Sync from SUSE:SLFO:Main glibc revision f1fe7036d0084a444082707a0f45168e
This commit is contained in:
parent
3af50a3968
commit
212e12e8ba
@ -0,0 +1,37 @@
|
||||
From 87801a8fd06db1d654eea3e4f7626ff476a9bdaa Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 15:00:45 +0200
|
||||
Subject: [PATCH 1/4] CVE-2024-33599: nscd: Stack-based buffer overflow in
|
||||
netgroup cache (bug 31677)
|
||||
|
||||
Using alloca matches what other caches do. The request length is
|
||||
bounded by MAXKEYLEN.
|
||||
|
||||
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
||||
---
|
||||
nscd/netgroupcache.c | 5 +++--
|
||||
1 file changed, 3 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
||||
index 0c6e46f15c..f227dc7fa2 100644
|
||||
--- a/nscd/netgroupcache.c
|
||||
+++ b/nscd/netgroupcache.c
|
||||
@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
= (struct indataset *) mempool_alloc (db,
|
||||
sizeof (*dataset) + req->key_len,
|
||||
1);
|
||||
- struct indataset dataset_mem;
|
||||
bool cacheable = true;
|
||||
if (__glibc_unlikely (dataset == NULL))
|
||||
{
|
||||
cacheable = false;
|
||||
- dataset = &dataset_mem;
|
||||
+ /* The alloca is safe because nscd_run_worker verfies that
|
||||
+ key_len is not larger than MAXKEYLEN. */
|
||||
+ dataset = alloca (sizeof (*dataset) + req->key_len);
|
||||
}
|
||||
|
||||
datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
|
||||
--
|
||||
2.35.3
|
||||
|
@ -0,0 +1,59 @@
|
||||
From b048a482f088e53144d26a61c390bed0210f49f2 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 15:01:07 +0200
|
||||
Subject: [PATCH 3/4] CVE-2024-33600: nscd: Avoid null pointer crashes after
|
||||
notfound response (bug 31678)
|
||||
|
||||
The addgetnetgrentX call in addinnetgrX may have failed to produce
|
||||
a result, so the result variable in addinnetgrX can be NULL.
|
||||
Use db->negtimeout as the fallback value if there is no result data;
|
||||
the timeout is also overwritten below.
|
||||
|
||||
Also avoid sending a second not-found response. (The client
|
||||
disconnects after receiving the first response, so the data stream did
|
||||
not go out of sync even without this fix.) It is still beneficial to
|
||||
add the negative response to the mapping, so that the client can get
|
||||
it from there in the future, instead of going through the socket.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
---
|
||||
nscd/netgroupcache.c | 11 +++++++----
|
||||
1 file changed, 7 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
||||
index c18fe111f3..e22ffa5884 100644
|
||||
--- a/nscd/netgroupcache.c
|
||||
+++ b/nscd/netgroupcache.c
|
||||
@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
|
||||
datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
|
||||
sizeof (innetgroup_response_header),
|
||||
- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
|
||||
+ he == NULL ? 0 : dh->nreloads + 1,
|
||||
+ result == NULL ? db->negtimeout : result->head.ttl);
|
||||
/* Set the notfound status and timeout based on the result from
|
||||
getnetgrent. */
|
||||
- dataset->head.notfound = result->head.notfound;
|
||||
+ dataset->head.notfound = result == NULL || result->head.notfound;
|
||||
dataset->head.timeout = timeout;
|
||||
|
||||
dataset->resp.version = NSCD_VERSION;
|
||||
- dataset->resp.found = result->resp.found;
|
||||
+ dataset->resp.found = result != NULL && result->resp.found;
|
||||
/* Until we find a matching entry the result is 0. */
|
||||
dataset->resp.result = 0;
|
||||
|
||||
@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
goto out;
|
||||
}
|
||||
|
||||
- if (he == NULL)
|
||||
+ /* addgetnetgrentX may have already sent a notfound response. Do
|
||||
+ not send another one. */
|
||||
+ if (he == NULL && dataset->resp.found)
|
||||
{
|
||||
/* We write the dataset before inserting it to the database
|
||||
since while inserting this thread might block and so would
|
||||
--
|
||||
2.35.3
|
||||
|
@ -0,0 +1,58 @@
|
||||
From 7835b00dbce53c3c87bbbb1754a95fb5e58187aa Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 15:01:07 +0200
|
||||
Subject: [PATCH 2/4] CVE-2024-33600: nscd: Do not send missing not-found
|
||||
response in addgetnetgrentX (bug 31678)
|
||||
|
||||
If we failed to add a not-found response to the cache, the dataset
|
||||
point can be null, resulting in a null pointer dereference.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
---
|
||||
nscd/netgroupcache.c | 14 ++++++--------
|
||||
1 file changed, 6 insertions(+), 8 deletions(-)
|
||||
|
||||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
||||
index f227dc7fa2..c18fe111f3 100644
|
||||
--- a/nscd/netgroupcache.c
|
||||
+++ b/nscd/netgroupcache.c
|
||||
@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
/* No such service. */
|
||||
cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
|
||||
&key_copy);
|
||||
- goto writeout;
|
||||
+ goto maybe_cache_add;
|
||||
}
|
||||
|
||||
memset (&data, '\0', sizeof (data));
|
||||
@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
{
|
||||
cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
|
||||
&key_copy);
|
||||
- goto writeout;
|
||||
+ goto maybe_cache_add;
|
||||
}
|
||||
|
||||
total = buffilled;
|
||||
@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
}
|
||||
|
||||
if (he == NULL && fd != -1)
|
||||
- {
|
||||
- /* We write the dataset before inserting it to the database
|
||||
- since while inserting this thread might block and so would
|
||||
- unnecessarily let the receiver wait. */
|
||||
- writeout:
|
||||
+ /* We write the dataset before inserting it to the database since
|
||||
+ while inserting this thread might block and so would
|
||||
+ unnecessarily let the receiver wait. */
|
||||
writeall (fd, &dataset->resp, dataset->head.recsize);
|
||||
- }
|
||||
|
||||
+ maybe_cache_add:
|
||||
if (cacheable)
|
||||
{
|
||||
/* If necessary, we also propagate the data to disk. */
|
||||
--
|
||||
2.35.3
|
||||
|
389
glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch
Normal file
389
glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch
Normal file
@ -0,0 +1,389 @@
|
||||
From c04a21e050d64a1193a6daab872bca2528bda44b Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 25 Apr 2024 15:01:07 +0200
|
||||
Subject: [PATCH 4/4] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two
|
||||
buffers in addgetnetgrentX (bug 31680)
|
||||
|
||||
This avoids potential memory corruption when the underlying NSS
|
||||
callback function does not use the buffer space to store all strings
|
||||
(e.g., for constant strings).
|
||||
|
||||
Instead of custom buffer management, two scratch buffers are used.
|
||||
This increases stack usage somewhat.
|
||||
|
||||
Scratch buffer allocation failure is handled by return -1
|
||||
(an invalid timeout value) instead of terminating the process.
|
||||
This fixes bug 31679.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
---
|
||||
nscd/netgroupcache.c | 219 ++++++++++++++++++++++++-------------------
|
||||
1 file changed, 121 insertions(+), 98 deletions(-)
|
||||
|
||||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
||||
index e22ffa5884..e8fe041846 100644
|
||||
--- a/nscd/netgroupcache.c
|
||||
+++ b/nscd/netgroupcache.c
|
||||
@@ -23,6 +23,7 @@
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
#include <sys/mman.h>
|
||||
+#include <scratch_buffer.h>
|
||||
|
||||
#include "../inet/netgroup.h"
|
||||
#include "nscd.h"
|
||||
@@ -65,6 +66,16 @@ struct dataset
|
||||
char strdata[0];
|
||||
};
|
||||
|
||||
+/* Send a notfound response to FD. Always returns -1 to indicate an
|
||||
+ ephemeral error. */
|
||||
+static time_t
|
||||
+send_notfound (int fd)
|
||||
+{
|
||||
+ if (fd != -1)
|
||||
+ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL));
|
||||
+ return -1;
|
||||
+}
|
||||
+
|
||||
/* Sends a notfound message and prepares a notfound dataset to write to the
|
||||
cache. Returns true if there was enough memory to allocate the dataset and
|
||||
returns the dataset in DATASETP, total bytes to write in TOTALP and the
|
||||
@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
|
||||
total = sizeof (notfound);
|
||||
timeout = time (NULL) + db->negtimeout;
|
||||
|
||||
- if (fd != -1)
|
||||
- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL));
|
||||
+ send_notfound (fd);
|
||||
|
||||
dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1);
|
||||
/* If we cannot permanently store the result, so be it. */
|
||||
@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
|
||||
return cacheable;
|
||||
}
|
||||
|
||||
+struct addgetnetgrentX_scratch
|
||||
+{
|
||||
+ /* This is the result that the caller should use. It can be NULL,
|
||||
+ point into buffer, or it can be in the cache. */
|
||||
+ struct dataset *dataset;
|
||||
+
|
||||
+ struct scratch_buffer buffer;
|
||||
+
|
||||
+ /* Used internally in addgetnetgrentX as a staging area. */
|
||||
+ struct scratch_buffer tmp;
|
||||
+
|
||||
+ /* Number of bytes in buffer that are actually used. */
|
||||
+ size_t buffer_used;
|
||||
+};
|
||||
+
|
||||
+static void
|
||||
+addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch)
|
||||
+{
|
||||
+ scratch->dataset = NULL;
|
||||
+ scratch_buffer_init (&scratch->buffer);
|
||||
+ scratch_buffer_init (&scratch->tmp);
|
||||
+
|
||||
+ /* Reserve space for the header. */
|
||||
+ scratch->buffer_used = sizeof (struct dataset);
|
||||
+ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space),
|
||||
+ "initial buffer space");
|
||||
+ memset (scratch->tmp.data, 0, sizeof (struct dataset));
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch)
|
||||
+{
|
||||
+ scratch_buffer_free (&scratch->buffer);
|
||||
+ scratch_buffer_free (&scratch->tmp);
|
||||
+}
|
||||
+
|
||||
+/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH
|
||||
+ could not be resized, otherwise a pointer to the copy. */
|
||||
+static char *
|
||||
+addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch,
|
||||
+ const char *s, size_t length)
|
||||
+{
|
||||
+ while (true)
|
||||
+ {
|
||||
+ size_t remaining = scratch->buffer.length - scratch->buffer_used;
|
||||
+ if (remaining >= length)
|
||||
+ break;
|
||||
+ if (!scratch_buffer_grow_preserve (&scratch->buffer))
|
||||
+ return NULL;
|
||||
+ }
|
||||
+ char *copy = scratch->buffer.data + scratch->buffer_used;
|
||||
+ memcpy (copy, s, length);
|
||||
+ scratch->buffer_used += length;
|
||||
+ return copy;
|
||||
+}
|
||||
+
|
||||
+/* Copy S into SCRATCH, including its null terminator. Returns false
|
||||
+ if SCRATCH could not be resized. */
|
||||
+static bool
|
||||
+addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s)
|
||||
+{
|
||||
+ if (s == NULL)
|
||||
+ s = "";
|
||||
+ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL;
|
||||
+}
|
||||
+
|
||||
+/* Caller must initialize and free *SCRATCH. If the return value is
|
||||
+ negative, this function has sent a notfound response. */
|
||||
static time_t
|
||||
addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
const char *key, uid_t uid, struct hashentry *he,
|
||||
- struct datahead *dh, struct dataset **resultp,
|
||||
- void **tofreep)
|
||||
+ struct datahead *dh, struct addgetnetgrentX_scratch *scratch)
|
||||
{
|
||||
if (__glibc_unlikely (debug_level > 0))
|
||||
{
|
||||
@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
|
||||
char *key_copy = NULL;
|
||||
struct __netgrent data;
|
||||
- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len);
|
||||
- size_t buffilled = sizeof (*dataset);
|
||||
- char *buffer = NULL;
|
||||
size_t nentries = 0;
|
||||
size_t group_len = strlen (key) + 1;
|
||||
struct name_list *first_needed
|
||||
= alloca (sizeof (struct name_list) + group_len);
|
||||
- *tofreep = NULL;
|
||||
|
||||
if (netgroup_database == NULL
|
||||
&& !__nss_database_get (nss_database_netgroup, &netgroup_database))
|
||||
@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
}
|
||||
|
||||
memset (&data, '\0', sizeof (data));
|
||||
- buffer = xmalloc (buflen);
|
||||
- *tofreep = buffer;
|
||||
first_needed->next = first_needed;
|
||||
memcpy (first_needed->name, key, group_len);
|
||||
data.needed_groups = first_needed;
|
||||
@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
while (1)
|
||||
{
|
||||
int e;
|
||||
- status = getfct.f (&data, buffer + buffilled,
|
||||
- buflen - buffilled - req->key_len, &e);
|
||||
+ status = getfct.f (&data, scratch->tmp.data,
|
||||
+ scratch->tmp.length, &e);
|
||||
if (status == NSS_STATUS_SUCCESS)
|
||||
{
|
||||
if (data.type == triple_val)
|
||||
@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
const char *nhost = data.val.triple.host;
|
||||
const char *nuser = data.val.triple.user;
|
||||
const char *ndomain = data.val.triple.domain;
|
||||
-
|
||||
- size_t hostlen = strlen (nhost ?: "") + 1;
|
||||
- size_t userlen = strlen (nuser ?: "") + 1;
|
||||
- size_t domainlen = strlen (ndomain ?: "") + 1;
|
||||
-
|
||||
- if (nhost == NULL || nuser == NULL || ndomain == NULL
|
||||
- || nhost > nuser || nuser > ndomain)
|
||||
- {
|
||||
- const char *last = nhost;
|
||||
- if (last == NULL
|
||||
- || (nuser != NULL && nuser > last))
|
||||
- last = nuser;
|
||||
- if (last == NULL
|
||||
- || (ndomain != NULL && ndomain > last))
|
||||
- last = ndomain;
|
||||
-
|
||||
- size_t bufused
|
||||
- = (last == NULL
|
||||
- ? buffilled
|
||||
- : last + strlen (last) + 1 - buffer);
|
||||
-
|
||||
- /* We have to make temporary copies. */
|
||||
- size_t needed = hostlen + userlen + domainlen;
|
||||
-
|
||||
- if (buflen - req->key_len - bufused < needed)
|
||||
- {
|
||||
- buflen += MAX (buflen, 2 * needed);
|
||||
- /* Save offset in the old buffer. We don't
|
||||
- bother with the NULL check here since
|
||||
- we'll do that later anyway. */
|
||||
- size_t nhostdiff = nhost - buffer;
|
||||
- size_t nuserdiff = nuser - buffer;
|
||||
- size_t ndomaindiff = ndomain - buffer;
|
||||
-
|
||||
- char *newbuf = xrealloc (buffer, buflen);
|
||||
- /* Fix up the triplet pointers into the new
|
||||
- buffer. */
|
||||
- nhost = (nhost ? newbuf + nhostdiff
|
||||
- : NULL);
|
||||
- nuser = (nuser ? newbuf + nuserdiff
|
||||
- : NULL);
|
||||
- ndomain = (ndomain ? newbuf + ndomaindiff
|
||||
- : NULL);
|
||||
- *tofreep = buffer = newbuf;
|
||||
- }
|
||||
-
|
||||
- nhost = memcpy (buffer + bufused,
|
||||
- nhost ?: "", hostlen);
|
||||
- nuser = memcpy ((char *) nhost + hostlen,
|
||||
- nuser ?: "", userlen);
|
||||
- ndomain = memcpy ((char *) nuser + userlen,
|
||||
- ndomain ?: "", domainlen);
|
||||
- }
|
||||
-
|
||||
- char *wp = buffer + buffilled;
|
||||
- wp = memmove (wp, nhost ?: "", hostlen);
|
||||
- wp += hostlen;
|
||||
- wp = memmove (wp, nuser ?: "", userlen);
|
||||
- wp += userlen;
|
||||
- wp = memmove (wp, ndomain ?: "", domainlen);
|
||||
- wp += domainlen;
|
||||
- buffilled = wp - buffer;
|
||||
+ if (!(addgetnetgrentX_append (scratch, nhost)
|
||||
+ && addgetnetgrentX_append (scratch, nuser)
|
||||
+ && addgetnetgrentX_append (scratch, ndomain)))
|
||||
+ return send_notfound (fd);
|
||||
++nentries;
|
||||
}
|
||||
else
|
||||
@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
}
|
||||
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
|
||||
{
|
||||
- buflen *= 2;
|
||||
- *tofreep = buffer = xrealloc (buffer, buflen);
|
||||
+ if (!scratch_buffer_grow (&scratch->tmp))
|
||||
+ return send_notfound (fd);
|
||||
}
|
||||
else if (status == NSS_STATUS_RETURN
|
||||
|| status == NSS_STATUS_NOTFOUND
|
||||
@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
goto maybe_cache_add;
|
||||
}
|
||||
|
||||
- total = buffilled;
|
||||
+ /* Capture the result size without the key appended. */
|
||||
+ total = scratch->buffer_used;
|
||||
+
|
||||
+ /* Make a copy of the key. The scratch buffer must not move after
|
||||
+ this point. */
|
||||
+ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len);
|
||||
+ if (key_copy == NULL)
|
||||
+ return send_notfound (fd);
|
||||
|
||||
/* Fill in the dataset. */
|
||||
- dataset = (struct dataset *) buffer;
|
||||
+ dataset = scratch->buffer.data;
|
||||
timeout = datahead_init_pos (&dataset->head, total + req->key_len,
|
||||
total - offsetof (struct dataset, resp),
|
||||
he == NULL ? 0 : dh->nreloads + 1,
|
||||
@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
dataset->resp.version = NSCD_VERSION;
|
||||
dataset->resp.found = 1;
|
||||
dataset->resp.nresults = nentries;
|
||||
- dataset->resp.result_len = buffilled - sizeof (*dataset);
|
||||
-
|
||||
- assert (buflen - buffilled >= req->key_len);
|
||||
- key_copy = memcpy (buffer + buffilled, key, req->key_len);
|
||||
- buffilled += req->key_len;
|
||||
+ dataset->resp.result_len = total - sizeof (*dataset);
|
||||
|
||||
/* Now we can determine whether on refill we have to create a new
|
||||
record or not. */
|
||||
@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
if (__glibc_likely (newp != NULL))
|
||||
{
|
||||
/* Adjust pointer into the memory block. */
|
||||
- key_copy = (char *) newp + (key_copy - buffer);
|
||||
+ key_copy = (char *) newp + (key_copy - (char *) dataset);
|
||||
|
||||
dataset = memcpy (newp, dataset, total + req->key_len);
|
||||
cacheable = true;
|
||||
@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
|
||||
}
|
||||
|
||||
out:
|
||||
- *resultp = dataset;
|
||||
+ scratch->dataset = dataset;
|
||||
|
||||
return timeout;
|
||||
}
|
||||
@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
if (user != NULL)
|
||||
key = strchr (key, '\0') + 1;
|
||||
const char *domain = *key++ ? key : NULL;
|
||||
+ struct addgetnetgrentX_scratch scratch;
|
||||
+
|
||||
+ addgetnetgrentX_scratch_init (&scratch);
|
||||
|
||||
if (__glibc_unlikely (debug_level > 0))
|
||||
{
|
||||
@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
group, group_len,
|
||||
db, uid);
|
||||
time_t timeout;
|
||||
- void *tofree;
|
||||
if (result != NULL)
|
||||
- {
|
||||
- timeout = result->head.timeout;
|
||||
- tofree = NULL;
|
||||
- }
|
||||
+ timeout = result->head.timeout;
|
||||
else
|
||||
{
|
||||
request_header req_get =
|
||||
@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
.key_len = group_len
|
||||
};
|
||||
timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL,
|
||||
- &result, &tofree);
|
||||
+ &scratch);
|
||||
+ result = scratch.dataset;
|
||||
+ if (timeout < 0)
|
||||
+ goto out;
|
||||
}
|
||||
|
||||
struct indataset
|
||||
@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
|
||||
}
|
||||
|
||||
out:
|
||||
- free (tofree);
|
||||
+ addgetnetgrentX_scratch_free (&scratch);
|
||||
return timeout;
|
||||
}
|
||||
|
||||
@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req,
|
||||
const char *key, uid_t uid, struct hashentry *he,
|
||||
struct datahead *dh)
|
||||
{
|
||||
- struct dataset *ignore;
|
||||
- void *tofree;
|
||||
- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh,
|
||||
- &ignore, &tofree);
|
||||
- free (tofree);
|
||||
+ struct addgetnetgrentX_scratch scratch;
|
||||
+ addgetnetgrentX_scratch_init (&scratch);
|
||||
+ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch);
|
||||
+ addgetnetgrentX_scratch_free (&scratch);
|
||||
+ if (timeout < 0)
|
||||
+ timeout = 0;
|
||||
return timeout;
|
||||
}
|
||||
|
||||
@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
|
||||
.key_len = he->len
|
||||
};
|
||||
|
||||
- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh);
|
||||
+ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
|
||||
+ he, dh);
|
||||
+ if (timeout < 0)
|
||||
+ timeout = 0;
|
||||
+ return timeout;
|
||||
}
|
||||
--
|
||||
2.35.3
|
||||
|
@ -1,3 +1,39 @@
|
||||
-------------------------------------------------------------------
|
||||
Tue May 7 10:32:54 UTC 2024 - Andreas Schwab <schwab@suse.de>
|
||||
|
||||
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
|
||||
addgetnetgrentX (CVE-2024-33602, bsc#1223425)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 1 23:50:51 UTC 2024 - Giuliano Belinassi <giuliano.belinassi@suse.com>
|
||||
|
||||
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
|
||||
nscd: Stack-based buffer overflow in netgroup cache
|
||||
(CVE-2024-33599, bsc#1223423, BZ #31677)
|
||||
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
|
||||
nscd: Avoid null pointer crashes after notfound response
|
||||
(CVE-2024-33600, bsc#1223424, BZ #31678)
|
||||
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
|
||||
nscd: Do not send missing not-found response in addgetnetgrentX
|
||||
(CVE-2024-33600, bsc#1223424, BZ #31678)
|
||||
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
|
||||
netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
|
||||
CVE-2024-33602, bsc#1223425, BZ #31680)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Apr 18 08:22:48 UTC 2024 - Andreas Schwab <schwab@suse.de>
|
||||
|
||||
- iconv-iso-2022-cn-ext.patch: iconv: ISO-2022-CN-EXT: fix out-of-bound
|
||||
writes when writing escape sequence (CVE-2024-2961, bsc#1222992)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Mar 21 13:22:51 UTC 2024 - Andreas Schwab <schwab@suse.de>
|
||||
|
||||
- malloc-arena-get2.patch: malloc: Use __get_nprocs on arena_get2 (BZ
|
||||
#30945)
|
||||
- sched-getcpu-rseq-area.patch: linux: Use rseq area unconditionally in
|
||||
sched_getcpu (BZ #31479)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Mar 11 10:06:42 UTC 2024 - Andreas Schwab <schwab@suse.de>
|
||||
|
||||
|
54
glibc.spec
54
glibc.spec
@ -343,6 +343,22 @@ Patch1022: qsort-invalid-cmp.patch
|
||||
Patch1023: s390-clone-error-clobber-r7.patch
|
||||
# PATCH-FIX-UPSTREAM duplocale: protect use of global locale (BZ #23970)
|
||||
Patch1024: duplocale-global-locale.patch
|
||||
# PATCH-FIX-UPSTREAM malloc: Use __get_nprocs on arena_get2 (BZ #30945)
|
||||
Patch1025: malloc-arena-get2.patch
|
||||
# PATCH-FIX-UPSTREAM linux: Use rseq area unconditionally in sched_getcpu (BZ #31479)
|
||||
Patch1026: sched-getcpu-rseq-area.patch
|
||||
# PATCH-FIX-UPSTREAM iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
|
||||
Patch1027: iconv-iso-2022-cn-ext.patch
|
||||
# PATCH-FIX-UPSTREAM nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, BZ #31677)
|
||||
Patch1028: glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
|
||||
# PATCH-FIX-UPSTREAM nscd: Do not send missing not found response in addgetnetgrentX (CVE-2024-33600, BZ #31678)
|
||||
Patch1029: glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch
|
||||
# PATCH-FIX-UPSTREAM nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, BZ #31678)
|
||||
Patch1030: glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch
|
||||
# PATCH-FIX-UPSTREAM nscd netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, BZ #31680)
|
||||
Patch1031: glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch
|
||||
# PATCH-FIX-UPSTREAM nscd: Use time_t for return type of addgetnetgrentX (CVE-2024-33602)
|
||||
Patch1032: nscd-netgroup-cache-timeout.patch
|
||||
|
||||
###
|
||||
# Patches awaiting upstream approval
|
||||
@ -750,6 +766,44 @@ echo 'CFLAGS-.os += -fdump-ipa-clones' \
|
||||
%endif
|
||||
|
||||
make %{?_smp_mflags} %{?make_output_sync}
|
||||
|
||||
%ifarch x86_64
|
||||
%if %{build_main} && 0%{?sle_version}
|
||||
# Horrible workaround for bsc#1221482
|
||||
gcc -O2 -xc - -c -o stat.oS <<\EOF
|
||||
#define _STAT_VER 1
|
||||
int __xstat (int, const char *, void *);
|
||||
|
||||
int
|
||||
stat (const char *file, void *buf)
|
||||
{
|
||||
return __xstat (_STAT_VER, file, buf);
|
||||
}
|
||||
EOF
|
||||
gcc -O2 -xc - -c -o fstat.oS <<\EOF
|
||||
#define _STAT_VER 1
|
||||
int __fxstat (int, int, void *);
|
||||
|
||||
int
|
||||
fstat (int fd, void *buf)
|
||||
{
|
||||
return __fxstat (_STAT_VER, fd, buf);
|
||||
}
|
||||
EOF
|
||||
gcc -O2 -xc - -c -o lstat.oS <<\EOF
|
||||
#define _STAT_VER 1
|
||||
int __lxstat (int, const char *, void *);
|
||||
|
||||
int
|
||||
lstat (const char *file, void *buf)
|
||||
{
|
||||
return __lxstat (_STAT_VER, file, buf);
|
||||
}
|
||||
EOF
|
||||
ar r libc_nonshared.a stat.oS fstat.oS lstat.oS
|
||||
%endif
|
||||
%endif
|
||||
|
||||
cd ..
|
||||
|
||||
#
|
||||
|
216
iconv-iso-2022-cn-ext.patch
Normal file
216
iconv-iso-2022-cn-ext.patch
Normal file
@ -0,0 +1,216 @@
|
||||
From e1135387deded5d73924f6ca20c72a35dc8e1bda Mon Sep 17 00:00:00 2001
|
||||
From: Charles Fol <folcharles@gmail.com>
|
||||
Date: Thu, 28 Mar 2024 12:25:38 -0300
|
||||
Subject: [PATCH] iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing
|
||||
escape sequence (CVE-2024-2961)
|
||||
|
||||
ISO-2022-CN-EXT uses escape sequences to indicate character set changes
|
||||
(as specified by RFC 1922). While the SOdesignation has the expected
|
||||
bounds checks, neither SS2designation nor SS3designation have its;
|
||||
allowing a write overflow of 1, 2, or 3 bytes with fixed values:
|
||||
'$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'.
|
||||
|
||||
Checked on aarch64-linux-gnu.
|
||||
|
||||
Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
||||
Tested-by: Carlos O'Donell <carlos@redhat.com>
|
||||
|
||||
(cherry picked from commit f9dc609e06b1136bb0408be9605ce7973a767ada)
|
||||
---
|
||||
iconvdata/Makefile | 5 +-
|
||||
iconvdata/iso-2022-cn-ext.c | 12 +++
|
||||
iconvdata/tst-iconv-iso-2022-cn-ext.c | 128 ++++++++++++++++++++++++++
|
||||
3 files changed, 144 insertions(+), 1 deletion(-)
|
||||
create mode 100644 iconvdata/tst-iconv-iso-2022-cn-ext.c
|
||||
|
||||
diff --git a/iconvdata/Makefile b/iconvdata/Makefile
|
||||
index dd5cafab21..075098dce8 100644
|
||||
--- a/iconvdata/Makefile
|
||||
+++ b/iconvdata/Makefile
|
||||
@@ -75,7 +75,8 @@ ifeq (yes,$(build-shared))
|
||||
tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \
|
||||
tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \
|
||||
bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \
|
||||
- bug-iconv13 bug-iconv14 bug-iconv15
|
||||
+ bug-iconv13 bug-iconv14 bug-iconv15 \
|
||||
+ tst-iconv-iso-2022-cn-ext
|
||||
ifeq ($(have-thread-library),yes)
|
||||
tests += bug-iconv3
|
||||
endif
|
||||
@@ -330,6 +331,8 @@ $(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \
|
||||
$(addprefix $(objpfx),$(modules.so))
|
||||
$(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \
|
||||
$(addprefix $(objpfx),$(modules.so))
|
||||
+$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \
|
||||
+ $(addprefix $(objpfx),$(modules.so))
|
||||
|
||||
$(objpfx)iconv-test.out: run-iconv-test.sh \
|
||||
$(addprefix $(objpfx), $(gconv-modules)) \
|
||||
diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c
|
||||
index 36727f0865..9bb02238a3 100644
|
||||
--- a/iconvdata/iso-2022-cn-ext.c
|
||||
+++ b/iconvdata/iso-2022-cn-ext.c
|
||||
@@ -574,6 +574,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
|
||||
{ \
|
||||
const char *escseq; \
|
||||
\
|
||||
+ if (outptr + 4 > outend) \
|
||||
+ { \
|
||||
+ result = __GCONV_FULL_OUTPUT; \
|
||||
+ break; \
|
||||
+ } \
|
||||
+ \
|
||||
assert (used == CNS11643_2_set); /* XXX */ \
|
||||
escseq = "*H"; \
|
||||
*outptr++ = ESC; \
|
||||
@@ -587,6 +593,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized");
|
||||
{ \
|
||||
const char *escseq; \
|
||||
\
|
||||
+ if (outptr + 4 > outend) \
|
||||
+ { \
|
||||
+ result = __GCONV_FULL_OUTPUT; \
|
||||
+ break; \
|
||||
+ } \
|
||||
+ \
|
||||
assert ((used >> 5) >= 3 && (used >> 5) <= 7); \
|
||||
escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \
|
||||
*outptr++ = ESC; \
|
||||
diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c
|
||||
new file mode 100644
|
||||
index 0000000000..96a8765fd5
|
||||
--- /dev/null
|
||||
+++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c
|
||||
@@ -0,0 +1,128 @@
|
||||
+/* Verify ISO-2022-CN-EXT does not write out of the bounds.
|
||||
+ Copyright (C) 2024 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <stdio.h>
|
||||
+#include <string.h>
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <iconv.h>
|
||||
+#include <sys/mman.h>
|
||||
+
|
||||
+#include <support/xunistd.h>
|
||||
+#include <support/check.h>
|
||||
+#include <support/support.h>
|
||||
+
|
||||
+/* The test sets up a two memory page buffer with the second page marked
|
||||
+ PROT_NONE to trigger a fault if the conversion writes beyond the exact
|
||||
+ expected amount. Then we carry out various conversions and precisely
|
||||
+ place the start of the output buffer in order to trigger a SIGSEGV if the
|
||||
+ process writes anywhere between 1 and page sized bytes more (only one
|
||||
+ PROT_NONE page is setup as a canary) than expected. These tests exercise
|
||||
+ all three of the cases in ISO-2022-CN-EXT where the converter must switch
|
||||
+ character sets and may run out of buffer space while doing the
|
||||
+ operation. */
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8");
|
||||
+ TEST_VERIFY_EXIT (cd != (iconv_t) -1);
|
||||
+
|
||||
+ char *ntf;
|
||||
+ size_t ntfsize;
|
||||
+ char *outbufbase;
|
||||
+ {
|
||||
+ int pgz = getpagesize ();
|
||||
+ TEST_VERIFY_EXIT (pgz > 0);
|
||||
+ ntfsize = 2 * pgz;
|
||||
+
|
||||
+ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE
|
||||
+ | MAP_ANONYMOUS, -1);
|
||||
+ xmprotect (ntf + pgz, pgz, PROT_NONE);
|
||||
+
|
||||
+ outbufbase = ntf + pgz;
|
||||
+ }
|
||||
+
|
||||
+ /* Check if SOdesignation escape sequence does not trigger an OOB write. */
|
||||
+ {
|
||||
+ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2";
|
||||
+
|
||||
+ for (int i = 0; i < 9; i++)
|
||||
+ {
|
||||
+ char *inp = inbuf;
|
||||
+ size_t inleft = sizeof (inbuf) - 1;
|
||||
+
|
||||
+ char *outp = outbufbase - i;
|
||||
+ size_t outleft = i;
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
|
||||
+ == (size_t) -1);
|
||||
+ TEST_COMPARE (errno, E2BIG);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Same as before for SS2designation. */
|
||||
+ {
|
||||
+ char inbuf[] = "㴽 \xe3\xb4\xbd";
|
||||
+
|
||||
+ for (int i = 0; i < 14; i++)
|
||||
+ {
|
||||
+ char *inp = inbuf;
|
||||
+ size_t inleft = sizeof (inbuf) - 1;
|
||||
+
|
||||
+ char *outp = outbufbase - i;
|
||||
+ size_t outleft = i;
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
|
||||
+ == (size_t) -1);
|
||||
+ TEST_COMPARE (errno, E2BIG);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ /* Same as before for SS3designation. */
|
||||
+ {
|
||||
+ char inbuf[] = "劄 \xe5\x8a\x84";
|
||||
+
|
||||
+ for (int i = 0; i < 14; i++)
|
||||
+ {
|
||||
+ char *inp = inbuf;
|
||||
+ size_t inleft = sizeof (inbuf) - 1;
|
||||
+
|
||||
+ char *outp = outbufbase - i;
|
||||
+ size_t outleft = i;
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft)
|
||||
+ == (size_t) -1);
|
||||
+ TEST_COMPARE (errno, E2BIG);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0);
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (iconv_close (cd) != -1);
|
||||
+
|
||||
+ xmunmap (ntf, ntfsize);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
||||
--
|
||||
2.44.0
|
||||
|
106
malloc-arena-get2.patch
Normal file
106
malloc-arena-get2.patch
Normal file
@ -0,0 +1,106 @@
|
||||
From 506e47da1d66b33e24440a495eeef85daf7f2a78 Mon Sep 17 00:00:00 2001
|
||||
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Date: Wed, 11 Oct 2023 13:43:56 -0300
|
||||
Subject: [PATCH] malloc: Use __get_nprocs on arena_get2 (BZ 30945)
|
||||
|
||||
This restore the 2.33 semantic for arena_get2. It was changed by
|
||||
11a02b035b46 to avoid arena_get2 call malloc (back when __get_nproc
|
||||
was refactored to use an scratch_buffer - 903bc7dcc2acafc). The
|
||||
__get_nproc was refactored over then and now it also avoid to call
|
||||
malloc.
|
||||
|
||||
The 11a02b035b46 did not take in consideration any performance
|
||||
implication, which should have been discussed properly. The
|
||||
__get_nprocs_sched is still used as a fallback mechanism if procfs
|
||||
and sysfs is not acessible.
|
||||
|
||||
Checked on x86_64-linux-gnu.
|
||||
Reviewed-by: DJ Delorie <dj@redhat.com>
|
||||
|
||||
(cherry picked from commit 472894d2cfee5751b44c0aaa71ed87df81c8e62e)
|
||||
---
|
||||
include/sys/sysinfo.h | 4 ----
|
||||
malloc/arena.c | 2 +-
|
||||
misc/getsysstats.c | 6 ------
|
||||
sysdeps/mach/getsysstats.c | 6 ------
|
||||
sysdeps/unix/sysv/linux/getsysstats.c | 2 +-
|
||||
5 files changed, 2 insertions(+), 18 deletions(-)
|
||||
|
||||
diff --git a/include/sys/sysinfo.h b/include/sys/sysinfo.h
|
||||
index c490561581..65742b1036 100644
|
||||
--- a/include/sys/sysinfo.h
|
||||
+++ b/include/sys/sysinfo.h
|
||||
@@ -14,10 +14,6 @@ libc_hidden_proto (__get_nprocs_conf)
|
||||
extern int __get_nprocs (void);
|
||||
libc_hidden_proto (__get_nprocs)
|
||||
|
||||
-/* Return the number of available processors which the process can
|
||||
- be scheduled. */
|
||||
-extern int __get_nprocs_sched (void) attribute_hidden;
|
||||
-
|
||||
/* Return number of physical pages of memory in the system. */
|
||||
extern long int __get_phys_pages (void);
|
||||
libc_hidden_proto (__get_phys_pages)
|
||||
diff --git a/malloc/arena.c b/malloc/arena.c
|
||||
index 6f03955ff2..82b09adb47 100644
|
||||
--- a/malloc/arena.c
|
||||
+++ b/malloc/arena.c
|
||||
@@ -820,7 +820,7 @@ arena_get2 (size_t size, mstate avoid_arena)
|
||||
narenas_limit = mp_.arena_max;
|
||||
else if (narenas > mp_.arena_test)
|
||||
{
|
||||
- int n = __get_nprocs_sched ();
|
||||
+ int n = __get_nprocs ();
|
||||
|
||||
if (n >= 1)
|
||||
narenas_limit = NARENAS_FROM_NCORES (n);
|
||||
diff --git a/misc/getsysstats.c b/misc/getsysstats.c
|
||||
index 5f36adc0e8..23cc112074 100644
|
||||
--- a/misc/getsysstats.c
|
||||
+++ b/misc/getsysstats.c
|
||||
@@ -44,12 +44,6 @@ weak_alias (__get_nprocs, get_nprocs)
|
||||
link_warning (get_nprocs, "warning: get_nprocs will always return 1")
|
||||
|
||||
|
||||
-int
|
||||
-__get_nprocs_sched (void)
|
||||
-{
|
||||
- return 1;
|
||||
-}
|
||||
-
|
||||
long int
|
||||
__get_phys_pages (void)
|
||||
{
|
||||
diff --git a/sysdeps/mach/getsysstats.c b/sysdeps/mach/getsysstats.c
|
||||
index 5184e5eee1..d3834f3b69 100644
|
||||
--- a/sysdeps/mach/getsysstats.c
|
||||
+++ b/sysdeps/mach/getsysstats.c
|
||||
@@ -62,12 +62,6 @@ __get_nprocs (void)
|
||||
libc_hidden_def (__get_nprocs)
|
||||
weak_alias (__get_nprocs, get_nprocs)
|
||||
|
||||
-int
|
||||
-__get_nprocs_sched (void)
|
||||
-{
|
||||
- return __get_nprocs ();
|
||||
-}
|
||||
-
|
||||
/* Return the number of physical pages on the system. */
|
||||
long int
|
||||
__get_phys_pages (void)
|
||||
diff --git a/sysdeps/unix/sysv/linux/getsysstats.c b/sysdeps/unix/sysv/linux/getsysstats.c
|
||||
index b0b6c154ac..1ea7f1f01f 100644
|
||||
--- a/sysdeps/unix/sysv/linux/getsysstats.c
|
||||
+++ b/sysdeps/unix/sysv/linux/getsysstats.c
|
||||
@@ -29,7 +29,7 @@
|
||||
#include <sys/sysinfo.h>
|
||||
#include <sysdep.h>
|
||||
|
||||
-int
|
||||
+static int
|
||||
__get_nprocs_sched (void)
|
||||
{
|
||||
enum
|
||||
--
|
||||
2.44.0
|
||||
|
36
nscd-netgroup-cache-timeout.patch
Normal file
36
nscd-netgroup-cache-timeout.patch
Normal file
@ -0,0 +1,36 @@
|
||||
From f510d75ff7f7405328853bd67b75f6847dfe9d31 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 2 May 2024 17:06:19 +0200
|
||||
Subject: [PATCH] nscd: Use time_t for return type of addgetnetgrentX
|
||||
|
||||
Using int may give false results for future dates (timeouts after the
|
||||
year 2028).
|
||||
|
||||
Fixes commit 04a21e050d64a1193a6daab872bca2528bda44b ("CVE-2024-33601,
|
||||
CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX
|
||||
(bug 31680)").
|
||||
|
||||
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
|
||||
(cherry picked from commit 4bbca1a44691a6e9adcee5c6798a707b626bc331)
|
||||
---
|
||||
nscd/netgroupcache.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
|
||||
index cc4e270c1f..a63b260fdb 100644
|
||||
--- a/nscd/netgroupcache.c
|
||||
+++ b/nscd/netgroupcache.c
|
||||
@@ -680,8 +680,8 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
|
||||
.key_len = he->len
|
||||
};
|
||||
|
||||
- int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
|
||||
- he, dh);
|
||||
+ time_t timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
|
||||
+ he, dh);
|
||||
if (timeout < 0)
|
||||
timeout = 0;
|
||||
return timeout;
|
||||
--
|
||||
2.45.0
|
||||
|
52
sched-getcpu-rseq-area.patch
Normal file
52
sched-getcpu-rseq-area.patch
Normal file
@ -0,0 +1,52 @@
|
||||
From 5753cda1ca0749002c4718122a9b6d5177087b7b Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Fri, 15 Mar 2024 19:08:24 +0100
|
||||
Subject: [PATCH] linux: Use rseq area unconditionally in sched_getcpu (bug
|
||||
31479)
|
||||
|
||||
Originally, nptl/descr.h included <sys/rseq.h>, but we removed that
|
||||
in commit 2c6b4b272e6b4d07303af25709051c3e96288f2d ("nptl:
|
||||
Unconditionally use a 32-byte rseq area"). After that, it was
|
||||
not ensured that the RSEQ_SIG macro was defined during sched_getcpu.c
|
||||
compilation that provided a definition. This commit always checks
|
||||
the rseq area for CPU number information before using the other
|
||||
approaches.
|
||||
|
||||
This adds an unnecessary (but well-predictable) branch on
|
||||
architectures which do not define RSEQ_SIG, but its cost is small
|
||||
compared to the system call. Most architectures that have vDSO
|
||||
acceleration for getcpu also have rseq support.
|
||||
|
||||
Fixes: 2c6b4b272e6b4d07303af25709051c3e96288f2d
|
||||
Fixes: 1d350aa06091211863e41169729cee1bca39f72f
|
||||
Reviewed-by: Arjun Shankar <arjun@redhat.com>
|
||||
(cherry picked from commit 7a76f218677d149d8b7875b336722108239f7ee9)
|
||||
---
|
||||
sysdeps/unix/sysv/linux/sched_getcpu.c | 8 --------
|
||||
1 file changed, 8 deletions(-)
|
||||
|
||||
diff --git a/sysdeps/unix/sysv/linux/sched_getcpu.c b/sysdeps/unix/sysv/linux/sched_getcpu.c
|
||||
index 4457d714bc..22700ef846 100644
|
||||
--- a/sysdeps/unix/sysv/linux/sched_getcpu.c
|
||||
+++ b/sysdeps/unix/sysv/linux/sched_getcpu.c
|
||||
@@ -33,17 +33,9 @@ vsyscall_sched_getcpu (void)
|
||||
return r == -1 ? r : cpu;
|
||||
}
|
||||
|
||||
-#ifdef RSEQ_SIG
|
||||
int
|
||||
sched_getcpu (void)
|
||||
{
|
||||
int cpu_id = THREAD_GETMEM_VOLATILE (THREAD_SELF, rseq_area.cpu_id);
|
||||
return __glibc_likely (cpu_id >= 0) ? cpu_id : vsyscall_sched_getcpu ();
|
||||
}
|
||||
-#else /* RSEQ_SIG */
|
||||
-int
|
||||
-sched_getcpu (void)
|
||||
-{
|
||||
- return vsyscall_sched_getcpu ();
|
||||
-}
|
||||
-#endif /* RSEQ_SIG */
|
||||
--
|
||||
2.44.0
|
||||
|
Loading…
Reference in New Issue
Block a user