From b08edd98b27174620d51d099a4d7ef0a3689075c2740e0921297e7b9cee4e536 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Tue, 14 May 2024 09:28:22 +0000 Subject: [PATCH] Accepting request 1173931 from home:Andreas_Schwab:Factory - glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch: nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, bsc#1223423, BZ #31677) - glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch: nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch: nscd: Do not send missing not-found response in addgetnetgrentX (CVE-2024-33600, bsc#1223424, BZ #31678) - glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch: netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, bsc#1223425, BZ #31680) - nscd-netgroup-cache-timeout.patch: Use time_t for return type of addgetnetgrentX (CVE-2024-33602, bsc#1223425) - utmp-time-bits.patch: login: structs utmp, utmpx, lastlog _TIME_BITS independence (BZ #30701) - elf-parse-tunables.patch: elf: Only process multiple tunable once (BZ #31686) OBS-URL: https://build.opensuse.org/request/show/1173931 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=707 --- elf-parse-tunables.patch | 215 ++++++ ...scd-Stack-based-buffer-overflow-in-n.patch | 5 +- ...scd-Avoid-null-pointer-crashes-after.patch | 60 ++ ...scd-Do-not-send-missing-not-found-re.patch | 59 ++ ...CVE-2024-33602-nscd-netgroup-Use-two.patch | 390 +++++++++++ glibc.changes | 26 + glibc.spec | 16 +- nscd-netgroup-cache-timeout.patch | 36 + utmp-time-bits.patch | 645 ++++++++++++++++++ 9 files changed, 1448 insertions(+), 4 deletions(-) create mode 100644 elf-parse-tunables.patch rename glibc-fix-cve-2024-33599.patch => glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch (89%) create mode 100644 glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch create mode 100644 glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch create mode 100644 glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch create mode 100644 nscd-netgroup-cache-timeout.patch create mode 100644 utmp-time-bits.patch diff --git a/elf-parse-tunables.patch b/elf-parse-tunables.patch new file mode 100644 index 0000000..ccc040c --- /dev/null +++ b/elf-parse-tunables.patch @@ -0,0 +1,215 @@ +From 71149c2a2e85a8233631cc816030d449f021bb2a Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella +Date: Mon, 6 May 2024 13:18:45 -0300 +Subject: [PATCH] elf: Only process multiple tunable once (BZ 31686) + +The 680c597e9c3 commit made loader reject ill-formatted strings by +first tracking all set tunables and then applying them. However, it does +not take into consideration if the same tunable is set multiple times, +where parse_tunables_string appends the found tunable without checking +if it was already in the list. It leads to a stack-based buffer overflow +if the tunable is specified more than the total number of tunables. For +instance: + + GLIBC_TUNABLES=glibc.malloc.check=2:... (repeat over the number of + total support for different tunable). + +Instead, use the index of the tunable list to get the expected tunable +entry. Since now the initial list is zero-initialized, the compiler +might emit an extra memset and this requires some minor adjustment +on some ports. + +Checked on x86_64-linux-gnu and aarch64-linux-gnu. + +Reported-by: Yuto Maeda +Reported-by: Yutaro Shimizu +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit bcae44ea8536b30a7119c0986ff5692bddacb672) +--- + elf/dl-tunables.c | 28 ++++++---- + elf/tst-tunables.c | 61 +++++++++++++++++++++- + sysdeps/aarch64/multiarch/memset_generic.S | 4 ++ + sysdeps/sparc/sparc64/rtld-memset.c | 3 ++ + 4 files changed, 84 insertions(+), 12 deletions(-) + +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 03e1a68675..614ac9c047 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #define TUNABLES_INTERNAL 1 + #include "dl-tunables.h" +@@ -223,6 +224,7 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables) + { + tunables[ntunables++] = + (struct tunable_toset_t) { cur, value, p - value }; ++ + break; + } + } +@@ -234,23 +236,27 @@ parse_tunables_string (const char *valstring, struct tunable_toset_t *tunables) + static void + parse_tunables (const char *valstring) + { +- struct tunable_toset_t tunables[tunables_list_size]; +- int ntunables = parse_tunables_string (valstring, tunables); +- if (ntunables == -1) ++ struct tunable_toset_t tunables[tunables_list_size] = { 0 }; ++ if (parse_tunables_string (valstring, tunables) == -1) + { + _dl_error_printf ( + "WARNING: ld.so: invalid GLIBC_TUNABLES `%s': ignored.\n", valstring); + return; + } + +- for (int i = 0; i < ntunables; i++) +- if (!tunable_initialize (tunables[i].t, tunables[i].value, +- tunables[i].len)) +- _dl_error_printf ("WARNING: ld.so: invalid GLIBC_TUNABLES value `%.*s' " +- "for option `%s': ignored.\n", +- (int) tunables[i].len, +- tunables[i].value, +- tunables[i].t->name); ++ for (int i = 0; i < tunables_list_size; i++) ++ { ++ if (tunables[i].t == NULL) ++ continue; ++ ++ if (!tunable_initialize (tunables[i].t, tunables[i].value, ++ tunables[i].len)) ++ _dl_error_printf ("WARNING: ld.so: invalid GLIBC_TUNABLES value `%.*s' " ++ "for option `%s': ignored.\n", ++ (int) tunables[i].len, ++ tunables[i].value, ++ tunables[i].t->name); ++ } + } + + /* Initialize the tunables list from the environment. For now we only use the +diff --git a/elf/tst-tunables.c b/elf/tst-tunables.c +index 095b5c81d9..dff34ed748 100644 +--- a/elf/tst-tunables.c ++++ b/elf/tst-tunables.c +@@ -17,6 +17,10 @@ + . */ + + #include ++/* The test uses the tunable_list size, which is only exported for ++ ld.so. This will result in a copy of tunable_list, which is ununsed by ++ the test itself. */ ++#define TUNABLES_INTERNAL 1 + #include + #include + #include +@@ -24,12 +28,13 @@ + #include + #include + #include ++#include + + static int restart; + #define CMDLINE_OPTIONS \ + { "restart", no_argument, &restart, 1 }, + +-static const struct test_t ++static struct test_t + { + const char *name; + const char *value; +@@ -284,6 +289,29 @@ static const struct test_t + 0, + 0, + }, ++ /* Also check for repeated tunables with a count larger than the total number ++ of tunables. */ ++ { ++ "GLIBC_TUNABLES", ++ NULL, ++ 2, ++ 0, ++ 0, ++ }, ++ { ++ "GLIBC_TUNABLES", ++ NULL, ++ 1, ++ 0, ++ 0, ++ }, ++ { ++ "GLIBC_TUNABLES", ++ NULL, ++ 0, ++ 0, ++ 0, ++ }, + }; + + static int +@@ -327,6 +355,37 @@ do_test (int argc, char *argv[]) + spargv[i] = NULL; + } + ++ /* Create a tunable line with the duplicate values with a total number ++ larger than the different number of tunables. */ ++ { ++ enum { tunables_list_size = array_length (tunable_list) }; ++ const char *value = ""; ++ for (int i = 0; i < tunables_list_size; i++) ++ value = xasprintf ("%sglibc.malloc.check=2%c", ++ value, ++ i == (tunables_list_size - 1) ? '\0' : ':'); ++ tests[33].value = value; ++ } ++ /* Same as before, but the last tunable values is differen than the ++ rest. */ ++ { ++ enum { tunables_list_size = array_length (tunable_list) }; ++ const char *value = ""; ++ for (int i = 0; i < tunables_list_size - 1; i++) ++ value = xasprintf ("%sglibc.malloc.check=2:", value); ++ value = xasprintf ("%sglibc.malloc.check=1", value); ++ tests[34].value = value; ++ } ++ /* Same as before, but with an invalid last entry. */ ++ { ++ enum { tunables_list_size = array_length (tunable_list) }; ++ const char *value = ""; ++ for (int i = 0; i < tunables_list_size - 1; i++) ++ value = xasprintf ("%sglibc.malloc.check=2:", value); ++ value = xasprintf ("%sglibc.malloc.check=1=1", value); ++ tests[35].value = value; ++ } ++ + for (int i = 0; i < array_length (tests); i++) + { + snprintf (nteststr, sizeof nteststr, "%d", i); +diff --git a/sysdeps/aarch64/multiarch/memset_generic.S b/sysdeps/aarch64/multiarch/memset_generic.S +index 81748bdbce..e125a5ed85 100644 +--- a/sysdeps/aarch64/multiarch/memset_generic.S ++++ b/sysdeps/aarch64/multiarch/memset_generic.S +@@ -33,3 +33,7 @@ + #endif + + #include <../memset.S> ++ ++#if IS_IN (rtld) ++strong_alias (memset, __memset_generic) ++#endif +diff --git a/sysdeps/sparc/sparc64/rtld-memset.c b/sysdeps/sparc/sparc64/rtld-memset.c +index 55f3835790..a19202a620 100644 +--- a/sysdeps/sparc/sparc64/rtld-memset.c ++++ b/sysdeps/sparc/sparc64/rtld-memset.c +@@ -1 +1,4 @@ + #include ++#if IS_IN(rtld) ++strong_alias (memset, __memset_ultra1) ++#endif +-- +2.45.0 + diff --git a/glibc-fix-cve-2024-33599.patch b/glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch similarity index 89% rename from glibc-fix-cve-2024-33599.patch rename to glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch index e0eb939..d66fa7d 100644 --- a/glibc-fix-cve-2024-33599.patch +++ b/glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch @@ -1,4 +1,4 @@ -From 87801a8fd06db1d654eea3e4f7626ff476a9bdaa Mon Sep 17 00:00:00 2001 +From 1263d583d2e28afb8be53f8d6922f0842036f35d Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Thu, 25 Apr 2024 15:00:45 +0200 Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup @@ -8,6 +8,7 @@ Using alloca matches what other caches do. The request length is bounded by MAXKEYLEN. Reviewed-by: Carlos O'Donell +(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa) --- nscd/netgroupcache.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) @@ -33,5 +34,5 @@ index 0c6e46f15c..f227dc7fa2 100644 datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, -- -2.44.0 +2.45.0 diff --git a/glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch b/glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch new file mode 100644 index 0000000..72869e4 --- /dev/null +++ b/glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch @@ -0,0 +1,60 @@ +From c99f886de54446cd4447db6b44be93dabbdc2f8b Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 25 Apr 2024 15:01:07 +0200 +Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after + notfound response (bug 31678) + +The addgetnetgrentX call in addinnetgrX may have failed to produce +a result, so the result variable in addinnetgrX can be NULL. +Use db->negtimeout as the fallback value if there is no result data; +the timeout is also overwritten below. + +Also avoid sending a second not-found response. (The client +disconnects after receiving the first response, so the data stream did +not go out of sync even without this fix.) It is still beneficial to +add the negative response to the mapping, so that the client can get +it from there in the future, instead of going through the socket. + +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2) +--- + nscd/netgroupcache.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index c18fe111f3..e22ffa5884 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + + datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, + sizeof (innetgroup_response_header), +- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); ++ he == NULL ? 0 : dh->nreloads + 1, ++ result == NULL ? db->negtimeout : result->head.ttl); + /* Set the notfound status and timeout based on the result from + getnetgrent. */ +- dataset->head.notfound = result->head.notfound; ++ dataset->head.notfound = result == NULL || result->head.notfound; + dataset->head.timeout = timeout; + + dataset->resp.version = NSCD_VERSION; +- dataset->resp.found = result->resp.found; ++ dataset->resp.found = result != NULL && result->resp.found; + /* Until we find a matching entry the result is 0. */ + dataset->resp.result = 0; + +@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + goto out; + } + +- if (he == NULL) ++ /* addgetnetgrentX may have already sent a notfound response. Do ++ not send another one. */ ++ if (he == NULL && dataset->resp.found) + { + /* We write the dataset before inserting it to the database + since while inserting this thread might block and so would +-- +2.45.0 + diff --git a/glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch b/glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch new file mode 100644 index 0000000..7ecd88f --- /dev/null +++ b/glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch @@ -0,0 +1,59 @@ +From 5a508e0b508c8ad53bd0d2fb48fd71b242626341 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 25 Apr 2024 15:01:07 +0200 +Subject: [PATCH] CVE-2024-33600: nscd: Do not send missing not-found response + in addgetnetgrentX (bug 31678) + +If we failed to add a not-found response to the cache, the dataset +point can be null, resulting in a null pointer dereference. + +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa) +--- + nscd/netgroupcache.c | 14 ++++++-------- + 1 file changed, 6 insertions(+), 8 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index f227dc7fa2..c18fe111f3 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + /* No such service. */ + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + memset (&data, '\0', sizeof (data)); +@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + { + cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, + &key_copy); +- goto writeout; ++ goto maybe_cache_add; + } + + total = buffilled; +@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + if (he == NULL && fd != -1) +- { +- /* We write the dataset before inserting it to the database +- since while inserting this thread might block and so would +- unnecessarily let the receiver wait. */ +- writeout: ++ /* We write the dataset before inserting it to the database since ++ while inserting this thread might block and so would ++ unnecessarily let the receiver wait. */ + writeall (fd, &dataset->resp, dataset->head.recsize); +- } + ++ maybe_cache_add: + if (cacheable) + { + /* If necessary, we also propagate the data to disk. */ +-- +2.45.0 + diff --git a/glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch b/glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch new file mode 100644 index 0000000..e1edf7d --- /dev/null +++ b/glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch @@ -0,0 +1,390 @@ +From a9a8d3eebb145779a18d90e3966009a1daa63cd8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 25 Apr 2024 15:01:07 +0200 +Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two + buffers in addgetnetgrentX (bug 31680) + +This avoids potential memory corruption when the underlying NSS +callback function does not use the buffer space to store all strings +(e.g., for constant strings). + +Instead of custom buffer management, two scratch buffers are used. +This increases stack usage somewhat. + +Scratch buffer allocation failure is handled by return -1 +(an invalid timeout value) instead of terminating the process. +This fixes bug 31679. + +Reviewed-by: Siddhesh Poyarekar +(cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b) +--- + nscd/netgroupcache.c | 219 ++++++++++++++++++++++++------------------- + 1 file changed, 121 insertions(+), 98 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index e22ffa5884..e8fe041846 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include "../nss/netgroup.h" + #include "nscd.h" +@@ -65,6 +66,16 @@ struct dataset + char strdata[0]; + }; + ++/* Send a notfound response to FD. Always returns -1 to indicate an ++ ephemeral error. */ ++static time_t ++send_notfound (int fd) ++{ ++ if (fd != -1) ++ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL)); ++ return -1; ++} ++ + /* Sends a notfound message and prepares a notfound dataset to write to the + cache. Returns true if there was enough memory to allocate the dataset and + returns the dataset in DATASETP, total bytes to write in TOTALP and the +@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + total = sizeof (notfound); + timeout = time (NULL) + db->negtimeout; + +- if (fd != -1) +- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL)); ++ send_notfound (fd); + + dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1); + /* If we cannot permanently store the result, so be it. */ +@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, + return cacheable; + } + ++struct addgetnetgrentX_scratch ++{ ++ /* This is the result that the caller should use. It can be NULL, ++ point into buffer, or it can be in the cache. */ ++ struct dataset *dataset; ++ ++ struct scratch_buffer buffer; ++ ++ /* Used internally in addgetnetgrentX as a staging area. */ ++ struct scratch_buffer tmp; ++ ++ /* Number of bytes in buffer that are actually used. */ ++ size_t buffer_used; ++}; ++ ++static void ++addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch->dataset = NULL; ++ scratch_buffer_init (&scratch->buffer); ++ scratch_buffer_init (&scratch->tmp); ++ ++ /* Reserve space for the header. */ ++ scratch->buffer_used = sizeof (struct dataset); ++ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space), ++ "initial buffer space"); ++ memset (scratch->tmp.data, 0, sizeof (struct dataset)); ++} ++ ++static void ++addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch) ++{ ++ scratch_buffer_free (&scratch->buffer); ++ scratch_buffer_free (&scratch->tmp); ++} ++ ++/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH ++ could not be resized, otherwise a pointer to the copy. */ ++static char * ++addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch, ++ const char *s, size_t length) ++{ ++ while (true) ++ { ++ size_t remaining = scratch->buffer.length - scratch->buffer_used; ++ if (remaining >= length) ++ break; ++ if (!scratch_buffer_grow_preserve (&scratch->buffer)) ++ return NULL; ++ } ++ char *copy = scratch->buffer.data + scratch->buffer_used; ++ memcpy (copy, s, length); ++ scratch->buffer_used += length; ++ return copy; ++} ++ ++/* Copy S into SCRATCH, including its null terminator. Returns false ++ if SCRATCH could not be resized. */ ++static bool ++addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s) ++{ ++ if (s == NULL) ++ s = ""; ++ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL; ++} ++ ++/* Caller must initialize and free *SCRATCH. If the return value is ++ negative, this function has sent a notfound response. */ + static time_t + addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, +- struct datahead *dh, struct dataset **resultp, +- void **tofreep) ++ struct datahead *dh, struct addgetnetgrentX_scratch *scratch) + { + if (__glibc_unlikely (debug_level > 0)) + { +@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + + char *key_copy = NULL; + struct __netgrent data; +- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len); +- size_t buffilled = sizeof (*dataset); +- char *buffer = NULL; + size_t nentries = 0; + size_t group_len = strlen (key) + 1; + struct name_list *first_needed + = alloca (sizeof (struct name_list) + group_len); +- *tofreep = NULL; + + if (netgroup_database == NULL + && !__nss_database_get (nss_database_netgroup, &netgroup_database)) +@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + memset (&data, '\0', sizeof (data)); +- buffer = xmalloc (buflen); +- *tofreep = buffer; + first_needed->next = first_needed; + memcpy (first_needed->name, key, group_len); + data.needed_groups = first_needed; +@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + while (1) + { + int e; +- status = getfct.f (&data, buffer + buffilled, +- buflen - buffilled - req->key_len, &e); ++ status = getfct.f (&data, scratch->tmp.data, ++ scratch->tmp.length, &e); + if (status == NSS_STATUS_SUCCESS) + { + if (data.type == triple_val) +@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + const char *nhost = data.val.triple.host; + const char *nuser = data.val.triple.user; + const char *ndomain = data.val.triple.domain; +- +- size_t hostlen = strlen (nhost ?: "") + 1; +- size_t userlen = strlen (nuser ?: "") + 1; +- size_t domainlen = strlen (ndomain ?: "") + 1; +- +- if (nhost == NULL || nuser == NULL || ndomain == NULL +- || nhost > nuser || nuser > ndomain) +- { +- const char *last = nhost; +- if (last == NULL +- || (nuser != NULL && nuser > last)) +- last = nuser; +- if (last == NULL +- || (ndomain != NULL && ndomain > last)) +- last = ndomain; +- +- size_t bufused +- = (last == NULL +- ? buffilled +- : last + strlen (last) + 1 - buffer); +- +- /* We have to make temporary copies. */ +- size_t needed = hostlen + userlen + domainlen; +- +- if (buflen - req->key_len - bufused < needed) +- { +- buflen += MAX (buflen, 2 * needed); +- /* Save offset in the old buffer. We don't +- bother with the NULL check here since +- we'll do that later anyway. */ +- size_t nhostdiff = nhost - buffer; +- size_t nuserdiff = nuser - buffer; +- size_t ndomaindiff = ndomain - buffer; +- +- char *newbuf = xrealloc (buffer, buflen); +- /* Fix up the triplet pointers into the new +- buffer. */ +- nhost = (nhost ? newbuf + nhostdiff +- : NULL); +- nuser = (nuser ? newbuf + nuserdiff +- : NULL); +- ndomain = (ndomain ? newbuf + ndomaindiff +- : NULL); +- *tofreep = buffer = newbuf; +- } +- +- nhost = memcpy (buffer + bufused, +- nhost ?: "", hostlen); +- nuser = memcpy ((char *) nhost + hostlen, +- nuser ?: "", userlen); +- ndomain = memcpy ((char *) nuser + userlen, +- ndomain ?: "", domainlen); +- } +- +- char *wp = buffer + buffilled; +- wp = memmove (wp, nhost ?: "", hostlen); +- wp += hostlen; +- wp = memmove (wp, nuser ?: "", userlen); +- wp += userlen; +- wp = memmove (wp, ndomain ?: "", domainlen); +- wp += domainlen; +- buffilled = wp - buffer; ++ if (!(addgetnetgrentX_append (scratch, nhost) ++ && addgetnetgrentX_append (scratch, nuser) ++ && addgetnetgrentX_append (scratch, ndomain))) ++ return send_notfound (fd); + ++nentries; + } + else +@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) + { +- buflen *= 2; +- *tofreep = buffer = xrealloc (buffer, buflen); ++ if (!scratch_buffer_grow (&scratch->tmp)) ++ return send_notfound (fd); + } + else if (status == NSS_STATUS_RETURN + || status == NSS_STATUS_NOTFOUND +@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + goto maybe_cache_add; + } + +- total = buffilled; ++ /* Capture the result size without the key appended. */ ++ total = scratch->buffer_used; ++ ++ /* Make a copy of the key. The scratch buffer must not move after ++ this point. */ ++ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len); ++ if (key_copy == NULL) ++ return send_notfound (fd); + + /* Fill in the dataset. */ +- dataset = (struct dataset *) buffer; ++ dataset = scratch->buffer.data; + timeout = datahead_init_pos (&dataset->head, total + req->key_len, + total - offsetof (struct dataset, resp), + he == NULL ? 0 : dh->nreloads + 1, +@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + dataset->resp.version = NSCD_VERSION; + dataset->resp.found = 1; + dataset->resp.nresults = nentries; +- dataset->resp.result_len = buffilled - sizeof (*dataset); +- +- assert (buflen - buffilled >= req->key_len); +- key_copy = memcpy (buffer + buffilled, key, req->key_len); +- buffilled += req->key_len; ++ dataset->resp.result_len = total - sizeof (*dataset); + + /* Now we can determine whether on refill we have to create a new + record or not. */ +@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + if (__glibc_likely (newp != NULL)) + { + /* Adjust pointer into the memory block. */ +- key_copy = (char *) newp + (key_copy - buffer); ++ key_copy = (char *) newp + (key_copy - (char *) dataset); + + dataset = memcpy (newp, dataset, total + req->key_len); + cacheable = true; +@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- *resultp = dataset; ++ scratch->dataset = dataset; + + return timeout; + } +@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + if (user != NULL) + key = strchr (key, '\0') + 1; + const char *domain = *key++ ? key : NULL; ++ struct addgetnetgrentX_scratch scratch; ++ ++ addgetnetgrentX_scratch_init (&scratch); + + if (__glibc_unlikely (debug_level > 0)) + { +@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + group, group_len, + db, uid); + time_t timeout; +- void *tofree; + if (result != NULL) +- { +- timeout = result->head.timeout; +- tofree = NULL; +- } ++ timeout = result->head.timeout; + else + { + request_header req_get = +@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + .key_len = group_len + }; + timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, +- &result, &tofree); ++ &scratch); ++ result = scratch.dataset; ++ if (timeout < 0) ++ goto out; + } + + struct indataset +@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, + } + + out: +- free (tofree); ++ addgetnetgrentX_scratch_free (&scratch); + return timeout; + } + +@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, + const char *key, uid_t uid, struct hashentry *he, + struct datahead *dh) + { +- struct dataset *ignore; +- void *tofree; +- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, +- &ignore, &tofree); +- free (tofree); ++ struct addgetnetgrentX_scratch scratch; ++ addgetnetgrentX_scratch_init (&scratch); ++ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch); ++ addgetnetgrentX_scratch_free (&scratch); ++ if (timeout < 0) ++ timeout = 0; + return timeout; + } + +@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, + .key_len = he->len + }; + +- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh); ++ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, ++ he, dh); ++ if (timeout < 0) ++ timeout = 0; ++ return timeout; + } +-- +2.45.0 + diff --git a/glibc.changes b/glibc.changes index acad9d8..54863e0 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,29 @@ +------------------------------------------------------------------- +Mon May 13 09:45:36 UTC 2024 - Andreas Schwab + +- glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch: + nscd: Stack-based buffer overflow in netgroup cache + (CVE-2024-33599, bsc#1223423, BZ #31677) +- glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch: + nscd: Avoid null pointer crashes after notfound response + (CVE-2024-33600, bsc#1223424, BZ #31678) +- glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch: + nscd: Do not send missing not-found response in addgetnetgrentX + (CVE-2024-33600, bsc#1223424, BZ #31678) +- glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch: + netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, + CVE-2024-33602, bsc#1223425, BZ #31680) +- nscd-netgroup-cache-timeout.patch: Use time_t for return type of + addgetnetgrentX (CVE-2024-33602, bsc#1223425) + +------------------------------------------------------------------- +Wed May 8 10:42:39 UTC 2024 - Andreas Schwab + +- utmp-time-bits.patch: login: structs utmp, utmpx, lastlog _TIME_BITS + independence (BZ #30701) +- elf-parse-tunables.patch: elf: Only process multiple tunable once (BZ + #31686) + ------------------------------------------------------------------- Mon Apr 29 17:42:43 UTC 2024 - Giuliano Belinassi diff --git a/glibc.spec b/glibc.spec index ea086da..9cb9bfd 100644 --- a/glibc.spec +++ b/glibc.spec @@ -314,8 +314,20 @@ Patch1003: sigisemptyset.patch Patch1004: stdbit-builtins.patch # PATCH-FIX-UPSTREAM iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing escape sequence (CVE-2024-2961) Patch1005: iconv-iso-2022-cn-ext.patch -# PATCH-FIX-UPSTREAM: CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup cache -Patch1006: glibc-fix-cve-2024-33599.patch +# PATCH-FIX-UPSTREAM login: structs utmp, utmpx, lastlog _TIME_BITS independence (BZ #30701) +Patch1006: utmp-time-bits.patch +# PATCH-FIX-UPSTREAM elf: Only process multiple tunable once (BZ #31686) +Patch1007: elf-parse-tunables.patch +# PATCH-FIX-UPSTREAM nscd: Stack-based buffer overflow in netgroup cache (CVE-2024-33599, BZ #31677) +Patch1008: glibc-CVE-2024-33599-nscd-Stack-based-buffer-overflow-in-n.patch +# PATCH-FIX-UPSTREAM nscd: Do not send missing not found response in addgetnetgrentX (CVE-2024-33600, BZ #31678) +Patch1009: glibc-CVE-2024-33600-nscd-Do-not-send-missing-not-found-re.patch +# PATCH-FIX-UPSTREAM nscd: Avoid null pointer crashes after notfound response (CVE-2024-33600, BZ #31678) +Patch1010: glibc-CVE-2024-33600-nscd-Avoid-null-pointer-crashes-after.patch +# PATCH-FIX-UPSTREAM nscd netgroup: Use two buffers in addgetnetgrentX (CVE-2024-33601, CVE-2024-33602, BZ #31680) +Patch1011: glibc-CVE-2024-33601-CVE-2024-33602-nscd-netgroup-Use-two.patch +# PATCH-FIX-UPSTREAM nscd: Use time_t for return type of addgetnetgrentX (CVE-2024-33602) +Patch1012: nscd-netgroup-cache-timeout.patch %endif ### diff --git a/nscd-netgroup-cache-timeout.patch b/nscd-netgroup-cache-timeout.patch new file mode 100644 index 0000000..abe8f76 --- /dev/null +++ b/nscd-netgroup-cache-timeout.patch @@ -0,0 +1,36 @@ +From acc56074b0a5127631a64640aef1b7c5c103ebd8 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 2 May 2024 17:06:19 +0200 +Subject: [PATCH] nscd: Use time_t for return type of addgetnetgrentX + +Using int may give false results for future dates (timeouts after the +year 2028). + +Fixes commit 04a21e050d64a1193a6daab872bca2528bda44b ("CVE-2024-33601, +CVE-2024-33602: nscd: netgroup: Use two buffers in addgetnetgrentX +(bug 31680)"). + +Reviewed-by: Carlos O'Donell +(cherry picked from commit 4bbca1a44691a6e9adcee5c6798a707b626bc331) +--- + nscd/netgroupcache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c +index e8fe041846..01d554af9c 100644 +--- a/nscd/netgroupcache.c ++++ b/nscd/netgroupcache.c +@@ -680,8 +680,8 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, + .key_len = he->len + }; + +- int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, +- he, dh); ++ time_t timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, ++ he, dh); + if (timeout < 0) + timeout = 0; + return timeout; +-- +2.45.0 + diff --git a/utmp-time-bits.patch b/utmp-time-bits.patch new file mode 100644 index 0000000..2924fde --- /dev/null +++ b/utmp-time-bits.patch @@ -0,0 +1,645 @@ +From 9831f98c266a8d56d1bf729b709c08e40375540c Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Fri, 19 Apr 2024 14:38:17 +0200 +Subject: [PATCH] login: Check default sizes of structs utmp, utmpx, lastlog + +The default is for ports with a 64-bit time_t. +Ports with a 32-bit time_t or with __WORDSIZE_TIME64_COMPAT32=1 +need to override it. + +Reviewed-by: Adhemerval Zanella +(cherry picked from commit 4d4da5aab936504b2d3eca3146e109630d9093c4) +--- + login/Makefile | 2 +- + login/tst-utmp-size.c | 33 +++++++++++++++++++++++++++++++++ + sysdeps/arc/utmp-size.h | 3 +++ + sysdeps/arm/utmp-size.h | 2 ++ + sysdeps/csky/utmp-size.h | 2 ++ + sysdeps/generic/utmp-size.h | 23 +++++++++++++++++++++++ + sysdeps/hppa/utmp-size.h | 2 ++ + sysdeps/m68k/utmp-size.h | 3 +++ + sysdeps/microblaze/utmp-size.h | 2 ++ + sysdeps/mips/utmp-size.h | 2 ++ + sysdeps/nios2/utmp-size.h | 2 ++ + sysdeps/or1k/utmp-size.h | 3 +++ + sysdeps/powerpc/utmp-size.h | 2 ++ + sysdeps/riscv/utmp-size.h | 2 ++ + sysdeps/sh/utmp-size.h | 2 ++ + sysdeps/sparc/utmp-size.h | 2 ++ + sysdeps/x86/utmp-size.h | 2 ++ + 17 files changed, 88 insertions(+), 1 deletion(-) + create mode 100644 login/tst-utmp-size.c + create mode 100644 sysdeps/arc/utmp-size.h + create mode 100644 sysdeps/arm/utmp-size.h + create mode 100644 sysdeps/csky/utmp-size.h + create mode 100644 sysdeps/generic/utmp-size.h + create mode 100644 sysdeps/hppa/utmp-size.h + create mode 100644 sysdeps/m68k/utmp-size.h + create mode 100644 sysdeps/microblaze/utmp-size.h + create mode 100644 sysdeps/mips/utmp-size.h + create mode 100644 sysdeps/nios2/utmp-size.h + create mode 100644 sysdeps/or1k/utmp-size.h + create mode 100644 sysdeps/powerpc/utmp-size.h + create mode 100644 sysdeps/riscv/utmp-size.h + create mode 100644 sysdeps/sh/utmp-size.h + create mode 100644 sysdeps/sparc/utmp-size.h + create mode 100644 sysdeps/x86/utmp-size.h + +diff --git a/login/Makefile b/login/Makefile +index 1e22008a61..b26ac42bfc 100644 +--- a/login/Makefile ++++ b/login/Makefile +@@ -44,7 +44,7 @@ subdir-dirs = programs + vpath %.c programs + + tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname tst-getlogin tst-updwtmpx \ +- tst-pututxline-lockfail tst-pututxline-cache ++ tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size + + # Empty compatibility library for old binaries. + extra-libs := libutil +diff --git a/login/tst-utmp-size.c b/login/tst-utmp-size.c +new file mode 100644 +index 0000000000..1b7f7ff042 +--- /dev/null ++++ b/login/tst-utmp-size.c +@@ -0,0 +1,33 @@ ++/* Check expected sizes of struct utmp, struct utmpx, struct lastlog. ++ Copyright (C) 2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++static int ++do_test (void) ++{ ++ _Static_assert (sizeof (struct utmp) == UTMP_SIZE, "struct utmp size"); ++ _Static_assert (sizeof (struct utmpx) == UTMP_SIZE, "struct utmpx size"); ++ _Static_assert (sizeof (struct lastlog) == LASTLOG_SIZE, ++ "struct lastlog size"); ++ return 0; ++} ++ ++#include +diff --git a/sysdeps/arc/utmp-size.h b/sysdeps/arc/utmp-size.h +new file mode 100644 +index 0000000000..a247fcd3da +--- /dev/null ++++ b/sysdeps/arc/utmp-size.h +@@ -0,0 +1,3 @@ ++/* arc has less padding than other architectures with 64-bit time_t. */ ++#define UTMP_SIZE 392 ++#define LASTLOG_SIZE 296 +diff --git a/sysdeps/arm/utmp-size.h b/sysdeps/arm/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/arm/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/csky/utmp-size.h b/sysdeps/csky/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/csky/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/generic/utmp-size.h b/sysdeps/generic/utmp-size.h +new file mode 100644 +index 0000000000..89dbe878b0 +--- /dev/null ++++ b/sysdeps/generic/utmp-size.h +@@ -0,0 +1,23 @@ ++/* Expected sizes of utmp-related structures stored in files. 64-bit version. ++ Copyright (C) 2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Expected size, in bytes, of struct utmp and struct utmpx. */ ++#define UTMP_SIZE 400 ++ ++/* Expected size, in bytes, of struct lastlog. */ ++#define LASTLOG_SIZE 296 +diff --git a/sysdeps/hppa/utmp-size.h b/sysdeps/hppa/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/hppa/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/m68k/utmp-size.h b/sysdeps/m68k/utmp-size.h +new file mode 100644 +index 0000000000..5946685819 +--- /dev/null ++++ b/sysdeps/m68k/utmp-size.h +@@ -0,0 +1,3 @@ ++/* m68k has 2-byte alignment. */ ++#define UTMP_SIZE 382 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/microblaze/utmp-size.h b/sysdeps/microblaze/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/microblaze/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/mips/utmp-size.h b/sysdeps/mips/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/mips/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/nios2/utmp-size.h b/sysdeps/nios2/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/nios2/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/or1k/utmp-size.h b/sysdeps/or1k/utmp-size.h +new file mode 100644 +index 0000000000..6b3653aa4d +--- /dev/null ++++ b/sysdeps/or1k/utmp-size.h +@@ -0,0 +1,3 @@ ++/* or1k has less padding than other architectures with 64-bit time_t. */ ++#define UTMP_SIZE 392 ++#define LASTLOG_SIZE 296 +diff --git a/sysdeps/powerpc/utmp-size.h b/sysdeps/powerpc/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/powerpc/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/riscv/utmp-size.h b/sysdeps/riscv/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/riscv/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/sh/utmp-size.h b/sysdeps/sh/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/sh/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/sparc/utmp-size.h b/sysdeps/sparc/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/sparc/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +diff --git a/sysdeps/x86/utmp-size.h b/sysdeps/x86/utmp-size.h +new file mode 100644 +index 0000000000..8f21ebe1b6 +--- /dev/null ++++ b/sysdeps/x86/utmp-size.h +@@ -0,0 +1,2 @@ ++#define UTMP_SIZE 384 ++#define LASTLOG_SIZE 292 +-- +2.45.0 + +From 836d43b98973e0845b739ff5d3aad3af09dc7d0f Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Fri, 19 Apr 2024 14:38:17 +0200 +Subject: [PATCH] login: structs utmp, utmpx, lastlog _TIME_BITS independence + (bug 30701) + +These structs describe file formats under /var/log, and should not +depend on the definition of _TIME_BITS. This is achieved by +defining __WORDSIZE_TIME64_COMPAT32 to 1 on 32-bit ports that +support 32-bit time_t values (where __time_t is 32 bits). + +Reviewed-by: Adhemerval Zanella +(cherry picked from commit 9abdae94c7454c45e02e97e4ed1eb1b1915d13d8) +--- + bits/wordsize.h | 6 ++++-- + login/Makefile | 4 +++- + login/tst-utmp-size-64.c | 2 ++ + sysdeps/arm/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/csky/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/m68k/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/microblaze/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/mips/bits/wordsize.h | 6 +----- + sysdeps/nios2/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/powerpc/powerpc32/bits/wordsize.h | 3 +-- + sysdeps/powerpc/powerpc64/bits/wordsize.h | 3 +-- + sysdeps/sh/bits/wordsize.h | 21 +++++++++++++++++++ + sysdeps/sparc/sparc32/bits/wordsize.h | 2 +- + sysdeps/sparc/sparc64/bits/wordsize.h | 3 +-- + sysdeps/unix/sysv/linux/hppa/bits/wordsize.h | 21 +++++++++++++++++++ + .../unix/sysv/linux/powerpc/bits/wordsize.h | 3 +-- + sysdeps/unix/sysv/linux/sparc/bits/wordsize.h | 3 +-- + sysdeps/x86/bits/wordsize.h | 5 ++--- + 18 files changed, 165 insertions(+), 22 deletions(-) + create mode 100644 login/tst-utmp-size-64.c + create mode 100644 sysdeps/arm/bits/wordsize.h + create mode 100644 sysdeps/csky/bits/wordsize.h + create mode 100644 sysdeps/m68k/bits/wordsize.h + create mode 100644 sysdeps/microblaze/bits/wordsize.h + create mode 100644 sysdeps/nios2/bits/wordsize.h + create mode 100644 sysdeps/sh/bits/wordsize.h + create mode 100644 sysdeps/unix/sysv/linux/hppa/bits/wordsize.h + +diff --git a/bits/wordsize.h b/bits/wordsize.h +index 14edae3a11..53013a9275 100644 +--- a/bits/wordsize.h ++++ b/bits/wordsize.h +@@ -21,7 +21,9 @@ + #define __WORDSIZE32_PTRDIFF_LONG + + /* Set to 1 in order to force time types to be 32 bits instead of 64 bits in +- struct lastlog and struct utmp{,x} on 64-bit ports. This may be done in ++ struct lastlog and struct utmp{,x}. This may be done in + order to make 64-bit ports compatible with 32-bit ports. Set to 0 for +- 64-bit ports where the time types are 64-bits or for any 32-bit ports. */ ++ 64-bit ports where the time types are 64-bits and new 32-bit ports ++ where time_t is 64 bits, and there is no companion architecture with ++ 32-bit time_t. */ + #define __WORDSIZE_TIME64_COMPAT32 +diff --git a/login/Makefile b/login/Makefile +index b26ac42bfc..f91190e3dc 100644 +--- a/login/Makefile ++++ b/login/Makefile +@@ -44,7 +44,9 @@ subdir-dirs = programs + vpath %.c programs + + tests := tst-utmp tst-utmpx tst-grantpt tst-ptsname tst-getlogin tst-updwtmpx \ +- tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size ++ tst-pututxline-lockfail tst-pututxline-cache tst-utmp-size tst-utmp-size-64 ++ ++CFLAGS-tst-utmp-size-64.c += -D_FILE_OFFSET_BITS=64 -D_TIME_BITS=64 + + # Empty compatibility library for old binaries. + extra-libs := libutil +diff --git a/login/tst-utmp-size-64.c b/login/tst-utmp-size-64.c +new file mode 100644 +index 0000000000..7a581a4c12 +--- /dev/null ++++ b/login/tst-utmp-size-64.c +@@ -0,0 +1,2 @@ ++/* The on-disk layout must not change in time64 mode. */ ++#include "tst-utmp-size.c" +diff --git a/sysdeps/arm/bits/wordsize.h b/sysdeps/arm/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/arm/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/csky/bits/wordsize.h b/sysdeps/csky/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/csky/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/m68k/bits/wordsize.h b/sysdeps/m68k/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/m68k/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/microblaze/bits/wordsize.h b/sysdeps/microblaze/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/microblaze/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/mips/bits/wordsize.h b/sysdeps/mips/bits/wordsize.h +index 57f0f2a22f..30dd3fd85d 100644 +--- a/sysdeps/mips/bits/wordsize.h ++++ b/sysdeps/mips/bits/wordsize.h +@@ -19,11 +19,7 @@ + + #define __WORDSIZE _MIPS_SZPTR + +-#if _MIPS_SIM == _ABI64 +-# define __WORDSIZE_TIME64_COMPAT32 1 +-#else +-# define __WORDSIZE_TIME64_COMPAT32 0 +-#endif ++#define __WORDSIZE_TIME64_COMPAT32 1 + + #if __WORDSIZE == 32 + #define __WORDSIZE32_SIZE_ULONG 0 +diff --git a/sysdeps/nios2/bits/wordsize.h b/sysdeps/nios2/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/nios2/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/powerpc/powerpc32/bits/wordsize.h b/sysdeps/powerpc/powerpc32/bits/wordsize.h +index 04ca9debf0..6993fb6b29 100644 +--- a/sysdeps/powerpc/powerpc32/bits/wordsize.h ++++ b/sysdeps/powerpc/powerpc32/bits/wordsize.h +@@ -2,10 +2,9 @@ + + #if defined __powerpc64__ + # define __WORDSIZE 64 +-# define __WORDSIZE_TIME64_COMPAT32 1 + #else + # define __WORDSIZE 32 +-# define __WORDSIZE_TIME64_COMPAT32 0 + # define __WORDSIZE32_SIZE_ULONG 0 + # define __WORDSIZE32_PTRDIFF_LONG 0 + #endif ++#define __WORDSIZE_TIME64_COMPAT32 1 +diff --git a/sysdeps/powerpc/powerpc64/bits/wordsize.h b/sysdeps/powerpc/powerpc64/bits/wordsize.h +index 04ca9debf0..6993fb6b29 100644 +--- a/sysdeps/powerpc/powerpc64/bits/wordsize.h ++++ b/sysdeps/powerpc/powerpc64/bits/wordsize.h +@@ -2,10 +2,9 @@ + + #if defined __powerpc64__ + # define __WORDSIZE 64 +-# define __WORDSIZE_TIME64_COMPAT32 1 + #else + # define __WORDSIZE 32 +-# define __WORDSIZE_TIME64_COMPAT32 0 + # define __WORDSIZE32_SIZE_ULONG 0 + # define __WORDSIZE32_PTRDIFF_LONG 0 + #endif ++#define __WORDSIZE_TIME64_COMPAT32 1 +diff --git a/sysdeps/sh/bits/wordsize.h b/sysdeps/sh/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/sh/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/sparc/sparc32/bits/wordsize.h b/sysdeps/sparc/sparc32/bits/wordsize.h +index 4bbd2e63b4..a2e79e0fa9 100644 +--- a/sysdeps/sparc/sparc32/bits/wordsize.h ++++ b/sysdeps/sparc/sparc32/bits/wordsize.h +@@ -1,6 +1,6 @@ + /* Determine the wordsize from the preprocessor defines. */ + + #define __WORDSIZE 32 +-#define __WORDSIZE_TIME64_COMPAT32 0 ++#define __WORDSIZE_TIME64_COMPAT32 1 + #define __WORDSIZE32_SIZE_ULONG 0 + #define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/sparc/sparc64/bits/wordsize.h b/sysdeps/sparc/sparc64/bits/wordsize.h +index 2f66f10d72..ea103e5970 100644 +--- a/sysdeps/sparc/sparc64/bits/wordsize.h ++++ b/sysdeps/sparc/sparc64/bits/wordsize.h +@@ -2,10 +2,9 @@ + + #if defined __arch64__ || defined __sparcv9 + # define __WORDSIZE 64 +-# define __WORDSIZE_TIME64_COMPAT32 1 + #else + # define __WORDSIZE 32 +-# define __WORDSIZE_TIME64_COMPAT32 0 + # define __WORDSIZE32_SIZE_ULONG 0 + # define __WORDSIZE32_PTRDIFF_LONG 0 + #endif ++#define __WORDSIZE_TIME64_COMPAT32 1 +diff --git a/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h b/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h +new file mode 100644 +index 0000000000..6ecbfe7c86 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/hppa/bits/wordsize.h +@@ -0,0 +1,21 @@ ++/* Copyright (C) 1999-2024 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define __WORDSIZE 32 ++#define __WORDSIZE_TIME64_COMPAT32 1 ++#define __WORDSIZE32_SIZE_ULONG 0 ++#define __WORDSIZE32_PTRDIFF_LONG 0 +diff --git a/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h b/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h +index 04ca9debf0..6993fb6b29 100644 +--- a/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h ++++ b/sysdeps/unix/sysv/linux/powerpc/bits/wordsize.h +@@ -2,10 +2,9 @@ + + #if defined __powerpc64__ + # define __WORDSIZE 64 +-# define __WORDSIZE_TIME64_COMPAT32 1 + #else + # define __WORDSIZE 32 +-# define __WORDSIZE_TIME64_COMPAT32 0 + # define __WORDSIZE32_SIZE_ULONG 0 + # define __WORDSIZE32_PTRDIFF_LONG 0 + #endif ++#define __WORDSIZE_TIME64_COMPAT32 1 +diff --git a/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h b/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h +index 7562875ee2..ea103e5970 100644 +--- a/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h ++++ b/sysdeps/unix/sysv/linux/sparc/bits/wordsize.h +@@ -2,10 +2,9 @@ + + #if defined __arch64__ || defined __sparcv9 + # define __WORDSIZE 64 +-# define __WORDSIZE_TIME64_COMPAT32 1 + #else + # define __WORDSIZE 32 + # define __WORDSIZE32_SIZE_ULONG 0 + # define __WORDSIZE32_PTRDIFF_LONG 0 +-# define __WORDSIZE_TIME64_COMPAT32 0 + #endif ++#define __WORDSIZE_TIME64_COMPAT32 1 +diff --git a/sysdeps/x86/bits/wordsize.h b/sysdeps/x86/bits/wordsize.h +index 70f652bca1..3f40aa76f9 100644 +--- a/sysdeps/x86/bits/wordsize.h ++++ b/sysdeps/x86/bits/wordsize.h +@@ -8,10 +8,9 @@ + #define __WORDSIZE32_PTRDIFF_LONG 0 + #endif + ++#define __WORDSIZE_TIME64_COMPAT32 1 ++ + #ifdef __x86_64__ +-# define __WORDSIZE_TIME64_COMPAT32 1 + /* Both x86-64 and x32 use the 64-bit system call interface. */ + # define __SYSCALL_WORDSIZE 64 +-#else +-# define __WORDSIZE_TIME64_COMPAT32 0 + #endif +-- +2.45.0 +