pool/glibc
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Accepting request 1173931 from home:Andreas_Schwab:Factory

Browse Source 
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
  nscd: Stack-based buffer overflow in netgroup cache
  (CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
  nscd: Avoid null pointer crashes after notfound response
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
  nscd: Do not send missing not-found response in addgetnetgrentX
  (CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
  netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
  CVE-2024-33602, bsc#1223425, BZ #31680)
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
  addgetnetgrentX (CVE-2024-33602, bsc#1223425)

- utmp-time-bits.patch: login: structs utmp, utmpx, lastlog _TIME_BITS
  independence (BZ #30701)
- elf-parse-tunables.patch: elf: Only process multiple tunable once (BZ
  #31686)

OBS-URL: https://build.opensuse.org/request/show/1173931
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=707
This commit is contained in:
Andreas Schwab 2024-05-14 09:28:22 +00:00 committed by Git OBS Bridge
parent 98ab6167bc
commit b08edd98b2
9 changed files with 1448 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

215
elf-parse-tunables.patch Normal file
View File

@ -0,0 +1,215 @@
From 71149c2a2e85a8233631cc816030d449f021bb2a Mon Sep 17 00:00:00 2001
From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date: Mon, 6 May 2024 13:18:45 -0300
Subject: [PATCH] elf: Only process multiple tunable once (BZ 31686)
The 680c597e9c3 commit made loader reject ill-formatted strings by
first tracking all set tunables and then applying them. However, it does
not take into consideration if the same tunable is set multiple times,
where parse_tunables_string appends the found tunable without checking
if it was already in the list. It leads to a stack-based buffer overflow
if the tunable is specified more than the total number of tunables. For
instance:
GLIBC_TUNABLES=glibc.malloc.check=2:... (repeat over the number of
total support for different tunable).
Instead, use the index of the tunable list to get the expected tunable
entry. Since now the initial list is zero-initialized, the compiler
might emit an extra memset and this requires some minor adjustment
on some ports.
Checked on x86_64-linux-gnu and aarch64-linux-gnu.
Reported-by: Yuto Maeda <maeda@cyberdefense.jp>
Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp>
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit bcae44ea8536b30a7119c0986ff5692bddacb672)
---
elf/dl-tunables.c | 28 ++++++----
elf/tst-tunables.c | 61 +++++++++++++++++++++-
sysdeps/aarch64/multiarch/memset_generic.S | 4 ++
sysdeps/sparc/sparc64/rtld-memset.c | 3 ++
4 files changed, 84 insertions(+), 12 deletions(-)
diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index 03e1a68675..614ac9c047 100644
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -32,6 +32,7 @@
#include <ldsodefs.h>
#include <array_length.h>
#include <dl-minimal-malloc.h>
+#include <dl-symbol-redir-ifunc.h>
#define TUNABLES_INTERNAL 1
#include "dl-tunables.h"
@@ -223,6 +224,7 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
{
tunables[ntunables++] =
(struct tunable_toset_t) { cur, value, p - value };
+
break;
}
}
@@ -234,23 +236,27 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables)
static void
parse_tunables (const char *valstring)
{
- struct tunable_toset_t tunables[tunables_list_size];
- int ntunables = parse_tunables_string (valstring, tunables);
- if (ntunables == -1)
+ struct tunable_toset_t tunables[tunables_list_size] = { 0 };
+ if (parse_tunables_string (valstring, tunables) == -1)
{
_dl_error_printf (
"WARNING: ld.so: invalid GLIBC_TUNABLES `%s': ignored.\n", valstring);
return;
}
- for (int i = 0; i < ntunables; i++)
- if (!tunable_initialize (tunables[i].t, tunables[i].value,
- tunables[i].len))
- _dl_error_printf ("WARNING: ld.so: invalid GLIBC_TUNABLES value `%.*s' "
- "for option `%s': ignored.\n",
- (int) tunables[i].len,
- tunables[i].value,
- tunables[i].t->name);
+ for (int i = 0; i < tunables_list_size; i++)
+ {
+ if (tunables[i].t == NULL)
+ continue;
+
+ if (!tunable_initialize (tunables[i].t, tunables[i].value,
+ tunables[i].len))
+ _dl_error_printf ("WARNING: ld.so: invalid GLIBC_TUNABLES value `%.*s' "
+ "for option `%s': ignored.\n",
+ (int) tunables[i].len,
+ tunables[i].value,
+ tunables[i].t->name);
+ }
}
/* Initialize the tunables list from the environment. For now we only use the
diff --git a/elf/tst-tunables.c b/elf/tst-tunables.c
index 095b5c81d9..dff34ed748 100644
--- a/elf/tst-tunables.c
+++ b/elf/tst-tunables.c
@@ -17,6 +17,10 @@
<https://www.gnu.org/licenses/>. */
#include <array_length.h>
+/* The test uses the tunable_list size, which is only exported for
+ ld.so. This will result in a copy of tunable_list, which is ununsed by
+ the test itself. */
+#define TUNABLES_INTERNAL 1
#include <dl-tunables.h>
#include <getopt.h>
#include <intprops.h>
@@ -24,12 +28,13 @@
#include <stdlib.h>
#include <support/capture_subprocess.h>
#include <support/check.h>
+#include <support/support.h>
static int restart;
#define CMDLINE_OPTIONS \
{ "restart", no_argument, &restart, 1 },
-static const struct test_t
+static struct test_t
{
const char *name;
const char *value;
@@ -284,6 +289,29 @@ static const struct test_t
0,
0,
},
+ /* Also check for repeated tunables with a count larger than the total number
+ of tunables. */
+ {
+ "GLIBC_TUNABLES",
+ NULL,
+ 2,
+ 0,
+ 0,
+ },
+ {
+ "GLIBC_TUNABLES",
+ NULL,
+ 1,
+ 0,
+ 0,
+ },
+ {
+ "GLIBC_TUNABLES",
+ NULL,
+ 0,
+ 0,
+ 0,
+ },
};
static int
@@ -327,6 +355,37 @@ do_test (int argc, char *argv[])
spargv[i] = NULL;
}
+ /* Create a tunable line with the duplicate values with a total number
+ larger than the different number of tunables. */
+ {
+ enum { tunables_list_size = array_length (tunable_list) };
+ const char *value = "";
+ for (int i = 0; i < tunables_list_size; i++)
+ value = xasprintf ("%sglibc.malloc.check=2%c",
+ value,
+ i == (tunables_list_size - 1) ? '\0' : ':');
+ tests[33].value = value;
+ }
+ /* Same as before, but the last tunable values is differen than the
+ rest. */
+ {
+ enum { tunables_list_size = array_length (tunable_list) };
+ const char *value = "";
+ for (int i = 0; i < tunables_list_size - 1; i++)
+ value = xasprintf ("%sglibc.malloc.check=2:", value);
+ value = xasprintf ("%sglibc.malloc.check=1", value);
+ tests[34].value = value;
+ }
+ /* Same as before, but with an invalid last entry. */
+ {
+ enum { tunables_list_size = array_length (tunable_list) };
+ const char *value = "";
+ for (int i = 0; i < tunables_list_size - 1; i++)
+ value = xasprintf ("%sglibc.malloc.check=2:", value);
+ value = xasprintf ("%sglibc.malloc.check=1=1", value);
+ tests[35].value = value;
+ }
+
for (int i = 0; i < array_length (tests); i++)
{
snprintf (nteststr, sizeof nteststr, "%d", i);
diff --git a/sysdeps/aarch64/multiarch/memset_generic.S b/sysdeps/aarch64/multiarch/memset_generic.S
index 81748bdbce..e125a5ed85 100644
--- a/sysdeps/aarch64/multiarch/memset_generic.S
+++ b/sysdeps/aarch64/multiarch/memset_generic.S
@@ -33,3 +33,7 @@
#endif
#include <../memset.S>
+
+#if IS_IN (rtld)
+strong_alias (memset, __memset_generic)
+#endif
diff --git a/sysdeps/sparc/sparc64/rtld-memset.c b/sysdeps/sparc/sparc64/rtld-memset.c
index 55f3835790..a19202a620 100644
--- a/sysdeps/sparc/sparc64/rtld-memset.c
+++ b/sysdeps/sparc/sparc64/rtld-memset.c
@@ -1 +1,4 @@
#include <string/memset.c>
+#if IS_IN(rtld)
+strong_alias (memset, __memset_ultra1)
+#endif
--
2.45.0

5
glibc-fix-cve-2024-33599.patch → glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
View File

@ -1,4 +1,4 @@
From 87801a8fd06db1d654eea3e4f7626ff476a9bdaa Mon Sep 17 00:00:00 2001
From 1263d583d2e28afb8be53f8d6922f0842036f35d Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 25 Apr 2024 15:00:45 +0200
Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup
@ -8,6 +8,7 @@ Using alloca matches what other caches do. The request length is
bounded by MAXKEYLEN.
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa)
---
nscd/netgroupcache.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
@ -33,5 +34,5 @@ index 0c6e46f15c..f227dc7fa2 100644
datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
--
2.44.0
2.45.0

60
glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch Normal file
View File

@ -0,0 +1,60 @@
From c99f886de54446cd4447db6b44be93dabbdc2f8b Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 25 Apr 2024 15:01:07 +0200
Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after
notfound response (bug 31678)
The addgetnetgrentX call in addinnetgrX may have failed to produce
a result, so the result variable in addinnetgrX can be NULL.
Use db->negtimeout as the fallback value if there is no result data;
the timeout is also overwritten below.
Also avoid sending a second not-found response. (The client
disconnects after receiving the first response, so the data stream did
not go out of sync even without this fix.) It is still beneficial to
add the negative response to the mapping, so that the client can get
it from there in the future, instead of going through the socket.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2)
---
nscd/netgroupcache.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index c18fe111f3..e22ffa5884 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len,
sizeof (innetgroup_response_header),
- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl);
+ he == NULL ? 0 : dh->nreloads + 1,
+ result == NULL ? db->negtimeout : result->head.ttl);
/* Set the notfound status and timeout based on the result from
getnetgrent. */
- dataset->head.notfound = result->head.notfound;
+ dataset->head.notfound = result == NULL || result->head.notfound;
dataset->head.timeout = timeout;
dataset->resp.version = NSCD_VERSION;
- dataset->resp.found = result->resp.found;
+ dataset->resp.found = result != NULL && result->resp.found;
/* Until we find a matching entry the result is 0. */
dataset->resp.result = 0;
@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
goto out;
}
- if (he == NULL)
+ /* addgetnetgrentX may have already sent a notfound response. Do
+ not send another one. */
+ if (he == NULL && dataset->resp.found)
{
/* We write the dataset before inserting it to the database
since while inserting this thread might block and so would
--
2.45.0

59
glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch Normal file
View File

@ -0,0 +1,59 @@
From 5a508e0b508c8ad53bd0d2fb48fd71b242626341 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 25 Apr 2024 15:01:07 +0200
Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response
in addgetnetgrentX (bug 31678)
If we failed to add a not-found response to the cache, the dataset
point can be null, resulting in a null pointer dereference.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa)
---
nscd/netgroupcache.c | 14 ++++++--------
1 file changed, 6 insertions(+), 8 deletions(-)
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index f227dc7fa2..c18fe111f3 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
/* No such service. */
cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
&key_copy);
- goto writeout;
+ goto maybe_cache_add;
}
memset (&data, '\0', sizeof (data));
@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
{
cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout,
&key_copy);
- goto writeout;
+ goto maybe_cache_add;
}
total = buffilled;
@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
if (he == NULL && fd != -1)
- {
- /* We write the dataset before inserting it to the database
- since while inserting this thread might block and so would
- unnecessarily let the receiver wait. */
- writeout:
+ /* We write the dataset before inserting it to the database since
+ while inserting this thread might block and so would
+ unnecessarily let the receiver wait. */
writeall (fd, &dataset->resp, dataset->head.recsize);
- }
+ maybe_cache_add:
if (cacheable)
{
/* If necessary, we also propagate the data to disk. */
--
2.45.0

390
glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch Normal file
View File

@ -0,0 +1,390 @@
From a9a8d3eebb145779a18d90e3966009a1daa63cd8 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 25 Apr 2024 15:01:07 +0200
Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two
buffers in addgetnetgrentX (bug 31680)
This avoids potential memory corruption when the underlying NSS
callback function does not use the buffer space to store all strings
(e.g., for constant strings).
Instead of custom buffer management, two scratch buffers are used.
This increases stack usage somewhat.
Scratch buffer allocation failure is handled by return -1
(an invalid timeout value) instead of terminating the process.
This fixes bug 31679.
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
(cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b)
---
nscd/netgroupcache.c | 219 ++++++++++++++++++++++++-------------------
1 file changed, 121 insertions(+), 98 deletions(-)
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index e22ffa5884..e8fe041846 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -23,6 +23,7 @@
#include <stdlib.h>
#include <unistd.h>
#include <sys/mman.h>
+#include <scratch_buffer.h>
#include "../nss/netgroup.h"
#include "nscd.h"
@@ -65,6 +66,16 @@ struct dataset
char strdata[0];
};
+/* Send a notfound response to FD. Always returns -1 to indicate an
+ ephemeral error. */
+static time_t
+send_notfound (int fd)
+{
+ if (fd != -1)
+ TEMP_FAILURE_RETRY (send (fd, &notfound, sizeof (notfound), MSG_NOSIGNAL));
+ return -1;
+}
+
/* Sends a notfound message and prepares a notfound dataset to write to the
cache. Returns true if there was enough memory to allocate the dataset and
returns the dataset in DATASETP, total bytes to write in TOTALP and the
@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
total = sizeof (notfound);
timeout = time (NULL) + db->negtimeout;
- if (fd != -1)
- TEMP_FAILURE_RETRY (send (fd, &notfound, total, MSG_NOSIGNAL));
+ send_notfound (fd);
dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1);
/* If we cannot permanently store the result, so be it. */
@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req,
return cacheable;
}
+struct addgetnetgrentX_scratch
+{
+ /* This is the result that the caller should use. It can be NULL,
+ point into buffer, or it can be in the cache. */
+ struct dataset *dataset;
+
+ struct scratch_buffer buffer;
+
+ /* Used internally in addgetnetgrentX as a staging area. */
+ struct scratch_buffer tmp;
+
+ /* Number of bytes in buffer that are actually used. */
+ size_t buffer_used;
+};
+
+static void
+addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch)
+{
+ scratch->dataset = NULL;
+ scratch_buffer_init (&scratch->buffer);
+ scratch_buffer_init (&scratch->tmp);
+
+ /* Reserve space for the header. */
+ scratch->buffer_used = sizeof (struct dataset);
+ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space),
+ "initial buffer space");
+ memset (scratch->tmp.data, 0, sizeof (struct dataset));
+}
+
+static void
+addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch)
+{
+ scratch_buffer_free (&scratch->buffer);
+ scratch_buffer_free (&scratch->tmp);
+}
+
+/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH
+ could not be resized, otherwise a pointer to the copy. */
+static char *
+addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch,
+ const char *s, size_t length)
+{
+ while (true)
+ {
+ size_t remaining = scratch->buffer.length - scratch->buffer_used;
+ if (remaining >= length)
+ break;
+ if (!scratch_buffer_grow_preserve (&scratch->buffer))
+ return NULL;
+ }
+ char *copy = scratch->buffer.data + scratch->buffer_used;
+ memcpy (copy, s, length);
+ scratch->buffer_used += length;
+ return copy;
+}
+
+/* Copy S into SCRATCH, including its null terminator. Returns false
+ if SCRATCH could not be resized. */
+static bool
+addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s)
+{
+ if (s == NULL)
+ s = "";
+ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL;
+}
+
+/* Caller must initialize and free *SCRATCH. If the return value is
+ negative, this function has sent a notfound response. */
static time_t
addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
const char *key, uid_t uid, struct hashentry *he,
- struct datahead *dh, struct dataset **resultp,
- void **tofreep)
+ struct datahead *dh, struct addgetnetgrentX_scratch *scratch)
{
if (__glibc_unlikely (debug_level > 0))
{
@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
char *key_copy = NULL;
struct __netgrent data;
- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len);
- size_t buffilled = sizeof (*dataset);
- char *buffer = NULL;
size_t nentries = 0;
size_t group_len = strlen (key) + 1;
struct name_list *first_needed
= alloca (sizeof (struct name_list) + group_len);
- *tofreep = NULL;
if (netgroup_database == NULL
&& !__nss_database_get (nss_database_netgroup, &netgroup_database))
@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
memset (&data, '\0', sizeof (data));
- buffer = xmalloc (buflen);
- *tofreep = buffer;
first_needed->next = first_needed;
memcpy (first_needed->name, key, group_len);
data.needed_groups = first_needed;
@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
while (1)
{
int e;
- status = getfct.f (&data, buffer + buffilled,
- buflen - buffilled - req->key_len, &e);
+ status = getfct.f (&data, scratch->tmp.data,
+ scratch->tmp.length, &e);
if (status == NSS_STATUS_SUCCESS)
{
if (data.type == triple_val)
@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
const char *nhost = data.val.triple.host;
const char *nuser = data.val.triple.user;
const char *ndomain = data.val.triple.domain;
-
- size_t hostlen = strlen (nhost ?: "") + 1;
- size_t userlen = strlen (nuser ?: "") + 1;
- size_t domainlen = strlen (ndomain ?: "") + 1;
-
- if (nhost == NULL || nuser == NULL || ndomain == NULL
- || nhost > nuser || nuser > ndomain)
- {
- const char *last = nhost;
- if (last == NULL
- || (nuser != NULL && nuser > last))
- last = nuser;
- if (last == NULL
- || (ndomain != NULL && ndomain > last))
- last = ndomain;
-
- size_t bufused
- = (last == NULL
- ? buffilled
- : last + strlen (last) + 1 - buffer);
-
- /* We have to make temporary copies. */
- size_t needed = hostlen + userlen + domainlen;
-
- if (buflen - req->key_len - bufused < needed)
- {
- buflen += MAX (buflen, 2 * needed);
- /* Save offset in the old buffer. We don't
- bother with the NULL check here since
- we'll do that later anyway. */
- size_t nhostdiff = nhost - buffer;
- size_t nuserdiff = nuser - buffer;
- size_t ndomaindiff = ndomain - buffer;
-
- char *newbuf = xrealloc (buffer, buflen);
- /* Fix up the triplet pointers into the new
- buffer. */
- nhost = (nhost ? newbuf + nhostdiff
- : NULL);
- nuser = (nuser ? newbuf + nuserdiff
- : NULL);
- ndomain = (ndomain ? newbuf + ndomaindiff
- : NULL);
- *tofreep = buffer = newbuf;
- }
-
- nhost = memcpy (buffer + bufused,
- nhost ?: "", hostlen);
- nuser = memcpy ((char *) nhost + hostlen,
- nuser ?: "", userlen);
- ndomain = memcpy ((char *) nuser + userlen,
- ndomain ?: "", domainlen);
- }
-
- char *wp = buffer + buffilled;
- wp = memmove (wp, nhost ?: "", hostlen);
- wp += hostlen;
- wp = memmove (wp, nuser ?: "", userlen);
- wp += userlen;
- wp = memmove (wp, ndomain ?: "", domainlen);
- wp += domainlen;
- buffilled = wp - buffer;
+ if (!(addgetnetgrentX_append (scratch, nhost)
+ && addgetnetgrentX_append (scratch, nuser)
+ && addgetnetgrentX_append (scratch, ndomain)))
+ return send_notfound (fd);
++nentries;
}
else
@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE)
{
- buflen *= 2;
- *tofreep = buffer = xrealloc (buffer, buflen);
+ if (!scratch_buffer_grow (&scratch->tmp))
+ return send_notfound (fd);
}
else if (status == NSS_STATUS_RETURN
|| status == NSS_STATUS_NOTFOUND
@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
goto maybe_cache_add;
}
- total = buffilled;
+ /* Capture the result size without the key appended. */
+ total = scratch->buffer_used;
+
+ /* Make a copy of the key. The scratch buffer must not move after
+ this point. */
+ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len);
+ if (key_copy == NULL)
+ return send_notfound (fd);
/* Fill in the dataset. */
- dataset = (struct dataset *) buffer;
+ dataset = scratch->buffer.data;
timeout = datahead_init_pos (&dataset->head, total + req->key_len,
total - offsetof (struct dataset, resp),
he == NULL ? 0 : dh->nreloads + 1,
@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
dataset->resp.version = NSCD_VERSION;
dataset->resp.found = 1;
dataset->resp.nresults = nentries;
- dataset->resp.result_len = buffilled - sizeof (*dataset);
-
- assert (buflen - buffilled >= req->key_len);
- key_copy = memcpy (buffer + buffilled, key, req->key_len);
- buffilled += req->key_len;
+ dataset->resp.result_len = total - sizeof (*dataset);
/* Now we can determine whether on refill we have to create a new
record or not. */
@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
if (__glibc_likely (newp != NULL))
{
/* Adjust pointer into the memory block. */
- key_copy = (char *) newp + (key_copy - buffer);
+ key_copy = (char *) newp + (key_copy - (char *) dataset);
dataset = memcpy (newp, dataset, total + req->key_len);
cacheable = true;
@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req,
}
out:
- *resultp = dataset;
+ scratch->dataset = dataset;
return timeout;
}
@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
if (user != NULL)
key = strchr (key, '\0') + 1;
const char *domain = *key++ ? key : NULL;
+ struct addgetnetgrentX_scratch scratch;
+
+ addgetnetgrentX_scratch_init (&scratch);
if (__glibc_unlikely (debug_level > 0))
{
@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
group, group_len,
db, uid);
time_t timeout;
- void *tofree;
if (result != NULL)
- {
- timeout = result->head.timeout;
- tofree = NULL;
- }
+ timeout = result->head.timeout;
else
{
request_header req_get =
@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
.key_len = group_len
};
timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL,
- &result, &tofree);
+ &scratch);
+ result = scratch.dataset;
+ if (timeout < 0)
+ goto out;
}
struct indataset
@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req,
}
out:
- free (tofree);
+ addgetnetgrentX_scratch_free (&scratch);
return timeout;
}
@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req,
const char *key, uid_t uid, struct hashentry *he,
struct datahead *dh)
{
- struct dataset *ignore;
- void *tofree;
- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh,
- &ignore, &tofree);
- free (tofree);
+ struct addgetnetgrentX_scratch scratch;
+ addgetnetgrentX_scratch_init (&scratch);
+ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch);
+ addgetnetgrentX_scratch_free (&scratch);
+ if (timeout < 0)
+ timeout = 0;
return timeout;
}
@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
.key_len = he->len
};
- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh);
+ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
+ he, dh);
+ if (timeout < 0)
+ timeout = 0;
+ return timeout;
}
--
2.45.0

26
glibc.changes
View File

@ -1,3 +1,29 @@
-------------------------------------------------------------------
Mon May 13 09:45:36 UTC 2024 - Andreas Schwab <schwab@suse.de>
- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch:
nscd: Stack-based buffer overflow in netgroup cache
(CVE-2024-33599, bsc#1223423, BZ #31677)
- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch:
nscd: Avoid null pointer crashes after notfound response
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch:
nscd: Do not send missing not-found response in addgetnetgrentX
(CVE-2024-33600, bsc#1223424, BZ #31678)
- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch:
netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601,
CVE-2024-33602, bsc#1223425, BZ #31680)
- nscd-netgroup-cache-timeout.patch: Use time_t for return type of
addgetnetgrentX (CVE-2024-33602, bsc#1223425)
-------------------------------------------------------------------
Wed May 8 10:42:39 UTC 2024 - Andreas Schwab <schwab@suse.de>
- utmp-time-bits.patch: login: structs utmp, utmpx, lastlog _TIME_BITS
independence (BZ #30701)
- elf-parse-tunables.patch: elf: Only process multiple tunable once (BZ
#31686)
-------------------------------------------------------------------
Mon Apr 29 17:42:43 UTC 2024 - Giuliano Belinassi <giuliano.belinassi@suse.com>

16
glibc.spec
View File

@ -314,8 +314,20 @@ Patch1003: sigisemptyset.patch
Patch1004: stdbit-builtins.patch
# PATCH-FIX-UPSTREAM iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961)
Patch1005: iconv-iso-2022-cn-ext.patch
# PATCH-FIX-UPSTREAM: CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache
Patch1006: glibc-fix-cve-2024-33599.patch
# PATCH-FIX-UPSTREAM login: structs utmp, utmpx, lastlog _TIME_BITS independence (BZ #30701)
Patch1006: utmp-time-bits.patch
# PATCH-FIX-UPSTREAM elf: Only process multiple tunable once (BZ #31686)
Patch1007: elf-parse-tunables.patch
# PATCH-FIX-UPSTREAM nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, BZ #31677)
Patch1008: glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch
# PATCH-FIX-UPSTREAM nscd: Do not send missing not found response in addgetnetgrentX (CVE-2024-33600, BZ #31678)
Patch1009: glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch
# PATCH-FIX-UPSTREAM nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, BZ #31678)
Patch1010: glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch
# PATCH-FIX-UPSTREAM nscd netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, BZ #31680)
Patch1011: glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch
# PATCH-FIX-UPSTREAM nscd: Use time_t for return type of addgetnetgrentX (CVE-2024-33602)
Patch1012: nscd-netgroup-cache-timeout.patch
%endif
###

36
nscd-netgroup-cache-timeout.patch Normal file
View File

@ -0,0 +1,36 @@
From acc56074b0a5127631a64640aef1b7c5c103ebd8 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 2 May 2024 17:06:19 +0200
Subject: [PATCH] nscd: Use time_t for return type of addgetnetgrentX
Using int may give false results for future dates (timeouts after the
year 2028).
Fixes commit 04a21e050d64a1193a6daab872bca2528bda44b ("CVE-2024-33601,
CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX
(bug 31680)").
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 4bbca1a44691a6e9adcee5c6798a707b626bc331)
---
nscd/netgroupcache.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c
index e8fe041846..01d554af9c 100644
--- a/nscd/netgroupcache.c
+++ b/nscd/netgroupcache.c
@@ -680,8 +680,8 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he,
.key_len = he->len
};
- int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
- he, dh);
+ time_t timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner,
+ he, dh);
if (timeout < 0)
timeout = 0;
return timeout;
--
2.45.0

645
utmp-time-bits.patch Normal file
View File

@ -0,0 +1,645 @@
From 9831f98c266a8d56d1bf729b709c08e40375540c Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 19 Apr 2024 14:38:17 +0200
Subject: [PATCH] login: Check default sizes of structs utmp, utmpx, lastlog
The default <utmp-size.h> is for ports with a 64-bit time_t.
Ports with a 32-bit time_t or with __WORDSIZE_TIME64_COMPAT32=1
need to override it.
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 4d4da5aab936504b2d3eca3146e109630d9093c4)
---
login/Makefile | 2 +-
login/tst-utmp-size.c | 33 +++++++++++++++++++++++++++++++++
sysdeps/arc/utmp-size.h | 3 +++
sysdeps/arm/utmp-size.h | 2 ++
sysdeps/csky/utmp-size.h | 2 ++
sysdeps/generic/utmp-size.h | 23 +++++++++++++++++++++++
sysdeps/hppa/utmp-size.h | 2 ++
sysdeps/m68k/utmp-size.h | 3 +++
sysdeps/microblaze/utmp-size.h | 2 ++
sysdeps/mips/utmp-size.h | 2 ++
sysdeps/nios2/utmp-size.h | 2 ++
sysdeps/or1k/utmp-size.h | 3 +++
sysdeps/powerpc/utmp-size.h | 2 ++
sysdeps/riscv/utmp-size.h | 2 ++
sysdeps/sh/utmp-size.h | 2 ++
sysdeps/sparc/utmp-size.h | 2 ++
sysdeps/x86/utmp-size.h | 2 ++
17 files changed, 88 insertions(+), 1 deletion(-)
create mode 100644 login/tst-utmp-size.c
create mode 100644 sysdeps/arc/utmp-size.h
create mode 100644 sysdeps/arm/utmp-size.h
create mode 100644 sysdeps/csky/utmp-size.h
create mode 100644 sysdeps/generic/utmp-size.h
create mode 100644 sysdeps/hppa/utmp-size.h
create mode 100644 sysdeps/m68k/utmp-size.h
create mode 100644 sysdeps/microblaze/utmp-size.h
create mode 100644 sysdeps/mips/utmp-size.h
create mode 100644 sysdeps/nios2/utmp-size.h
create mode 100644 sysdeps/or1k/utmp-size.h
create mode 100644 sysdeps/powerpc/utmp-size.h
create mode 100644 sysdeps/riscv/utmp-size.h
create mode 100644 sysdeps/sh/utmp-size.h
create mode 100644 sysdeps/sparc/utmp-size.h
create mode 100644 sysdeps/x86/utmp-size.h
diff --git a/login/Makefile b/login/Makefile
index 1e22008a61..b26ac42bfc 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -44,7 +44,7 @@ subdir-dirs = programs
vpath %.c programs
tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname tst-getlogin tst-updwtmpx \
- tst-pututxline-lockfail tst-pututxline-cache
+ tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size
# Empty compatibility library for old binaries.
extra-libs := libutil
diff --git a/login/tst-utmp-size.c b/login/tst-utmp-size.c
new file mode 100644
index 0000000000..1b7f7ff042
--- /dev/null
+++ b/login/tst-utmp-size.c
@@ -0,0 +1,33 @@
+/* Check expected sizes of struct utmp, struct utmpx, struct lastlog.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#include <utmp.h>
+#include <utmpx.h>
+#include <utmp-size.h>
+
+static int
+do_test (void)
+{
+ _Static_assert (sizeof (struct utmp) == UTMP_SIZE, "struct utmp size");
+ _Static_assert (sizeof (struct utmpx) == UTMP_SIZE, "struct utmpx size");
+ _Static_assert (sizeof (struct lastlog) == LASTLOG_SIZE,
+ "struct lastlog size");
+ return 0;
+}
+
+#include <support/test-driver.c>
diff --git a/sysdeps/arc/utmp-size.h b/sysdeps/arc/utmp-size.h
new file mode 100644
index 0000000000..a247fcd3da
--- /dev/null
+++ b/sysdeps/arc/utmp-size.h
@@ -0,0 +1,3 @@
+/* arc has less padding than other architectures with 64-bit time_t. */
+#define UTMP_SIZE 392
+#define LASTLOG_SIZE 296
diff --git a/sysdeps/arm/utmp-size.h b/sysdeps/arm/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/arm/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/csky/utmp-size.h b/sysdeps/csky/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/csky/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/generic/utmp-size.h b/sysdeps/generic/utmp-size.h
new file mode 100644
index 0000000000..89dbe878b0
--- /dev/null
+++ b/sysdeps/generic/utmp-size.h
@@ -0,0 +1,23 @@
+/* Expected sizes of utmp-related structures stored in files. 64-bit version.
+ Copyright (C) 2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+/* Expected size, in bytes, of struct utmp and struct utmpx. */
+#define UTMP_SIZE 400
+
+/* Expected size, in bytes, of struct lastlog. */
+#define LASTLOG_SIZE 296
diff --git a/sysdeps/hppa/utmp-size.h b/sysdeps/hppa/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/hppa/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/m68k/utmp-size.h b/sysdeps/m68k/utmp-size.h
new file mode 100644
index 0000000000..5946685819
--- /dev/null
+++ b/sysdeps/m68k/utmp-size.h
@@ -0,0 +1,3 @@
+/* m68k has 2-byte alignment. */
+#define UTMP_SIZE 382
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/microblaze/utmp-size.h b/sysdeps/microblaze/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/microblaze/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/mips/utmp-size.h b/sysdeps/mips/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/mips/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/nios2/utmp-size.h b/sysdeps/nios2/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/nios2/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/or1k/utmp-size.h b/sysdeps/or1k/utmp-size.h
new file mode 100644
index 0000000000..6b3653aa4d
--- /dev/null
+++ b/sysdeps/or1k/utmp-size.h
@@ -0,0 +1,3 @@
+/* or1k has less padding than other architectures with 64-bit time_t. */
+#define UTMP_SIZE 392
+#define LASTLOG_SIZE 296
diff --git a/sysdeps/powerpc/utmp-size.h b/sysdeps/powerpc/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/powerpc/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/riscv/utmp-size.h b/sysdeps/riscv/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/riscv/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/sh/utmp-size.h b/sysdeps/sh/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/sh/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/sparc/utmp-size.h b/sysdeps/sparc/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/sparc/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
diff --git a/sysdeps/x86/utmp-size.h b/sysdeps/x86/utmp-size.h
new file mode 100644
index 0000000000..8f21ebe1b6
--- /dev/null
+++ b/sysdeps/x86/utmp-size.h
@@ -0,0 +1,2 @@
+#define UTMP_SIZE 384
+#define LASTLOG_SIZE 292
--
2.45.0
From 836d43b98973e0845b739ff5d3aad3af09dc7d0f Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Fri, 19 Apr 2024 14:38:17 +0200
Subject: [PATCH] login: structs utmp, utmpx, lastlog _TIME_BITS independence
(bug 30701)
These structs describe file formats under /var/log, and should not
depend on the definition of _TIME_BITS. This is achieved by
defining __WORDSIZE_TIME64_COMPAT32 to 1 on 32-bit ports that
support 32-bit time_t values (where __time_t is 32 bits).
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
(cherry picked from commit 9abdae94c7454c45e02e97e4ed1eb1b1915d13d8)
---
bits/wordsize.h | 6 ++++--
login/Makefile | 4 +++-
login/tst-utmp-size-64.c | 2 ++
sysdeps/arm/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/csky/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/m68k/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/microblaze/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/mips/bits/wordsize.h | 6 +-----
sysdeps/nios2/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/powerpc/powerpc32/bits/wordsize.h | 3 +--
sysdeps/powerpc/powerpc64/bits/wordsize.h | 3 +--
sysdeps/sh/bits/wordsize.h | 21 +++++++++++++++++++
sysdeps/sparc/sparc32/bits/wordsize.h | 2 +-
sysdeps/sparc/sparc64/bits/wordsize.h | 3 +--
sysdeps/unix/sysv/linux/hppa/bits/wordsize.h | 21 +++++++++++++++++++
.../unix/sysv/linux/powerpc/bits/wordsize.h | 3 +--
sysdeps/unix/sysv/linux/sparc/bits/wordsize.h | 3 +--
sysdeps/x86/bits/wordsize.h | 5 ++---
18 files changed, 165 insertions(+), 22 deletions(-)
create mode 100644 login/tst-utmp-size-64.c
create mode 100644 sysdeps/arm/bits/wordsize.h
create mode 100644 sysdeps/csky/bits/wordsize.h
create mode 100644 sysdeps/m68k/bits/wordsize.h
create mode 100644 sysdeps/microblaze/bits/wordsize.h
create mode 100644 sysdeps/nios2/bits/wordsize.h
create mode 100644 sysdeps/sh/bits/wordsize.h
create mode 100644 sysdeps/unix/sysv/linux/hppa/bits/wordsize.h
diff --git a/bits/wordsize.h b/bits/wordsize.h
index 14edae3a11..53013a9275 100644
--- a/bits/wordsize.h
+++ b/bits/wordsize.h
@@ -21,7 +21,9 @@
#define __WORDSIZE32_PTRDIFF_LONG
/* Set to 1 in order to force time types to be 32 bits instead of 64 bits in
- struct lastlog and struct utmp{,x} on 64-bit ports. This may be done in
+ struct lastlog and struct utmp{,x}. This may be done in
order to make 64-bit ports compatible with 32-bit ports. Set to 0 for
- 64-bit ports where the time types are 64-bits or for any 32-bit ports. */
+ 64-bit ports where the time types are 64-bits and new 32-bit ports
+ where time_t is 64 bits, and there is no companion architecture with
+ 32-bit time_t. */
#define __WORDSIZE_TIME64_COMPAT32
diff --git a/login/Makefile b/login/Makefile
index b26ac42bfc..f91190e3dc 100644
--- a/login/Makefile
+++ b/login/Makefile
@@ -44,7 +44,9 @@ subdir-dirs = programs
vpath %.c programs
tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname tst-getlogin tst-updwtmpx \
- tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size
+ tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size tst-utmp-size-64
+
+CFLAGS-tst-utmp-size-64.c += -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64
# Empty compatibility library for old binaries.
extra-libs := libutil
diff --git a/login/tst-utmp-size-64.c b/login/tst-utmp-size-64.c
new file mode 100644
index 0000000000..7a581a4c12
--- /dev/null
+++ b/login/tst-utmp-size-64.c
@@ -0,0 +1,2 @@
+/* The on-disk layout must not change in time64 mode. */
+#include "tst-utmp-size.c"
diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/arm/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/csky/bits/wordsize.h b/sysdeps/csky/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/csky/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/m68k/bits/wordsize.h b/sysdeps/m68k/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/m68k/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/microblaze/bits/wordsize.h b/sysdeps/microblaze/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/microblaze/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/mips/bits/wordsize.h b/sysdeps/mips/bits/wordsize.h
index 57f0f2a22f..30dd3fd85d 100644
--- a/sysdeps/mips/bits/wordsize.h
+++ b/sysdeps/mips/bits/wordsize.h
@@ -19,11 +19,7 @@
#define __WORDSIZE _MIPS_SZPTR
-#if _MIPS_SIM == _ABI64
-# define __WORDSIZE_TIME64_COMPAT32 1
-#else
-# define __WORDSIZE_TIME64_COMPAT32 0
-#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
#if __WORDSIZE == 32
#define __WORDSIZE32_SIZE_ULONG 0
diff --git a/sysdeps/nios2/bits/wordsize.h b/sysdeps/nios2/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/nios2/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/powerpc/powerpc32/bits/wordsize.h b/sysdeps/powerpc/powerpc32/bits/wordsize.h
index 04ca9debf0..6993fb6b29 100644
--- a/sysdeps/powerpc/powerpc32/bits/wordsize.h
+++ b/sysdeps/powerpc/powerpc32/bits/wordsize.h
@@ -2,10 +2,9 @@
#if defined __powerpc64__
# define __WORDSIZE 64
-# define __WORDSIZE_TIME64_COMPAT32 1
#else
# define __WORDSIZE 32
-# define __WORDSIZE_TIME64_COMPAT32 0
# define __WORDSIZE32_SIZE_ULONG 0
# define __WORDSIZE32_PTRDIFF_LONG 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
diff --git a/sysdeps/powerpc/powerpc64/bits/wordsize.h b/sysdeps/powerpc/powerpc64/bits/wordsize.h
index 04ca9debf0..6993fb6b29 100644
--- a/sysdeps/powerpc/powerpc64/bits/wordsize.h
+++ b/sysdeps/powerpc/powerpc64/bits/wordsize.h
@@ -2,10 +2,9 @@
#if defined __powerpc64__
# define __WORDSIZE 64
-# define __WORDSIZE_TIME64_COMPAT32 1
#else
# define __WORDSIZE 32
-# define __WORDSIZE_TIME64_COMPAT32 0
# define __WORDSIZE32_SIZE_ULONG 0
# define __WORDSIZE32_PTRDIFF_LONG 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
diff --git a/sysdeps/sh/bits/wordsize.h b/sysdeps/sh/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/sh/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/sparc/sparc32/bits/wordsize.h b/sysdeps/sparc/sparc32/bits/wordsize.h
index 4bbd2e63b4..a2e79e0fa9 100644
--- a/sysdeps/sparc/sparc32/bits/wordsize.h
+++ b/sysdeps/sparc/sparc32/bits/wordsize.h
@@ -1,6 +1,6 @@
/* Determine the wordsize from the preprocessor defines. */
#define __WORDSIZE 32
-#define __WORDSIZE_TIME64_COMPAT32 0
+#define __WORDSIZE_TIME64_COMPAT32 1
#define __WORDSIZE32_SIZE_ULONG 0
#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/sparc/sparc64/bits/wordsize.h b/sysdeps/sparc/sparc64/bits/wordsize.h
index 2f66f10d72..ea103e5970 100644
--- a/sysdeps/sparc/sparc64/bits/wordsize.h
+++ b/sysdeps/sparc/sparc64/bits/wordsize.h
@@ -2,10 +2,9 @@
#if defined __arch64__ || defined __sparcv9
# define __WORDSIZE 64
-# define __WORDSIZE_TIME64_COMPAT32 1
#else
# define __WORDSIZE 32
-# define __WORDSIZE_TIME64_COMPAT32 0
# define __WORDSIZE32_SIZE_ULONG 0
# define __WORDSIZE32_PTRDIFF_LONG 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
diff --git a/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h b/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h
new file mode 100644
index 0000000000..6ecbfe7c86
--- /dev/null
+++ b/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h
@@ -0,0 +1,21 @@
+/* Copyright (C) 1999-2024 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <https://www.gnu.org/licenses/>. */
+
+#define __WORDSIZE 32
+#define __WORDSIZE_TIME64_COMPAT32 1
+#define __WORDSIZE32_SIZE_ULONG 0
+#define __WORDSIZE32_PTRDIFF_LONG 0
diff --git a/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h b/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h
index 04ca9debf0..6993fb6b29 100644
--- a/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h
+++ b/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h
@@ -2,10 +2,9 @@
#if defined __powerpc64__
# define __WORDSIZE 64
-# define __WORDSIZE_TIME64_COMPAT32 1
#else
# define __WORDSIZE 32
-# define __WORDSIZE_TIME64_COMPAT32 0
# define __WORDSIZE32_SIZE_ULONG 0
# define __WORDSIZE32_PTRDIFF_LONG 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
diff --git a/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h b/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h
index 7562875ee2..ea103e5970 100644
--- a/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h
+++ b/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h
@@ -2,10 +2,9 @@
#if defined __arch64__ || defined __sparcv9
# define __WORDSIZE 64
-# define __WORDSIZE_TIME64_COMPAT32 1
#else
# define __WORDSIZE 32
# define __WORDSIZE32_SIZE_ULONG 0
# define __WORDSIZE32_PTRDIFF_LONG 0
-# define __WORDSIZE_TIME64_COMPAT32 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
diff --git a/sysdeps/x86/bits/wordsize.h b/sysdeps/x86/bits/wordsize.h
index 70f652bca1..3f40aa76f9 100644
--- a/sysdeps/x86/bits/wordsize.h
+++ b/sysdeps/x86/bits/wordsize.h
@@ -8,10 +8,9 @@
#define __WORDSIZE32_PTRDIFF_LONG 0
#endif
+#define __WORDSIZE_TIME64_COMPAT32 1
+
#ifdef __x86_64__
-# define __WORDSIZE_TIME64_COMPAT32 1
/* Both x86-64 and x32 use the 64-bit system call interface. */
# define __SYSCALL_WORDSIZE 64
-#else
-# define __WORDSIZE_TIME64_COMPAT32 0
#endif
--
2.45.0