fe3..a91e2a4471 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -477,6 +477,7 @@ _dl_start_final (void *arg, struct dl_start_final_info *info) + GL(dl_rtld_map).l_real = &GL(dl_rtld_map); + GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start; + GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end; ++ GL(dl_rtld_map).l_text_end = (ElfW(Addr)) _etext; + /* Copy the TLS related data if necessary. */ + #ifndef DONT_USE_BOOTSTRAP_MAP + # if NO_TLS_OFFSET != 0 +@@ -1118,6 +1119,7 @@ rtld_setup_main_map (struct link_map *main_map) + bool has_interp = false; + + main_map->l_map_end = 0; ++ main_map->l_text_end = 0; + /* Perhaps the executable has no PT_LOAD header entries at all. */ + main_map->l_map_start = ~0; + /* And it was opened directly. */ +@@ -1209,6 +1211,8 @@ rtld_setup_main_map (struct link_map *main_map) + allocend = main_map->l_addr + ph->p_vaddr + ph->p_memsz; + if (main_map->l_map_end < allocend) + main_map->l_map_end = allocend; ++ if ((ph->p_flags & PF_X) && allocend > main_map->l_text_end) ++ main_map->l_text_end = allocend; + + /* The next expected address is the page following this load + segment. */ +@@ -1268,6 +1272,8 @@ rtld_setup_main_map (struct link_map *main_map) + = (char *) main_map->l_tls_initimage + main_map->l_addr; + if (! main_map->l_map_end) + main_map->l_map_end = ~0; ++ if (! main_map->l_text_end) ++ main_map->l_text_end = ~0; + if (! GL(dl_rtld_map).l_libname && GL(dl_rtld_map).l_name) + { + /* We were invoked directly, so the program might not have a +diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h +index d92b12a7aa..0079842d1f 100644 +--- a/elf/setup-vdso.h ++++ b/elf/setup-vdso.h +@@ -51,6 +51,9 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_addr = ph->p_vaddr; + if (ph->p_vaddr + ph->p_memsz >= l->l_map_end) + l->l_map_end = ph->p_vaddr + ph->p_memsz; ++ if ((ph->p_flags & PF_X) ++ && ph->p_vaddr + ph->p_memsz >= l->l_text_end) ++ l->l_text_end = ph->p_vaddr + ph->p_memsz; + } + else + /* There must be no TLS segment. */ +@@ -59,6 +62,7 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_map_start = (ElfW(Addr)) GLRO(dl_sysinfo_dso); + l->l_addr = l->l_map_start - l->l_addr; + l->l_map_end += l->l_addr; ++ l->l_text_end += l->l_addr; + l->l_ld = (void *) ((ElfW(Addr)) l->l_ld + l->l_addr); + elf_get_dynamic_info (l, false, false); + _dl_setup_hash (l); +diff --git a/include/link.h b/include/link.h +index 686813f281..a02d5f2eba 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -253,6 +253,8 @@ struct link_map + /* Start and finish of memory map for this object. l_map_start + need not be the same as l_addr. */ + ElfW(Addr) l_map_start, l_map_end; ++ /* End of the executable part of the mapping. */ ++ ElfW(Addr) l_text_end; + + /* Linked list of objects in reverse ELF constructor execution + order. Head of list is stored in _dl_init_called_list. */ +-- +2.33.0 +
View file
_service:tar_scm:0001-elf-Do-not-run-constructors-for-proxy-objects.patch
Added
@@ -0,0 +1,37 @@ +From 7ae211a01b085d0bde54bd13b887ce8f9d57c2b4 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Tue, 22 Aug 2023 13:56:25 +0200 +Subject: PATCH 1/5 elf: Do not run constructors for proxy objects + +Otherwise, the ld.so constructor runs for each audit namespace +and each dlmopen namespace. + +(cherry picked from commit f6c8204fd7fabf0cf4162eaf10ccf23258e4d10e) +--- + elf/dl-init.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/elf/dl-init.c b/elf/dl-init.c +index 5b0732590f..ba4d2fdc85 100644 +--- a/elf/dl-init.c ++++ b/elf/dl-init.c +@@ -25,10 +25,14 @@ + static void + call_init (struct link_map *l, int argc, char **argv, char **env) + { ++ /* Do not run constructors for proxy objects. */ ++ if (l != l->l_real) ++ return; ++ + /* If the object has not been relocated, this is a bug. The + function pointers are invalid in this case. (Executables do not +- need relocation, and neither do proxy objects.) */ +- assert (l->l_real->l_relocated || l->l_real->l_type == lt_executable); ++ need relocation.) */ ++ assert (l->l_relocated || l->l_type == lt_executable); + + if (l->l_init_called) + /* This object is all done. */ +-- +2.33.0 +
View file
_service:tar_scm:0001-getaddrinfo-Fix-use-after-free-in-getcanonname-CVE-2.patch
Added
@@ -0,0 +1,338 @@ +From 00ae4f10b504bc4564e9f22f00907093f1ab9338 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Fri, 15 Sep 2023 13:51:12 -0400 +Subject: PATCH 1/4 getaddrinfo: Fix use after free in getcanonname + (CVE-2023-4806) + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during tmpbuf resizing, through h_name in a previous query response. + +The backing store for res->at->name when doing a query with +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in +gethosts during the query. For AF_INET6 lookup with AI_ALL | +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second +for a v4 lookup. In this case, if the first call reallocates tmpbuf +enough number of times, resulting in a malloc, th->h_name (that +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. +Now if the second call to gethosts also causes the plugin callback to +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF +reference in res->at->name. This then gets dereferenced in the +getcanonname_r plugin call, resulting in the use after free. + +Fix this by copying h_name over and freeing it at the end. This +resolves BZ #30843, which is assigned CVE-2023-4806. + +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994) +--- + nss/Makefile | 15 ++++- + nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.h | 1 + + .../postclean.req | 0 + .../tst-nss-gai-hv2-canonname.script | 2 + + sysdeps/posix/getaddrinfo.c | 25 +++++--- + 7 files changed, 152 insertions(+), 10 deletions(-) + create mode 100644 nss/nss_test_gai_hv2_canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.h + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script + +diff --git a/nss/Makefile b/nss/Makefile +index 06fcdc450f..8a5126ecf3 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -82,6 +82,7 @@ tests-container := \ + tst-nss-test3 \ + tst-reload1 \ + tst-reload2 \ ++ tst-nss-gai-hv2-canonname \ + # tests-container + + # Tests which need libdl +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) + ifeq ($(build-static-nss),yes) + tests-static += tst-nss-static + endif +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ ++ nss_test_gai_hv2_canonname.os + + include ../Rules + +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver + libof-nss_test1 = extramodules + libof-nss_test2 = extramodules + libof-nss_test_errno = extramodules ++libof-nss_test_gai_hv2_canonname = extramodules + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) + $(build-module) ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) ++ $(build-module) + $(objpfx)nss_test2.os : nss_test1.c + # Use the nss_files suffix for these objects as well. + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_errno.so + $(make-link) ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so ++ $(make-link) + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) + + ifeq (yes,$(have-thread-library)) + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c +new file mode 100644 +index 0000000000..4439c83c9f +--- /dev/null ++++ b/nss/nss_test_gai_hv2_canonname.c +@@ -0,0 +1,56 @@ ++/* NSS service provider that only provides gethostbyname2_r. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <nss.h> ++#include <stdlib.h> ++#include <string.h> ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++/* Catch misnamed and functions. */ ++#pragma GCC diagnostic error "-Wmissing-prototypes" ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) ++ ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, ++ struct hostent *, char *, ++ size_t, int *, int *); ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, ++ struct hostent *result, ++ char *buffer, size_t buflen, ++ int *errnop, int *herrnop) ++{ ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, ++ herrnop); ++} ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, ++ size_t buflen, char **result, ++ int *errnop, int *h_errnop) ++{ ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail ++ the test. */ ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) ++ || buflen < sizeof (QUERYNAME)) ++ abort (); ++ ++ strncpy (buffer, name, buflen); ++ *result = buffer; ++ return NSS_STATUS_SUCCESS; ++} +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +new file mode 100644 +index 0000000000..d5f10c07d6 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -0,0 +1,63 @@ ++/* Test NSS query path for plugins that only implement gethostbyname2 ++ (#30843). ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <nss.h> ++#include <netdb.h> ++#include <stdlib.h> ++#include <string.h> ++#include <support/check.h> ++#include <support/xstdio.h> ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++#define PREPARE do_prepare ++
View file
_service:tar_scm:0001-x86-Fix-for-cache-computation-on-AMD-legacy-cpus.patch
Added
@@ -0,0 +1,286 @@ +From ced101ed9d3b7cfd12d97ef24940cb00b8658c81 Mon Sep 17 00:00:00 2001 +From: Sajan Karumanchi <sajan.karumanchi@amd.com> +Date: Tue, 1 Aug 2023 15:20:55 +0000 +Subject: PATCH 01/12 x86: Fix for cache computation on AMD legacy cpus. + +Some legacy AMD CPUs and hypervisors have the _cpuid_ '0x8000_001D' +set to Zero, thus resulting in zeroed-out computed cache values. +This patch reintroduces the old way of cache computation as a +fail-safe option to handle these exceptions. +Fixed 'level4_cache_size' value through handle_amd(). + +Reviewed-by: Premachandra Mallappa <premachandra.mallappa@amd.com> +Tested-by: Florian Weimer <fweimer@redhat.com> +--- + sysdeps/x86/dl-cacheinfo.h | 226 ++++++++++++++++++++++++++++++++----- + 1 file changed, 199 insertions(+), 27 deletions(-) + +diff --git a/sysdeps/x86/dl-cacheinfo.h b/sysdeps/x86/dl-cacheinfo.h +index cd4d0351ae..285773039f 100644 +--- a/sysdeps/x86/dl-cacheinfo.h ++++ b/sysdeps/x86/dl-cacheinfo.h +@@ -315,40 +315,206 @@ handle_amd (int name) + { + unsigned int eax; + unsigned int ebx; +- unsigned int ecx; ++ unsigned int ecx = 0; + unsigned int edx; +- unsigned int count = 0x1; ++ unsigned int max_cpuid = 0; ++ unsigned int fn = 0; + + /* No level 4 cache (yet). */ + if (name > _SC_LEVEL3_CACHE_LINESIZE) + return 0; + +- if (name >= _SC_LEVEL3_CACHE_SIZE) +- count = 0x3; +- else if (name >= _SC_LEVEL2_CACHE_SIZE) +- count = 0x2; +- else if (name >= _SC_LEVEL1_DCACHE_SIZE) +- count = 0x0; ++ __cpuid (0x80000000, max_cpuid, ebx, ecx, edx); ++ ++ if (max_cpuid >= 0x8000001D) ++ /* Use __cpuid__ '0x8000_001D' to compute cache details. */ ++ { ++ unsigned int count = 0x1; ++ ++ if (name >= _SC_LEVEL3_CACHE_SIZE) ++ count = 0x3; ++ else if (name >= _SC_LEVEL2_CACHE_SIZE) ++ count = 0x2; ++ else if (name >= _SC_LEVEL1_DCACHE_SIZE) ++ count = 0x0; ++ ++ __cpuid_count (0x8000001D, count, eax, ebx, ecx, edx); ++ ++ if (ecx != 0) ++ { ++ switch (name) ++ { ++ case _SC_LEVEL1_ICACHE_ASSOC: ++ case _SC_LEVEL1_DCACHE_ASSOC: ++ case _SC_LEVEL2_CACHE_ASSOC: ++ case _SC_LEVEL3_CACHE_ASSOC: ++ return ((ebx >> 22) & 0x3ff) + 1; ++ case _SC_LEVEL1_ICACHE_LINESIZE: ++ case _SC_LEVEL1_DCACHE_LINESIZE: ++ case _SC_LEVEL2_CACHE_LINESIZE: ++ case _SC_LEVEL3_CACHE_LINESIZE: ++ return (ebx & 0xfff) + 1; ++ case _SC_LEVEL1_ICACHE_SIZE: ++ case _SC_LEVEL1_DCACHE_SIZE: ++ case _SC_LEVEL2_CACHE_SIZE: ++ case _SC_LEVEL3_CACHE_SIZE: ++ return (((ebx >> 22) & 0x3ff) + 1) * ((ebx & 0xfff) + 1) * (ecx + 1); ++ default: ++ __builtin_unreachable (); ++ } ++ return -1; ++ } ++ } ++ ++ /* Legacy cache computation for CPUs prior to Bulldozer family. ++ This is also a fail-safe mechanism for some hypervisors that ++ accidentally configure __cpuid__ '0x8000_001D' to Zero. */ + +- __cpuid_count (0x8000001D, count, eax, ebx, ecx, edx); ++ fn = 0x80000005 + (name >= _SC_LEVEL2_CACHE_SIZE); ++ ++ if (max_cpuid < fn) ++ return 0; ++ ++ __cpuid (fn, eax, ebx, ecx, edx); ++ ++ if (name < _SC_LEVEL1_DCACHE_SIZE) ++ { ++ name += _SC_LEVEL1_DCACHE_SIZE - _SC_LEVEL1_ICACHE_SIZE; ++ ecx = edx; ++ } + + switch (name) + { +- case _SC_LEVEL1_ICACHE_ASSOC: +- case _SC_LEVEL1_DCACHE_ASSOC: +- case _SC_LEVEL2_CACHE_ASSOC: ++ case _SC_LEVEL1_DCACHE_SIZE: ++ return (ecx >> 14) & 0x3fc00; ++ ++ case _SC_LEVEL1_DCACHE_ASSOC: ++ ecx >>= 16; ++ if ((ecx & 0xff) == 0xff) ++ { ++ /* Fully associative. */ ++ return (ecx << 2) & 0x3fc00; ++ } ++ return ecx & 0xff; ++ ++ case _SC_LEVEL1_DCACHE_LINESIZE: ++ return ecx & 0xff; ++ ++ case _SC_LEVEL2_CACHE_SIZE: ++ return (ecx & 0xf000) == 0 ? 0 : (ecx >> 6) & 0x3fffc00; ++ ++ case _SC_LEVEL2_CACHE_ASSOC: ++ switch ((ecx >> 12) & 0xf) ++ { ++ case 0: ++ case 1: ++ case 2: ++ case 4: ++ return (ecx >> 12) & 0xf; ++ case 6: ++ return 8; ++ case 8: ++ return 16; ++ case 10: ++ return 32; ++ case 11: ++ return 48; ++ case 12: ++ return 64; ++ case 13: ++ return 96; ++ case 14: ++ return 128; ++ case 15: ++ return ((ecx >> 6) & 0x3fffc00) / (ecx & 0xff); ++ default: ++ return 0; ++ } ++ ++ case _SC_LEVEL2_CACHE_LINESIZE: ++ return (ecx & 0xf000) == 0 ? 0 : ecx & 0xff; ++ ++ case _SC_LEVEL3_CACHE_SIZE: ++ { ++ long int total_l3_cache = 0, l3_cache_per_thread = 0; ++ unsigned int threads = 0; ++ const struct cpu_features *cpu_features; ++ ++ if ((edx & 0xf000) == 0) ++ return 0; ++ ++ total_l3_cache = (edx & 0x3ffc0000) << 1; ++ cpu_features = __get_cpu_features (); ++ ++ /* Figure out the number of logical threads that share L3. */ ++ if (max_cpuid >= 0x80000008) ++ { ++ /* Get width of APIC ID. */ ++ __cpuid (0x80000008, eax, ebx, ecx, edx); ++ threads = (ecx & 0xff) + 1; ++ } ++ ++ if (threads == 0) ++ { ++ /* If APIC ID width is not available, use logical ++ processor count. */ ++ __cpuid (0x00000001, eax, ebx, ecx, edx); ++ if ((edx & (1 << 28)) != 0) ++ threads = (ebx >> 16) & 0xff; ++ } ++ ++ /* Cap usage of highest cache level to the number of ++ supported threads. */ ++ if (threads > 0) ++ l3_cache_per_thread = total_l3_cache/threads; ++ ++ /* Get shared cache per ccx for Zen architectures. */ ++ if (cpu_features->basic.family >= 0x17) ++ { ++ long int l3_cache_per_ccx = 0; ++ /* Get number of threads share the L3 cache in CCX. */ ++ __cpuid_count (0x8000001D, 0x3, eax, ebx, ecx, edx); ++ unsigned int threads_per_ccx = ((eax >> 14) & 0xfff) + 1; ++ l3_cache_per_ccx = l3_cache_per_thread * threads_per_ccx; ++ return l3_cache_per_ccx;
View file
_service:tar_scm:0002-Document-CVE-2023-4806-and-CVE-2023-5156-in-NEWS.patch
Added
@@ -0,0 +1,36 @@ +From f6445dc94da185b3d1ee283f0ca0a34c4e1986cc Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Tue, 26 Sep 2023 07:38:07 -0400 +Subject: PATCH 2/4 Document CVE-2023-4806 and CVE-2023-5156 in NEWS + +These are tracked in BZ #30884 and BZ #30843. + +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd) +--- + NEWS | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/NEWS b/NEWS +index dfee278a9c..f1b1b0a3b4 100644 +--- a/NEWS ++++ b/NEWS +@@ -15,6 +15,15 @@ Security related changes: + 2048 bytes, getaddrinfo may potentially disclose stack contents via + the returned address data, or crash. + ++ CVE-2023-4806: When an NSS plugin only implements the ++ _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use ++ memory that was freed during buffer resizing, potentially causing a ++ crash or read or write to arbitrary memory. ++ ++ CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when ++ an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, ++ AI_ALL and AI_V4MAPPED flags set. ++ + The following bugs are resolved with this release: + + 30723 posix_memalign repeatedly scans long bin lists +-- +2.33.0 +
View file
_service:tar_scm:0002-Revert-elf-Always-call-destructors-in-reverse-constr.patch
Added
@@ -0,0 +1,593 @@ +From 719866ab2ff0e6d514a04fb47e507d92e70ef7ee Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Wed, 18 Oct 2023 14:25:46 +0200 +Subject: PATCH 2/3 Revert "elf: Always call destructors in reverse + constructor order (bug 30785)" + +This reverts commit a3189f66a5f2fe86568286fa025fa153be04c6c0. + +Reason for revert: Incompatibility with existing applications. +--- + NEWS | 1 - + elf/dl-close.c | 113 ++++++++++----------------- + elf/dl-fini.c | 152 ++++++++++++++++++++++++------------- + elf/dl-init.c | 16 ---- + elf/dso-sort-tests-1.def | 19 +++-- + elf/tst-audit23.c | 44 +++++------ + sysdeps/generic/ldsodefs.h | 4 - + 7 files changed, 173 insertions(+), 176 deletions(-) + +diff --git a/NEWS b/NEWS +index bfcd46efa9..f117874e34 100644 +--- a/NEWS ++++ b/NEWS +@@ -32,7 +32,6 @@ Security related changes: + The following bugs are resolved with this release: + + 30723 posix_memalign repeatedly scans long bin lists +- 30785 Always call destructors in reverse constructor order + 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) +diff --git a/elf/dl-close.c b/elf/dl-close.c +index ea62d0e601..b887a44888 100644 +--- a/elf/dl-close.c ++++ b/elf/dl-close.c +@@ -138,31 +138,30 @@ _dl_close_worker (struct link_map *map, bool force) + + bool any_tls = false; + const unsigned int nloaded = ns->_ns_nloaded; ++ struct link_map *mapsnloaded; + +- /* Run over the list and assign indexes to the link maps. */ ++ /* Run over the list and assign indexes to the link maps and enter ++ them into the MAPS array. */ + int idx = 0; + for (struct link_map *l = ns->_ns_loaded; l != NULL; l = l->l_next) + { + l->l_map_used = 0; + l->l_map_done = 0; + l->l_idx = idx; ++ mapsidx = l; + ++idx; + } + assert (idx == nloaded); + +- /* Keep marking link maps until no new link maps are found. */ +- for (struct link_map *l = ns->_ns_loaded; l != NULL; ) ++ /* Keep track of the lowest index link map we have covered already. */ ++ int done_index = -1; ++ while (++done_index < nloaded) + { +- /* next is reset to earlier link maps for remarking. */ +- struct link_map *next = l->l_next; +- int next_idx = l->l_idx + 1; /* next->l_idx, but covers next == NULL. */ ++ struct link_map *l = mapsdone_index; + + if (l->l_map_done) +- { +- /* Already handled. */ +- l = next; +- continue; +- } ++ /* Already handled. */ ++ continue; + + /* Check whether this object is still used. */ + if (l->l_type == lt_loaded +@@ -172,10 +171,7 @@ _dl_close_worker (struct link_map *map, bool force) + acquire is sufficient and correct. */ + && atomic_load_acquire (&l->l_tls_dtor_count) == 0 + && !l->l_map_used) +- { +- l = next; +- continue; +- } ++ continue; + + /* We need this object and we handle it now. */ + l->l_map_used = 1; +@@ -202,11 +198,8 @@ _dl_close_worker (struct link_map *map, bool force) + already processed it, then we need to go back + and process again from that point forward to + ensure we keep all of its dependencies also. */ +- if ((*lp)->l_idx < next_idx) +- { +- next = *lp; +- next_idx = next->l_idx; +- } ++ if ((*lp)->l_idx - 1 < done_index) ++ done_index = (*lp)->l_idx - 1; + } + } + +@@ -226,65 +219,44 @@ _dl_close_worker (struct link_map *map, bool force) + if (!jmap->l_map_used) + { + jmap->l_map_used = 1; +- if (jmap->l_idx < next_idx) +- { +- next = jmap; +- next_idx = next->l_idx; +- } ++ if (jmap->l_idx - 1 < done_index) ++ done_index = jmap->l_idx - 1; + } + } + } +- +- l = next; + } + +- /* Call the destructors in reverse constructor order, and remove the +- closed link maps from the list. */ +- for (struct link_map **init_called_head = &_dl_init_called_list; +- *init_called_head != NULL; ) ++ /* Sort the entries. We can skip looking for the binary itself which is ++ at the front of the search list for the main namespace. */ ++ _dl_sort_maps (maps, nloaded, (nsid == LM_ID_BASE), true); ++ ++ /* Call all termination functions at once. */ ++ bool unload_any = false; ++ bool scope_mem_left = false; ++ unsigned int unload_global = 0; ++ unsigned int first_loaded = ~0; ++ for (unsigned int i = 0; i < nloaded; ++i) + { +- struct link_map *imap = *init_called_head; ++ struct link_map *imap = mapsi; + +- /* _dl_init_called_list is global, to produce a global odering. +- Ignore the other namespaces (and link maps that are still used). */ +- if (imap->l_ns != nsid || imap->l_map_used) +- init_called_head = &imap->l_init_called_next; +- else ++ /* All elements must be in the same namespace. */ ++ assert (imap->l_ns == nsid); ++ ++ if (!imap->l_map_used) + { + assert (imap->l_type == lt_loaded && !imap->l_nodelete_active); + +- /* _dl_init_called_list is updated at the same time as +- l_init_called. */ +- assert (imap->l_init_called); +- +- if (imap->l_infoDT_FINI_ARRAY != NULL +- || imap->l_infoDT_FINI != NULL) ++ /* Call its termination function. Do not do it for ++ half-cooked objects. Temporarily disable exception ++ handling, so that errors are fatal. */ ++ if (imap->l_init_called) + _dl_catch_exception (NULL, _dl_call_fini, imap); + + #ifdef SHARED + /* Auditing checkpoint: we remove an object. */ + _dl_audit_objclose (imap); + #endif +- /* Unlink this link map. */ +- *init_called_head = imap->l_init_called_next; +- } +- } +- +- +- bool unload_any = false; +- bool scope_mem_left = false; +- unsigned int unload_global = 0; +- +- /* For skipping un-unloadable link maps in the second loop. */ +- struct link_map *first_loaded = ns->_ns_loaded; + +- /* Iterate over the namespace to find objects to unload. Some +- unloadable objects may not be on _dl_init_called_list due to +- dlopen failure. */ +- for (struct link_map *imap = first_loaded; imap != NULL; imap = imap->l_next) +- { +- if (!imap->l_map_used) +- { + /* This object must not be used anymore. */ + imap->l_removed = 1; + +@@ -295,8 +267,8 @@ _dl_close_worker (struct link_map *map, bool force) + ++unload_global; + + /* Remember where the first dynamically loaded object is. */ +- if (first_loaded == NULL) +- first_loaded = imap; ++ if (i < first_loaded) ++ first_loaded = i; + }
View file
_service:tar_scm:0002-elf-Always-call-destructors-in-reverse-constructor-o.patch
Added
@@ -0,0 +1,669 @@ +From a3189f66a5f2fe86568286fa025fa153be04c6c0 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 8 Sep 2023 12:32:14 +0200 +Subject: PATCH 2/5 elf: Always call destructors in reverse constructor order + (bug 30785) + +The current implementation of dlclose (and process exit) re-sorts the +link maps before calling ELF destructors. Destructor order is not the +reverse of the constructor order as a result: The second sort takes +relocation dependencies into account, and other differences can result +from ambiguous inputs, such as cycles. (The force_first handling in +_dl_sort_maps is not effective for dlclose.) After the changes in +this commit, there is still a required difference due to +dlopen/dlclose ordering by the application, but the previous +discrepancies went beyond that. + +A new global (namespace-spanning) list of link maps, +_dl_init_called_list, is updated right before ELF constructors are +called from _dl_init. + +In dl_close_worker, the maps variable, an on-stack variable length +array, is eliminated. (VLAs are problematic, and dlclose should not +call malloc because it cannot readily deal with malloc failure.) +Marking still-used objects uses the namespace list directly, with +next and next_idx replacing the done_index variable. + +After marking, _dl_init_called_list is used to call the destructors +of now-unused maps in reverse destructor order. These destructors +can call dlopen. Previously, new objects do not have l_map_used set. +This had to change: There is no copy of the link map list anymore, +so processing would cover newly opened (and unmarked) mappings, +unloading them. Now, _dl_init (indirectly) sets l_map_used, too. +(dlclose is handled by the existing reentrancy guard.) + +After _dl_init_called_list traversal, two more loops follow. The +processing order changes to the original link map order in the +namespace. Previously, dependency order was used. The difference +should not matter because relocation dependencies could already +reorder link maps in the old code. + +The changes to _dl_fini remove the sorting step and replace it with +a traversal of _dl_init_called_list. The l_direct_opencount +decrement outside the loader lock is removed because it appears +incorrect: the counter manipulation could race with other dynamic +loader operations. + +tst-audit23 needs adjustments to the changes in LA_ACT_DELETE +notifications. The new approach for checking la_activity should +make it clearer that la_activty calls come in pairs around namespace +updates. + +The dependency sorting test cases need updates because the destructor +order is always the opposite order of constructor order, even with +relocation dependencies or cycles present. + +There is a future cleanup opportunity to remove the now-constant +force_first and for_fini arguments from the _dl_sort_maps function. + +Fixes commit 1df71d32fe5f5905ffd5d100e5e9ca8ad62 ("elf: Implement +force_first handling in _dl_sort_maps_dfs (bug 28937)"). + +Reviewed-by: DJ Delorie <dj@redhat.com> +(cherry picked from commit 6985865bc3ad5b23147ee73466583dd7fdf65892) +--- + NEWS | 7 ++ + elf/dl-close.c | 113 +++++++++++++++++---------- + elf/dl-fini.c | 152 +++++++++++++------------------------ + elf/dl-init.c | 16 ++++ + elf/dso-sort-tests-1.def | 19 ++--- + elf/tst-audit23.c | 44 ++++++----- + include/link.h | 4 + + sysdeps/generic/ldsodefs.h | 4 + + 8 files changed, 186 insertions(+), 173 deletions(-) + +diff --git a/NEWS b/NEWS +index 8156572cdf..f1a14f45dd 100644 +--- a/NEWS ++++ b/NEWS +@@ -4,6 +4,13 @@ See the end for copying conditions. + + Please send GNU C library bug reports via <https://sourceware.org/bugzilla/> + using `glibc' in the "product" field. ++ ++Version 2.38.1 ++ ++The following bugs are resolved with this release: ++ ++ 30785 Always call destructors in reverse constructor order ++ +  + Version 2.38 + +diff --git a/elf/dl-close.c b/elf/dl-close.c +index b887a44888..ea62d0e601 100644 +--- a/elf/dl-close.c ++++ b/elf/dl-close.c +@@ -138,30 +138,31 @@ _dl_close_worker (struct link_map *map, bool force) + + bool any_tls = false; + const unsigned int nloaded = ns->_ns_nloaded; +- struct link_map *mapsnloaded; + +- /* Run over the list and assign indexes to the link maps and enter +- them into the MAPS array. */ ++ /* Run over the list and assign indexes to the link maps. */ + int idx = 0; + for (struct link_map *l = ns->_ns_loaded; l != NULL; l = l->l_next) + { + l->l_map_used = 0; + l->l_map_done = 0; + l->l_idx = idx; +- mapsidx = l; + ++idx; + } + assert (idx == nloaded); + +- /* Keep track of the lowest index link map we have covered already. */ +- int done_index = -1; +- while (++done_index < nloaded) ++ /* Keep marking link maps until no new link maps are found. */ ++ for (struct link_map *l = ns->_ns_loaded; l != NULL; ) + { +- struct link_map *l = mapsdone_index; ++ /* next is reset to earlier link maps for remarking. */ ++ struct link_map *next = l->l_next; ++ int next_idx = l->l_idx + 1; /* next->l_idx, but covers next == NULL. */ + + if (l->l_map_done) +- /* Already handled. */ +- continue; ++ { ++ /* Already handled. */ ++ l = next; ++ continue; ++ } + + /* Check whether this object is still used. */ + if (l->l_type == lt_loaded +@@ -171,7 +172,10 @@ _dl_close_worker (struct link_map *map, bool force) + acquire is sufficient and correct. */ + && atomic_load_acquire (&l->l_tls_dtor_count) == 0 + && !l->l_map_used) +- continue; ++ { ++ l = next; ++ continue; ++ } + + /* We need this object and we handle it now. */ + l->l_map_used = 1; +@@ -198,8 +202,11 @@ _dl_close_worker (struct link_map *map, bool force) + already processed it, then we need to go back + and process again from that point forward to + ensure we keep all of its dependencies also. */ +- if ((*lp)->l_idx - 1 < done_index) +- done_index = (*lp)->l_idx - 1; ++ if ((*lp)->l_idx < next_idx) ++ { ++ next = *lp; ++ next_idx = next->l_idx; ++ } + } + } + +@@ -219,44 +226,65 @@ _dl_close_worker (struct link_map *map, bool force) + if (!jmap->l_map_used) + { + jmap->l_map_used = 1; +- if (jmap->l_idx - 1 < done_index) +- done_index = jmap->l_idx - 1; ++ if (jmap->l_idx < next_idx) ++ { ++ next = jmap; ++ next_idx = next->l_idx; ++ } + } + } + } +- } + +- /* Sort the entries. We can skip looking for the binary itself which is +- at the front of the search list for the main namespace. */ +- _dl_sort_maps (maps, nloaded, (nsid == LM_ID_BASE), true); ++ l = next; ++ } + +- /* Call all termination functions at once. */ +- bool unload_any = false; +- bool scope_mem_left = false; +- unsigned int unload_global = 0; +- unsigned int first_loaded = ~0; +- for (unsigned int i = 0; i < nloaded; ++i) ++ /* Call the destructors in reverse constructor order, and remove the ++ closed link maps from the list. */ ++ for (struct link_map **init_called_head = &_dl_init_called_list; ++ *init_called_head != NULL; ) + { +- struct link_map *imap = mapsi; ++ struct link_map *imap = *init_called_head;
View file
_service:tar_scm:0002-iconv-restore-verbosity-with-unrecognized-encoding-n.patch
Added
@@ -0,0 +1,32 @@ +From 63250e9c571314b6daa2c949ea0af335ee766751 Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Tue, 1 Aug 2023 17:01:37 +0200 +Subject: PATCH 2/4 iconv: restore verbosity with unrecognized encoding names + (bug 30694) + +Commit 91927b7c76 ("Rewrite iconv option parsing BZ #19519") changed the +iconv program to call __gconv_open directly instead of the iconv_open +wrapper, but the former does not set errno. Update the caller to +interpret the return codes like iconv_open does. + +(cherry picked from commit fc72b6d7d818ab2868920af956d1542d03342a4d) +--- + iconv/iconv_prog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/iconv/iconv_prog.c b/iconv/iconv_prog.c +index bee898c63c..cf32cf9b44 100644 +--- a/iconv/iconv_prog.c ++++ b/iconv/iconv_prog.c +@@ -187,7 +187,7 @@ main (int argc, char *argv) + + if (res != __GCONV_OK) + { +- if (errno == EINVAL) ++ if (res == __GCONV_NOCONV || res == __GCONV_NODB) + { + /* Try to be nice with the user and tell her which of the + two encoding names is wrong. This is possible because +-- +2.33.0 +
View file
_service:tar_scm:0002-nscd-Do-not-rebuild-getaddrinfo-bug-30709.patch
Added
@@ -0,0 +1,185 @@ +From 6b99458d197ab779ebb6ff632c168e2cbfa4f543 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 11 Aug 2023 10:10:16 +0200 +Subject: PATCH 02/12 nscd: Do not rebuild getaddrinfo (bug 30709) + +The nscd daemon caches hosts data from NSS modules verbatim, without +filtering protocol families or sorting them (otherwise separate caches +would be needed for certain ai_flags combinations). The cache +implementation is complete separate from the getaddrinfo code. This +means that rebuilding getaddrinfo is not needed. The only function +actually used is __bump_nl_timestamp from check_pf.c, and this change +moves it into nscd/connections.c. + +Tested on x86_64-linux-gnu with -fexceptions, built with +build-many-glibcs.py. I also backported this patch into a distribution +that still supports nscd and verified manually that caching still works. + +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +(cherry picked from commit 039ff51ac7e02db1cfc0c23e38ac7bfbb00221d1) +--- + include/ifaddrs.h | 4 --- + inet/check_pf.c | 9 ------ + nscd/Makefile | 2 +- + nscd/connections.c | 11 +++++++ + nscd/gai.c | 50 ------------------------------ + sysdeps/unix/sysv/linux/check_pf.c | 17 +--------- + 6 files changed, 13 insertions(+), 80 deletions(-) + delete mode 100644 nscd/gai.c + +diff --git a/include/ifaddrs.h b/include/ifaddrs.h +index 416118f1b3..19a3afb19f 100644 +--- a/include/ifaddrs.h ++++ b/include/ifaddrs.h +@@ -34,9 +34,5 @@ extern void __check_native (uint32_t a1_index, int *a1_native, + uint32_t a2_index, int *a2_native) + attribute_hidden; + +-#if IS_IN (nscd) +-extern uint32_t __bump_nl_timestamp (void) attribute_hidden; +-#endif +- + # endif /* !_ISOMAC */ + #endif /* ifaddrs.h */ +diff --git a/inet/check_pf.c b/inet/check_pf.c +index 5310c99121..6d1475920f 100644 +--- a/inet/check_pf.c ++++ b/inet/check_pf.c +@@ -60,12 +60,3 @@ __free_in6ai (struct in6addrinfo *in6ai) + { + /* Nothing to do. */ + } +- +- +-#if IS_IN (nscd) +-uint32_t +-__bump_nl_timestamp (void) +-{ +- return 0; +-} +-#endif +diff --git a/nscd/Makefile b/nscd/Makefile +index 2a0489f4cf..16b6460ee9 100644 +--- a/nscd/Makefile ++++ b/nscd/Makefile +@@ -35,7 +35,7 @@ nscd-modules := nscd connections pwdcache getpwnam_r getpwuid_r grpcache \ + getgrnam_r getgrgid_r hstcache gethstbyad_r gethstbynm3_r \ + getsrvbynm_r getsrvbypt_r servicescache \ + dbg_log nscd_conf nscd_stat cache mem nscd_setup_thread \ +- xmalloc xstrdup aicache initgrcache gai res_hconf \ ++ xmalloc xstrdup aicache initgrcache res_hconf \ + netgroupcache cachedumper + + ifeq ($(build-nscd)$(have-thread-library),yesyes) +diff --git a/nscd/connections.c b/nscd/connections.c +index a405a44a9b..15693e5090 100644 +--- a/nscd/connections.c ++++ b/nscd/connections.c +@@ -256,6 +256,17 @@ int inotify_fd = -1; + #ifdef HAVE_NETLINK + /* Descriptor for netlink status updates. */ + static int nl_status_fd = -1; ++ ++static uint32_t ++__bump_nl_timestamp (void) ++{ ++ static uint32_t nl_timestamp; ++ ++ if (atomic_fetch_add_relaxed (&nl_timestamp, 1) + 1 == 0) ++ atomic_fetch_add_relaxed (&nl_timestamp, 1); ++ ++ return nl_timestamp; ++} + #endif + + /* Number of times clients had to wait. */ +diff --git a/nscd/gai.c b/nscd/gai.c +deleted file mode 100644 +index e29f3fe583..0000000000 +--- a/nscd/gai.c ++++ /dev/null +@@ -1,50 +0,0 @@ +-/* Copyright (C) 2004-2023 Free Software Foundation, Inc. +- This file is part of the GNU C Library. +- +- This program is free software; you can redistribute it and/or modify +- it under the terms of the GNU General Public License as published +- by the Free Software Foundation; version 2 of the License, or +- (at your option) any later version. +- +- This program is distributed in the hope that it will be useful, +- but WITHOUT ANY WARRANTY; without even the implied warranty of +- MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +- GNU General Public License for more details. +- +- You should have received a copy of the GNU General Public License +- along with this program; if not, see <https://www.gnu.org/licenses/>. */ +- +-#include <alloca.h> +-#include <sys/stat.h> +- +-/* This file uses the getaddrinfo code but it compiles it without NSCD +- support. We just need a few symbol renames. */ +-#define __ioctl ioctl +-#define __getsockname getsockname +-#define __socket socket +-#define __recvmsg recvmsg +-#define __bind bind +-#define __sendto sendto +-#define __strchrnul strchrnul +-#define __getline getline +-#define __qsort_r qsort_r +-/* nscd uses 1MB or 2MB thread stacks. */ +-#define __libc_use_alloca(size) (size <= __MAX_ALLOCA_CUTOFF) +-#define __getifaddrs getifaddrs +-#define __freeifaddrs freeifaddrs +-#undef __fstat64 +-#define __fstat64 fstat64 +-#undef __stat64 +-#define __stat64 stat64 +- +-/* We are nscd, so we don't want to be talking to ourselves. */ +-#undef USE_NSCD +- +-#include <getaddrinfo.c> +- +-/* Support code. */ +-#include <check_pf.c> +-#include <check_native.c> +- +-/* Some variables normally defined in libc. */ +-nss_action_list __nss_hosts_database attribute_hidden; +diff --git a/sysdeps/unix/sysv/linux/check_pf.c b/sysdeps/unix/sysv/linux/check_pf.c +index 2b0b8b6368..3aa6a00348 100644 +--- a/sysdeps/unix/sysv/linux/check_pf.c ++++ b/sysdeps/unix/sysv/linux/check_pf.c +@@ -66,25 +66,10 @@ static struct cached_data *cache; + __libc_lock_define_initialized (static, lock); + + +-#if IS_IN (nscd) +-static uint32_t nl_timestamp; +- +-uint32_t +-__bump_nl_timestamp (void) +-{ +- if (atomic_fetch_add_relaxed (&nl_timestamp, 1) + 1 == 0) +- atomic_fetch_add_relaxed (&nl_timestamp, 1); +- +- return nl_timestamp; +-} +-#endif +- + static inline uint32_t + get_nl_timestamp (void) + { +-#if IS_IN (nscd) +- return nl_timestamp; +-#elif defined USE_NSCD ++#if defined USE_NSCD + return __nscd_get_nl_timestamp (); + #else + return 0; +-- +2.33.0 +
View file
_service:tar_scm:0003-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
Added
@@ -0,0 +1,32 @@ +From 73e3fcd1a552783e66ff1f65c5f322e2f17a81d1 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Tue, 19 Sep 2023 13:25:40 -0400 +Subject: PATCH 3/4 Propagate GLIBC_TUNABLES in setxid binaries + +GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some +tunables are required to propagate past setxid boundary, like their +env_alias. Rely on tunable scrubbing to clean out GLIBC_TUNABLES like +before, restoring behaviour in glibc 2.37 and earlier. + +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +(cherry picked from commit 0d5f9ea97f1b39f2a855756078771673a68497e1) +--- + sysdeps/generic/unsecvars.h | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h +index 81397fb90b..8278c50a84 100644 +--- a/sysdeps/generic/unsecvars.h ++++ b/sysdeps/generic/unsecvars.h +@@ -4,7 +4,6 @@ + #define UNSECURE_ENVVARS \ + "GCONV_PATH\0" \ + "GETCONF_DIR\0" \ +- "GLIBC_TUNABLES\0" \ + "HOSTALIASES\0" \ + "LD_AUDIT\0" \ + "LD_DEBUG\0" \ +-- +2.33.0 +
View file
_service:tar_scm:0003-Revert-elf-Move-l_init_called_next-to-old-place-of-l.patch
Added
@@ -0,0 +1,42 @@ +From 1e04dcec491bd8f48b5b74ce3e8414132578a645 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Thu, 19 Oct 2023 09:17:38 +0200 +Subject: PATCH 3/3 Revert "elf: Move l_init_called_next to old place of + l_text_end in link map" + +This reverts commit d3ba6c1333b10680ce5900a628108507d9d4b844. + +Reason: Preserve internal ABI. +--- + include/link.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/link.h b/include/link.h +index a02d5f2eba..69bda3ed17 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -256,10 +256,6 @@ struct link_map + /* End of the executable part of the mapping. */ + ElfW(Addr) l_text_end; + +- /* Linked list of objects in reverse ELF constructor execution +- order. Head of list is stored in _dl_init_called_list. */ +- struct link_map *l_init_called_next; +- + /* Default array for 'l_scope'. */ + struct r_scope_elem *l_scope_mem4; + /* Size of array allocated for 'l_scope'. */ +@@ -282,6 +278,10 @@ struct link_map + /* List of object in order of the init and fini calls. */ + struct link_map **l_initfini; + ++ /* Linked list of objects in reverse ELF constructor execution ++ order. Head of list is stored in _dl_init_called_list. */ ++ struct link_map *l_init_called_next; ++ + /* List of the dependencies introduced through symbol binding. */ + struct link_map_reldeps + { +-- +2.33.0 +
View file
_service:tar_scm:0003-elf-Remove-unused-l_text_end-field-from-struct-link_.patch
Added
@@ -0,0 +1,142 @@ +From 750f19526ae71aac801c77a3f7ef5374890c09b7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 8 Sep 2023 13:02:06 +0200 +Subject: PATCH 3/5 elf: Remove unused l_text_end field from struct link_map + +It is a left-over from commit 52a01100ad011293197637e42b5be1a479a2 +("elf: Remove ad-hoc restrictions on dlopen callers BZ #22787"). + +When backporting commmit 6985865bc3ad5b23147ee73466583dd7fdf65892 +("elf: Always call destructors in reverse constructor order +(bug 30785)"), we can move the l_init_called_next field to this +place, so that the internal GLIBC_PRIVATE ABI does not change. + +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +Tested-by: Carlos O'Donell <carlos@redhat.com> +(cherry picked from commit 53df2ce6885da3d0e89e87dca7b095622296014f) +--- + elf/dl-load.c | 2 +- + elf/dl-load.h | 7 ++----- + elf/rtld.c | 6 ------ + elf/setup-vdso.h | 4 ---- + include/link.h | 2 -- + 5 files changed, 3 insertions(+), 18 deletions(-) + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 9a87fda9c9..2923b1141d 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1253,7 +1253,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + + /* Now process the load commands and map segments into memory. + This is responsible for filling in: +- l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr ++ l_map_start, l_map_end, l_addr, l_contiguous, l_phdr + */ + errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds, + maplength, has_holes, loader); +diff --git a/elf/dl-load.h b/elf/dl-load.h +index ecf6910c68..1d5207694b 100644 +--- a/elf/dl-load.h ++++ b/elf/dl-load.h +@@ -83,14 +83,11 @@ struct loadcmd + + /* This is a subroutine of _dl_map_segments. It should be called for each + load command, some time after L->l_addr has been set correctly. It is +- responsible for setting up the l_text_end and l_phdr fields. */ ++ responsible for setting the l_phdr fields */ + static __always_inline void + _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + const struct loadcmd *c) + { +- if (c->prot & PROT_EXEC) +- l->l_text_end = l->l_addr + c->mapend; +- + if (l->l_phdr == 0 + && c->mapoff <= header->e_phoff + && ((size_t) (c->mapend - c->mapstart + c->mapoff) +@@ -103,7 +100,7 @@ _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + + /* This is a subroutine of _dl_map_object_from_fd. It is responsible + for filling in several fields in *L: l_map_start, l_map_end, l_addr, +- l_contiguous, l_text_end, l_phdr. On successful return, all the ++ l_contiguous, l_phdr. On successful return, all the + segments are mapped (or copied, or whatever) from the file into their + final places in the address space, with the correct page permissions, + and any bss-like regions already zeroed. It returns a null pointer +diff --git a/elf/rtld.c b/elf/rtld.c +index a91e2a4471..5107d16fe3 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -477,7 +477,6 @@ _dl_start_final (void *arg, struct dl_start_final_info *info) + GL(dl_rtld_map).l_real = &GL(dl_rtld_map); + GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start; + GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end; +- GL(dl_rtld_map).l_text_end = (ElfW(Addr)) _etext; + /* Copy the TLS related data if necessary. */ + #ifndef DONT_USE_BOOTSTRAP_MAP + # if NO_TLS_OFFSET != 0 +@@ -1119,7 +1118,6 @@ rtld_setup_main_map (struct link_map *main_map) + bool has_interp = false; + + main_map->l_map_end = 0; +- main_map->l_text_end = 0; + /* Perhaps the executable has no PT_LOAD header entries at all. */ + main_map->l_map_start = ~0; + /* And it was opened directly. */ +@@ -1211,8 +1209,6 @@ rtld_setup_main_map (struct link_map *main_map) + allocend = main_map->l_addr + ph->p_vaddr + ph->p_memsz; + if (main_map->l_map_end < allocend) + main_map->l_map_end = allocend; +- if ((ph->p_flags & PF_X) && allocend > main_map->l_text_end) +- main_map->l_text_end = allocend; + + /* The next expected address is the page following this load + segment. */ +@@ -1272,8 +1268,6 @@ rtld_setup_main_map (struct link_map *main_map) + = (char *) main_map->l_tls_initimage + main_map->l_addr; + if (! main_map->l_map_end) + main_map->l_map_end = ~0; +- if (! main_map->l_text_end) +- main_map->l_text_end = ~0; + if (! GL(dl_rtld_map).l_libname && GL(dl_rtld_map).l_name) + { + /* We were invoked directly, so the program might not have a +diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h +index 0079842d1f..d92b12a7aa 100644 +--- a/elf/setup-vdso.h ++++ b/elf/setup-vdso.h +@@ -51,9 +51,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_addr = ph->p_vaddr; + if (ph->p_vaddr + ph->p_memsz >= l->l_map_end) + l->l_map_end = ph->p_vaddr + ph->p_memsz; +- if ((ph->p_flags & PF_X) +- && ph->p_vaddr + ph->p_memsz >= l->l_text_end) +- l->l_text_end = ph->p_vaddr + ph->p_memsz; + } + else + /* There must be no TLS segment. */ +@@ -62,7 +59,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_map_start = (ElfW(Addr)) GLRO(dl_sysinfo_dso); + l->l_addr = l->l_map_start - l->l_addr; + l->l_map_end += l->l_addr; +- l->l_text_end += l->l_addr; + l->l_ld = (void *) ((ElfW(Addr)) l->l_ld + l->l_addr); + elf_get_dynamic_info (l, false, false); + _dl_setup_hash (l); +diff --git a/include/link.h b/include/link.h +index 69bda3ed17..c6af095d87 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -253,8 +253,6 @@ struct link_map + /* Start and finish of memory map for this object. l_map_start + need not be the same as l_addr. */ + ElfW(Addr) l_map_start, l_map_end; +- /* End of the executable part of the mapping. */ +- ElfW(Addr) l_text_end; + + /* Default array for 'l_scope'. */ + struct r_scope_elem *l_scope_mem4; +-- +2.33.0 +
View file
_service:tar_scm:0003-string-Fix-tester-build-with-fortify-enable-with-gcc.patch
Added
@@ -0,0 +1,50 @@ +From d94461bb86ba176b9390c0015bb612a528e22d95 Mon Sep 17 00:00:00 2001 +From: Mahesh Bodapati <bmahi496@linux.ibm.com> +Date: Fri, 11 Aug 2023 10:38:25 -0500 +Subject: PATCH 3/4 string: Fix tester build with fortify enable with gcc < + 12 + +When building with fortify enabled, GCC < 12 issues a warning on the +fortify strncat wrapper might overflow the destination buffer (the +failure is tied to -Werror). + +Checked on ppc64 and x86_64. +Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> + +(cherry picked from commit f1c7ed0859a45929136836341741c7cd70f428cb) +--- + string/tester.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/string/tester.c b/string/tester.c +index f7d4bac5a8..824cf315ff 100644 +--- a/string/tester.c ++++ b/string/tester.c +@@ -34,6 +34,14 @@ + DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-truncation"); + #endif + ++/* When building with fortify enabled, GCC < 12 issues a warning on the ++ fortify strncat wrapper might overflow the destination buffer (the ++ failure is tied to -Werror). ++ Triggered by strncat fortify wrapper when it is enabled. */ ++#if __GNUC_PREREQ (11, 0) ++DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread"); ++#endif ++ + #include <errno.h> + #include <stdint.h> + #include <stdio.h> +@@ -52,9 +60,6 @@ DIAG_IGNORE_NEEDS_COMMENT (5.0, "-Wmemset-transposed-args"); + DIAG_IGNORE_NEEDS_COMMENT (9, "-Wrestrict"); + DIAG_IGNORE_NEEDS_COMMENT (7, "-Wstringop-overflow="); + #endif +-#if __GNUC_PREREQ (11, 0) +-DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread"); +-#endif + + + #define STREQ(a, b) (strcmp((a), (b)) == 0) +-- +2.33.0 +
View file
_service:tar_scm:0003-x86-Fix-incorrect-scope-of-setting-shared_per_thread.patch
Added
@@ -0,0 +1,45 @@ +From 5ea70cc02626d9b85f1570153873d8648a47bf95 Mon Sep 17 00:00:00 2001 +From: Noah Goldstein <goldstein.w.n@gmail.com> +Date: Thu, 10 Aug 2023 19:28:24 -0500 +Subject: PATCH 03/12 x86: Fix incorrect scope of setting `shared_per_thread` + BZ# 30745 + +The: + +``` + if (shared_per_thread > 0 && threads > 0) + shared_per_thread /= threads; +``` + +Code was accidentally moved to inside the else scope. This doesn't +match how it was previously (before af992e7abd). + +This patch fixes that by putting the division after the `else` block. + +(cherry picked from commit 084fb31bc2c5f95ae0b9e6df4d3cf0ff43471ede) +--- + sysdeps/x86/dl-cacheinfo.h | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/sysdeps/x86/dl-cacheinfo.h b/sysdeps/x86/dl-cacheinfo.h +index 285773039f..5ddb35c9d9 100644 +--- a/sysdeps/x86/dl-cacheinfo.h ++++ b/sysdeps/x86/dl-cacheinfo.h +@@ -770,11 +770,10 @@ get_common_cache_info (long int *shared_ptr, long int * shared_per_thread_ptr, u + level. */ + threads = ((cpu_features->featuresCPUID_INDEX_1.cpuid.ebx >> 16) + & 0xff); +- +- /* Get per-thread size of highest level cache. */ +- if (shared_per_thread > 0 && threads > 0) +- shared_per_thread /= threads; + } ++ /* Get per-thread size of highest level cache. */ ++ if (shared_per_thread > 0 && threads > 0) ++ shared_per_thread /= threads; + } + + /* Account for non-inclusive L2 and L3 caches. */ +-- +2.33.0 +
View file
_service:tar_scm:0004-elf-Move-l_init_called_next-to-old-place-of-l_text_e.patch
Added
@@ -0,0 +1,41 @@ +From d3ba6c1333b10680ce5900a628108507d9d4b844 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 11 Sep 2023 09:17:52 +0200 +Subject: PATCH 4/5 elf: Move l_init_called_next to old place of l_text_end + in link map + +This preserves all member offsets and the GLIBC_PRIVATE ABI +for backporting. +--- + include/link.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/link.h b/include/link.h +index c6af095d87..686813f281 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -254,6 +254,10 @@ struct link_map + need not be the same as l_addr. */ + ElfW(Addr) l_map_start, l_map_end; + ++ /* Linked list of objects in reverse ELF constructor execution ++ order. Head of list is stored in _dl_init_called_list. */ ++ struct link_map *l_init_called_next; ++ + /* Default array for 'l_scope'. */ + struct r_scope_elem *l_scope_mem4; + /* Size of array allocated for 'l_scope'. */ +@@ -276,10 +280,6 @@ struct link_map + /* List of object in order of the init and fini calls. */ + struct link_map **l_initfini; + +- /* Linked list of objects in reverse ELF constructor execution +- order. Head of list is stored in _dl_init_called_list. */ +- struct link_map *l_init_called_next; +- + /* List of the dependencies introduced through symbol binding. */ + struct link_map_reldeps + { +-- +2.33.0 +
View file
_service:tar_scm:0004-manual-jobs.texi-Add-missing-item-EPERM-for-getpgid.patch
Added
@@ -0,0 +1,30 @@ +From 0e1ef6779a90bc0f8a05bc367796df2793deecaa Mon Sep 17 00:00:00 2001 +From: Mark Wielaard <mark@klomp.org> +Date: Thu, 24 Aug 2023 21:36:34 +0200 +Subject: PATCH 4/4 manual/jobs.texi: Add missing @item EPERM for getpgid + +The missing @item makes it look like errno will be set to ESRCH +if a cross-session getpgid is not permitted. + +Found by ulfvonbelow on irc. + +(cherry picked from commit 5a21cefd5abab1b99eda1fbf84204a9bf41662ab) +--- + manual/job.texi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/manual/job.texi b/manual/job.texi +index 42cb9fb26d..8157f13a1c 100644 +--- a/manual/job.texi ++++ b/manual/job.texi +@@ -1133,6 +1133,7 @@ following @code{errno} error conditions are defined for this function: + @table @code + @item ESRCH + There is no process with the given process ID @var{pid}. ++@item EPERM + The calling process and the process specified by @var{pid} are in + different sessions, and the implementation doesn't allow to access the + process group ID of the process with ID @var{pid} from the calling +-- +2.33.0 +
View file
_service:tar_scm:0004-tunables-Terminate-if-end-of-input-is-reached-CVE-20.patch
Added
@@ -0,0 +1,173 @@ +From 750a45a783906a19591fb8ff6b7841470f1f5701 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar <siddhesh@sourceware.org> +Date: Tue, 19 Sep 2023 18:39:32 -0400 +Subject: PATCH 4/4 tunables: Terminate if end of input is reached + (CVE-2023-4911) + +The string parsing routine may end up writing beyond bounds of tunestr +if the input tunable string is malformed, of the form name=name=val. +This gets processed twice, first as name=name=val and next as name=val, +resulting in tunestr being name=name=val:name=val, thus overflowing +tunestr. + +Terminate the parsing loop at the first instance itself so that tunestr +does not overflow. + +This also fixes up tst-env-setuid-tunables to actually handle failures +correct and add new tests to validate the fix for this CVE. + +Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> +Reviewed-by: Carlos O'Donell <carlos@redhat.com> +(cherry picked from commit 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa) +--- + NEWS | 5 +++++ + elf/dl-tunables.c | 17 +++++++++------- + elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++-------- + 3 files changed, 44 insertions(+), 15 deletions(-) + +diff --git a/NEWS b/NEWS +index f1b1b0a3b4..bfcd46efa9 100644 +--- a/NEWS ++++ b/NEWS +@@ -24,6 +24,11 @@ Security related changes: + an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, + AI_ALL and AI_V4MAPPED flags set. + ++ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the ++ environment of a setuid program and NAME is valid, it may result in a ++ buffer overflow, which could be exploited to achieve escalated ++ privileges. This flaw was introduced in glibc 2.34. ++ + The following bugs are resolved with this release: + + 30723 posix_memalign repeatedly scans long bin lists +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 62b7332d95..cae67efa0a 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (plen == '\0') +- { +- if (__libc_enable_secure) +- tunestroff = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (plen != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (plen == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestroff = '\0'; + } + + /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when +diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c +index 7dfb0e073a..f0b92c97e7 100644 +--- a/elf/tst-env-setuid-tunables.c ++++ b/elf/tst-env-setuid-tunables.c +@@ -50,6 +50,8 @@ const char *teststrings = + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.check=2", + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + ":glibc.malloc.garbage=2:glibc.malloc.check=1", +@@ -68,6 +70,8 @@ const char *resultstrings = + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "", + "", + "", + "", +@@ -81,11 +85,18 @@ test_child (int off) + { + const char *val = getenv ("GLIBC_TUNABLES"); + ++ printf (" %d GLIBC_TUNABLES is %s\n", off, val); ++ fflush (stdout); + if (val != NULL && strcmp (val, resultstringsoff) == 0) + return 0; + + if (val != NULL) +- printf ("%d Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); ++ printf (" %d Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", ++ off, val, resultstringsoff); ++ else ++ printf (" %d GLIBC_TUNABLES environment variable absent\n", off); ++ ++ fflush (stdout); + + return 1; + } +@@ -106,21 +117,26 @@ do_test (int argc, char **argv) + if (ret != 0) + exit (1); + +- exit (EXIT_SUCCESS); ++ /* Special return code to make sure that the child executed all the way ++ through. */ ++ exit (42); + } + else + { +- int ret = 0; +- + /* Spawn tests. */ + for (int i = 0; i < array_length (teststrings); i++) + { + char bufINT_BUFSIZE_BOUND (int); + +- printf ("Spawned test for %s (%d)\n", teststringsi, i); ++ printf ("%d Spawned test for %s\n", i, teststringsi); + snprintf (buf, sizeof (buf), "%d\n", i); ++ fflush (stdout); + if (setenv ("GLIBC_TUNABLES", teststringsi, 1) != 0) +- exit (1); ++ { ++ printf (" %d Failed to set GLIBC_TUNABLES: %m", i); ++ support_record_failure (); ++ continue; ++ } + + int status = support_capture_subprogram_self_sgid (buf); + +@@ -128,9 +144,14 @@ do_test (int argc, char **argv) + if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) + return EXIT_UNSUPPORTED; + +- ret |= status; ++ if (WEXITSTATUS (status) != 42) ++ { ++ printf (" %d child failed with status %d\n", i, ++ WEXITSTATUS (status)); ++ support_record_failure (); ++ } + } +- return ret; ++ return 0; + } + } + +-- +2.33.0 +
View file
_service:tar_scm:0004-x86_64-Fix-build-with-disable-multiarch-BZ-30721.patch
Added
@@ -0,0 +1,60 @@ +From 6135d50e44233d8c89ca788f78c669941ad09fb9 Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Tue, 8 Aug 2023 09:27:54 -0300 +Subject: PATCH 04/12 x86_64: Fix build with --disable-multiarch (BZ 30721) + +With multiarch disabled, the default memmove implementation provides +the fortify routines for memcpy, mempcpy, and memmove. However, it +does not provide the internal hidden definitions used when building +with fortify enabled. The memset has a similar issue. + +Checked on x86_64-linux-gnu building with different options: +default and --disable-multi-arch plus default, --disable-default-pie, +--enable-fortify-source={2,3}, and --enable-fortify-source={2,3} +with --disable-default-pie. +Tested-by: Andreas K. Huettel <dilfridge@gentoo.org> +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> + +(cherry picked from commit 51cb52214fcd72849c640b12f5099ed3ac776181) +--- + sysdeps/x86_64/memcpy.S | 2 +- + sysdeps/x86_64/memmove.S | 3 +++ + sysdeps/x86_64/memset.S | 1 + + 3 files changed, 5 insertions(+), 1 deletion(-) + +diff --git a/sysdeps/x86_64/memcpy.S b/sysdeps/x86_64/memcpy.S +index d98500a78a..4922cba657 100644 +--- a/sysdeps/x86_64/memcpy.S ++++ b/sysdeps/x86_64/memcpy.S +@@ -1 +1 @@ +-/* Implemented in memcpy.S. */ ++/* Implemented in memmove.S. */ +diff --git a/sysdeps/x86_64/memmove.S b/sysdeps/x86_64/memmove.S +index f0b84e3b52..c3c08165e1 100644 +--- a/sysdeps/x86_64/memmove.S ++++ b/sysdeps/x86_64/memmove.S +@@ -46,6 +46,9 @@ weak_alias (__mempcpy, mempcpy) + + #ifndef USE_MULTIARCH + libc_hidden_builtin_def (memmove) ++libc_hidden_builtin_def (__memmove_chk) ++libc_hidden_builtin_def (__memcpy_chk) ++libc_hidden_builtin_def (__mempcpy_chk) + # if defined SHARED && IS_IN (libc) + strong_alias (memmove, __memcpy) + libc_hidden_ver (memmove, memcpy) +diff --git a/sysdeps/x86_64/memset.S b/sysdeps/x86_64/memset.S +index 7c99df36db..c6df24e8de 100644 +--- a/sysdeps/x86_64/memset.S ++++ b/sysdeps/x86_64/memset.S +@@ -32,6 +32,7 @@ + #include "isa-default-impl.h" + + libc_hidden_builtin_def (memset) ++libc_hidden_builtin_def (__memset_chk) + + #if IS_IN (libc) + libc_hidden_def (__wmemset) +-- +2.33.0 +
View file
_service:tar_scm:0005-NEWS-Add-the-2.38.1-bug-list.patch
Added
@@ -0,0 +1,37 @@ +From 89da8bc588c2296252543b049bf6d9272321f90d Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Mon, 11 Sep 2023 10:06:15 +0200 +Subject: PATCH 5/5 NEWS: Add the 2.38.1 bug list + +--- + NEWS | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/NEWS b/NEWS +index f1a14f45dd..64596d5d09 100644 +--- a/NEWS ++++ b/NEWS +@@ -9,7 +9,10 @@ Version 2.38.1 + + The following bugs are resolved with this release: + ++ 30723 posix_memalign repeatedly scans long bin lists + 30785 Always call destructors in reverse constructor order ++ 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with ++ -D_FILE_OFFSET_BITS=64 + +  + Version 2.38 +@@ -139,9 +142,6 @@ The following bugs are resolved with this release: + 30555 string: strerror can incorrectly return NULL + 30579 malloc: trim_threshold in realloc lead to high memory usage + 30662 nscd: Group and password cache use errno in place of errval +- 30723 posix_memalign repeatedly scans long bin lists +- 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with +- -D_FILE_OFFSET_BITS=64 +  + Version 2.37 + +-- +2.33.0 +
View file
_service:tar_scm:0005-i686-Fix-build-with-disable-multiarch.patch
Added
@@ -0,0 +1,100 @@ +From 7ac405a74c6069b0627dc2d8449a82a621f8ff06 Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Tue, 8 Aug 2023 09:27:55 -0300 +Subject: PATCH 05/12 i686: Fix build with --disable-multiarch + +Since i686 provides the fortified wrappers for memcpy, mempcpy, +memmove, and memset on the same string implementation, the static +build tries to optimized it by not tying the fortified wrappers +to string routine (to avoid pulling the fortify function if +they are not required). + +Checked on i686-linux-gnu building with different option: +default and --disable-multi-arch plus default, --disable-default-pie, +--enable-fortify-source={2,3}, and --enable-fortify-source={2,3} +with --disable-default-pie. +Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> + +(cherry picked from commit c73c96a4a1af1326df7f96eec58209e1e04066d8) +--- + sysdeps/i386/i686/memcpy.S | 2 +- + sysdeps/i386/i686/mempcpy.S | 2 +- + sysdeps/i386/i686/multiarch/memcpy_chk.c | 2 ++ + sysdeps/i386/i686/multiarch/memmove_chk.c | 2 ++ + sysdeps/i386/i686/multiarch/mempcpy_chk.c | 2 ++ + sysdeps/i386/i686/multiarch/memset_chk.c | 2 ++ + 6 files changed, 10 insertions(+), 2 deletions(-) + +diff --git a/sysdeps/i386/i686/memcpy.S b/sysdeps/i386/i686/memcpy.S +index 9b48ec0ea1..b86af4aac9 100644 +--- a/sysdeps/i386/i686/memcpy.S ++++ b/sysdeps/i386/i686/memcpy.S +@@ -27,7 +27,7 @@ + #define LEN SRC+4 + + .text +-#if defined PIC && IS_IN (libc) ++#if defined SHARED && IS_IN (libc) + ENTRY_CHK (__memcpy_chk) + movl 12(%esp), %eax + cmpl %eax, 16(%esp) +diff --git a/sysdeps/i386/i686/mempcpy.S b/sysdeps/i386/i686/mempcpy.S +index 26f8501e7d..14d9dd681a 100644 +--- a/sysdeps/i386/i686/mempcpy.S ++++ b/sysdeps/i386/i686/mempcpy.S +@@ -27,7 +27,7 @@ + #define LEN SRC+4 + + .text +-#if defined PIC && IS_IN (libc) ++#if defined SHARED && IS_IN (libc) + ENTRY_CHK (__mempcpy_chk) + movl 12(%esp), %eax + cmpl %eax, 16(%esp) +diff --git a/sysdeps/i386/i686/multiarch/memcpy_chk.c b/sysdeps/i386/i686/multiarch/memcpy_chk.c +index ec945dc91f..c3a8aeaf18 100644 +--- a/sysdeps/i386/i686/multiarch/memcpy_chk.c ++++ b/sysdeps/i386/i686/multiarch/memcpy_chk.c +@@ -32,4 +32,6 @@ libc_ifunc_redirected (__redirect_memcpy_chk, __memcpy_chk, + __hidden_ver1 (__memcpy_chk, __GI___memcpy_chk, __redirect_memcpy_chk) + __attribute__ ((visibility ("hidden"))) __attribute_copy__ (__memcpy_chk); + # endif ++#else ++# include <debug/memcpy_chk.c> + #endif +diff --git a/sysdeps/i386/i686/multiarch/memmove_chk.c b/sysdeps/i386/i686/multiarch/memmove_chk.c +index 55c7601d5d..070dde083a 100644 +--- a/sysdeps/i386/i686/multiarch/memmove_chk.c ++++ b/sysdeps/i386/i686/multiarch/memmove_chk.c +@@ -32,4 +32,6 @@ libc_ifunc_redirected (__redirect_memmove_chk, __memmove_chk, + __hidden_ver1 (__memmove_chk, __GI___memmove_chk, __redirect_memmove_chk) + __attribute__ ((visibility ("hidden"))) __attribute_copy__ (__memmove_chk); + # endif ++#else ++# include <debug/memmove_chk.c> + #endif +diff --git a/sysdeps/i386/i686/multiarch/mempcpy_chk.c b/sysdeps/i386/i686/multiarch/mempcpy_chk.c +index 83569cf9d9..14360f1828 100644 +--- a/sysdeps/i386/i686/multiarch/mempcpy_chk.c ++++ b/sysdeps/i386/i686/multiarch/mempcpy_chk.c +@@ -32,4 +32,6 @@ libc_ifunc_redirected (__redirect_mempcpy_chk, __mempcpy_chk, + __hidden_ver1 (__mempcpy_chk, __GI___mempcpy_chk, __redirect_mempcpy_chk) + __attribute__ ((visibility ("hidden"))) __attribute_copy__ (__mempcpy_chk); + # endif ++#else ++# include <debug/mempcpy_chk.c> + #endif +diff --git a/sysdeps/i386/i686/multiarch/memset_chk.c b/sysdeps/i386/i686/multiarch/memset_chk.c +index 1a7503858d..8179ef7c0b 100644 +--- a/sysdeps/i386/i686/multiarch/memset_chk.c ++++ b/sysdeps/i386/i686/multiarch/memset_chk.c +@@ -32,4 +32,6 @@ libc_ifunc_redirected (__redirect_memset_chk, __memset_chk, + __hidden_ver1 (__memset_chk, __GI___memset_chk, __redirect_memset_chk) + __attribute__ ((visibility ("hidden"))) __attribute_copy__ (__memset_chk); + # endif ++#else ++# include <debug/memset_chk.c> + #endif +-- +2.33.0 +
View file
_service:tar_scm:0006-malloc-Enable-merging-of-remainders-in-memalign-bug-.patch
Added
@@ -0,0 +1,301 @@ +From 98c293c61f770b6b7a22f89a6ea81b711ecb1952 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 11 Aug 2023 11:18:17 +0200 +Subject: PATCH 06/12 malloc: Enable merging of remainders in memalign (bug + 30723) + +Previously, calling _int_free from _int_memalign could put remainders +into the tcache or into fastbins, where they are invisible to the +low-level allocator. This results in missed merge opportunities +because once these freed chunks become available to the low-level +allocator, further memalign allocations (even of the same size are) +likely obstructing merges. + +Furthermore, during forwards merging in _int_memalign, do not +completely give up when the remainder is too small to serve as a +chunk on its own. We can still give it back if it can be merged +with the following unused chunk. This makes it more likely that +memalign calls in a loop achieve a compact memory layout, +independently of initial heap layout. + +Drop some useless (unsigned long) casts along the way, and tweak +the style to more closely match GNU on changed lines. + +Reviewed-by: DJ Delorie <dj@redhat.com> +(cherry picked from commit 542b1105852568c3ebc712225ae78b8c8ba31a78) +--- + malloc/malloc.c | 197 +++++++++++++++++++++++++++++------------------- + 1 file changed, 121 insertions(+), 76 deletions(-) + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index e2f1a615a4..948f9759af 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -1086,6 +1086,11 @@ typedef struct malloc_chunk* mchunkptr; + + static void* _int_malloc(mstate, size_t); + static void _int_free(mstate, mchunkptr, int); ++static void _int_free_merge_chunk (mstate, mchunkptr, INTERNAL_SIZE_T); ++static INTERNAL_SIZE_T _int_free_create_chunk (mstate, ++ mchunkptr, INTERNAL_SIZE_T, ++ mchunkptr, INTERNAL_SIZE_T); ++static void _int_free_maybe_consolidate (mstate, INTERNAL_SIZE_T); + static void* _int_realloc(mstate, mchunkptr, INTERNAL_SIZE_T, + INTERNAL_SIZE_T); + static void* _int_memalign(mstate, size_t, size_t); +@@ -4637,31 +4642,52 @@ _int_free (mstate av, mchunkptr p, int have_lock) + if (!have_lock) + __libc_lock_lock (av->mutex); + +- nextchunk = chunk_at_offset(p, size); +- +- /* Lightweight tests: check whether the block is already the +- top block. */ +- if (__glibc_unlikely (p == av->top)) +- malloc_printerr ("double free or corruption (top)"); +- /* Or whether the next chunk is beyond the boundaries of the arena. */ +- if (__builtin_expect (contiguous (av) +- && (char *) nextchunk +- >= ((char *) av->top + chunksize(av->top)), 0)) +- malloc_printerr ("double free or corruption (out)"); +- /* Or whether the block is actually not marked used. */ +- if (__glibc_unlikely (!prev_inuse(nextchunk))) +- malloc_printerr ("double free or corruption (!prev)"); +- +- nextsize = chunksize(nextchunk); +- if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0) +- || __builtin_expect (nextsize >= av->system_mem, 0)) +- malloc_printerr ("free(): invalid next size (normal)"); ++ _int_free_merge_chunk (av, p, size); + +- free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ); ++ if (!have_lock) ++ __libc_lock_unlock (av->mutex); ++ } ++ /* ++ If the chunk was allocated via mmap, release via munmap(). ++ */ ++ ++ else { ++ munmap_chunk (p); ++ } ++} ++ ++/* Try to merge chunk P of SIZE bytes with its neighbors. Put the ++ resulting chunk on the appropriate bin list. P must not be on a ++ bin list yet, and it can be in use. */ ++static void ++_int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size) ++{ ++ mchunkptr nextchunk = chunk_at_offset(p, size); ++ ++ /* Lightweight tests: check whether the block is already the ++ top block. */ ++ if (__glibc_unlikely (p == av->top)) ++ malloc_printerr ("double free or corruption (top)"); ++ /* Or whether the next chunk is beyond the boundaries of the arena. */ ++ if (__builtin_expect (contiguous (av) ++ && (char *) nextchunk ++ >= ((char *) av->top + chunksize(av->top)), 0)) ++ malloc_printerr ("double free or corruption (out)"); ++ /* Or whether the block is actually not marked used. */ ++ if (__glibc_unlikely (!prev_inuse(nextchunk))) ++ malloc_printerr ("double free or corruption (!prev)"); ++ ++ INTERNAL_SIZE_T nextsize = chunksize(nextchunk); ++ if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0) ++ || __builtin_expect (nextsize >= av->system_mem, 0)) ++ malloc_printerr ("free(): invalid next size (normal)"); ++ ++ free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ); + +- /* consolidate backward */ +- if (!prev_inuse(p)) { +- prevsize = prev_size (p); ++ /* Consolidate backward. */ ++ if (!prev_inuse(p)) ++ { ++ INTERNAL_SIZE_T prevsize = prev_size (p); + size += prevsize; + p = chunk_at_offset(p, -((long) prevsize)); + if (__glibc_unlikely (chunksize(p) != prevsize)) +@@ -4669,9 +4695,25 @@ _int_free (mstate av, mchunkptr p, int have_lock) + unlink_chunk (av, p); + } + +- if (nextchunk != av->top) { ++ /* Write the chunk header, maybe after merging with the following chunk. */ ++ size = _int_free_create_chunk (av, p, size, nextchunk, nextsize); ++ _int_free_maybe_consolidate (av, size); ++} ++ ++/* Create a chunk at P of SIZE bytes, with SIZE potentially increased ++ to cover the immediately following chunk NEXTCHUNK of NEXTSIZE ++ bytes (if NEXTCHUNK is unused). The chunk at P is not actually ++ read and does not have to be initialized. After creation, it is ++ placed on the appropriate bin list. The function returns the size ++ of the new chunk. */ ++static INTERNAL_SIZE_T ++_int_free_create_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size, ++ mchunkptr nextchunk, INTERNAL_SIZE_T nextsize) ++{ ++ if (nextchunk != av->top) ++ { + /* get and clear inuse bit */ +- nextinuse = inuse_bit_at_offset(nextchunk, nextsize); ++ bool nextinuse = inuse_bit_at_offset (nextchunk, nextsize); + + /* consolidate forward */ + if (!nextinuse) { +@@ -4686,8 +4728,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) + been given one chance to be used in malloc. + */ + +- bck = unsorted_chunks(av); +- fwd = bck->fd; ++ mchunkptr bck = unsorted_chunks (av); ++ mchunkptr fwd = bck->fd; + if (__glibc_unlikely (fwd->bk != bck)) + malloc_printerr ("free(): corrupted unsorted chunks"); + p->fd = fwd; +@@ -4706,61 +4748,52 @@ _int_free (mstate av, mchunkptr p, int have_lock) + check_free_chunk(av, p); + } + +- /* +- If the chunk borders the current high end of memory, +- consolidate into top +- */ +- +- else { ++ else ++ { ++ /* If the chunk borders the current high end of memory, ++ consolidate into top. */ + size += nextsize; + set_head(p, size | PREV_INUSE); + av->top = p; + check_chunk(av, p); + } + +- /* +- If freeing a large space, consolidate possibly-surrounding +- chunks. Then, if the total unused topmost memory exceeds trim +- threshold, ask malloc_trim to reduce top. +- +- Unless max_fast is 0, we don't know if there are fastbins +- bordering top, so we cannot tell for sure whether threshold +- has been reached unless fastbins are consolidated. But we +- don't want to consolidate on each free. As a compromise, +- consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD +- is reached. +- */ ++ return size; ++} + +- if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) { ++/* If freeing a large space, consolidate possibly-surrounding ++ chunks. Then, if the total unused topmost memory exceeds trim ++ threshold, ask malloc_trim to reduce top. */
View file
_service:tar_scm:0007-malloc-Remove-bin-scanning-from-memalign-bug-30723.patch
Added
@@ -0,0 +1,269 @@ +From 2af141bda3cd407abd4bedf615f9e45fe79518e2 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Thu, 10 Aug 2023 19:36:56 +0200 +Subject: PATCH 07/12 malloc: Remove bin scanning from memalign (bug 30723) + +On the test workload (mpv --cache=yes with VP9 video decoding), the +bin scanning has a very poor success rate (less than 2%). The tcache +scanning has about 50% success rate, so keep that. + +Update comments in malloc/tst-memalign-2 to indicate the purpose +of the tests. Even with the scanning removed, the additional +merging opportunities since commit 542b1105852568c3ebc712225ae78b +("malloc: Enable merging of remainders in memalign (bug 30723)") +are sufficient to pass the existing large bins test. + +Remove leftover variables from _int_free from refactoring in the +same commit. + +Reviewed-by: DJ Delorie <dj@redhat.com> +(cherry picked from commit 0dc7fc1cf094406a138e4d1bcf9553e59edcf89d) +--- + NEWS | 1 + + malloc/malloc.c | 169 ++-------------------------------------- + malloc/tst-memalign-2.c | 7 +- + 3 files changed, 11 insertions(+), 166 deletions(-) + +diff --git a/NEWS b/NEWS +index 872bc8907b..c339cb444e 100644 +--- a/NEWS ++++ b/NEWS +@@ -132,6 +132,7 @@ The following bugs are resolved with this release: + 30555 string: strerror can incorrectly return NULL + 30579 malloc: trim_threshold in realloc lead to high memory usage + 30662 nscd: Group and password cache use errno in place of errval ++ 30723 posix_memalign repeatedly scans long bin lists +  + Version 2.37 + +diff --git a/malloc/malloc.c b/malloc/malloc.c +index 948f9759af..d0bbbf3710 100644 +--- a/malloc/malloc.c ++++ b/malloc/malloc.c +@@ -4488,12 +4488,6 @@ _int_free (mstate av, mchunkptr p, int have_lock) + { + INTERNAL_SIZE_T size; /* its size */ + mfastbinptr *fb; /* associated fastbin */ +- mchunkptr nextchunk; /* next contiguous chunk */ +- INTERNAL_SIZE_T nextsize; /* its size */ +- int nextinuse; /* true if nextchunk is used */ +- INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */ +- mchunkptr bck; /* misc temp for linking */ +- mchunkptr fwd; /* misc temp for linking */ + + size = chunksize (p); + +@@ -5032,42 +5026,6 @@ _int_realloc (mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, + ------------------------------ memalign ------------------------------ + */ + +-/* Returns 0 if the chunk is not and does not contain the requested +- aligned sub-chunk, else returns the amount of "waste" from +- trimming. NB is the *chunk* byte size, not the user byte +- size. */ +-static size_t +-chunk_ok_for_memalign (mchunkptr p, size_t alignment, size_t nb) +-{ +- void *m = chunk2mem (p); +- INTERNAL_SIZE_T size = chunksize (p); +- void *aligned_m = m; +- +- if (__glibc_unlikely (misaligned_chunk (p))) +- malloc_printerr ("_int_memalign(): unaligned chunk detected"); +- +- aligned_m = PTR_ALIGN_UP (m, alignment); +- +- INTERNAL_SIZE_T front_extra = (intptr_t) aligned_m - (intptr_t) m; +- +- /* We can't trim off the front as it's too small. */ +- if (front_extra > 0 && front_extra < MINSIZE) +- return 0; +- +- /* If it's a perfect fit, it's an exception to the return value rule +- (we would return zero waste, which looks like "not usable"), so +- handle it here by returning a small non-zero value instead. */ +- if (size == nb && front_extra == 0) +- return 1; +- +- /* If the block we need fits in the chunk, calculate total waste. */ +- if (size > nb + front_extra) +- return size - nb; +- +- /* Can't use this chunk. */ +- return 0; +-} +- + /* BYTES is user requested bytes, not requested chunksize bytes. */ + static void * + _int_memalign (mstate av, size_t alignment, size_t bytes) +@@ -5082,7 +5040,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + mchunkptr remainder; /* spare room at end to split off */ + unsigned long remainder_size; /* its size */ + INTERNAL_SIZE_T size; +- mchunkptr victim; + + nb = checked_request2size (bytes); + if (nb == 0) +@@ -5101,129 +5058,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) + we don't find anything in those bins, the common malloc code will + scan starting at 2x. */ + +- /* This will be set if we found a candidate chunk. */ +- victim = NULL; +- +- /* Fast bins are singly-linked, hard to remove a chunk from the middle +- and unlikely to meet our alignment requirements. We have not done +- any experimentation with searching for aligned fastbins. */ +- +- if (av != NULL) +- { +- int first_bin_index; +- int first_largebin_index; +- int last_bin_index; +- +- if (in_smallbin_range (nb)) +- first_bin_index = smallbin_index (nb); +- else +- first_bin_index = largebin_index (nb); +- +- if (in_smallbin_range (nb * 2)) +- last_bin_index = smallbin_index (nb * 2); +- else +- last_bin_index = largebin_index (nb * 2); +- +- first_largebin_index = largebin_index (MIN_LARGE_SIZE); +- +- int victim_index; /* its bin index */ +- +- for (victim_index = first_bin_index; +- victim_index < last_bin_index; +- victim_index ++) +- { +- victim = NULL; +- +- if (victim_index < first_largebin_index) +- { +- /* Check small bins. Small bin chunks are doubly-linked despite +- being the same size. */ +- +- mchunkptr fwd; /* misc temp for linking */ +- mchunkptr bck; /* misc temp for linking */ +- +- bck = bin_at (av, victim_index); +- fwd = bck->fd; +- while (fwd != bck) +- { +- if (chunk_ok_for_memalign (fwd, alignment, nb) > 0) +- { +- victim = fwd; +- +- /* Unlink it */ +- victim->fd->bk = victim->bk; +- victim->bk->fd = victim->fd; +- break; +- } +- +- fwd = fwd->fd; +- } +- } +- else +- { +- /* Check large bins. */ +- mchunkptr fwd; /* misc temp for linking */ +- mchunkptr bck; /* misc temp for linking */ +- mchunkptr best = NULL; +- size_t best_size = 0; +- +- bck = bin_at (av, victim_index); +- fwd = bck->fd; ++ /* Call malloc with worst case padding to hit alignment. */ ++ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); + +- while (fwd != bck) +- { +- int extra; +- +- if (chunksize (fwd) < nb) +- break; +- extra = chunk_ok_for_memalign (fwd, alignment, nb); +- if (extra > 0 +- && (extra <= best_size || best == NULL)) +- { +- best = fwd; +- best_size = extra; +- } ++ if (m == 0) ++ return 0; /* propagate failure */ + +- fwd = fwd->fd; +- }
View file
_service:tar_scm:0008-sysdeps-tst-bz21269-fix-test-parameter.patch
Added
@@ -0,0 +1,31 @@ +From c8ecda6251dd4a0dfe074e0a6011211cadeef742 Mon Sep 17 00:00:00 2001 +From: Sam James <sam@gentoo.org> +Date: Fri, 4 Aug 2023 23:58:27 +0100 +Subject: PATCH 08/12 sysdeps: tst-bz21269: fix test parameter + +All callers pass 1 or 0x11 anyway (same meaning according to man page), +but still. + +Reviewed-by: DJ Delorie <dj@redhat.com> +Signed-off-by: Sam James <sam@gentoo.org> +(cherry picked from commit e0b712dd9183d527aae4506cd39564c14af3bb28) +--- + sysdeps/unix/sysv/linux/i386/tst-bz21269.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +index 51d4a1b082..f508ef8f16 100644 +--- a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c ++++ b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +@@ -52,7 +52,7 @@ xset_thread_area (struct user_desc *u_info) + static void + xmodify_ldt (int func, const void *ptr, unsigned long bytecount) + { +- TEST_VERIFY_EXIT (syscall (SYS_modify_ldt, 1, ptr, bytecount) == 0); ++ TEST_VERIFY_EXIT (syscall (SYS_modify_ldt, func, ptr, bytecount) == 0); + } + + static int +-- +2.33.0 +
View file
_service:tar_scm:0009-sysdeps-tst-bz21269-handle-ENOSYS-skip-appropriately.patch
Added
@@ -0,0 +1,42 @@ +From ad9b8399537670a990572c4b0c4da5411e3b68cf Mon Sep 17 00:00:00 2001 +From: Sam James <sam@gentoo.org> +Date: Sat, 5 Aug 2023 00:04:33 +0100 +Subject: PATCH 09/12 sysdeps: tst-bz21269: handle ENOSYS & skip + appropriately + +SYS_modify_ldt requires CONFIG_MODIFY_LDT_SYSCALL to be set in the kernel, which +some distributions may disable for hardening. Check if that's the case (unset) +and mark the test as UNSUPPORTED if so. + +Reviewed-by: DJ Delorie <dj@redhat.com> +Signed-off-by: Sam James <sam@gentoo.org> +(cherry picked from commit 652b9fdb77d9fd056d4dd26dad2c14142768ab49) +--- + sysdeps/unix/sysv/linux/i386/tst-bz21269.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +index f508ef8f16..28f5359bea 100644 +--- a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c ++++ b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +@@ -52,7 +52,16 @@ xset_thread_area (struct user_desc *u_info) + static void + xmodify_ldt (int func, const void *ptr, unsigned long bytecount) + { +- TEST_VERIFY_EXIT (syscall (SYS_modify_ldt, func, ptr, bytecount) == 0); ++ long ret = syscall (SYS_modify_ldt, func, ptr, bytecount); ++ ++ if (ret == -1) ++ { ++ if (errno == ENOSYS) ++ FAIL_UNSUPPORTED ("modify_ldt not supported"); ++ FAIL_EXIT1 ("modify_ldt failed (errno=%d)", errno); ++ } ++ ++ return 0; + } + + static int +-- +2.33.0 +
View file
_service:tar_scm:0010-sysdeps-tst-bz21269-fix-Wreturn-type.patch
Added
@@ -0,0 +1,30 @@ +From 1aed90c9c8f8be9f68b58e96b6e4cd0fc08eb2b1 Mon Sep 17 00:00:00 2001 +From: Sam James <sam@gentoo.org> +Date: Thu, 17 Aug 2023 09:30:29 +0100 +Subject: PATCH 10/12 sysdeps: tst-bz21269: fix -Wreturn-type + +Thanks to Andreas Schwab for reporting. + +Fixes: 652b9fdb77d9fd056d4dd26dad2c14142768ab49 +Signed-off-by: Sam James <sam@gentoo.org> +(cherry picked from commit 369f373057073c307938da91af16922bda3dff6a) +--- + sysdeps/unix/sysv/linux/i386/tst-bz21269.c | 2 -- + 1 file changed, 2 deletions(-) + +diff --git a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +index 28f5359bea..822c41fceb 100644 +--- a/sysdeps/unix/sysv/linux/i386/tst-bz21269.c ++++ b/sysdeps/unix/sysv/linux/i386/tst-bz21269.c +@@ -60,8 +60,6 @@ xmodify_ldt (int func, const void *ptr, unsigned long bytecount) + FAIL_UNSUPPORTED ("modify_ldt not supported"); + FAIL_EXIT1 ("modify_ldt failed (errno=%d)", errno); + } +- +- return 0; + } + + static int +-- +2.33.0 +
View file
_service:tar_scm:0011-io-Fix-record-locking-contants-for-powerpc64-with-__.patch
Added
@@ -0,0 +1,91 @@ +From 5bdef6f27c91f45505ed5444147be4ed0e9bc3c7 Mon Sep 17 00:00:00 2001 +From: Aurelien Jarno <aurelien@aurel32.net> +Date: Mon, 28 Aug 2023 23:30:37 +0200 +Subject: PATCH 11/12 io: Fix record locking contants for powerpc64 with + __USE_FILE_OFFSET64 + +Commit 5f828ff824e3b7cd1 ("io: Fix F_GETLK, F_SETLK, and F_SETLKW for +powerpc64") fixed an issue with the value of the lock constants on +powerpc64 when not using __USE_FILE_OFFSET64, but it ended-up also +changing the value when using __USE_FILE_OFFSET64 causing an API change. + +Fix that by also checking that define, restoring the pre +4d0fe291aed3a476a commit values: + +Default values: +- F_GETLK: 5 +- F_SETLK: 6 +- F_SETLKW: 7 + +With -D_FILE_OFFSET_BITS=64: +- F_GETLK: 12 +- F_SETLK: 13 +- F_SETLKW: 14 + +At the same time, it has been noticed that there was no test for io lock +with __USE_FILE_OFFSET64, so just add one. + +Tested on x86_64-linux-gnu, i686-linux-gnu and +powerpc64le-unknown-linux-gnu. + +Resolves: BZ #30804. +Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> +(cherry picked from commit 434bf72a94de68f0cc7fbf3c44bf38c1911b70cb) +--- + NEWS | 2 ++ + io/Makefile | 1 + + io/tst-fcntl-lock-lfs.c | 2 ++ + sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h | 2 +- + 4 files changed, 6 insertions(+), 1 deletion(-) + create mode 100644 io/tst-fcntl-lock-lfs.c + +diff --git a/NEWS b/NEWS +index c339cb444e..8156572cdf 100644 +--- a/NEWS ++++ b/NEWS +@@ -133,6 +133,8 @@ The following bugs are resolved with this release: + 30579 malloc: trim_threshold in realloc lead to high memory usage + 30662 nscd: Group and password cache use errno in place of errval + 30723 posix_memalign repeatedly scans long bin lists ++ 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with ++ -D_FILE_OFFSET_BITS=64 +  + Version 2.37 + +diff --git a/io/Makefile b/io/Makefile +index 6ccc0e8691..8a3c83a3bb 100644 +--- a/io/Makefile ++++ b/io/Makefile +@@ -192,6 +192,7 @@ tests := \ + tst-fchownat \ + tst-fcntl \ + tst-fcntl-lock \ ++ tst-fcntl-lock-lfs \ + tst-fstatat \ + tst-fts \ + tst-fts-lfs \ +diff --git a/io/tst-fcntl-lock-lfs.c b/io/tst-fcntl-lock-lfs.c +new file mode 100644 +index 0000000000..f2a909fb02 +--- /dev/null ++++ b/io/tst-fcntl-lock-lfs.c +@@ -0,0 +1,2 @@ ++#define _FILE_OFFSET_BITS 64 ++#include <io/tst-fcntl-lock.c> +diff --git a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h +index f7615a447e..d8a291a331 100644 +--- a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h ++++ b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h +@@ -33,7 +33,7 @@ + # define __O_LARGEFILE 0200000 + #endif + +-#if __WORDSIZE == 64 ++#if __WORDSIZE == 64 && !defined __USE_FILE_OFFSET64 + # define F_GETLK 5 + # define F_SETLK 6 + # define F_SETLKW 7 +-- +2.33.0 +
View file
_service:tar_scm:0012-libio-Fix-oversized-__io_vtables.patch
Added
@@ -0,0 +1,51 @@ +From 92201f16cbcfd9eafe314ef6654be2ea7ba25675 Mon Sep 17 00:00:00 2001 +From: Adam Jackson <ajax@redhat.com> +Date: Fri, 8 Sep 2023 15:55:19 -0400 +Subject: PATCH 12/12 libio: Fix oversized __io_vtables + +IO_VTABLES_LEN is the size of the struct array in bytes, not the number +of __IO_jump_t's in the array. Drops just under 384kb from .rodata on +LP64 machines. + +Fixes: 3020f72618e ("libio: Remove the usage of __libc_IO_vtables") +Signed-off-by: Adam Jackson <ajax@redhat.com> +Reviewed-by: Florian Weimer <fweimer@redhat.com> +Tested-by: Florian Weimer <fweimer@redhat.com> +(cherry picked from commit 8cb69e054386f980f9ff4d93b157861d72b2019e) +--- + libio/vtables.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libio/vtables.c b/libio/vtables.c +index 1d8ad612e9..34f7e15f1c 100644 +--- a/libio/vtables.c ++++ b/libio/vtables.c +@@ -20,6 +20,7 @@ + #include <libioP.h> + #include <stdio.h> + #include <ldsodefs.h> ++#include <array_length.h> + #include <pointer_guard.h> + #include <libio-macros.h> + +@@ -88,7 +89,7 @@ + # pragma weak __wprintf_buffer_as_file_xsputn + #endif + +-const struct _IO_jump_t __io_vtablesIO_VTABLES_LEN attribute_relro = ++const struct _IO_jump_t __io_vtables attribute_relro = + { + /* _IO_str_jumps */ + IO_STR_JUMPS = +@@ -485,6 +486,8 @@ const struct _IO_jump_t __io_vtablesIO_VTABLES_LEN attribute_relro = + }, + #endif + }; ++_Static_assert (array_length (__io_vtables) == IO_VTABLES_NUM, ++ "initializer count"); + + #ifdef SHARED + +-- +2.33.0 +
View file
_service:tar_scm:CVE-2023-4527-Stack-read-overflow-with-large-TCP-res.patch
Added
@@ -0,0 +1,221 @@ +From b25508dd774b617f99419bdc3cf2ace4560cd2d6 Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Wed, 13 Sep 2023 14:10:56 +0200 +Subject: PATCH CVE-2023-4527: Stack read overflow with large TCP responses + in no-aaaa mode + +Without passing alt_dns_packet_buffer, __res_context_search can only +store 2048 bytes (what fits into dns_packet_buffer). However, +the function returns the total packet size, and the subsequent +DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end +of the stack-allocated buffer. + +Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa +stub resolver option") and bug 30842. + +(cherry picked from commit bd77dd7e73e3530203be1c52c8a29d08270cb25d) +--- + NEWS | 9 +++ + resolv/Makefile | 2 + + resolv/nss_dns/dns-host.c | 2 +- + resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ + 4 files changed, 141 insertions(+), 1 deletion(-) + create mode 100644 resolv/tst-resolv-noaaaa-vc.c + +diff --git a/NEWS b/NEWS +index 64596d5d09..dfee278a9c 100644 +--- a/NEWS ++++ b/NEWS +@@ -7,12 +7,21 @@ using `glibc' in the "product" field. +  + Version 2.38.1 + ++Security related changes: ++ ++ CVE-2023-4527: If the system is configured in no-aaaa mode via ++ /etc/resolv.conf, getaddrinfo is called for the AF_UNSPEC address ++ family, and a DNS response is received over TCP that is larger than ++ 2048 bytes, getaddrinfo may potentially disclose stack contents via ++ the returned address data, or crash. ++ + The following bugs are resolved with this release: + + 30723 posix_memalign repeatedly scans long bin lists + 30785 Always call destructors in reverse constructor order + 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 ++ 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + +  + Version 2.38 +diff --git a/resolv/Makefile b/resolv/Makefile +index 054b1fa36c..2f99eb3862 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -102,6 +102,7 @@ tests += \ + tst-resolv-invalid-cname \ + tst-resolv-network \ + tst-resolv-noaaaa \ ++ tst-resolv-noaaaa-vc \ + tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ +@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index 1d60c51f5e..5d0ab30de6 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, + { + n = __res_context_search (ctx, name, C_IN, T_A, + dns_packet_buffer, sizeof (dns_packet_buffer), +- NULL, NULL, NULL, NULL, NULL); ++ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); + if (n >= 0) + status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, + &abuf, pat, errnop, herrnop, ttlp); +diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c +new file mode 100644 +index 0000000000..9f5aebd99f +--- /dev/null ++++ b/resolv/tst-resolv-noaaaa-vc.c +@@ -0,0 +1,129 @@ ++/* Test the RES_NOAAAA resolver option with a large response. ++ Copyright (C) 2022-2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <https://www.gnu.org/licenses/>. */ ++ ++#include <errno.h> ++#include <netdb.h> ++#include <resolv.h> ++#include <stdbool.h> ++#include <stdlib.h> ++#include <support/check.h> ++#include <support/check_nss.h> ++#include <support/resolv_test.h> ++#include <support/support.h> ++#include <support/xmemstream.h> ++ ++/* Used to keep track of the number of queries. */ ++static volatile unsigned int queries; ++ ++/* If true, add a large TXT record at the start of the answer section. */ ++static volatile bool stuff_txt; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* If not using TCP, just force its use. */ ++ if (!ctx->tcp) ++ { ++ struct resolv_response_flags flags = {.tc = true}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ return; ++ } ++ ++ /* The test needs to send four queries, the first three are used to ++ grow the NSS buffer via the ERANGE handshake. */ ++ ++queries; ++ TEST_VERIFY (queries <= 4); ++ ++ /* AAAA queries are supposed to be disabled. */ ++ TEST_COMPARE (qtype, T_A); ++ TEST_COMPARE (qclass, C_IN); ++ TEST_COMPARE_STRING (qname, "example.com"); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ ++ resolv_response_section (b, ns_s_an); ++ ++ if (stuff_txt) ++ { ++ resolv_response_open_record (b, qname, qclass, T_TXT, 60); ++ int zero = 0; ++ for (int i = 0; i <= 15000; ++i) ++ resolv_response_add_data (b, &zero, sizeof (zero)); ++ resolv_response_close_record (b); ++ } ++ ++ for (int i = 0; i < 200; ++i) ++ { ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ char ipv44 = {192, 0, 2, i + 1}; ++ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); ++ resolv_response_close_record (b); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ _res.options |= RES_NOAAAA; ++ ++ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) ++ { ++ queries = 0; ++ stuff_txt = do_stuff_txt; ++ ++ struct addrinfo *ai = NULL; ++ int ret; ++ ret = getaddrinfo ("example.com", "80", ++ &(struct addrinfo) ++ { ++ .ai_family = AF_UNSPEC, ++ .ai_socktype = SOCK_STREAM, ++ }, &ai); ++ ++ char *expected_result; ++ {
View file
_service:tar_scm:LoongArch-Delete-excessively-allocated-memory.patch
Added
@@ -0,0 +1,109 @@ +From 44f757a6364a546359809d48c76b3debd26e77d4 Mon Sep 17 00:00:00 2001 +From: caiyinyu <caiyinyu@loongson.cn> +Date: Thu, 26 Oct 2023 17:27:21 +0800 +Subject: PATCH 1/9 LoongArch: Delete excessively allocated memory. + +Backported from glibc 2.39 development. +--- + sysdeps/loongarch/dl-trampoline.h | 68 +++++++++++++++---------------- + 1 file changed, 34 insertions(+), 34 deletions(-) + +diff --git a/sysdeps/loongarch/dl-trampoline.h b/sysdeps/loongarch/dl-trampoline.h +index 02375286f8..99fcacab76 100644 +--- a/sysdeps/loongarch/dl-trampoline.h ++++ b/sysdeps/loongarch/dl-trampoline.h +@@ -19,9 +19,9 @@ + /* Assembler veneer called from the PLT header code for lazy loading. + The PLT header passes its own args in t0-t2. */ + #ifdef USE_LASX +-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZXREG) & ALMASK)) ++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZXREG) & ALMASK)) + #elif defined USE_LSX +-# define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG - 8 * SZVREG) & ALMASK)) ++# define FRAME_SIZE (-((-9 * SZREG - 8 * SZVREG) & ALMASK)) + #elif !defined __loongarch_soft_float + # define FRAME_SIZE (-((-9 * SZREG - 8 * SZFREG) & ALMASK)) + #else +@@ -44,23 +44,23 @@ ENTRY (_dl_runtime_resolve) + REG_S a7, sp, 8*SZREG + + #ifdef USE_LASX +- xvst xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG +- xvst xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG +- xvst xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG +- xvst xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG +- xvst xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG +- xvst xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG +- xvst xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG +- xvst xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG ++ xvst xr0, sp, 9*SZREG + 0*SZXREG ++ xvst xr1, sp, 9*SZREG + 1*SZXREG ++ xvst xr2, sp, 9*SZREG + 2*SZXREG ++ xvst xr3, sp, 9*SZREG + 3*SZXREG ++ xvst xr4, sp, 9*SZREG + 4*SZXREG ++ xvst xr5, sp, 9*SZREG + 5*SZXREG ++ xvst xr6, sp, 9*SZREG + 6*SZXREG ++ xvst xr7, sp, 9*SZREG + 7*SZXREG + #elif defined USE_LSX +- vst vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG +- vst vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG +- vst vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG +- vst vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG +- vst vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG +- vst vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG +- vst vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG +- vst vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG ++ vst vr0, sp, 9*SZREG + 0*SZVREG ++ vst vr1, sp, 9*SZREG + 1*SZVREG ++ vst vr2, sp, 9*SZREG + 2*SZVREG ++ vst vr3, sp, 9*SZREG + 3*SZVREG ++ vst vr4, sp, 9*SZREG + 4*SZVREG ++ vst vr5, sp, 9*SZREG + 5*SZVREG ++ vst vr6, sp, 9*SZREG + 6*SZVREG ++ vst vr7, sp, 9*SZREG + 7*SZVREG + #elif !defined __loongarch_soft_float + FREG_S fa0, sp, 9*SZREG + 0*SZFREG + FREG_S fa1, sp, 9*SZREG + 1*SZFREG +@@ -92,23 +92,23 @@ ENTRY (_dl_runtime_resolve) + REG_L a7, sp, 8*SZREG + + #ifdef USE_LASX +- xvld xr0, sp, 9*SZREG + 8*SZFREG + 0*SZXREG +- xvld xr1, sp, 9*SZREG + 8*SZFREG + 1*SZXREG +- xvld xr2, sp, 9*SZREG + 8*SZFREG + 2*SZXREG +- xvld xr3, sp, 9*SZREG + 8*SZFREG + 3*SZXREG +- xvld xr4, sp, 9*SZREG + 8*SZFREG + 4*SZXREG +- xvld xr5, sp, 9*SZREG + 8*SZFREG + 5*SZXREG +- xvld xr6, sp, 9*SZREG + 8*SZFREG + 6*SZXREG +- xvld xr7, sp, 9*SZREG + 8*SZFREG + 7*SZXREG ++ xvld xr0, sp, 9*SZREG + 0*SZXREG ++ xvld xr1, sp, 9*SZREG + 1*SZXREG ++ xvld xr2, sp, 9*SZREG + 2*SZXREG ++ xvld xr3, sp, 9*SZREG + 3*SZXREG ++ xvld xr4, sp, 9*SZREG + 4*SZXREG ++ xvld xr5, sp, 9*SZREG + 5*SZXREG ++ xvld xr6, sp, 9*SZREG + 6*SZXREG ++ xvld xr7, sp, 9*SZREG + 7*SZXREG + #elif defined USE_LSX +- vld vr0, sp, 9*SZREG + 8*SZFREG + 0*SZVREG +- vld vr1, sp, 9*SZREG + 8*SZFREG + 1*SZVREG +- vld vr2, sp, 9*SZREG + 8*SZFREG + 2*SZVREG +- vld vr3, sp, 9*SZREG + 8*SZFREG + 3*SZVREG +- vld vr4, sp, 9*SZREG + 8*SZFREG + 4*SZVREG +- vld vr5, sp, 9*SZREG + 8*SZFREG + 5*SZVREG +- vld vr6, sp, 9*SZREG + 8*SZFREG + 6*SZVREG +- vld vr7, sp, 9*SZREG + 8*SZFREG + 7*SZVREG ++ vld vr0, sp, 9*SZREG + 0*SZVREG ++ vld vr1, sp, 9*SZREG + 1*SZVREG ++ vld vr2, sp, 9*SZREG + 2*SZVREG ++ vld vr3, sp, 9*SZREG + 3*SZVREG ++ vld vr4, sp, 9*SZREG + 4*SZVREG ++ vld vr5, sp, 9*SZREG + 5*SZVREG ++ vld vr6, sp, 9*SZREG + 6*SZVREG ++ vld vr7, sp, 9*SZREG + 7*SZVREG + #elif !defined __loongarch_soft_float + FREG_L fa0, sp, 9*SZREG + 0*SZFREG + FREG_L fa1, sp, 9*SZREG + 1*SZFREG +-- +2.33.0 +
View file
_service:tar_scm:NEWS-Mention-bug-fixes-for-29039-30694-30709-30721.patch
Added
@@ -0,0 +1,27 @@ +From d25e2c8d5cb0778ae87ad43b1f4c301abe5a932b Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Sat, 23 Dec 2023 06:24:41 -0800 +Subject: PATCH 6/9 NEWS: Mention bug fixes for 29039/30694/30709/30721 + +--- + NEWS | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/NEWS b/NEWS +index 6fbb8a9e1d..db4d6c8373 100644 +--- a/NEWS ++++ b/NEWS +@@ -31,6 +31,10 @@ Security related changes: + + The following bugs are resolved with this release: + ++ 29039 Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS ++ 30694 The iconv program no longer tells the user which given encoding name was wrong ++ 30709 nscd fails to build with cleanup handler if built with -fexceptions ++ 30721 x86_64: Fix build with --disable-multiarch + 30723 posix_memalign repeatedly scans long bin lists + 30789 sem_open will fail on multithreaded scenarios when semaphore + file doesn't exist (O_CREAT) +-- +2.33.0 +
View file
_service:tar_scm:NEWS-Mention-bug-fixes-for-30745-30843.patch
Added
@@ -0,0 +1,30 @@ +From 27339a3eb8f987eebae72b854af80256c1588ebd Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Sat, 23 Dec 2023 06:27:50 -0800 +Subject: PATCH 7/9 NEWS: Mention bug fixes for 30745/30843 + +--- + NEWS | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/NEWS b/NEWS +index db4d6c8373..905230b838 100644 +--- a/NEWS ++++ b/NEWS +@@ -36,11 +36,13 @@ The following bugs are resolved with this release: + 30709 nscd fails to build with cleanup handler if built with -fexceptions + 30721 x86_64: Fix build with --disable-multiarch + 30723 posix_memalign repeatedly scans long bin lists ++ 30745 Slight bug in cache info codes for x86 + 30789 sem_open will fail on multithreaded scenarios when semaphore + file doesn't exist (O_CREAT) + 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) ++ 30843 potential use-after-free in getcanonname (CVE-2023-4806) + 31184 FAIL: elf/tst-tlsgap + 31185 Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + +-- +2.33.0 +
View file
_service:tar_scm:backport-elf-Handle-non-directory-name-in-search-path-BZ-3103.patch
Added
@@ -0,0 +1,220 @@ +From a8dcffb30680d6db5704f9ce2fc30621ceb454e7 Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Fri, 10 Nov 2023 10:43:12 -0300 +Subject: PATCH elf: Handle non-directory name in search path (BZ 31035) + +The open_path stops if a relative path in search path contains a +component that is a non directory (for instance, if the component +is an existing file). + +For instance: + + $ cat > lib.c <<EOF + > void foo (void) {} + > EOF + $ gcc -shared -fPIC -o lib.so lib.c + $ cat > main.c <<EOF + extern void foo (); + int main () { foo (); return 0; } + EOF + $ gcc -o main main.c lib.so + $ LD_LIBRARY_PATH=. ./main + $ LD_LIBRARY_PATH=non-existing/path:. ./main + $ LD_LIBRARY_PATH=$(pwd)/main:. ./main + $ LD_LIBRARY_PATH=./main:. ./main + ./main: error while loading shared libraries: lib.so: cannot open shared object file: No such file or directory + +The invalid './main' should be ignored as a non-existent one, +instead as a valid but non accessible file. + +Absolute paths do not trigger this issue because their status are +initialized as 'unknown' and open_path check if this is a directory. + +Checked on x86_64-linux-gnu. + +Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com> +--- + elf/Makefile | 12 ++++++ + elf/dl-load.c | 9 ++-- + elf/tst-non-directory-mod.c | 1 + + elf/tst-non-directory-path.c | 7 ++++ + elf/tst-non-directory-path.sh | 77 +++++++++++++++++++++++++++++++++++ + 5 files changed, 103 insertions(+), 3 deletions(-) + create mode 100644 elf/tst-non-directory-mod.c + create mode 100644 elf/tst-non-directory-path.c + create mode 100755 elf/tst-non-directory-path.sh + +diff --git a/elf/Makefile b/elf/Makefile +index 8cd01845..00ac7430 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -427,6 +427,7 @@ tests += \ + tst-nodelete-opened \ + tst-nodelete2 \ + tst-noload \ ++ tst-non-directory-path \ + tst-null-argv \ + tst-p_align1 \ + tst-p_align2 \ +@@ -855,6 +856,7 @@ modules-names += \ + tst-nodelete-dlclose-plugin \ + tst-nodelete-opened-lib \ + tst-nodelete2mod \ ++ tst-non-directory-mod \ + tst-null-argv-lib \ + tst-p_alignmod-base \ + tst-p_alignmod3 \ +@@ -1102,6 +1104,7 @@ ifeq (yes,$(build-shared)) + ifeq ($(run-built-tests),yes) + tests-special += \ + $(objpfx)argv0test.out \ ++ $(objpfx)tst-non-directory-path.out \ + $(objpfx)tst-pathopt.out \ + $(objpfx)tst-rtld-help.out \ + $(objpfx)tst-rtld-load-self.out \ +@@ -2990,3 +2993,12 @@ LDFLAGS-tst-dlclose-lazy-mod1.so = -Wl,-z,lazy,--no-as-needed + $(objpfx)tst-dlclose-lazy-mod1.so: $(objpfx)tst-dlclose-lazy-mod2.so + $(objpfx)tst-dlclose-lazy.out: \ + $(objpfx)tst-dlclose-lazy-mod1.so $(objpfx)tst-dlclose-lazy-mod2.so ++ ++LDFLAGS-tst-non-directory-mod.so = -Wl,-soname,tst-non-directory-mod.so ++$(objpfx)tst-non-directory-path: $(objpfx)tst-non-directory-mod.so ++$(objpfx)tst-non-directory-path.out: tst-non-directory-path.sh \ ++ $(objpfx)tst-non-directory-path ++ $(SHELL) tst-non-directory-path.sh $(objpfx)ld.so $(objpfx)tst-non-directory-path \ ++ '$(test-wrapper-env)' '$(run_program_env)' \ ++ '$(rpath-link)' $(objpfx) > $@; \ ++ $(evaluate-test) +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 9a87fda9..7caa405b 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1810,7 +1810,6 @@ open_path (const char *name, size_t namelen, int mode, + size_t cnt; + char *edp; + int here_any = 0; +- int err; + + /* If we are debugging the search for libraries print the path + now if it hasn't happened now. */ +@@ -1911,8 +1910,12 @@ open_path (const char *name, size_t namelen, int mode, + return -1; + } + } +- if (here_any && (err = errno) != ENOENT && err != EACCES) +- /* The file exists and is readable, but something went wrong. */ ++ ++ /* Continue the search if the file does not exist (ENOENT), if it can ++ not be accessed (EACCES), or if the a component in the path is not a ++ directory (for instance, if the component is a existing file meaning ++ essentially that the pathname is invalid - ENOTDIR). */ ++ if (here_any && errno != ENOENT && errno != EACCES && errno != ENOTDIR) + return -1; + + /* Remember whether we found anything. */ +diff --git a/elf/tst-non-directory-mod.c b/elf/tst-non-directory-mod.c +new file mode 100644 +index 00000000..aa6d4c27 +--- /dev/null ++++ b/elf/tst-non-directory-mod.c +@@ -0,0 +1 @@ ++void foo (void) {} +diff --git a/elf/tst-non-directory-path.c b/elf/tst-non-directory-path.c +new file mode 100644 +index 00000000..1016a97a +--- /dev/null ++++ b/elf/tst-non-directory-path.c +@@ -0,0 +1,7 @@ ++extern void foo (void); ++ ++int main (int argc, char *argv) ++{ ++ foo (); ++ return 0; ++} +diff --git a/elf/tst-non-directory-path.sh b/elf/tst-non-directory-path.sh +new file mode 100755 +index 00000000..e804a445 +--- /dev/null ++++ b/elf/tst-non-directory-path.sh +@@ -0,0 +1,77 @@ ++#!/bin/sh ++# Test if library search path does not terminates with non-directory ++# components. ++# Copyright (C) 2023 Free Software Foundation, Inc. ++# This file is part of the GNU C Library. ++# ++# The GNU C Library is free software; you can redistribute it and/or ++# modify it under the terms of the GNU Lesser General Public ++# License as published by the Free Software Foundation; either ++# version 2.1 of the License, or (at your option) any later version. ++# ++# The GNU C Library is distributed in the hope that it will be useful, ++# but WITHOUT ANY WARRANTY; without even the implied warranty of ++# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++# Lesser General Public License for more details. ++# ++# You should have received a copy of the GNU Lesser General Public ++# License along with the GNU C Library; if not, see ++# <https://www.gnu.org/licenses/>. ++ ++set -e ++ ++rtld=$1 ++test_program=$2 ++test_wrapper_env=$3 ++run_program_env=$4 ++# Remove the last space to allow concatenate extra paths. ++library_path=$(echo $5) ++objpfx=$6 ++ ++test_binary=$(basename ${test_program}) ++test_libpath=${test_binary}-x ++ ++mkdir -p ${objpfx}/${test_libpath} ++mv ${objpfx}/tst-non-directory-mod.so ${objpfx}/${test_libpath} ++ ++# Check with absolute paths. ++${test_wrapper_env} \ ++${run_program_env} \ ++$rtld --inhibit-cache \ ++ --library-path \ ++ "$library_path":"${objpfx}"tst-non-directory-invalid:"${objpfx}"${test_libpath} \ ++ $test_program 2>&1 && rc=0 || rc=$? ++ ++${test_wrapper_env} \ ++${run_program_env} \ ++$rtld --inhibit-cache \ ++ --library-path \ ++ "$library_path":"${objpfx}"${test_binary}:"${objpfx}"${test_libpath} \ ++ $test_program 2>&1 && rc=0 || rc=$? ++ ++# Relative paths along with non-existent path in search list. ++cd "$objpfx" ++${test_wrapper_env} \ ++${run_program_env} \ ++$rtld --inhibit-cache \ ++ --library-path \ ++ "$library_path":../elf/tst-non-directory-invalid::../elf/${test_libpath} \ ++ $test_program 2>&1 && rc=0 || rc=$?
View file
_service:tar_scm:elf-Add-TLS-modid-reuse-test-for-bug-29039.patch
Added
@@ -0,0 +1,210 @@ +From 0de9082ed8d8f149ca87d569a73692046e236c18 Mon Sep 17 00:00:00 2001 +From: Szabolcs Nagy <szabolcs.nagy@arm.com> +Date: Wed, 29 Nov 2023 11:31:37 +0000 +Subject: PATCH 3/9 elf: Add TLS modid reuse test for bug 29039 + +This is a minimal regression test for bug 29039 which only affects +targets with TLSDESC and a reproducer requires that + +1) Have modid gaps (closed modules) with old generation. +2) Update a DTV to a newer generation (needs a newer dlopen). +3) But do not update the closed gap entry in that DTV. +4) Reuse the modid gap for a new module (another dlopen). +5) Use dynamic TLSDESC in that new module with old generation (bug). +6) Access TLS via this TLSDESC and the now outdated DTV. + +However step (3) in practice rarely happens: during DTV update the +entries for closed modids are initialized to "unallocated" and then +dynamic TLSDESC calls __tls_get_addr independently of its generation. +The only exception to this is DTV setup at thread creation (gaps are +initialized to NULL instead of unallocated) or DTV resize where the +gap entries are outside the previous DTV array (again NULL instead +of unallocated, and this requires loading > DTV_SURPLUS modules). + +So the bug can only cause NULL (+ offset) dereference, not use after +free. And the easiest way to get (3) is via thread creation. + +Note that step (5) requires that the newly loaded module has larger +TLS than the remaining optional static TLS. And for (6) there cannot +be other TLS access or dlopen in the thread that updates the DTV. + +Tested on aarch64-linux-gnu. + +Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> +(cherry picked from commit 980450f12685326729d63ff72e93a996113bf073) + +Conflict: This adapt the context elf/Makefile due to BZ 31035. +--- + elf/Makefile | 15 +++++++ + elf/tst-tlsgap-mod0.c | 2 + + elf/tst-tlsgap-mod1.c | 2 + + elf/tst-tlsgap-mod2.c | 2 + + elf/tst-tlsgap.c | 92 +++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 113 insertions(+) + create mode 100644 elf/tst-tlsgap-mod0.c + create mode 100644 elf/tst-tlsgap-mod1.c + create mode 100644 elf/tst-tlsgap-mod2.c + create mode 100644 elf/tst-tlsgap.c + +diff --git a/elf/Makefile b/elf/Makefile +index 00ac7430..711f96fe 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -460,6 +460,7 @@ tests += \ + tst-tls21 \ + tst-tlsalign \ + tst-tlsalign-extern \ ++ tst-tlsgap \ + tst-unique1 \ + tst-unique2 \ + tst-unwind-ctor \ +@@ -885,6 +886,9 @@ modules-names += \ + tst-tls20mod-bad \ + tst-tls21mod \ + tst-tlsalign-lib \ ++ tst-tlsgap-mod0 \ ++ tst-tlsgap-mod1 \ ++ tst-tlsgap-mod2 \ + tst-tlsmod1 \ + tst-tlsmod10 \ + tst-tlsmod11 \ +@@ -3002,3 +3006,14 @@ $(objpfx)tst-non-directory-path.out: tst-non-directory-path.sh \ + '$(test-wrapper-env)' '$(run_program_env)' \ + '$(rpath-link)' $(objpfx) > $@; \ + $(evaluate-test) ++ ++$(objpfx)tst-tlsgap: $(shared-thread-library) ++$(objpfx)tst-tlsgap.out: \ ++ $(objpfx)tst-tlsgap-mod0.so \ ++ $(objpfx)tst-tlsgap-mod1.so \ ++ $(objpfx)tst-tlsgap-mod2.so ++ifeq (yes,$(have-mtls-dialect-gnu2)) ++CFLAGS-tst-tlsgap-mod0.c += -mtls-dialect=gnu2 ++CFLAGS-tst-tlsgap-mod1.c += -mtls-dialect=gnu2 ++CFLAGS-tst-tlsgap-mod2.c += -mtls-dialect=gnu2 ++endif +diff --git a/elf/tst-tlsgap-mod0.c b/elf/tst-tlsgap-mod0.c +new file mode 100644 +index 00000000..1478b0be +--- /dev/null ++++ b/elf/tst-tlsgap-mod0.c +@@ -0,0 +1,2 @@ ++int __thread tls0; ++int *f0(void) { return &tls0; } +diff --git a/elf/tst-tlsgap-mod1.c b/elf/tst-tlsgap-mod1.c +new file mode 100644 +index 00000000..b10fc370 +--- /dev/null ++++ b/elf/tst-tlsgap-mod1.c +@@ -0,0 +1,2 @@ ++int __thread tls1100; /* Size > glibc.rtld.optional_static_tls / 2. */ ++int *f1(void) { return tls1; } +diff --git a/elf/tst-tlsgap-mod2.c b/elf/tst-tlsgap-mod2.c +new file mode 100644 +index 00000000..166c27d7 +--- /dev/null ++++ b/elf/tst-tlsgap-mod2.c +@@ -0,0 +1,2 @@ ++int __thread tls2; ++int *f2(void) { return &tls2; } +diff --git a/elf/tst-tlsgap.c b/elf/tst-tlsgap.c +new file mode 100644 +index 00000000..49328850 +--- /dev/null ++++ b/elf/tst-tlsgap.c +@@ -0,0 +1,92 @@ ++/* TLS modid gap reuse regression test for bug 29039. ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <stdio.h> ++#include <dlfcn.h> ++#include <pthread.h> ++#include <support/xdlfcn.h> ++#include <support/xthread.h> ++#include <support/check.h> ++ ++static void *mod3; ++#define MOD(i) "tst-tlsgap-mod" #i ".so" ++static const char *modname3 = { MOD(0), MOD(1), MOD(2) }; ++#undef MOD ++ ++static void ++open_mod (int i) ++{ ++ modi = xdlopen (modnamei, RTLD_LAZY); ++ printf ("open %s\n", modnamei); ++} ++ ++static void ++close_mod (int i) ++{ ++ xdlclose (modi); ++ modi = NULL; ++ printf ("close %s\n", modnamei); ++} ++ ++static void ++access_mod (int i, const char *sym) ++{ ++ int *(*f) (void) = xdlsym (modi, sym); ++ int *p = f (); ++ printf ("access %s: %s() = %p\n", modnamei, sym, p); ++ TEST_VERIFY_EXIT (p != NULL); ++ ++*p; ++} ++ ++static void * ++start (void *arg) ++{ ++ /* The DTV generation is at the last dlopen of mod0 and the ++ entry for mod1 is NULL. */ ++ ++ open_mod (1); /* Reuse modid of mod1. Uses dynamic TLS. */ ++ ++ /* DTV is unchanged: dlopen only updates the DTV to the latest ++ generation if static TLS is allocated for a loaded module. ++ ++ With bug 29039, the TLSDESC relocation in mod1 uses the old ++ dlclose generation of mod1 instead of the new dlopen one so ++ DTV is not updated on TLS access. */ ++ ++ access_mod (1, "f1"); ++ ++ return arg; ++} ++ ++static int ++do_test (void) ++{ ++ open_mod (0); ++ open_mod (1); ++ open_mod (2); ++ close_mod (0); ++ close_mod (1); /* Create modid gap at mod1. */ ++ open_mod (0); /* Reuse modid of mod0, bump generation count. */
View file
_service:tar_scm:elf-Add-a-way-to-check-if-tunable-is-set-BZ-27069.patch
Added
@@ -0,0 +1,201 @@ +From a4c3f5f46e850c977cda81c251036475aab8313c Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Thu, 23 Nov 2023 14:29:14 -0300 +Subject: PATCH elf: Add a way to check if tunable is set (BZ 27069) + +The patch adds two new macros, TUNABLE_GET_DEFAULT and TUNABLE_IS_INITIALIZED, +here the former get the default value with a signature similar to +TUNABLE_GET, while the later returns whether the tunable was set by +the environment variable. + +Checked on x86_64-linux-gnu. +Reviewed-by: DJ Delorie <dj@redhat.com> +Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> + +Conflict: this adapt the context of scripts/gen-tunables.awk +--- + elf/Versions | 1 + + elf/dl-tunable-types.h | 1 + + elf/dl-tunables.c | 40 ++++++++++++++++++++++++++++++++++++++++ + elf/dl-tunables.h | 28 ++++++++++++++++++++++++++++ + elf/dl-tunables.list | 1 + + scripts/gen-tunables.awk | 4 ++-- + 6 files changed, 73 insertions(+), 2 deletions(-) + +diff --git a/elf/Versions b/elf/Versions +index 4614acea..1591031d 100644 +--- a/elf/Versions ++++ b/elf/Versions +@@ -77,6 +77,7 @@ ld { + _dl_signal_error; + + # Set value of a tunable. ++ __tunable_is_initialized; + __tunable_get_val; + } + } +diff --git a/elf/dl-tunable-types.h b/elf/dl-tunable-types.h +index c8833265..c41a3b3b 100644 +--- a/elf/dl-tunable-types.h ++++ b/elf/dl-tunable-types.h +@@ -61,6 +61,7 @@ struct _tunable + { + const char nameTUNABLE_NAME_MAX; /* Internal name of the tunable. */ + tunable_type_t type; /* Data type of the tunable. */ ++ const tunable_val_t def; /* The value. */ + tunable_val_t val; /* The value. */ + bool initialized; /* Flag to indicate that the tunable is + initialized. */ +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index cae67efa..79b4d542 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -145,6 +145,13 @@ tunable_initialize (tunable_t *cur, const char *strval) + do_tunable_update_val (cur, &val, NULL, NULL); + } + ++bool ++__tunable_is_initialized (tunable_id_t id) ++{ ++ return tunable_listid.initialized; ++} ++rtld_hidden_def (__tunable_is_initialized) ++ + void + __tunable_set_val (tunable_id_t id, tunable_val_t *valp, tunable_num_t *minp, + tunable_num_t *maxp) +@@ -388,6 +395,39 @@ __tunables_print (void) + } + } + ++void ++__tunable_get_default (tunable_id_t id, void *valp) ++{ ++ tunable_t *cur = &tunable_listid; ++ ++ switch (cur->type.type_code) ++ { ++ case TUNABLE_TYPE_UINT_64: ++ { ++ *((uint64_t *) valp) = (uint64_t) cur->def.numval; ++ break; ++ } ++ case TUNABLE_TYPE_INT_32: ++ { ++ *((int32_t *) valp) = (int32_t) cur->def.numval; ++ break; ++ } ++ case TUNABLE_TYPE_SIZE_T: ++ { ++ *((size_t *) valp) = (size_t) cur->def.numval; ++ break; ++ } ++ case TUNABLE_TYPE_STRING: ++ { ++ *((const char **)valp) = cur->def.strval; ++ break; ++ } ++ default: ++ __builtin_unreachable (); ++ } ++} ++rtld_hidden_def (__tunable_get_default) ++ + /* Set the tunable value. This is called by the module that the tunable exists + in. */ + void +diff --git a/elf/dl-tunables.h b/elf/dl-tunables.h +index 45c191e0..0df4dde2 100644 +--- a/elf/dl-tunables.h ++++ b/elf/dl-tunables.h +@@ -45,18 +45,26 @@ typedef void (*tunable_callback_t) (tunable_val_t *); + + extern void __tunables_init (char **); + extern void __tunables_print (void); ++extern bool __tunable_is_initialized (tunable_id_t); + extern void __tunable_get_val (tunable_id_t, void *, tunable_callback_t); + extern void __tunable_set_val (tunable_id_t, tunable_val_t *, tunable_num_t *, + tunable_num_t *); ++extern void __tunable_get_default (tunable_id_t id, void *valp); + rtld_hidden_proto (__tunables_init) + rtld_hidden_proto (__tunables_print) ++rtld_hidden_proto (__tunable_is_initialized) + rtld_hidden_proto (__tunable_get_val) + rtld_hidden_proto (__tunable_set_val) ++rtld_hidden_proto (__tunable_get_default) + + /* Define TUNABLE_GET and TUNABLE_SET in short form if TOP_NAMESPACE and + TUNABLE_NAMESPACE are defined. This is useful shorthand to get and set + tunables within a module. */ + #if defined TOP_NAMESPACE && defined TUNABLE_NAMESPACE ++# define TUNABLE_IS_INITIALIZED(__id) \ ++ TUNABLE_IS_INITIALIZED_FULL(TOP_NAMESPACE, TUNABLE_NAMESPACE, __id) ++# define TUNABLE_GET_DEFAULT(__id, __type) \ ++ TUNABLE_GET_DEFAULT_FULL(TOP_NAMESPACE, TUNABLE_NAMESPACE,__id, __type) + # define TUNABLE_GET(__id, __type, __cb) \ + TUNABLE_GET_FULL (TOP_NAMESPACE, TUNABLE_NAMESPACE, __id, __type, __cb) + # define TUNABLE_SET(__id, __val) \ +@@ -65,6 +73,10 @@ rtld_hidden_proto (__tunable_set_val) + TUNABLE_SET_WITH_BOUNDS_FULL (TOP_NAMESPACE, TUNABLE_NAMESPACE, __id, \ + __val, __min, __max) + #else ++# define TUNABLE_IS_INITIALIZED(__top, __ns, __id) \ ++ TUNABLE_IS_INITIALIZED_FULL(__top, __ns, __id) ++# define TUNABLE_GET_DEFAULT(__top, __ns, __type) \ ++ TUNABLE_GET_DEFAULT_FULL(__top, __ns, __id, __type) + # define TUNABLE_GET(__top, __ns, __id, __type, __cb) \ + TUNABLE_GET_FULL (__top, __ns, __id, __type, __cb) + # define TUNABLE_SET(__top, __ns, __id, __val) \ +@@ -73,6 +85,22 @@ rtld_hidden_proto (__tunable_set_val) + TUNABLE_SET_WITH_BOUNDS_FULL (__top, __ns, __id, __val, __min, __max) + #endif + ++/* Return whether the tunable was initialized by the environment variable. */ ++#define TUNABLE_IS_INITIALIZED_FULL(__top, __ns, __id) \ ++({ \ ++ tunable_id_t id = TUNABLE_ENUM_NAME (__top, __ns, __id); \ ++ __tunable_is_initialized (id); \ ++}) ++ ++/* Return the default value of the tunable. */ ++#define TUNABLE_GET_DEFAULT_FULL(__top, __ns, __id, __type) \ ++({ \ ++ tunable_id_t id = TUNABLE_ENUM_NAME (__top, __ns, __id); \ ++ __type __ret; \ ++ __tunable_get_default (id, &__ret); \ ++ __ret; \ ++}) ++ + /* Get and return a tunable value. If the tunable was set externally and __CB + is defined then call __CB before returning the value. */ + #define TUNABLE_GET_FULL(__top, __ns, __id, __type, __cb) \ +diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list +index 695ba719..5bb858b1 100644 +--- a/elf/dl-tunables.list ++++ b/elf/dl-tunables.list +@@ -20,6 +20,7 @@ + # type: Defaults to STRING + # minval: Optional minimum acceptable value + # maxval: Optional maximum acceptable value ++# default: Optional default value (if not specified it will be 0 or "") + # env_alias: An alias environment variable + # security_level: Specify security level of the tunable for AT_SECURE binaries. + # Valid values are: +diff --git a/scripts/gen-tunables.awk b/scripts/gen-tunables.awk +index d6de100d..9726b052 100644 +--- a/scripts/gen-tunables.awk ++++ b/scripts/gen-tunables.awk +@@ -177,8 +177,8 @@ END { + n = indices2; + m = indices3; + printf (" {TUNABLE_NAME_S(%s, %s, %s)", t, n, m) +- printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, false, TUNABLE_SECLEVEL_%s, %s},\n", +- typest,n,m, minvalst,n,m, maxvalst,n,m, ++ printf (", {TUNABLE_TYPE_%s, %s, %s}, {%s}, {%s}, false, TUNABLE_SECLEVEL_%s, %s},\n", ++ typest,n,m, minvalst,n,m, maxvalst,n,m, default_valt,n,m, + default_valt,n,m, security_levelt,n,m, env_aliast,n,m); + } + print "};" +--
View file
_service:tar_scm:elf-Fix-TLS-modid-reuse-generation-assignment-BZ-290.patch
Added
@@ -0,0 +1,53 @@ +From ccdc4cba07684fe1397e1f5f134a0a827af98c04 Mon Sep 17 00:00:00 2001 +From: Hector Martin <marcan@marcan.st> +Date: Tue, 28 Nov 2023 15:23:07 +0900 +Subject: PATCH 2/9 elf: Fix TLS modid reuse generation assignment (BZ 29039) + +_dl_assign_tls_modid() assigns a slotinfo entry for a new module, but +does *not* do anything to the generation counter. The first time this +happens, the generation is zero and map_generation() returns the current +generation to be used during relocation processing. However, if +a slotinfo entry is later reused, it will already have a generation +assigned. If this generation has fallen behind the current global max +generation, then this causes an obsolete generation to be assigned +during relocation processing, as map_generation() returns this +generation if nonzero. _dl_add_to_slotinfo() eventually resets the +generation, but by then it is too late. This causes DTV updates to be +skipped, leading to NULL or broken TLS slot pointers and segfaults. + +Fix this by resetting the generation to zero in _dl_assign_tls_modid(), +so it behaves the same as the first time a slot is assigned. +_dl_add_to_slotinfo() will still assign the correct static generation +later during module load, but relocation processing will no longer use +an obsolete generation. + +Note that slotinfo entry (aka modid) reuse typically happens after a +dlclose and only TLS access via dynamic tlsdesc is affected. Because +tlsdesc is optimized to use the optional part of static TLS, dynamic +tlsdesc can be avoided by increasing the glibc.rtld.optional_static_tls +tunable to a large enough value, or by LD_PRELOAD-ing the affected +modules. + +Fixes bug 29039. + +Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com> +(cherry picked from commit 3921c5b40f293c57cb326f58713c924b0662ef59) +--- + elf/dl-tls.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/elf/dl-tls.c b/elf/dl-tls.c +index 99b83ca696..1f6f820819 100644 +--- a/elf/dl-tls.c ++++ b/elf/dl-tls.c +@@ -154,6 +154,7 @@ _dl_assign_tls_modid (struct link_map *l) + { + /* Mark the entry as used, so any dependency see it. */ + atomic_store_relaxed (&runp->slotinforesult - disp.map, l); ++ atomic_store_relaxed (&runp->slotinforesult - disp.gen, 0); + break; + } + +-- +2.33.0 +
View file
_service:tar_scm:elf-Fix-wrong-break-removal-from-8ee878592c.patch
Added
@@ -0,0 +1,26 @@ +From bf5aa419cbf545d2cd09dc097e518033d6e4df5e Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Thu, 7 Dec 2023 11:17:35 -0300 +Subject: PATCH elf: Fix wrong break removal from 8ee878592c + +Reported-by: Alexander Monakov <amonakov@ispras.ru> +(cherry picked from commit 546a1ba664626603660b595662249d524e429013) +--- + elf/readelflib.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/elf/readelflib.c b/elf/readelflib.c +index f5b8c80e38..64f1d662a9 100644 +--- a/elf/readelflib.c ++++ b/elf/readelflib.c +@@ -107,6 +107,7 @@ process_elf_file (const char *file_name, const char *lib, int *flag, + case PT_INTERP: + program_interpreter = (char *) (file_contents + segment->p_offset); + check_ptr (program_interpreter); ++ break; + + case PT_GNU_PROPERTY: + /* The NT_GNU_PROPERTY_TYPE_0 note must be aligned to 4 bytes +-- +2.33.0 +
View file
_service:tar_scm:fix-Segmentation-fault-in-nss-module.patch
Added
@@ -0,0 +1,40 @@ +From f5b9e0f2a8ada29cebeb6e51cbcbea396375ab26 Mon Sep 17 00:00:00 2001 +From: huangyu <huangyu106@huawei.com> +Date: Wed, 7 Dec 2022 14:35:26 +0800 +Subject: PATCH fix Segmentation fault in nss module + +Signed-off-by: huangyu <huangyu106@huawei.com> +--- + nss/nss_module.c | 2 +- + nss/nsswitch.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nss/nss_module.c b/nss/nss_module.c +index b28cb94a..bb2807e9 100644 +--- a/nss/nss_module.c ++++ b/nss/nss_module.c +@@ -352,7 +352,7 @@ nss_load_all_libraries (enum nss_database service) + { + nss_action_list ni = NULL; + +- if (__nss_database_get (service, &ni)) ++ if (__nss_database_get (service, &ni) && ni != NULL) + while (ni->module != NULL) + { + __nss_module_load (ni->module); +diff --git a/nss/nsswitch.c b/nss/nsswitch.c +index 6b7d4c78..c9d7e372 100644 +--- a/nss/nsswitch.c ++++ b/nss/nsswitch.c +@@ -133,7 +133,7 @@ libc_hidden_def (__nss_next2) + void * + __nss_lookup_function (nss_action_list ni, const char *fct_name) + { +- if (ni->module == NULL) ++ if (ni == NULL || ni->module == NULL) + return NULL; + return __nss_module_get_function (ni->module, fct_name); + } +-- +2.33.0 +
View file
_service:tar_scm:fix_nss_database_check_reload_and_get_memleak.patch
Added
@@ -0,0 +1,38 @@ +From 66c23fa97a1bf8819051f1c358ae5eb38eeefae2 Mon Sep 17 00:00:00 2001 +From: huangyu <huangyu106@huawei.com> +Date: Tue, 6 Sep 2022 11:55:40 +0800 +Subject: PATCH huawei-fix_nss_database_check_reload_and_get_memleak.patch +The return nss_database_check_reload_adn_get (local, actions, db) does not check +whether the local value is empty before invoking the local interface. + +Signed-off-by: huangyu <huangyu106@huawei.com> +--- + nss/nss_database.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nss/nss_database.c b/nss/nss_database.c +index 54561f03..a503890a 100644 +--- a/nss/nss_database.c ++++ b/nss/nss_database.c +@@ -254,6 +254,8 @@ __nss_configure_lookup (const char *dbname, const char *service_line) + __nss_database_get (db, &result); + + local = nss_database_state_get (); ++ if (local == NULL) ++ return -1; + + result = __nss_action_parse (service_line); + if (result == NULL) +@@ -399,6 +401,9 @@ nss_database_check_reload_and_get (struct nss_database_state *local, + /* Acquire MO is needed because the thread that sets reload_disabled + may have loaded the configuration first, so synchronize with the + Release MO store there. */ ++ if (local == NULL) ++ return false; ++ + if (atomic_load_acquire (&local->data.reload_disabled)) + { + *result = local->data.servicesdatabase_index; +-- +2.33.0 +
View file
_service:tar_scm:getaddrinfo-translate-ENOMEM-to-EAI_MEMORY-bug-31163.patch
Added
@@ -0,0 +1,36 @@ +From ae1e5217021e43e1f2de443d26e87ea3adfb221c Mon Sep 17 00:00:00 2001 +From: Andreas Schwab <schwab@suse.de> +Date: Wed, 6 Dec 2023 14:48:22 +0100 +Subject: PATCH 8/9 getaddrinfo: translate ENOMEM to EAI_MEMORY (bug 31163) + +When __resolv_context_get returns NULL due to out of memory, translate it +to a return value of EAI_MEMORY. + +(cherry picked from commit 5eabdb6a6ac1599d23dd5966a37417215950245f) +--- + sysdeps/posix/getaddrinfo.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 13082305d3..da573bea24 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -616,7 +616,14 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + function variant. */ + res_ctx = __resolv_context_get (); + if (res_ctx == NULL) +- no_more = 1; ++ { ++ if (errno == ENOMEM) ++ { ++ result = -EAI_MEMORY; ++ goto out; ++ } ++ no_more = 1; ++ } + + while (!no_more) + { +-- +2.33.0 +
View file
_service:tar_scm:libio-Check-remaining-buffer-size-in-_IO_wdo_write-b.patch
Added
@@ -0,0 +1,48 @@ +From cfe121910013a46e2477562282c56ae8062089aa Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Tue, 2 Jan 2024 14:36:17 +0100 +Subject: PATCH 9/9 libio: Check remaining buffer size in _IO_wdo_write (bug + 31183) + +The multibyte character needs to fit into the remaining buffer space, +not the already-written buffer space. Without the fix, we were never +moving the write pointer from the start of the buffer, always using +the single-character fallback buffer. + +Fixes commit 04b76b5aa8b2d1d19066e42dd1 ("Don't error out writing +a multibyte character to an unbuffered stream (bug 17522)"). + +(cherry picked from commit ecc7c3deb9f347649c2078fcc0f94d4cedf92d60) +--- + NEWS | 1 + + libio/wfileops.c | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 905230b838..6768c2da6f 100644 +--- a/NEWS ++++ b/NEWS +@@ -43,6 +43,7 @@ The following bugs are resolved with this release: + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + 30843 potential use-after-free in getcanonname (CVE-2023-4806) ++ 31183 Wide stream buffer size reduced MB_LEN_MAX bytes after bug 17522 fix + 31184 FAIL: elf/tst-tlsgap + 31185 Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + +diff --git a/libio/wfileops.c b/libio/wfileops.c +index f16f6db1c3..9ab8f2e7f3 100644 +--- a/libio/wfileops.c ++++ b/libio/wfileops.c +@@ -55,7 +55,7 @@ _IO_wdo_write (FILE *fp, const wchar_t *data, size_t to_do) + char mb_bufMB_LEN_MAX; + char *write_base, *write_ptr, *buf_end; + +- if (fp->_IO_write_ptr - fp->_IO_write_base < sizeof (mb_buf)) ++ if (fp->_IO_buf_end - fp->_IO_write_ptr < sizeof (mb_buf)) + { + /* Make sure we have room for at least one multibyte + character. */ +-- +2.33.0 +
View file
_service:tar_scm:malloc-Improve-MAP_HUGETLB-with-glibc.malloc.hugetlb.patch
Added
@@ -0,0 +1,50 @@ +From bc6d79f4ae99206e7ec7d6a8c5abf26cdefc8bff Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella <adhemerval.zanella@linaro.org> +Date: Thu, 23 Nov 2023 14:29:15 -0300 +Subject: PATCH malloc: Improve MAP_HUGETLB with glibc.malloc.hugetlb=2 + +Even for explicit large page support, allocation might use mmap without +the hugepage bit set if the requested size is smaller than +mmap_threshold. For this case where mmap is issued, MAP_HUGETLB is set +iff the allocation size is larger than the used large page. + +To force such allocations to use large pages, also tune the mmap_threhold +(if it is not explicit set by a tunable). This forces allocation to +follow the sbrk path, which will fall back to mmap (which will try large +pages before galling back to default mmap). + +Checked on x86_64-linux-gnu. +Reviewed-by: DJ Delorie <dj@redhat.com> +Tested-by: Zhangfei Gao <zhangfei.gao@linaro.org> +--- + malloc/arena.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/malloc/arena.c b/malloc/arena.c +index a1a75e5a2b..c73f68890d 100644 +--- a/malloc/arena.c ++++ b/malloc/arena.c +@@ -312,10 +312,17 @@ ptmalloc_init (void) + # endif + TUNABLE_GET (mxfast, size_t, TUNABLE_CALLBACK (set_mxfast)); + TUNABLE_GET (hugetlb, size_t, TUNABLE_CALLBACK (set_hugetlb)); ++ + if (mp_.hp_pagesize > 0) +- /* Force mmap for main arena instead of sbrk, so hugepages are explicitly +- used. */ +- __always_fail_morecore = true; ++ { ++ /* Force mmap for main arena instead of sbrk, so MAP_HUGETLB is always ++ tried. Also tune the mmap threshold, so allocation smaller than the ++ large page will also try to use large pages by falling back ++ to sysmalloc_mmap_fallback on sysmalloc. */ ++ if (!TUNABLE_IS_INITIALIZED (mmap_threshold)) ++ do_set_mmap_threshold (mp_.hp_pagesize); ++ __always_fail_morecore = true; ++ } + } + + /* Managing heaps and arenas (for concurrent threads) */ +-- +2.27.0 +
View file
_service:tar_scm:reserve-relocation-information-for-sysboost.patch
Changed
@@ -1,6 +1,6 @@ -From 18e50f9a39cabaa22d650c027215f252f3001e88 Mon Sep 17 00:00:00 2001 -From: l00580197 <longwei27@huawei.com> -Date: Fri, 4 Aug 2023 21:55:19 +0800 +From b44dbe791e801b4ef40352849b83264e8ad9415b Mon Sep 17 00:00:00 2001 +From: lw <longwei27@huawei.com> +Date: Mon, 21 Aug 2023 15:28:09 +0800 Subject: PATCH reserve relocation information for sysboost ---
View file
_service:tar_scm:stdlib-Improve-tst-realpath-compatibility-with-sourc.patch
Added
@@ -0,0 +1,43 @@ +From d97cca1e5df812be0e4de1e38091f02bb1e7ec4e Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Tue, 1 Aug 2023 10:27:15 +0200 +Subject: PATCH stdlib: Improve tst-realpath compatibility with source + fortification + +On GCC before 11, IPA can make the fortified realpath aware that the +buffer size is not large enough (8 bytes instead of PATH_MAX bytes). +Fix this by using a buffer that is large enough. + +(cherry picked from commit 510fc20d73de12c85823d9996faac74666e9c2e7) +--- + stdlib/tst-realpath.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/stdlib/tst-realpath.c b/stdlib/tst-realpath.c +index f325c95a44..3694ecd8af 100644 +--- a/stdlib/tst-realpath.c ++++ b/stdlib/tst-realpath.c +@@ -24,6 +24,7 @@ + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + ++#include <limits.h> + #include <stdio.h> + #include <stdlib.h> + #include <malloc.h> +@@ -50,7 +51,11 @@ void dealloc (void *p) + + char* alloc (void) + { +- return (char *)malloc (8); ++#ifdef PATH_MAX ++ return (char *)malloc (PATH_MAX); ++#else ++ return (char *)malloc (4096); ++#endif + } + + static int +-- +2.33.0 +
View file
_service:tar_scm:sysdeps-sem_open-Clear-O_CREAT-when-semaphore-file-i.patch
Added
@@ -0,0 +1,105 @@ +From 63dbbc5c52f9823f86270f32fce20d1e91cdf484 Mon Sep 17 00:00:00 2001 +From: Sergio Durigan Junior <sergiodj@sergiodj.net> +Date: Wed, 1 Nov 2023 18:15:23 -0400 +Subject: PATCH sysdeps: sem_open: Clear O_CREAT when semaphore file is + expected to exist BZ #30789 + +When invoking sem_open with O_CREAT as one of its flags, we'll end up +in the second part of sem_open's "if ((oflag & O_CREAT) == 0 || (oflag +& O_EXCL) == 0)", which means that we don't expect the semaphore file +to exist. + +In that part, open_flags is initialized as "O_RDWR | O_CREAT | O_EXCL +| O_CLOEXEC" and there's an attempt to open(2) the file, which will +likely fail because it won't exist. After that first (expected) +failure, some cleanup is done and we go back to the label "try_again", +which lives in the first part of the aforementioned "if". + +The problem is that, in that part of the code, we expect the semaphore +file to exist, and as such O_CREAT (this time the flag we pass to +open(2)) needs to be cleaned from open_flags, otherwise we'll see +another failure (this time unexpected) when trying to open the file, +which will lead the call to sem_open to fail as well. + +This can cause very strange bugs, especially with OpenMPI, which makes +extensive use of semaphores. + +Fix the bug by simplifying the logic when choosing open(2) flags and +making sure O_CREAT is not set when the semaphore file is expected to +exist. + +A regression test for this issue would require a complex and cpu time +consuming logic, since to trigger the wrong code path is not +straightforward due the racy condition. There is a somewhat reliable +reproducer in the bug, but it requires using OpenMPI. + +This resolves BZ #30789. + +See also: https://bugs.launchpad.net/ubuntu/+source/h5py/+bug/2031912 + +Signed-off-by: Sergio Durigan Junior <sergiodj@sergiodj.net> +Co-Authored-By: Simon Chopin <simon.chopin@canonical.com> +Co-Authored-By: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org> +Fixes: 533deafbdf189f5fbb280c28562dd43ace2f4b0f ("Use O_CLOEXEC in more places (BZ #15722)") +(cherry picked from commit f957f47df75b9fab995754011491edebc6feb147) +--- + NEWS | 2 ++ + sysdeps/pthread/sem_open.c | 10 ++++------ + 2 files changed, 6 insertions(+), 6 deletions(-) + +diff --git a/NEWS b/NEWS +index f117874e34..5ac488bf9b 100644 +--- a/NEWS ++++ b/NEWS +@@ -32,6 +32,8 @@ Security related changes: + The following bugs are resolved with this release: + + 30723 posix_memalign repeatedly scans long bin lists ++ 30789 sem_open will fail on multithreaded scenarios when semaphore ++ file doesn't exist (O_CREAT) + 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) +diff --git a/sysdeps/pthread/sem_open.c b/sysdeps/pthread/sem_open.c +index e5db929d20..0e331a7445 100644 +--- a/sysdeps/pthread/sem_open.c ++++ b/sysdeps/pthread/sem_open.c +@@ -32,11 +32,12 @@ + # define __unlink unlink + #endif + ++#define SEM_OPEN_FLAGS (O_RDWR | O_NOFOLLOW | O_CLOEXEC) ++ + sem_t * + __sem_open (const char *name, int oflag, ...) + { + int fd; +- int open_flags; + sem_t *result; + + /* Check that shared futexes are supported. */ +@@ -65,10 +66,8 @@ __sem_open (const char *name, int oflag, ...) + /* If the semaphore object has to exist simply open it. */ + if ((oflag & O_CREAT) == 0 || (oflag & O_EXCL) == 0) + { +- open_flags = O_RDWR | O_NOFOLLOW | O_CLOEXEC; +- open_flags |= (oflag & ~(O_CREAT|O_ACCMODE)); + try_again: +- fd = __open (dirname.name, open_flags); ++ fd = __open (dirname.name, (oflag & O_EXCL) | SEM_OPEN_FLAGS); + + if (fd == -1) + { +@@ -135,8 +134,7 @@ __sem_open (const char *name, int oflag, ...) + } + + /* Open the file. Make sure we do not overwrite anything. */ +- open_flags = O_RDWR | O_CREAT | O_EXCL | O_CLOEXEC; +- fd = __open (tmpfname, open_flags, mode); ++ fd = __open (tmpfname, O_CREAT | O_EXCL | SEM_OPEN_FLAGS, mode); + if (fd == -1) + { + if (errno == EEXIST) +-- +2.33.0 +
View file
_service:tar_scm:x86-64-Fix-the-dtv-field-load-for-x32-BZ-31184.patch
Added
@@ -0,0 +1,68 @@ +From 35ea7549751d4f13a28c732e6ad68204f5e60a06 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Wed, 20 Dec 2023 16:31:43 -0800 +Subject: PATCH 4/9 x86-64: Fix the dtv field load for x32 BZ #31184 + +On x32, I got + +FAIL: elf/tst-tlsgap + +$ gdb elf/tst-tlsgap +... +open tst-tlsgap-mod1.so + +Thread 2 "tst-tlsgap" received signal SIGSEGV, Segmentation fault. +Switching to LWP 2268754 +_dl_tlsdesc_dynamic () at ../sysdeps/x86_64/dl-tlsdesc.S:108 +108 movq (%rsi), %rax +(gdb) p/x $rsi +$4 = 0xf7dbf9005655fb18 +(gdb) + +This is caused by + +_dl_tlsdesc_dynamic: + _CET_ENDBR + /* Preserve call-clobbered registers that we modify. + We need two scratch regs anyway. */ + movq %rsi, -16(%rsp) + movq %fs:DTV_OFFSET, %rsi + +Since the dtv field in TCB is a pointer, %fs:DTV_OFFSET is a 32-bit +location, not 64-bit. Load the dtv field to RSI_LP instead of rsi. +This fixes BZ #31184. + +(cherry picked from commit 3502440397bbb840e2f7223734aa5cc2cc0e29b6) +--- + NEWS | 1 + + sysdeps/x86_64/dl-tlsdesc.S | 2 +- + 2 files changed, 2 insertions(+), 1 deletion(-) + +diff --git a/NEWS b/NEWS +index 5ac488bf9b..71057e4793 100644 +--- a/NEWS ++++ b/NEWS +@@ -37,6 +37,7 @@ The following bugs are resolved with this release: + 30804 F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) ++ 31184 FAIL: elf/tst-tlsgap + +  + Version 2.38 +diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S +index 5593897e29..c4823547d7 100644 +--- a/sysdeps/x86_64/dl-tlsdesc.S ++++ b/sysdeps/x86_64/dl-tlsdesc.S +@@ -102,7 +102,7 @@ _dl_tlsdesc_dynamic: + /* Preserve call-clobbered registers that we modify. + We need two scratch regs anyway. */ + movq %rsi, -16(%rsp) +- movq %fs:DTV_OFFSET, %rsi ++ mov %fs:DTV_OFFSET, %RSI_LP + movq %rdi, -8(%rsp) + movq TLSDESC_ARG(%rax), %rdi + movq (%rsi), %rax +-- +2.33.0 +
View file
_service:tar_scm:x86-64-Fix-the-tcb-field-load-for-x32-BZ-31185.patch
Added
@@ -0,0 +1,69 @@ +From 968c983d43bc51f719f3e7a0fcb1bb8669b5f7c4 Mon Sep 17 00:00:00 2001 +From: "H.J. Lu" <hjl.tools@gmail.com> +Date: Wed, 20 Dec 2023 19:42:12 -0800 +Subject: PATCH 5/9 x86-64: Fix the tcb field load for x32 BZ #31185 + +_dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic access the thread pointer +via the tcb field in TCB: + +_dl_tlsdesc_undefweak: + _CET_ENDBR + movq 8(%rax), %rax + subq %fs:0, %rax + ret + +_dl_tlsdesc_dynamic: + ... + subq %fs:0, %rax + movq -8(%rsp), %rdi + ret + +Since the tcb field in TCB is a pointer, %fs:0 is a 32-bit location, +not 64-bit. It should use "sub %fs:0, %RAX_LP" instead. Since +_dl_tlsdesc_undefweak returns ptrdiff_t and _dl_make_tlsdesc_dynamic +returns void *, RAX_LP is appropriate here for x32 and x86-64. This +fixes BZ #31185. + +(cherry picked from commit 81be2a61dafc168327c1639e97b6dae128c7ccf3) +--- + NEWS | 1 + + sysdeps/x86_64/dl-tlsdesc.S | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/NEWS b/NEWS +index 71057e4793..6fbb8a9e1d 100644 +--- a/NEWS ++++ b/NEWS +@@ -38,6 +38,7 @@ The following bugs are resolved with this release: + -D_FILE_OFFSET_BITS=64 + 30842 Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) + 31184 FAIL: elf/tst-tlsgap ++ 31185 Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + +  + Version 2.38 +diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S +index c4823547d7..4579424bf7 100644 +--- a/sysdeps/x86_64/dl-tlsdesc.S ++++ b/sysdeps/x86_64/dl-tlsdesc.S +@@ -61,7 +61,7 @@ _dl_tlsdesc_return: + _dl_tlsdesc_undefweak: + _CET_ENDBR + movq 8(%rax), %rax +- subq %fs:0, %rax ++ sub %fs:0, %RAX_LP + ret + cfi_endproc + .size _dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak +@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic: + addq TLSDESC_MODOFF(%rdi), %rax + .Lret: + movq -16(%rsp), %rsi +- subq %fs:0, %rax ++ sub %fs:0, %RAX_LP + movq -8(%rsp), %rdi + ret + .Lslow: +-- +2.33.0 +
View file
_service
Changed
@@ -2,7 +2,7 @@ <service name="tar_scm"> <param name="url">git@gitee.com:src-openeuler/glibc.git</param> <param name="scm">git</param> - <param name="revision">openEuler-23.09</param> + <param name="revision">master</param> <param name="exclude">*</param> <param name="extract">*</param> </service>
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2