From 25084a9191d7f88bb4e74249ac2523a72156dc3907481be4e9bffbfc004f3c99 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 6 Sep 2023 08:18:53 +0000 Subject: [PATCH 1/9] Accepting request 1109216 from home:Andreas_Schwab:Factory - intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C locale (BZ #16621) - glibc-disable-gettext-for-c-utf8.patch: Removed OBS-URL: https://build.opensuse.org/request/show/1109216 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=666 --- glibc-disable-gettext-for-c-utf8.patch | 12 -------- glibc.changes | 8 ++++++ glibc.spec | 6 ++-- intl-c-utf-8-like-c-locale.patch | 39 ++++++++++++++++++++++++++ 4 files changed, 50 insertions(+), 15 deletions(-) delete mode 100644 glibc-disable-gettext-for-c-utf8.patch create mode 100644 intl-c-utf-8-like-c-locale.patch diff --git a/glibc-disable-gettext-for-c-utf8.patch b/glibc-disable-gettext-for-c-utf8.patch deleted file mode 100644 index aab0f8a..0000000 --- a/glibc-disable-gettext-for-c-utf8.patch +++ /dev/null @@ -1,12 +0,0 @@ -Index: glibc-2.27/intl/dcigettext.c -=================================================================== ---- glibc-2.27.orig/intl/dcigettext.c -+++ glibc-2.27/intl/dcigettext.c -@@ -695,6 +695,7 @@ DCIGETTEXT (const char *domainname, cons - /* If the current locale value is C (or POSIX) we don't load a - domain. Return the MSGID. */ - if (strcmp (single_locale, "C") == 0 -+ || strcmp (single_locale, "C.UTF-8") == 0 - || strcmp (single_locale, "POSIX") == 0) - break; - diff --git a/glibc.changes b/glibc.changes index a7114dc..f0d9791 100644 --- a/glibc.changes +++ b/glibc.changes 
@@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue Sep 5 11:13:13 UTC 2023 - Andreas Schwab + +- intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C + locale (BZ #16621) +- glibc-disable-gettext-for-c-utf8.patch: Removed + +------------------------------------------------------------------- Mon Aug 28 11:56:10 UTC 2023 - Richard Biener - Add cross-ppc64le package diff --git a/glibc.spec b/glibc.spec index 9743132..f9d3049 100644 --- a/glibc.spec +++ b/glibc.spec @@ -287,8 +287,6 @@ Patch100: add-locales.patch Patch102: glibc-2.4.90-no_NO.diff # PATCH-FIX-OPENSUSE -- Renames for China Patch103: glibc-2.4-china.diff -# PATCH-FIX-OPENSUSE -- Disable gettext for C.UTF-8 locale -Patch104: glibc-disable-gettext-for-c-utf8.patch ### Network related patches # PATCH-FIX-OPENSUSE Warn about usage of mdns in resolv.conv @@ -307,6 +305,8 @@ Patch1001: cache-amd-legacy.patch Patch1002: cache-intel-shared.patch # PATCH-FIX-UPSTREAM malloc: Enable merging of remainders in memalign, remove bin scanning from memalign (BZ #30723) Patch1003: posix-memalign-fragmentation.patch +# PATCH-FIX-UPSTREAM intl: Treat C.UTF-8 locale like C locale (BZ #16621) +Patch1004: intl-c-utf-8-like-c-locale.patch ### # Patches awaiting upstream approval @@ -524,7 +524,6 @@ library in a cross compilation setting. %patch100 -p1 %patch102 -p1 %patch103 -p1 -%patch104 -p1 %patch304 -p1 %patch306 -p1 @@ -534,6 +533,7 @@ library in a cross compilation setting. %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 %endif %patch2000 -p1 diff --git a/intl-c-utf-8-like-c-locale.patch b/intl-c-utf-8-like-c-locale.patch new file mode 100644 index 0000000..ff9e1c1 --- /dev/null +++ b/intl-c-utf-8-like-c-locale.patch 
@@ -0,0 +1,39 @@ +From 2897b231a6b71ee17d47d3d63f1112b2641a476c Mon Sep 17 00:00:00 2001 +From: Bruno Haible +Date: Mon, 4 Sep 2023 15:31:36 +0200 +Subject: [PATCH] intl: Treat C.UTF-8 locale like C locale (BZ# 16621) + +The wiki page https://sourceware.org/glibc/wiki/Proposals/C.UTF-8 +says that "Setting LC_ALL=C.UTF-8 will ignore LANGUAGE just like it +does with LC_ALL=C." This patch implements it. + +* intl/dcigettext.c (guess_category_value): Treat C. locale +like the C locale. + +Reviewed-by: Florian Weimer +--- + intl/dcigettext.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/intl/dcigettext.c b/intl/dcigettext.c +index 7886ac9545..27063886d2 100644 +--- a/intl/dcigettext.c ++++ b/intl/dcigettext.c +@@ -1560,8 +1560,12 @@ guess_category_value (int category, const char *categoryname) + 2. The precise output of some programs in the "C" locale is specified + by POSIX and should not depend on environment variables like + "LANGUAGE" or system-dependent information. We allow such programs +- to use gettext(). */ +- if (strcmp (locale, "C") == 0) ++ to use gettext(). ++ Ignore LANGUAGE and its system-dependent analogon also if the locale is ++ set to "C.UTF-8" or, more generally, to "C.", because that's ++ the by-design behaviour for glibc, see ++ . */ ++ if (locale[0] == 'C' && (locale[1] == '\0' || locale[1] == '.')) + return locale; + + /* The highest priority value is the value of the 'LANGUAGE' environment +-- +2.42.0 + From d239abb7947d4e0a3c2c94ef9665991e8aa5eb0c9166a551195568facc271ea4 Mon Sep 17 00:00:00 2001 
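Review bot: The upstream replacement intervenes at a different point than the downstream patch it removes: the old hunk in DCIGETTEXT broke out of the per-locale loop for "C.UTF-8" so no message catalog was consulted, whereas the new check in guess_category_value only returns the locale unchanged and thereby suppresses the LANGUAGE override; whether DCIGETTEXT then still attempts a catalog lookup for "C.UTF-8" depends on code outside this hunk, so the swap should be confirmed with an LC_ALL=C.UTF-8 run that compares output against the previous build. The new test `locale[0] == 'C' && (locale[1] == '\0' || locale[1] == '.')` deliberately matches any "C.<codeset>" name, as the comment states, and like the `strcmp (locale, "C") == 0` it replaces it does not cover "POSIX"; a short comment line such as `/* "POSIX" is not special-cased here, matching the previous check.  */` would save the next reader from assuming that is an oversight. The comment text `see .` appears to have lost its reference in this rendering; check that the committed file carries the full URL. guess_category_value begins and ends outside the hunk.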
From: Andreas Schwab Date: Tue, 12 Sep 2023 06:37:03 +0000 Subject: [PATCH 2/9] Accepting request 1110438 from home:Andreas_Schwab:Factory - ppc64-flock-fob64.patch: io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64 (BZ #30804) - libio-io-vtables.patch: libio: Fix oversized __io_vtables - call-init-proxy-objects.patch: elf: Do not run constructors for proxy objects - dtors-reverse-ctor-order.patch: elf: Always call destructors in reverse constructor order (BZ #30785) OBS-URL: https://build.opensuse.org/request/show/1110438 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=667 --- call-init-proxy-objects.patch | 37 ++ dtors-reverse-ctor-order.patch | 834 +++++++++++++++++++++++++++++++++ glibc.changes | 11 + glibc.spec | 12 + libio-io-vtables.patch | 51 ++ ppc64-flock-fob64.patch | 76 +++ 6 files changed, 1021 insertions(+) create mode 100644 call-init-proxy-objects.patch create mode 100644 dtors-reverse-ctor-order.patch create mode 100644 libio-io-vtables.patch create mode 100644 ppc64-flock-fob64.patch diff --git a/call-init-proxy-objects.patch b/call-init-proxy-objects.patch new file mode 100644 index 0000000..ec3497b --- /dev/null +++ b/call-init-proxy-objects.patch 
@@ -0,0 +1,37 @@ +From 7ae211a01b085d0bde54bd13b887ce8f9d57c2b4 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Tue, 22 Aug 2023 13:56:25 +0200 +Subject: [PATCH] elf: Do not run constructors for proxy objects + +Otherwise, the ld.so constructor runs for each audit namespace +and each dlmopen namespace. + +(cherry picked from commit f6c8204fd7fabf0cf4162eaf10ccf23258e4d10e) +--- + elf/dl-init.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/elf/dl-init.c b/elf/dl-init.c +index 5b0732590f..ba4d2fdc85 100644 +--- a/elf/dl-init.c ++++ b/elf/dl-init.c +@@ -25,10 +25,14 @@ + static void + call_init (struct link_map *l, int argc, char **argv, char **env) + { ++ /* Do not run constructors for proxy objects. */ ++ if (l != l->l_real) ++ return; ++ + /* If the object has not been relocated, this is a bug. The + function pointers are invalid in this case. (Executables do not +- need relocation, and neither do proxy objects.) */ +- assert (l->l_real->l_relocated || l->l_real->l_type == lt_executable); ++ need relocation.) */ ++ assert (l->l_relocated || l->l_type == lt_executable); + + if (l->l_init_called) + /* This object is all done. */ +-- +2.42.0 + diff --git a/dtors-reverse-ctor-order.patch b/dtors-reverse-ctor-order.patch new file mode 100644 index 0000000..3e058ad --- /dev/null +++ b/dtors-reverse-ctor-order.patch 
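Review bot: The early return for proxy objects (`if (l != l->l_real) return;`) now exits before the later code that sets `l_init_called`, so a proxy link map is never marked as initialized; readers of that flag that may see proxies (the `if (l->l_init_called)` right below is one) should be checked against this, and the new comment could state it explicitly: `/* Do not run constructors for proxy objects; l_init_called is left unset on the proxy.  */`. The relaxed assertion `l->l_relocated || l->l_type == lt_executable` is consistent with that, since it can no longer be reached for a proxy. The body of call_init continues past the hunk.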
@@ -0,0 +1,834 @@ +From a3189f66a5f2fe86568286fa025fa153be04c6c0 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Fri, 8 Sep 2023 12:32:14 +0200 +Subject: [PATCH] elf: Always call destructors in reverse constructor order + (bug 30785) + +The current implementation of dlclose (and process exit) re-sorts the +link maps before calling ELF destructors. Destructor order is not the +reverse of the constructor order as a result: The second sort takes +relocation dependencies into account, and other differences can result +from ambiguous inputs, such as cycles. (The force_first handling in +_dl_sort_maps is not effective for dlclose.) After the changes in +this commit, there is still a required difference due to +dlopen/dlclose ordering by the application, but the previous +discrepancies went beyond that. + +A new global (namespace-spanning) list of link maps, +_dl_init_called_list, is updated right before ELF constructors are +called from _dl_init. + +In dl_close_worker, the maps variable, an on-stack variable length +array, is eliminated. (VLAs are problematic, and dlclose should not +call malloc because it cannot readily deal with malloc failure.) +Marking still-used objects uses the namespace list directly, with +next and next_idx replacing the done_index variable. + +After marking, _dl_init_called_list is used to call the destructors +of now-unused maps in reverse destructor order. These destructors +can call dlopen. Previously, new objects do not have l_map_used set. +This had to change: There is no copy of the link map list anymore, +so processing would cover newly opened (and unmarked) mappings, +unloading them. Now, _dl_init (indirectly) sets l_map_used, too. +(dlclose is handled by the existing reentrancy guard.) + +After _dl_init_called_list traversal, two more loops follow. The +processing order changes to the original link map order in the +namespace. Previously, dependency order was used. 
The difference +should not matter because relocation dependencies could already +reorder link maps in the old code. + +The changes to _dl_fini remove the sorting step and replace it with +a traversal of _dl_init_called_list. The l_direct_opencount +decrement outside the loader lock is removed because it appears +incorrect: the counter manipulation could race with other dynamic +loader operations. + +tst-audit23 needs adjustments to the changes in LA_ACT_DELETE +notifications. The new approach for checking la_activity should +make it clearer that la_activty calls come in pairs around namespace +updates. + +The dependency sorting test cases need updates because the destructor +order is always the opposite order of constructor order, even with +relocation dependencies or cycles present. + +There is a future cleanup opportunity to remove the now-constant +force_first and for_fini arguments from the _dl_sort_maps function. + +Fixes commit 1df71d32fe5f5905ffd5d100e5e9ca8ad62 ("elf: Implement +force_first handling in _dl_sort_maps_dfs (bug 28937)"). + +Reviewed-by: DJ Delorie +(cherry picked from commit 6985865bc3ad5b23147ee73466583dd7fdf65892) +--- + NEWS | 7 ++ + elf/dl-close.c | 113 +++++++++++++++++---------- + elf/dl-fini.c | 152 +++++++++++++------------------------ + elf/dl-init.c | 16 ++++ + elf/dso-sort-tests-1.def | 19 ++--- + elf/tst-audit23.c | 44 ++++++----- + include/link.h | 4 + + sysdeps/generic/ldsodefs.h | 4 + + 8 files changed, 186 insertions(+), 173 deletions(-) + +diff --git a/elf/dl-close.c b/elf/dl-close.c +index b887a44888..ea62d0e601 100644 +--- a/elf/dl-close.c ++++ b/elf/dl-close.c +@@ -138,30 +138,31 @@ _dl_close_worker (struct link_map *map, bool force) + + bool any_tls = false; + const unsigned int nloaded = ns->_ns_nloaded; +- struct link_map *maps[nloaded]; + +- /* Run over the list and assign indexes to the link maps and enter +- them into the MAPS array. */ ++ /* Run over the list and assign indexes to the link maps. 
*/ + int idx = 0; + for (struct link_map *l = ns->_ns_loaded; l != NULL; l = l->l_next) + { + l->l_map_used = 0; + l->l_map_done = 0; + l->l_idx = idx; +- maps[idx] = l; + ++idx; + } + assert (idx == nloaded); + +- /* Keep track of the lowest index link map we have covered already. */ +- int done_index = -1; +- while (++done_index < nloaded) ++ /* Keep marking link maps until no new link maps are found. */ ++ for (struct link_map *l = ns->_ns_loaded; l != NULL; ) + { +- struct link_map *l = maps[done_index]; ++ /* next is reset to earlier link maps for remarking. */ ++ struct link_map *next = l->l_next; ++ int next_idx = l->l_idx + 1; /* next->l_idx, but covers next == NULL. */ + + if (l->l_map_done) +- /* Already handled. */ +- continue; ++ { ++ /* Already handled. */ ++ l = next; ++ continue; ++ } + + /* Check whether this object is still used. */ + if (l->l_type == lt_loaded +@@ -171,7 +172,10 @@ _dl_close_worker (struct link_map *map, bool force) + acquire is sufficient and correct. */ + && atomic_load_acquire (&l->l_tls_dtor_count) == 0 + && !l->l_map_used) +- continue; ++ { ++ l = next; ++ continue; ++ } + + /* We need this object and we handle it now. */ + l->l_map_used = 1; +@@ -198,8 +202,11 @@ _dl_close_worker (struct link_map *map, bool force) + already processed it, then we need to go back + and process again from that point forward to + ensure we keep all of its dependencies also. */ +- if ((*lp)->l_idx - 1 < done_index) +- done_index = (*lp)->l_idx - 1; ++ if ((*lp)->l_idx < next_idx) ++ { ++ next = *lp; ++ next_idx = next->l_idx; ++ } + } + } + +@@ -219,44 +226,65 @@ _dl_close_worker (struct link_map *map, bool force) + if (!jmap->l_map_used) + { + jmap->l_map_used = 1; +- if (jmap->l_idx - 1 < done_index) +- done_index = jmap->l_idx - 1; ++ if (jmap->l_idx < next_idx) ++ { ++ next = jmap; ++ next_idx = next->l_idx; ++ } + } + } + } +- } + +- /* Sort the entries. 
We can skip looking for the binary itself which is +- at the front of the search list for the main namespace. */ +- _dl_sort_maps (maps, nloaded, (nsid == LM_ID_BASE), true); ++ l = next; ++ } + +- /* Call all termination functions at once. */ +- bool unload_any = false; +- bool scope_mem_left = false; +- unsigned int unload_global = 0; +- unsigned int first_loaded = ~0; +- for (unsigned int i = 0; i < nloaded; ++i) ++ /* Call the destructors in reverse constructor order, and remove the ++ closed link maps from the list. */ ++ for (struct link_map **init_called_head = &_dl_init_called_list; ++ *init_called_head != NULL; ) + { +- struct link_map *imap = maps[i]; ++ struct link_map *imap = *init_called_head; + +- /* All elements must be in the same namespace. */ +- assert (imap->l_ns == nsid); +- +- if (!imap->l_map_used) ++ /* _dl_init_called_list is global, to produce a global odering. ++ Ignore the other namespaces (and link maps that are still used). */ ++ if (imap->l_ns != nsid || imap->l_map_used) ++ init_called_head = &imap->l_init_called_next; ++ else + { + assert (imap->l_type == lt_loaded && !imap->l_nodelete_active); + +- /* Call its termination function. Do not do it for +- half-cooked objects. Temporarily disable exception +- handling, so that errors are fatal. */ +- if (imap->l_init_called) ++ /* _dl_init_called_list is updated at the same time as ++ l_init_called. */ ++ assert (imap->l_init_called); ++ ++ if (imap->l_info[DT_FINI_ARRAY] != NULL ++ || imap->l_info[DT_FINI] != NULL) + _dl_catch_exception (NULL, _dl_call_fini, imap); + + #ifdef SHARED + /* Auditing checkpoint: we remove an object. */ + _dl_audit_objclose (imap); + #endif ++ /* Unlink this link map. */ ++ *init_called_head = imap->l_init_called_next; ++ } ++ } ++ ++ ++ bool unload_any = false; ++ bool scope_mem_left = false; ++ unsigned int unload_global = 0; ++ ++ /* For skipping un-unloadable link maps in the second loop. 
*/ ++ struct link_map *first_loaded = ns->_ns_loaded; + ++ /* Iterate over the namespace to find objects to unload. Some ++ unloadable objects may not be on _dl_init_called_list due to ++ dlopen failure. */ ++ for (struct link_map *imap = first_loaded; imap != NULL; imap = imap->l_next) ++ { ++ if (!imap->l_map_used) ++ { + /* This object must not be used anymore. */ + imap->l_removed = 1; + +@@ -267,8 +295,8 @@ _dl_close_worker (struct link_map *map, bool force) + ++unload_global; + + /* Remember where the first dynamically loaded object is. */ +- if (i < first_loaded) +- first_loaded = i; ++ if (first_loaded == NULL) ++ first_loaded = imap; + } + /* Else imap->l_map_used. */ + else if (imap->l_type == lt_loaded) +@@ -404,8 +432,8 @@ _dl_close_worker (struct link_map *map, bool force) + imap->l_loader = NULL; + + /* Remember where the first dynamically loaded object is. */ +- if (i < first_loaded) +- first_loaded = i; ++ if (first_loaded == NULL) ++ first_loaded = imap; + } + } + +@@ -476,10 +504,11 @@ _dl_close_worker (struct link_map *map, bool force) + + /* Check each element of the search list to see if all references to + it are gone. */ +- for (unsigned int i = first_loaded; i < nloaded; ++i) ++ for (struct link_map *imap = first_loaded; imap != NULL; ) + { +- struct link_map *imap = maps[i]; +- if (!imap->l_map_used) ++ if (imap->l_map_used) ++ imap = imap->l_next; ++ else + { + assert (imap->l_type == lt_loaded); + +@@ -690,7 +719,9 @@ _dl_close_worker (struct link_map *map, bool force) + if (imap == GL(dl_initfirst)) + GL(dl_initfirst) = NULL; + ++ struct link_map *next = imap->l_next; + free (imap); ++ imap = next; + } + } + +diff --git a/elf/dl-fini.c b/elf/dl-fini.c +index 9acb64f47c..e201d36651 100644 +--- a/elf/dl-fini.c ++++ b/elf/dl-fini.c +@@ -24,116 +24,68 @@ + void + _dl_fini (void) + { +- /* Lots of fun ahead. We have to call the destructors for all still +- loaded objects, in all namespaces. 
The problem is that the ELF +- specification now demands that dependencies between the modules +- are taken into account. I.e., the destructor for a module is +- called before the ones for any of its dependencies. +- +- To make things more complicated, we cannot simply use the reverse +- order of the constructors. Since the user might have loaded objects +- using `dlopen' there are possibly several other modules with its +- dependencies to be taken into account. Therefore we have to start +- determining the order of the modules once again from the beginning. */ +- +- /* We run the destructors of the main namespaces last. As for the +- other namespaces, we pick run the destructors in them in reverse +- order of the namespace ID. */ +-#ifdef SHARED +- int do_audit = 0; +- again: +-#endif +- for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns) +- { +- /* Protect against concurrent loads and unloads. */ +- __rtld_lock_lock_recursive (GL(dl_load_lock)); +- +- unsigned int nloaded = GL(dl_ns)[ns]._ns_nloaded; +- /* No need to do anything for empty namespaces or those used for +- auditing DSOs. */ +- if (nloaded == 0 +-#ifdef SHARED +- || GL(dl_ns)[ns]._ns_loaded->l_auditing != do_audit +-#endif +- ) +- __rtld_lock_unlock_recursive (GL(dl_load_lock)); +- else +- { ++ /* Call destructors strictly in the reverse order of constructors. ++ This causes fewer surprises than some arbitrary reordering based ++ on new (relocation) dependencies. None of the objects are ++ unmapped, so applications can deal with this if their DSOs remain ++ in a consistent state after destructors have run. */ ++ ++ /* Protect against concurrent loads and unloads. */ ++ __rtld_lock_lock_recursive (GL(dl_load_lock)); ++ ++ /* Ignore objects which are opened during shutdown. 
*/ ++ struct link_map *local_init_called_list = _dl_init_called_list; ++ ++ for (struct link_map *l = local_init_called_list; l != NULL; ++ l = l->l_init_called_next) ++ /* Bump l_direct_opencount of all objects so that they ++ are not dlclose()ed from underneath us. */ ++ ++l->l_direct_opencount; ++ ++ /* After this point, everything linked from local_init_called_list ++ cannot be unloaded because of the reference counter update. */ ++ __rtld_lock_unlock_recursive (GL(dl_load_lock)); ++ ++ /* Perform two passes: One for non-audit modules, one for audit ++ modules. This way, audit modules receive unload notifications ++ for non-audit objects, and the destructors for audit modules ++ still run. */ + #ifdef SHARED +- _dl_audit_activity_nsid (ns, LA_ACT_DELETE); ++ int last_pass = GLRO(dl_naudit) > 0; ++ Lmid_t last_ns = -1; ++ for (int do_audit = 0; do_audit <= last_pass; ++do_audit) + #endif +- +- /* Now we can allocate an array to hold all the pointers and +- copy the pointers in. */ +- struct link_map *maps[nloaded]; +- +- unsigned int i; +- struct link_map *l; +- assert (nloaded != 0 || GL(dl_ns)[ns]._ns_loaded == NULL); +- for (l = GL(dl_ns)[ns]._ns_loaded, i = 0; l != NULL; l = l->l_next) +- /* Do not handle ld.so in secondary namespaces. */ +- if (l == l->l_real) +- { +- assert (i < nloaded); +- +- maps[i] = l; +- l->l_idx = i; +- ++i; +- +- /* Bump l_direct_opencount of all objects so that they +- are not dlclose()ed from underneath us. */ +- ++l->l_direct_opencount; +- } +- assert (ns != LM_ID_BASE || i == nloaded); +- assert (ns == LM_ID_BASE || i == nloaded || i == nloaded - 1); +- unsigned int nmaps = i; +- +- /* Now we have to do the sorting. We can skip looking for the +- binary itself which is at the front of the search list for +- the main namespace. */ +- _dl_sort_maps (maps, nmaps, (ns == LM_ID_BASE), true); +- +- /* We do not rely on the linked list of loaded object anymore +- from this point on. We have our own list here (maps). 
The +- various members of this list cannot vanish since the open +- count is too high and will be decremented in this loop. So +- we release the lock so that some code which might be called +- from a destructor can directly or indirectly access the +- lock. */ +- __rtld_lock_unlock_recursive (GL(dl_load_lock)); +- +- /* 'maps' now contains the objects in the right order. Now +- call the destructors. We have to process this array from +- the front. */ +- for (i = 0; i < nmaps; ++i) +- { +- struct link_map *l = maps[i]; +- +- if (l->l_init_called) +- { +- _dl_call_fini (l); ++ for (struct link_map *l = local_init_called_list; l != NULL; ++ l = l->l_init_called_next) ++ { + #ifdef SHARED +- /* Auditing checkpoint: another object closed. */ +- _dl_audit_objclose (l); ++ if (GL(dl_ns)[l->l_ns]._ns_loaded->l_auditing != do_audit) ++ continue; ++ ++ /* Avoid back-to-back calls of _dl_audit_activity_nsid for the ++ same namespace. */ ++ if (last_ns != l->l_ns) ++ { ++ if (last_ns >= 0) ++ _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT); ++ _dl_audit_activity_nsid (l->l_ns, LA_ACT_DELETE); ++ last_ns = l->l_ns; ++ } + #endif +- } + +- /* Correct the previous increment. */ +- --l->l_direct_opencount; +- } ++ /* There is no need to re-enable exceptions because _dl_fini ++ is not called from a context where exceptions are caught. */ ++ _dl_call_fini (l); + + #ifdef SHARED +- _dl_audit_activity_nsid (ns, LA_ACT_CONSISTENT); ++ /* Auditing checkpoint: another object closed. */ ++ _dl_audit_objclose (l); + #endif +- } +- } ++ } + + #ifdef SHARED +- if (! 
do_audit && GLRO(dl_naudit) > 0) +- { +- do_audit = 1; +- goto again; +- } ++ if (last_ns >= 0) ++ _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT); + + if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_STATISTICS)) + _dl_debug_printf ("\nruntime linker statistics:\n" +diff --git a/elf/dl-init.c b/elf/dl-init.c +index ba4d2fdc85..ffd05b7806 100644 +--- a/elf/dl-init.c ++++ b/elf/dl-init.c +@@ -21,6 +21,7 @@ + #include + #include + ++struct link_map *_dl_init_called_list; + + static void + call_init (struct link_map *l, int argc, char **argv, char **env) +@@ -42,6 +43,21 @@ call_init (struct link_map *l, int argc, char **argv, char **env) + dependency. */ + l->l_init_called = 1; + ++ /* Help an already-running dlclose: The just-loaded object must not ++ be removed during the current pass. (No effect if no dlclose in ++ progress.) */ ++ l->l_map_used = 1; ++ ++ /* Record execution before starting any initializers. This way, if ++ the initializers themselves call dlopen, their ELF destructors ++ will eventually be run before this object is destructed, matching ++ that their ELF constructors have run before this object was ++ constructed. _dl_fini uses this list for audit callbacks, so ++ register objects on the list even if they do not have a ++ constructor. */ ++ l->l_init_called_next = _dl_init_called_list; ++ _dl_init_called_list = l; ++ + /* Check for object which constructors we do not run here. */ + if (__builtin_expect (l->l_name[0], 'a') == '\0' + && l->l_type == lt_executable) +diff --git a/elf/dso-sort-tests-1.def b/elf/dso-sort-tests-1.def +index 4bf9052db1..61dc54f8ae 100644 +--- a/elf/dso-sort-tests-1.def ++++ b/elf/dso-sort-tests-1.def +@@ -53,21 +53,14 @@ tst-dso-ordering10: {}->a->b->c;soname({})=c + output: b>a>{}b->c->d order). +-# The older dynamic_sort=1 algorithm does not achieve this, while the DFS-based +-# dynamic_sort=2 algorithm does, although it is still arguable whether going +-# beyond spec to do this is the right thing to do. 
+-# The below expected outputs are what the two algorithms currently produce +-# respectively, for regression testing purposes. ++# relocation(dynamic) dependencies. For both sorting algorithms, the ++# destruction order is the reverse of the construction order, and ++# relocation dependencies are not taken into account. + tst-bz15311: {+a;+e;+f;+g;+d;%d;-d;-g;-f;-e;-a};a->b->c->d;d=>[ba];c=>a;b=>e=>a;c=>f=>b;d=>g=>c +-output(glibc.rtld.dynamic_sort=1): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[a1;a->a2;a2->a;b->b1;c->a1;c=>a1 +-output(glibc.rtld.dynamic_sort=1): {+a[a2>a1>a>];+b[b1>b>];-b[];%c(a1());}a1>a>];+b[b1>b>];-b[];%c(a1());}a1>a>];+b[b1>b>];-b[];%c(a1());} +Date: Fri, 8 Sep 2023 13:02:06 +0200 +Subject: [PATCH] elf: Remove unused l_text_end field from struct link_map + +It is a left-over from commit 52a01100ad011293197637e42b5be1a479a2 +("elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]"). + +When backporting commmit 6985865bc3ad5b23147ee73466583dd7fdf65892 +("elf: Always call destructors in reverse constructor order +(bug 30785)"), we can move the l_init_called_next field to this +place, so that the internal GLIBC_PRIVATE ABI does not change. 
+ +Reviewed-by: Carlos O'Donell +Tested-by: Carlos O'Donell +(cherry picked from commit 53df2ce6885da3d0e89e87dca7b095622296014f) +--- + elf/dl-load.c | 2 +- + elf/dl-load.h | 7 ++----- + elf/rtld.c | 6 ------ + elf/setup-vdso.h | 4 ---- + include/link.h | 2 -- + 5 files changed, 3 insertions(+), 18 deletions(-) + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 9a87fda9c9..2923b1141d 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1253,7 +1253,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + + /* Now process the load commands and map segments into memory. + This is responsible for filling in: +- l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr ++ l_map_start, l_map_end, l_addr, l_contiguous, l_phdr + */ + errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds, + maplength, has_holes, loader); +diff --git a/elf/dl-load.h b/elf/dl-load.h +index ecf6910c68..1d5207694b 100644 +--- a/elf/dl-load.h ++++ b/elf/dl-load.h +@@ -83,14 +83,11 @@ struct loadcmd + + /* This is a subroutine of _dl_map_segments. It should be called for each + load command, some time after L->l_addr has been set correctly. It is +- responsible for setting up the l_text_end and l_phdr fields. */ ++ responsible for setting the l_phdr fields */ + static __always_inline void + _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + const struct loadcmd *c) + { +- if (c->prot & PROT_EXEC) +- l->l_text_end = l->l_addr + c->mapend; +- + if (l->l_phdr == 0 + && c->mapoff <= header->e_phoff + && ((size_t) (c->mapend - c->mapstart + c->mapoff) +@@ -103,7 +100,7 @@ _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, + + /* This is a subroutine of _dl_map_object_from_fd. It is responsible + for filling in several fields in *L: l_map_start, l_map_end, l_addr, +- l_contiguous, l_text_end, l_phdr. On successful return, all the ++ l_contiguous, l_phdr. 
On successful return, all the + segments are mapped (or copied, or whatever) from the file into their + final places in the address space, with the correct page permissions, + and any bss-like regions already zeroed. It returns a null pointer +diff --git a/elf/rtld.c b/elf/rtld.c +index a91e2a4471..5107d16fe3 100644 +--- a/elf/rtld.c ++++ b/elf/rtld.c +@@ -477,7 +477,6 @@ _dl_start_final (void *arg, struct dl_start_final_info *info) + GL(dl_rtld_map).l_real = &GL(dl_rtld_map); + GL(dl_rtld_map).l_map_start = (ElfW(Addr)) &__ehdr_start; + GL(dl_rtld_map).l_map_end = (ElfW(Addr)) _end; +- GL(dl_rtld_map).l_text_end = (ElfW(Addr)) _etext; + /* Copy the TLS related data if necessary. */ + #ifndef DONT_USE_BOOTSTRAP_MAP + # if NO_TLS_OFFSET != 0 +@@ -1119,7 +1118,6 @@ rtld_setup_main_map (struct link_map *main_map) + bool has_interp = false; + + main_map->l_map_end = 0; +- main_map->l_text_end = 0; + /* Perhaps the executable has no PT_LOAD header entries at all. */ + main_map->l_map_start = ~0; + /* And it was opened directly. */ +@@ -1211,8 +1209,6 @@ rtld_setup_main_map (struct link_map *main_map) + allocend = main_map->l_addr + ph->p_vaddr + ph->p_memsz; + if (main_map->l_map_end < allocend) + main_map->l_map_end = allocend; +- if ((ph->p_flags & PF_X) && allocend > main_map->l_text_end) +- main_map->l_text_end = allocend; + + /* The next expected address is the page following this load + segment. */ +@@ -1272,8 +1268,6 @@ rtld_setup_main_map (struct link_map *main_map) + = (char *) main_map->l_tls_initimage + main_map->l_addr; + if (! main_map->l_map_end) + main_map->l_map_end = ~0; +- if (! main_map->l_text_end) +- main_map->l_text_end = ~0; + if (! 
GL(dl_rtld_map).l_libname && GL(dl_rtld_map).l_name) + { + /* We were invoked directly, so the program might not have a +diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h +index 0079842d1f..d92b12a7aa 100644 +--- a/elf/setup-vdso.h ++++ b/elf/setup-vdso.h +@@ -51,9 +51,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_addr = ph->p_vaddr; + if (ph->p_vaddr + ph->p_memsz >= l->l_map_end) + l->l_map_end = ph->p_vaddr + ph->p_memsz; +- if ((ph->p_flags & PF_X) +- && ph->p_vaddr + ph->p_memsz >= l->l_text_end) +- l->l_text_end = ph->p_vaddr + ph->p_memsz; + } + else + /* There must be no TLS segment. */ +@@ -62,7 +59,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), + l->l_map_start = (ElfW(Addr)) GLRO(dl_sysinfo_dso); + l->l_addr = l->l_map_start - l->l_addr; + l->l_map_end += l->l_addr; +- l->l_text_end += l->l_addr; + l->l_ld = (void *) ((ElfW(Addr)) l->l_ld + l->l_addr); + elf_get_dynamic_info (l, false, false); + _dl_setup_hash (l); +diff --git a/include/link.h b/include/link.h +index 69bda3ed17..c6af095d87 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -253,8 +253,6 @@ struct link_map + /* Start and finish of memory map for this object. l_map_start + need not be the same as l_addr. */ + ElfW(Addr) l_map_start, l_map_end; +- /* End of the executable part of the mapping. */ +- ElfW(Addr) l_text_end; + + /* Default array for 'l_scope'. */ + struct r_scope_elem *l_scope_mem[4]; +-- +2.42.0 + +From d3ba6c1333b10680ce5900a628108507d9d4b844 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Mon, 11 Sep 2023 09:17:52 +0200 +Subject: [PATCH] elf: Move l_init_called_next to old place of l_text_end in + link map + +This preserves all member offsets and the GLIBC_PRIVATE ABI +for backporting. 
+--- + include/link.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/include/link.h b/include/link.h +index c6af095d87..686813f281 100644 +--- a/include/link.h ++++ b/include/link.h +@@ -254,6 +254,10 @@ struct link_map + need not be the same as l_addr. */ + ElfW(Addr) l_map_start, l_map_end; + ++ /* Linked list of objects in reverse ELF constructor execution ++ order. Head of list is stored in _dl_init_called_list. */ ++ struct link_map *l_init_called_next; ++ + /* Default array for 'l_scope'. */ + struct r_scope_elem *l_scope_mem[4]; + /* Size of array allocated for 'l_scope'. */ +@@ -276,10 +280,6 @@ struct link_map + /* List of object in order of the init and fini calls. */ + struct link_map **l_initfini; + +- /* Linked list of objects in reverse ELF constructor execution +- order. Head of list is stored in _dl_init_called_list. */ +- struct link_map *l_init_called_next; +- + /* List of the dependencies introduced through symbol binding. */ + struct link_map_reldeps + { +-- +2.42.0 + diff --git a/glibc.changes b/glibc.changes index f0d9791..a085d8e 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,14 @@ +------------------------------------------------------------------- +Mon Sep 11 09:20:07 UTC 2023 - Andreas Schwab + +- ppc64-flock-fob64.patch: io: Fix record locking contants for powerpc64 + with __USE_FILE_OFFSET64 (BZ #30804) +- libio-io-vtables.patch: libio: Fix oversized __io_vtables +- call-init-proxy-objects.patch: elf: Do not run constructors for proxy + objects +- dtors-reverse-ctor-order.patch: elf: Always call destructors in reverse + constructor order (BZ #30785) + ------------------------------------------------------------------- Tue Sep 5 11:13:13 UTC 2023 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index f9d3049..d4b86c7 100644 --- a/glibc.spec +++ b/glibc.spec 
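Review bot: In the new dl-close destructor loop, the unlink `*init_called_head = imap->l_init_called_next;` runs after `_dl_catch_exception (NULL, _dl_call_fini, imap)` has returned, and the commit message says those destructors may call dlopen; the added dl-init code prepends every newly initialized object to `_dl_init_called_list`, so when `init_called_head` still points at the list head the unlink appears to overwrite that head with imap's successor and silently drop the just-opened object from the list, leaving it without destructor or audit-close calls later (it is protected from unloading by `l_map_used = 1`, but not from being forgotten). This should be confirmed with a test that dlopens a fresh object from a destructor during dlclose; if it reproduces, re-locate imap's current predecessor after the fini call instead of caching the pointer across the callback. Two comment nits in the same hunk: `global odering` in dl-close.c should read `global ordering`, and the dl-load.h comment `responsible for setting the l_phdr fields */` lost its terminating period and should read `responsible for setting the l_phdr field.  */`. _dl_close_worker and _dl_fini both begin outside their respective hunks.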
@@ -307,6 +307,14 @@ Patch1002: cache-intel-shared.patch Patch1003: posix-memalign-fragmentation.patch # PATCH-FIX-UPSTREAM intl: Treat C.UTF-8 locale like C locale (BZ #16621) Patch1004: intl-c-utf-8-like-c-locale.patch +# PATCH-FIX-UPSTREAM io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64 (BZ #30804) +Patch1005: ppc64-flock-fob64.patch +# PATCH-FIX-UPSTREAM libio: Fix oversized __io_vtables +Patch1006: libio-io-vtables.patch +# PATCH-FIX-UPSTREAM elf: Do not run constructors for proxy objects +Patch1007: call-init-proxy-objects.patch +# PATCH-FIX-UPSTREAM elf: Always call destructors in reverse constructor order (BZ #30785) +Patch1008: dtors-reverse-ctor-order.patch ### # Patches awaiting upstream approval @@ -534,6 +542,10 @@ library in a cross compilation setting. %patch1002 -p1 %patch1003 -p1 %patch1004 -p1 +%patch1005 -p1 +%patch1006 -p1 +%patch1007 -p1 +%patch1008 -p1 %endif %patch2000 -p1 diff --git a/libio-io-vtables.patch b/libio-io-vtables.patch new file mode 100644 index 0000000..4b622f4 --- /dev/null +++ b/libio-io-vtables.patch 
@@ -0,0 +1,51 @@ +From 92201f16cbcfd9eafe314ef6654be2ea7ba25675 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Fri, 8 Sep 2023 15:55:19 -0400 +Subject: [PATCH] libio: Fix oversized __io_vtables + +IO_VTABLES_LEN is the size of the struct array in bytes, not the number +of __IO_jump_t's in the array. Drops just under 384kb from .rodata on +LP64 machines. + +Fixes: 3020f72618e ("libio: Remove the usage of __libc_IO_vtables") +Signed-off-by: Adam Jackson +Reviewed-by: Florian Weimer +Tested-by: Florian Weimer +(cherry picked from commit 8cb69e054386f980f9ff4d93b157861d72b2019e) +--- + libio/vtables.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/libio/vtables.c b/libio/vtables.c +index 1d8ad612e9..34f7e15f1c 100644 +--- a/libio/vtables.c ++++ b/libio/vtables.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -88,7 +89,7 @@ + # pragma weak __wprintf_buffer_as_file_xsputn + #endif + +-const struct _IO_jump_t __io_vtables[IO_VTABLES_LEN] attribute_relro = ++const struct _IO_jump_t __io_vtables[] attribute_relro = + { + /* _IO_str_jumps */ + [IO_STR_JUMPS] = +@@ -485,6 +486,8 @@ const struct _IO_jump_t __io_vtables[IO_VTABLES_LEN] attribute_relro = + }, + #endif + }; ++_Static_assert (array_length (__io_vtables) == IO_VTABLES_NUM, ++ "initializer count"); + + #ifdef SHARED + +-- +2.42.0 + diff --git a/ppc64-flock-fob64.patch b/ppc64-flock-fob64.patch new file mode 100644 index 0000000..55c9b2f --- /dev/null +++ b/ppc64-flock-fob64.patch 
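Review bot: The new `_Static_assert` pins only the element count of `__io_vtables`; if IO_VTABLES_LEN is still used elsewhere as the byte length of this array (the commit message says it is a byte size, and vtable-pointer range validation is the usual consumer), a second assertion `_Static_assert (sizeof (__io_vtables) == IO_VTABLES_LEN, "__io_vtables byte length");` would make that relation explicit and catch the reverse mistake. The assertion message `"initializer count"` could name what it checks, e.g. `"__io_vtables initializer count must equal IO_VTABLES_NUM"`. The `#include` added near the top of libio/vtables.c shows no header name on this page (angle-bracket include targets appear stripped throughout), so which header supplies `array_length` cannot be verified from the hunk; presumably it is the one that defines that macro.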
@@ -0,0 +1,76 @@ +From 434bf72a94de68f0cc7fbf3c44bf38c1911b70cb Mon Sep 17 00:00:00 2001 +From: Aurelien Jarno +Date: Mon, 28 Aug 2023 23:30:37 +0200 +Subject: [PATCH] io: Fix record locking contants for powerpc64 with + __USE_FILE_OFFSET64 + +Commit 5f828ff824e3b7cd1 ("io: Fix F_GETLK, F_SETLK, and F_SETLKW for +powerpc64") fixed an issue with the value of the lock constants on +powerpc64 when not using __USE_FILE_OFFSET64, but it ended-up also +changing the value when using __USE_FILE_OFFSET64 causing an API change. + +Fix that by also checking that define, restoring the pre +4d0fe291aed3a476a commit values: + +Default values: +- F_GETLK: 5 +- F_SETLK: 6 +- F_SETLKW: 7 + +With -D_FILE_OFFSET_BITS=64: +- F_GETLK: 12 +- F_SETLK: 13 +- F_SETLKW: 14 + +At the same time, it has been noticed that there was no test for io lock +with __USE_FILE_OFFSET64, so just add one. + +Tested on x86_64-linux-gnu, i686-linux-gnu and +powerpc64le-unknown-linux-gnu. + +Resolves: BZ #30804. +Co-authored-by: Adhemerval Zanella +Signed-off-by: Aurelien Jarno +--- + io/Makefile | 1 + + io/tst-fcntl-lock-lfs.c | 2 ++ + sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h | 2 +- + 3 files changed, 4 insertions(+), 1 deletion(-) + create mode 100644 io/tst-fcntl-lock-lfs.c + +diff --git a/io/Makefile b/io/Makefile +index 6ccc0e8691..8a3c83a3bb 100644 +--- a/io/Makefile ++++ b/io/Makefile +@@ -192,6 +192,7 @@ tests := \ + tst-fchownat \ + tst-fcntl \ + tst-fcntl-lock \ ++ tst-fcntl-lock-lfs \ + tst-fstatat \ + tst-fts \ + tst-fts-lfs \ +diff --git a/io/tst-fcntl-lock-lfs.c b/io/tst-fcntl-lock-lfs.c +new file mode 100644 +index 0000000000..f2a909fb02 +--- /dev/null ++++ b/io/tst-fcntl-lock-lfs.c +@@ -0,0 +1,2 @@ ++#define _FILE_OFFSET_BITS 64 ++#include +diff --git a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h +index f7615a447e..d8a291a331 100644 +--- a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h ++++ b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h +@@ 
-33,7 +33,7 @@ + # define __O_LARGEFILE 0200000 + #endif + +-#if __WORDSIZE == 64 ++#if __WORDSIZE == 64 && !defined __USE_FILE_OFFSET64 + # define F_GETLK 5 + # define F_SETLK 6 + # define F_SETLKW 7 +-- +2.42.0 + From dbf49f77e59e985ce19590b1d5e85938fa23af4c139d7814169d0d1eec37fe33 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Wed, 13 Sep 2023 06:51:34 +0000 Subject: [PATCH 3/9] Accepting request 1110816 from home:Andreas_Schwab:Factory - Add systemd to passwd, group and shadow lookups (jsc#PED-5188) OBS-URL: https://build.opensuse.org/request/show/1110816 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=668 --- glibc.changes | 5 +++++ nsswitch.conf | 6 +++--- 2 files changed, 8 insertions(+), 3 deletions(-) diff --git a/glibc.changes b/glibc.changes index a085d8e..bada856 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Tue Sep 12 12:52:55 UTC 2023 - Andreas Schwab + +- Add systemd to passwd, group and shadow lookups (jsc#PED-5188) + ------------------------------------------------------------------- Mon Sep 11 09:20:07 UTC 2023 - Andreas Schwab diff --git a/nsswitch.conf b/nsswitch.conf index 7e3ba34..149c359 100644 --- a/nsswitch.conf +++ b/nsswitch.conf @@ -52,9 +52,9 @@ # shadow: db files # group: db files -passwd: compat -group: compat -shadow: compat +passwd: compat systemd +group: compat systemd +shadow: compat systemd # Allow initgroups to default to the setting for group. # initgroups: compat From f73bb175b7c64808c910eb52d1dc384db97412ad3f92830a32655b0fb21a3714 Mon Sep 17 00:00:00 2001 
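Review bot: The new `io/tst-fcntl-lock-lfs.c` only re-runs an existing lock test under `_FILE_OFFSET_BITS 64` (the included file's name is stripped on this page, presumably tst-fcntl-lock.c), so nothing asserts the numeric values the commit message restores, and a future regression of the powerpc64 `__USE_FILE_OFFSET64` values would not be caught by building the test. A build-time check in that test, e.g. `#if defined __powerpc64__ && F_GETLK != 12` / `# error "F_GETLK ABI value changed"` / `#endif`, would pin the ABI contract the message describes. The `#if __WORDSIZE == 64 && !defined __USE_FILE_OFFSET64` guard in bits/fcntl.h is otherwise consistent with that description.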
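Review bot: The three changed lines in nsswitch.conf now name a `systemd` service that glibc itself does not ship, and nothing in the hunk documents what happens when the module is absent; as far as I recall glibc's NSS treats a module it cannot load as unavailable and continues with the next service, so a comment above `passwd: compat systemd` such as `# systemd: nss-systemd (DynamicUser=/userdb records); skipped if the module is not installed` would spare administrators the question. Since initgroups defaults to the group setting (per the comment below the hunk), the systemd module also becomes part of supplementary-group resolution, which is worth stating in the changelog entry.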
From: Andreas Schwab Date: Thu, 14 Sep 2023 08:19:24 +0000 Subject: [PATCH 4/9] Accepting request 1111033 from home:Andreas_Schwab:Factory - no-aaaa-read-overflow.patch: Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842) OBS-URL: https://build.opensuse.org/request/show/1111033 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=669 --- glibc.changes | 6 ++ glibc.spec | 3 + no-aaaa-read-overflow.patch | 193 ++++++++++++++++++++++++++++++++++++ 3 files changed, 202 insertions(+) create mode 100644 no-aaaa-read-overflow.patch diff --git a/glibc.changes b/glibc.changes index bada856..f78d8e6 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Wed Sep 13 12:25:56 UTC 2023 - Andreas Schwab + +- no-aaaa-read-overflow.patch: Stack read overflow with large TCP + responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842) + ------------------------------------------------------------------- Tue Sep 12 12:52:55 UTC 2023 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index d4b86c7..1f623a6 100644 --- a/glibc.spec +++ b/glibc.spec @@ -315,6 +315,8 @@ Patch1006: libio-io-vtables.patch Patch1007: call-init-proxy-objects.patch # PATCH-FIX-UPSTREAM elf: Always call destructors in reverse constructor order (BZ #30785) Patch1008: dtors-reverse-ctor-order.patch +# PATCH-FIX-UPSTREAM Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, BZ #30842) +Patch1009: no-aaaa-read-overflow.patch ### # Patches awaiting upstream approval @@ -546,6 +548,7 @@ library in a cross compilation setting. %patch1006 -p1 %patch1007 -p1 %patch1008 -p1 +%patch1009 -p1 %endif %patch2000 -p1 diff --git a/no-aaaa-read-overflow.patch b/no-aaaa-read-overflow.patch new file mode 100644 index 0000000..65247872 --- /dev/null +++ b/no-aaaa-read-overflow.patch 
@@ -0,0 +1,193 @@ +From bd77dd7e73e3530203be1c52c8a29d08270cb25d Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Wed, 13 Sep 2023 14:10:56 +0200 +Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses + in no-aaaa mode + +Without passing alt_dns_packet_buffer, __res_context_search can only +store 2048 bytes (what fits into dns_packet_buffer). However, +the function returns the total packet size, and the subsequent +DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end +of the stack-allocated buffer. + +Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa +stub resolver option") and bug 30842. +--- + NEWS | 6 +- + resolv/Makefile | 2 + + resolv/nss_dns/dns-host.c | 2 +- + resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ + 4 files changed, 137 insertions(+), 2 deletions(-) + create mode 100644 resolv/tst-resolv-noaaaa-vc.c + +diff --git a/resolv/Makefile b/resolv/Makefile +index 054b1fa36c..2f99eb3862 100644 +--- a/resolv/Makefile ++++ b/resolv/Makefile +@@ -102,6 +102,7 @@ tests += \ + tst-resolv-invalid-cname \ + tst-resolv-network \ + tst-resolv-noaaaa \ ++ tst-resolv-noaaaa-vc \ + tst-resolv-nondecimal \ + tst-resolv-res_init-multi \ + tst-resolv-search \ +@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ + $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ + $(shared-thread-library) + $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) ++$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) + $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) +diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c +index c8b77bbc35..119dc9f00f 100644 +--- a/resolv/nss_dns/dns-host.c ++++ b/resolv/nss_dns/dns-host.c +@@ -427,7 
+427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, + { + n = __res_context_search (ctx, name, C_IN, T_A, + dns_packet_buffer, sizeof (dns_packet_buffer), +- NULL, NULL, NULL, NULL, NULL); ++ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); + if (n >= 0) + status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, + &abuf, pat, errnop, herrnop, ttlp); +diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c +new file mode 100644 +index 0000000000..9f5aebd99f +--- /dev/null ++++ b/resolv/tst-resolv-noaaaa-vc.c +@@ -0,0 +1,129 @@ ++/* Test the RES_NOAAAA resolver option with a large response. ++ Copyright (C) 2022-2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++/* Used to keep track of the number of queries. */ ++static volatile unsigned int queries; ++ ++/* If true, add a large TXT record at the start of the answer section. */ ++static volatile bool stuff_txt; ++ ++static void ++response (const struct resolv_response_context *ctx, ++ struct resolv_response_builder *b, ++ const char *qname, uint16_t qclass, uint16_t qtype) ++{ ++ /* If not using TCP, just force its use. 
*/ ++ if (!ctx->tcp) ++ { ++ struct resolv_response_flags flags = {.tc = true}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ return; ++ } ++ ++ /* The test needs to send four queries, the first three are used to ++ grow the NSS buffer via the ERANGE handshake. */ ++ ++queries; ++ TEST_VERIFY (queries <= 4); ++ ++ /* AAAA queries are supposed to be disabled. */ ++ TEST_COMPARE (qtype, T_A); ++ TEST_COMPARE (qclass, C_IN); ++ TEST_COMPARE_STRING (qname, "example.com"); ++ ++ struct resolv_response_flags flags = {}; ++ resolv_response_init (b, flags); ++ resolv_response_add_question (b, qname, qclass, qtype); ++ ++ resolv_response_section (b, ns_s_an); ++ ++ if (stuff_txt) ++ { ++ resolv_response_open_record (b, qname, qclass, T_TXT, 60); ++ int zero = 0; ++ for (int i = 0; i <= 15000; ++i) ++ resolv_response_add_data (b, &zero, sizeof (zero)); ++ resolv_response_close_record (b); ++ } ++ ++ for (int i = 0; i < 200; ++i) ++ { ++ resolv_response_open_record (b, qname, qclass, qtype, 60); ++ char ipv4[4] = {192, 0, 2, i + 1}; ++ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); ++ resolv_response_close_record (b); ++ } ++} ++ ++static int ++do_test (void) ++{ ++ struct resolv_test *obj = resolv_test_start ++ ((struct resolv_redirect_config) ++ { ++ .response_callback = response ++ }); ++ ++ _res.options |= RES_NOAAAA; ++ ++ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) ++ { ++ queries = 0; ++ stuff_txt = do_stuff_txt; ++ ++ struct addrinfo *ai = NULL; ++ int ret; ++ ret = getaddrinfo ("example.com", "80", ++ &(struct addrinfo) ++ { ++ .ai_family = AF_UNSPEC, ++ .ai_socktype = SOCK_STREAM, ++ }, &ai); ++ ++ char *expected_result; ++ { ++ struct xmemstream mem; ++ xopen_memstream (&mem); ++ for (int i = 0; i < 200; ++i) ++ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); ++ xfclose_memstream (&mem); ++ expected_result = mem.buffer; ++ } ++ ++ check_addrinfo ("example.com", ai, ret, 
expected_result); ++ ++ free (expected_result); ++ freeaddrinfo (ai); ++ } ++ ++ resolv_test_end (obj); ++ return 0; ++} ++ ++#include +-- +2.42.0 + From 366ef06a7bdc50905132b38cdfdf05ed3ba3ed2d1f35d06f97e6f96a044f53d0 Mon Sep 17 00:00:00 2001 
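Review bot: In the dns-host.c hunk the T_A query now hands `&alt_dns_packet_buffer` to `__res_context_search`, so on large TCP answers that pointer may be switched to a heap allocation; `_nss_dns_gethostbyname4_r` continues outside the hunk, and the release of that buffer has to happen on the same cleanup path the AAAA branch already uses (presumably it does, but the hunk does not show it). In the new test, `char ipv4[4] = {192, 0, 2, i + 1};` stores values above 127 into plain `char`, which is signed on x86; the conversion is implementation-defined rather than UB, but `unsigned char ipv4[4]` says what is meant. The TXT padding loop `for (int i = 0; i <= 15000; ++i)` emits 15001 four-byte zero chunks; a comment stating the intended size (well beyond the 2048-byte `dns_packet_buffer` named in the commit message) would make the test's purpose traceable to the bug.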
From: Dirk Mueller Date: Mon, 18 Sep 2023 09:08:56 +0000 Subject: [PATCH 5/9] - add glibc-io-Do-not-implement-fstat-with-fstatat.diff - add glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch (bsc#1215281, CVE-2023-4806) - Regenerate it also in the %post of glibc-local-base- But to create clearly defined bootstrap projects, it's essential - Recognize ppc64p7 arch to build for power7 - add ld-linux.so.3 compat symlink also for armv6hl - Do not order nscd after syslog.target * bugfixes - Update manpages from Debian, includes new man pages for - Use _target_cpu instead of _build and _host. This makes the - check-build.sh: accept kernel 3.x - more libm optimizations - Revert last change, it caused some breakage. [bnc#715854] for vsyscall which is not anymore in 3.1 kernel - Further cleanup of ld.so.conf to remove duplicate directories - Fix warning about potential array subscript out of bounds - Work around shortest-stem feature in make 3.82+ (patch - Update to glibc-2.10.1-e38af591a8 of glibc/pb-stable.git glibc-2.10-branch - only do obsoletes for XXbit packages on ppc, not on x86 * Fix sched_getcpu error path on x86-64. - nptl/init.c (sigcancel_handler): Compare with correct PID even - Don't terminate strings twice in nis/netgroup code. 
- Fix invalidating of nscd caches and getaddrinfo() - Update to current CVS: - Update to current CVS version and update to - Add fixes from CVS: - forward umount to umount2 on ppc64 because umount syscall - really fix linux/percpu.h to compile in userland - Update to kernel header files from 2.6.0-test7 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=670 --- ...o-fix-use-after-free-in-getcanonname.patch | 337 ++++++++++++++++++ ...o-Do-not-implement-fstat-with-fstatat.diff | 137 +++++++ glibc.changes | 147 ++++---- glibc.spec | 7 + 4 files changed, 558 insertions(+), 70 deletions(-) create mode 100644 glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch create mode 100644 glibc-io-Do-not-implement-fstat-with-fstatat.diff diff --git a/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch b/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch new file mode 100644 index 0000000..39b3254 --- /dev/null +++ b/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch 
@@ -0,0 +1,337 @@ +From 973fe93a5675c42798b2161c6f29c01b0e243994 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Fri, 15 Sep 2023 13:51:12 -0400 +Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname + (CVE-2023-4806) + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during tmpbuf resizing, through h_name in a previous query response. + +The backing store for res->at->name when doing a query with +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in +gethosts during the query. For AF_INET6 lookup with AI_ALL | +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second +for a v4 lookup. In this case, if the first call reallocates tmpbuf +enough number of times, resulting in a malloc, th->h_name (that +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. +Now if the second call to gethosts also causes the plugin callback to +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF +reference in res->at->name. This then gets dereferenced in the +getcanonname_r plugin call, resulting in the use after free. + +Fix this by copying h_name over and freeing it at the end. This +resolves BZ #30843, which is assigned CVE-2023-4806. 
+ +Signed-off-by: Siddhesh Poyarekar +--- + nss/Makefile | 15 ++++- + nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.h | 1 + + .../postclean.req | 0 + .../tst-nss-gai-hv2-canonname.script | 2 + + sysdeps/posix/getaddrinfo.c | 25 +++++--- + 7 files changed, 152 insertions(+), 10 deletions(-) + create mode 100644 nss/nss_test_gai_hv2_canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.h + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script + +diff --git a/nss/Makefile b/nss/Makefile +index 06fcdc450f..8a5126ecf3 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -82,6 +82,7 @@ tests-container := \ + tst-nss-test3 \ + tst-reload1 \ + tst-reload2 \ ++ tst-nss-gai-hv2-canonname \ + # tests-container + + # Tests which need libdl +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) + ifeq ($(build-static-nss),yes) + tests-static += tst-nss-static + endif +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ ++ nss_test_gai_hv2_canonname.os + + include ../Rules + +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver + libof-nss_test1 = extramodules + libof-nss_test2 = extramodules + libof-nss_test_errno = extramodules ++libof-nss_test_gai_hv2_canonname = extramodules + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) + $(build-module) ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ ++ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) ++ $(build-module) + 
$(objpfx)nss_test2.os : nss_test1.c + # Use the nss_files suffix for these objects as well. + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_errno.so + $(make-link) ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so ++ $(make-link) + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) + + ifeq (yes,$(have-thread-library)) + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c +new file mode 100644 +index 0000000000..4439c83c9f +--- /dev/null ++++ b/nss/nss_test_gai_hv2_canonname.c +@@ -0,0 +1,56 @@ ++/* NSS service provider that only provides gethostbyname2_r. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++/* Catch misnamed and functions. */ ++#pragma GCC diagnostic error "-Wmissing-prototypes" ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) ++ ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, ++ struct hostent *, char *, ++ size_t, int *, int *); ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, ++ struct hostent *result, ++ char *buffer, size_t buflen, ++ int *errnop, int *herrnop) ++{ ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, ++ herrnop); ++} ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, ++ size_t buflen, char **result, ++ int *errnop, int *h_errnop) ++{ ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail ++ the test. */ ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) ++ || buflen < sizeof (QUERYNAME)) ++ abort (); ++ ++ strncpy (buffer, name, buflen); ++ *result = buffer; ++ return NSS_STATUS_SUCCESS; ++} +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +new file mode 100644 +index 0000000000..d5f10c07d6 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -0,0 +1,63 @@ ++/* Test NSS query path for plugins that only implement gethostbyname2 ++ (#30843). ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++#define PREPARE do_prepare ++ ++static void do_prepare (int a, char **av) ++{ ++ FILE *hosts = xfopen ("/etc/hosts", "w"); ++ for (unsigned i = 2; i < 255; i++) ++ { ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); ++ } ++ xfclose (hosts); ++} ++ ++static int ++do_test (void) ++{ ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); ++ ++ struct addrinfo hints = {}; ++ struct addrinfo *result = NULL; ++ ++ hints.ai_family = AF_INET6; ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; ++ ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); ++ ++ if (ret != 0) ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); ++ ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); ++ ++ freeaddrinfo(result); ++ return 0; ++} ++ ++#include +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h +new file mode 100644 +index 0000000000..14f2a9cb08 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.h +@@ -0,0 +1 @@ ++#define QUERYNAME "test.example.com" +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req +new file mode 
100644 +index 0000000000..e69de29bb2 +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +new file mode 100644 +index 0000000000..31848b4a28 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +@@ -0,0 +1,2 @@ ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 ++su +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 6ae6744fe4..47f421fddf 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -120,6 +120,7 @@ struct gaih_result + { + struct gaih_addrtuple *at; + char *canon; ++ char *h_name; + bool free_at; + bool got_ipv6; + }; +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) + if (res->free_at) + free (res->at); + free (res->canon); ++ free (res->h_name); + memset (res, 0, sizeof (*res)); + } + +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + return 0; + } + +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name +- is not copied, and the struct hostent object must not be deallocated +- prematurely. The new addresses are appended to the tuple array in RES. */ ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new ++ addresses are appended to the tuple array in RES. */ + static bool + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + struct hostent *h, struct gaih_result *res) +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + res->at = array; + res->free_at = true; + ++ /* Duplicate h_name because it may get reclaimed when the underlying storage ++ is freed. */ ++ if (res->h_name == NULL) ++ { ++ res->h_name = __strdup (h->h_name); ++ if (res->h_name == NULL) ++ return false; ++ } ++ + /* Update the next pointers on reallocation. 
*/ + for (size_t i = 0; i < old; i++) + array[i].next = array + i + 1; +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + } + array[i].next = array + i + 1; + } +- array[0].name = h->h_name; + array[count - 1].next = NULL; + + return true; +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, + memory allocation failure. The returned string is allocated on the + heap; the caller has to free it. */ + static char * +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) ++getcanonname (nss_action_list nip, const char *hname, const char *name) + { + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); + char *s = (char *) name; + if (cfct != NULL) + { + char buf[256]; +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, ++ &h_errno)) != NSS_STATUS_SUCCESS) + /* If the canonical name cannot be determined, use the passed + string. */ + s = (char *) name; +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + if ((req->ai_flags & AI_CANONNAME) != 0 + && res->canon == NULL) + { +- char *canonbuf = getcanonname (nip, res->at, name); ++ char *canonbuf = getcanonname (nip, res->h_name, name); + if (canonbuf == NULL) + { + __resolv_context_put (res_ctx); +-- +2.39.3 + diff --git a/glibc-io-Do-not-implement-fstat-with-fstatat.diff b/glibc-io-Do-not-implement-fstat-with-fstatat.diff new file mode 100644 index 0000000..449232c --- /dev/null +++ b/glibc-io-Do-not-implement-fstat-with-fstatat.diff 
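Review bot: `res->h_name = __strdup (h->h_name);` in convert_hostent_to_gaih_addrtuple dereferences `h->h_name` unconditionally, whereas the removed `array[0].name = h->h_name` tolerated a NULL name (getcanonname still falls back via `hname ?: name`); if an NSS module can return a hostent with a NULL h_name, a guard `if (res->h_name == NULL && h->h_name != NULL)` keeps the old tolerance. The duplicate is also taken only on the first call because of the `res->h_name == NULL` test, while the old code overwrote `array[0].name` on every call, so for the AF_INET6 with AI_V4MAPPED double lookup the first answer's h_name now wins where previously the last one did, as far as the hunk shows; probably intended, but a comment on that `if` would record it. In the test module, `strncpy (buffer, name, buflen);` is safe only because of the preceding `buflen < sizeof (QUERYNAME)` abort; `memcpy (buffer, name, sizeof (QUERYNAME));` expresses the same without relying on strncpy's termination behaviour.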
@@ -0,0 +1,137 @@ +diff --git a/sysdeps/unix/sysv/linux/fstat64.c b/sysdeps/unix/sysv/linux/fstat64.c +index 124384e57f..a291f0825b 100644 +--- a/sysdeps/unix/sysv/linux/fstat64.c ++++ b/sysdeps/unix/sysv/linux/fstat64.c +@@ -19,20 +19,53 @@ + #define __fstat __redirect___fstat + #define fstat __redirect_fstat + #include ++#undef __fstat ++#undef fstat + #include +-#include +-#include ++#include + #include + + int + __fstat64_time64 (int fd, struct __stat64_t64 *buf) + { ++#if !FSTATAT_USE_STATX ++# if XSTAT_IS_XSTAT64 ++# ifdef __NR_fstat ++ /* 64-bit kABI, e.g. aarch64, ia64, powerpc64*, s390x, riscv64, and ++ x86_64. */ ++ return INLINE_SYSCALL_CALL (fstat, fd, buf); ++# elif defined __NR_fstat64 ++# if STAT64_IS_KERNEL_STAT64 ++ /* 64-bit kABI outlier, e.g. alpha */ ++ return INLINE_SYSCALL_CALL (fstat64, fd, buf); ++# else ++ /* 64-bit kABI outlier, e.g. sparc64. */ ++ struct kernel_stat64 kst64; ++ int r = INLINE_SYSCALL_CALL (fstat64, fd, &kst64); ++ if (r == 0) ++ __cp_stat64_kstat64 (buf, &kst64); ++ return r; ++# endif /* STAT64_IS_KERNEL_STAT64 */ ++# endif ++# else /* XSTAT_IS_XSTAT64 */ ++ /* 64-bit kabi outlier, e.g. mips64 and mips64-n32. */ ++ struct kernel_stat kst; ++ int r = INLINE_SYSCALL_CALL (fstat, fd, &kst); ++ if (r == 0) ++ __cp_kstat_stat64_t64 (&kst, buf); ++ return r; ++# endif ++#else /* !FSTATAT_USE_STATX */ ++ /* All kABIs with non-LFS support and with old 32-bit time_t support ++ e.g. arm, csky, i386, hppa, m68k, microblaze, nios2, sh, powerpc32, ++ and sparc32. 
*/ + if (fd < 0) + { + __set_errno (EBADF); + return -1; + } + return __fstatat64_time64 (fd, "", buf, AT_EMPTY_PATH); ++#endif + } + #if __TIMESIZE != 64 + hidden_def (__fstat64_time64) +diff --git a/sysdeps/unix/sysv/linux/fstatat64.c b/sysdeps/unix/sysv/linux/fstatat64.c +index 3509d3ca6d..127c6ff601 100644 +--- a/sysdeps/unix/sysv/linux/fstatat64.c ++++ b/sysdeps/unix/sysv/linux/fstatat64.c +@@ -21,12 +21,10 @@ + #include + #include + #include +-#include + #include + #include +-#include +-#include + #include ++#include + + #if __TIMESIZE == 64 \ + && (__WORDSIZE == 32 \ +@@ -40,11 +38,7 @@ _Static_assert (sizeof (__blkcnt_t) == sizeof (__blkcnt64_t), + "__blkcnt_t and __blkcnt64_t must match"); + #endif + +-#if (__WORDSIZE == 32 \ +- && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ +- || defined STAT_HAS_TIME32 \ +- || (!defined __NR_newfstatat && !defined __NR_fstatat64) +-# define FSTATAT_USE_STATX 1 ++#if FSTATAT_USE_STATX + + static inline int + fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, +@@ -79,8 +73,6 @@ fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, + + return r; + } +-#else +-# define FSTATAT_USE_STATX 0 + #endif + + /* Only statx supports 64-bit timestamps for 32-bit architectures with +diff --git a/sysdeps/unix/sysv/linux/internal-stat.h b/sysdeps/unix/sysv/linux/internal-stat.h +new file mode 100644 +index 0000000000..e3b0569853 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/internal-stat.h +@@ -0,0 +1,31 @@ ++/* Internal stat definitions. ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++#if (__WORDSIZE == 32 \ ++ && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ ++ || defined STAT_HAS_TIME32 \ ++ || (!defined __NR_newfstatat && !defined __NR_fstatat64) ++# define FSTATAT_USE_STATX 1 ++#else ++# define FSTATAT_USE_STATX 0 ++#endif diff --git a/glibc.changes b/glibc.changes index f78d8e6..784ab69 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Sep 18 08:50:20 UTC 2023 - Dirk Müller + +- add glibc-io-Do-not-implement-fstat-with-fstatat.diff +- add glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch + (bsc#1215281, CVE-2023-4806) + ------------------------------------------------------------------- Wed Sep 13 12:25:56 UTC 2023 - Andreas Schwab @@ -881,7 +888,7 @@ Thu Oct 10 14:39:24 UTC 2019 - Andreas Schwab Mon Sep 23 14:00:09 UTC 2019 - Andreas Schwab - Package gconv-modules.cache as %ghost -- Regenerate it also in the %post of glibc-local-base- +- Regenerate it also in the %post of glibc-local-base- ------------------------------------------------------------------- Mon Sep 23 13:01:24 UTC 2019 - Ludwig Nussel @@ -2591,7 +2598,7 @@ Wed Jan 8 12:38:29 UTC 2014 - coolo@suse.com - make pwdutils a real buildrequire Requires(pre) are used during builds, but don't trigger rebuilds. - But to create clearly defined bootstrap projects, it's essential + But to create clearly defined bootstrap projects, it's essential to know what packages are required for others. So move this requires to build to a buildrequire 
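Review bot: In the new `__fstat64_time64` body, the `XSTAT_IS_XSTAT64` branch returns only under `#ifdef __NR_fstat` / `#elif defined __NR_fstat64`; a 64-bit kABI defining neither would fall off the end of the function without a return, so an `#else` / `# error "no fstat syscall"` / `#endif` after the `fstat64` branch would turn that assumption into a build failure rather than a warning. The patch file also carries no From/Subject/upstream-commit header, unlike every other patch added in this series, so its provenance cannot be checked from the file; adding the upstream reference (left as `<upstream commit id>` here, since the page does not show it) would match the other PATCH-FIX-UPSTREAM entries.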
@@ -2766,7 +2773,7 @@ Tue Aug 6 09:20:04 UTC 2013 - schwab@suse.de aarch64-sigsetjmp.patch - Rediff all remaining patches - Reenable stackguard randomization on arm -- Recognize ppc64p7 arch to build for power7 +- Recognize ppc64p7 arch to build for power7 - Remove all ABI extensions from libcrypt - cbrtl-ldbl-96.patch: fix cbrtl for ldbl-96 @@ -2800,7 +2807,7 @@ Thu Jul 4 12:14:27 UTC 2013 - schwab@suse.de ------------------------------------------------------------------- Fri Jun 28 12:26:38 UTC 2013 - dmueller@suse.com -- add ld-linux.so.3 compat symlink also for armv6hl +- add ld-linux.so.3 compat symlink also for armv6hl - remove deprecated armv7l ------------------------------------------------------------------- @@ -2862,7 +2869,7 @@ Tue May 7 10:00:00 UTC 2013 - schwab@suse.de ------------------------------------------------------------------- Sun Apr 14 02:41:52 UTC 2013 - crrodriguez@opensuse.org -- Do not order nscd after syslog.target +- Do not order nscd after syslog.target ------------------------------------------------------------------- Mon Mar 4 14:16:43 UTC 2013 - schwab@suse.de @@ -3013,7 +3020,7 @@ Wed Nov 28 15:48:32 UTC 2012 - aj@suse.de - Update to e3c6aa3a5848: * Fix powerpc64 make abi check failure - * bugfixes + * bugfixes - Install nscd.socket to new /usr location ------------------------------------------------------------------- @@ -3156,7 +3163,7 @@ Fri Jul 20 17:00:00 UTC 2012 - aj@suse.de - Update to glibc 2.16 release. * update version numbers * Documentation updates -- Update manpages from Debian, includes new man pages for +- Update manpages from Debian, includes new man pages for locale.1, mtrace.1, gencat.1 iconvconfig.8. - Remove getent.1 man page, use the one from man-pages. 
@@ -3438,7 +3445,7 @@ Thu Jan 12 15:42:36 UTC 2012 - aj@suse.de ------------------------------------------------------------------- Thu Jan 12 11:01:41 UTC 2012 - aj@suse.de -- Use _target_cpu instead of _build and _host. This makes the +- Use _target_cpu instead of _build and _host. This makes the i686 library really build for i686. ------------------------------------------------------------------- @@ -3570,7 +3577,7 @@ Tue Nov 15 12:10:32 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Mon Nov 14 12:02:06 CET 2011 - ro@suse.de -- check-build.sh: accept kernel 3.x +- check-build.sh: accept kernel 3.x ------------------------------------------------------------------- Tue Nov 8 22:55:40 CET 2011 - dmueller@suse.de @@ -3612,7 +3619,7 @@ Sat Oct 29 18:37:46 UTC 2011 - aj@suse.de Thu Oct 27 08:44:14 UTC 2011 - aj@suse.de - Update to 804791474dc1: - - more libm optimizations + - more libm optimizations - Remove AMD libm routines due to new upstream libm optimizations and interfaces. - Fix build on x86. @@ -3778,13 +3785,13 @@ Mon Sep 5 08:26:24 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Sat Sep 3 19:39:03 UTC 2011 - aj@suse.de -- Revert last change, it caused some breakage. [bnc#715854] +- Revert last change, it caused some breakage. [bnc#715854] ------------------------------------------------------------------- Thu Sep 1 20:49:16 UTC 2011 - aj@suse.de - Add support for new vdso (3.1 kernel) and only then - for vsyscall which is not anymore in 3.1 kernel + for vsyscall which is not anymore in 3.1 kernel (patch glibc-2.15-vsyscall.patch) ------------------------------------------------------------------- 
@@ -3919,7 +3926,7 @@ Tue Jul 5 08:03:26 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Mon Jul 4 10:00:46 UTC 2011 - aj@suse.de -- Further cleanup of ld.so.conf to remove duplicate directories +- Further cleanup of ld.so.conf to remove duplicate directories and allow override of system directories (bnc#671725) - Fix futex bug (added patch glibc-fix-rwlock-stack-imbalance.patch from sourceware bug #12403). @@ -3963,7 +3970,7 @@ Mon Jun 27 11:00:33 UTC 2011 - aj@suse.de upstream. - Add glibc-2.15-getsysstats-speedup.patch to "Fix Linux sysconf(_SC_NPROCESSORS_[CONF|ONLN]) performance problem" -- Fix warning about potential array subscript out of bounds +- Fix warning about potential array subscript out of bounds (glibc-2.13-wranings.fix). - Fix some rpmlint warnings. @@ -4192,7 +4199,7 @@ Mon Sep 13 14:36:26 UTC 2010 - aj@suse.de ------------------------------------------------------------------- Sun Sep 12 08:00:57 UTC 2010 - aj@suse.de -- Work around shortest-stem feature in make 3.82+ (patch +- Work around shortest-stem feature in make 3.82+ (patch glibc-make-3.82.patch) ------------------------------------------------------------------- @@ -4578,7 +4585,7 @@ Fri Jun 5 00:46:59 CEST 2009 - pbaudis@suse.cz ------------------------------------------------------------------- Fri May 22 22:45:10 CEST 2009 - pbaudis@suse.cz -- Update to glibc-2.10.1-e38af591a8 of glibc/pb-stable.git glibc-2.10-branch +- Update to glibc-2.10.1-e38af591a8 of glibc/pb-stable.git glibc-2.10-branch maintained by me at repo.or.cz; contains backports of various bugfixes. (Still the same source is used for glibc-ports.) - Stop using separate tarball for nptl. 
@@ -4778,7 +4785,7 @@ Tue Oct 28 09:45:22 CET 2008 - olh@suse.de ------------------------------------------------------------------- Thu Oct 23 22:20:28 CEST 2008 - ro@suse.de -- only do obsoletes for XXbit packages on ppc, not on x86 +- only do obsoletes for XXbit packages on ppc, not on x86 ------------------------------------------------------------------- Wed Oct 23 13:46:25 CEST 2008 - matz@suse.de @@ -5064,7 +5071,7 @@ Mon Aug 13 19:09:31 CEST 2007 - aj@suse.de - Backport: * Update kernel-features.h. - * Fix sched_getcpu error path on x86-64. + * Fix sched_getcpu error path on x86-64. * Use upstreamed version of ldconfig cache speed ups. ------------------------------------------------------------------- @@ -5372,7 +5379,7 @@ Thu Apr 13 13:34:07 CEST 2006 - kukuk@suse.de ------------------------------------------------------------------- Tue Apr 11 12:20:57 CEST 2006 - kukuk@suse.de -- nptl/init.c (sigcancel_handler): Compare with correct PID even +- nptl/init.c (sigcancel_handler): Compare with correct PID even if the thread is in the middle of a fork call. (sighandler_setxid): Likewise. @@ -5869,7 +5876,7 @@ Thu Jun 16 17:03:43 CEST 2005 - kukuk@suse.de ------------------------------------------------------------------- Mon Jun 13 14:48:53 CEST 2005 - kukuk@suse.de -- Don't terminate strings twice in nis/netgroup code. +- Don't terminate strings twice in nis/netgroup code. - netinet/if_tr.h: don't include kernel headers. ------------------------------------------------------------------- @@ -6244,7 +6251,7 @@ Wed Sep 22 15:33:10 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Sep 20 17:58:13 CEST 2004 - kukuk@suse.de -- Fix invalidating of nscd caches and getaddrinfo() +- Fix invalidating of nscd caches and getaddrinfo() ------------------------------------------------------------------- Fri Sep 17 07:13:01 CEST 2004 - kukuk@suse.de 
@@ -6297,7 +6304,7 @@ Wed Aug 25 16:16:32 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Aug 23 10:20:09 CEST 2004 - kukuk@suse.de -- Update to current CVS: +- Update to current CVS: - Use CVS version for last fix. - Add malloc sanity checks for double free. @@ -6336,7 +6343,7 @@ Tue Aug 17 12:13:41 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Aug 16 11:51:37 CEST 2004 - kukuk@suse.de -- Update to current CVS version and update to +- Update to current CVS version and update to kernel-headers 2.6.8.1 to fix NPTL deadlock problems - Disable linuxthreads/tst-clock1, does not work on i586 and lower @@ -6361,7 +6368,7 @@ Wed Jun 16 07:45:07 CEST 2004 - meissner@suse.de ------------------------------------------------------------------- Mon Jun 14 20:12:00 CEST 2004 - kukuk@suse.de -- Add fixes from CVS: +- Add fixes from CVS: - sysconf return value fixes - nscd host caching deadlock - backtrace for s390/s390x/ia64 static linked binaries @@ -6496,7 +6503,7 @@ Fri Apr 9 16:22:31 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Thu Apr 8 00:24:46 CEST 2004 - meissner@suse.de -- forward umount to umount2 on ppc64 because umount syscall +- forward umount to umount2 on ppc64 because umount syscall does not exist ------------------------------------------------------------------- @@ -6785,7 +6792,7 @@ Wed Jan 21 10:23:42 CET 2004 - aj@suse.de ------------------------------------------------------------------- Mon Jan 19 15:49:51 CET 2004 - ro@suse.de -- really fix linux/percpu.h to compile in userland +- really fix linux/percpu.h to compile in userland ------------------------------------------------------------------- Fri Jan 16 11:14:49 CET 2004 - kukuk@suse.de 
@@ -6955,7 +6962,7 @@ Tue Oct 14 10:49:36 CEST 2003 - kukuk@suse.de ------------------------------------------------------------------- Mon Oct 13 12:11:53 CEST 2003 - kukuk@suse.de -- Update to kernel header files from 2.6.0-test7 +- Update to kernel header files from 2.6.0-test7 ------------------------------------------------------------------- Fri Oct 10 17:11:01 CEST 2003 - schwab@suse.de @@ -7431,7 +7438,7 @@ Fri Feb 14 14:51:11 CET 2003 - kukuk@suse.de ------------------------------------------------------------------- Thu Feb 13 18:34:50 CET 2003 - kukuk@suse.de -- Update to current snapshot +- Update to current snapshot ------------------------------------------------------------------- Wed Feb 12 11:50:54 CET 2003 - kukuk@suse.de @@ -7499,7 +7506,7 @@ Thu Jan 30 16:05:32 CET 2003 - aj@suse.de Wed Jan 29 12:57:23 CET 2003 - kukuk@suse.de - Update to current glibc cvs -- Fix libm-ulps for x86-64 and ia64 +- Fix libm-ulps for x86-64 and ia64 ------------------------------------------------------------------- Thu Jan 23 16:47:33 CET 2003 - schwab@suse.de @@ -7534,7 +7541,7 @@ Sun Jan 12 19:16:13 CET 2003 - kukuk@suse.de ------------------------------------------------------------------- Fri Jan 3 19:09:36 CET 2003 - bg@suse.de -- removed obsolete patch for hppa +- removed obsolete patch for hppa ------------------------------------------------------------------- Fri Dec 20 23:15:48 CET 2002 - kukuk@suse.de @@ -7549,8 +7556,8 @@ Fri Dec 20 23:15:48 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Tue Dec 17 16:01:13 CET 2002 - olh@suse.de -- remove glibc-2.2.5-ppc64-bits-socket_h.diff - add glibc-2.3-setjmp-ppc64.diff +- remove glibc-2.2.5-ppc64-bits-socket_h.diff + add glibc-2.3-setjmp-ppc64.diff add libc23-ppc64-cvshead20021210.patch dont run configure in subshell, it can fail and rpm cant catch it 
@@ -7575,7 +7582,7 @@ Tue Dec 3 11:16:30 CET 2002 - aj@suse.de ------------------------------------------------------------------- Fri Nov 29 11:08:03 CET 2002 - bg@suse.de -- Fix build on hppa. +- Fix build on hppa. ------------------------------------------------------------------- Thu Nov 28 21:31:09 CET 2002 - aj@suse.de @@ -7592,7 +7599,7 @@ Thu Nov 28 15:45:09 CET 2002 - aj@suse.de ------------------------------------------------------------------- Tue Nov 12 12:41:17 CET 2002 - bg@suse.de -- Updated hppa patches +- Updated hppa patches ------------------------------------------------------------------- Thu Nov 7 14:00:04 CET 2002 - kukuk@suse.de @@ -7603,14 +7610,14 @@ Thu Nov 7 14:00:04 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Thu Nov 7 12:11:29 CET 2002 - bg@suse.de -- Fix build of linuxthreads for hppa +- Fix build of linuxthreads for hppa ------------------------------------------------------------------- Tue Nov 5 16:31:11 CET 2002 - bg@suse.de - Use current kernel-headers for parisc -- Add support for hppa - +- Add support for hppa + ------------------------------------------------------------------- Tue Nov 5 15:29:32 CET 2002 - kukuk@suse.de @@ -7665,7 +7672,7 @@ Mon Sep 16 17:24:01 CEST 2002 - meissner@suse.de Thu Sep 12 15:56:07 CEST 2002 - meissner@suse.de - ppc/ppc64: added more biarch things to the SystemV IPC headers - which are needed to get 64bit ipc / IPC_STAT to work. + which are needed to get 64bit ipc / IPC_STAT to work. ------------------------------------------------------------------- Mon Sep 9 18:52:53 CEST 2002 - bk@suse.de 
@@ -7719,7 +7726,7 @@ Tue Aug 27 15:52:49 CEST 2002 - olh@suse.de Mon Aug 26 21:56:22 CEST 2002 - olh@suse.de - add ppc64_glibc_2.2.5_sunrpc-fix.patch - * sysdeps/unix/sysv/linux/powerpc/bits/socket.h: New file that adds + * sysdeps/unix/sysv/linux/powerpc/bits/socket.h: New file that adds __powerpc64__ specific fields and adjust size/alignment for 64-bit. ------------------------------------------------------------------- @@ -7826,7 +7833,7 @@ Fri Jul 12 18:29:17 CEST 2002 - aj@suse.de ------------------------------------------------------------------- Mon Jul 8 10:45:49 CEST 2002 - aj@suse.de -- Add some optimized x86-64 math routines and a fixed lgammal +- Add some optimized x86-64 math routines and a fixed lgammal implementation. - Testsuite on x86-64 should pass now. - Run ldconfig in postinstall. @@ -7903,7 +7910,7 @@ Tue Jun 11 10:04:55 CEST 2002 - sf@suse.de - made new kernel-header archive from kernel-source - added asm-ppc64 to kernel-headers -- removed patch9 as it is obsoleted by the new kernel-headers +- removed patch9 as it is obsoleted by the new kernel-headers ------------------------------------------------------------------- Fri Jun 7 14:29:30 CEST 2002 - olh@suse.de @@ -8101,8 +8108,8 @@ Thu Feb 28 14:53:42 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Mon Feb 18 13:22:05 CET 2002 - kukuk@suse.de -- When a dlopened module references a weak symbol from another - dlopened module (loaded with RTLD_GLOBAL) no dependency was +- When a dlopened module references a weak symbol from another + dlopened module (loaded with RTLD_GLOBAL) no dependency was generated for this fact, so the second module was unloaded even if the first one was still around. 
@@ -8131,7 +8138,7 @@ Wed Feb 13 16:03:20 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Tue Feb 12 02:01:42 CET 2002 - ro@suse.de -- fix owner/group for kernel headers +- fix owner/group for kernel headers ------------------------------------------------------------------- Mon Feb 11 15:17:18 CET 2002 - kukuk@suse.de @@ -8568,12 +8575,12 @@ Thu Mar 29 08:33:19 CEST 2001 - aj@suse.de ------------------------------------------------------------------- Thu Mar 29 01:18:52 CEST 2001 - ro@suse.de -- added db-splitmask fix from mls (hopefully work around bug in db1) +- added db-splitmask fix from mls (hopefully work around bug in db1) ------------------------------------------------------------------- Wed Mar 28 09:02:54 CEST 2001 - aj@suse.de -- Fix s390 to not generate wrong relocations, work around compiler +- Fix s390 to not generate wrong relocations, work around compiler error. ------------------------------------------------------------------- @@ -8615,12 +8622,12 @@ Fri Mar 9 15:33:55 CET 2001 - kukuk@suse.de ------------------------------------------------------------------- Thu Mar 8 16:02:45 CET 2001 - ro@suse.de -- update kernel-headers to 2.4.2 +- update kernel-headers to 2.4.2 ------------------------------------------------------------------- Thu Mar 8 12:53:56 CET 2001 - ro@suse.de -- kernel-header fixes to build on s390 +- kernel-header fixes to build on s390 ------------------------------------------------------------------- Thu Feb 22 11:22:08 CET 2001 - schwab@suse.de @@ -8833,7 +8840,7 @@ Fri Oct 27 15:39:17 CEST 2000 - aj@suse.de ------------------------------------------------------------------- Wed Oct 25 16:47:22 CEST 2000 - kukuk@suse.de -- Update to glibc-2.2-20001025 +- Update to glibc-2.2-20001025 ------------------------------------------------------------------- Sun Oct 22 16:31:32 CEST 2000 - kukuk@suse.de 
@@ -8918,7 +8925,7 @@ Mon Aug 21 19:56:06 CEST 2000 - garloff@suse.de Tue Jul 25 08:41:48 CEST 2000 - kukuk@suse.de - Add mmap fix for PowerPC - + ------------------------------------------------------------------- Tue Jul 11 10:02:41 CEST 2000 - kukuk@suse.de @@ -8964,7 +8971,7 @@ Fri May 26 11:07:39 CEST 2000 - kukuk@suse.de ------------------------------------------------------------------- Wed May 24 22:23:12 CEST 2000 - kukuk@suse.de -- Fix ldconfig.8 manual page +- Fix ldconfig.8 manual page ------------------------------------------------------------------- Thu May 18 17:53:09 CEST 2000 - bk@suse.de @@ -8999,7 +9006,7 @@ Tue May 9 22:21:23 CEST 2000 - kukuk@suse.de ------------------------------------------------------------------- Mon May 8 11:59:48 CEST 2000 - kukuk@suse.de -- Add lot of bug fixes from CVS +- Add lot of bug fixes from CVS ------------------------------------------------------------------- Tue Apr 25 14:20:43 CEST 2000 - kukuk@suse.de @@ -9059,13 +9066,13 @@ Mon Apr 3 14:42:03 MEST 2000 - bk@suse.de ------------------------------------------------------------------- Wed Mar 22 12:10:02 CET 2000 - kukuk@suse.de -- Fix last SPARC patch +- Fix last SPARC patch ------------------------------------------------------------------- Tue Mar 21 17:48:01 CET 2000 - kukuk@suse.de - Add SPARC patches -- Add IA64 patches +- Add IA64 patches ------------------------------------------------------------------- Wed Mar 15 14:35:47 CET 2000 - kukuk@suse.de @@ -9095,7 +9102,7 @@ Thu Feb 24 16:12:39 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Tue Feb 22 16:40:35 CET 2000 - kukuk@suse.de -- Update to current glibc cvs snapshot (2.1.3pre4) +- Update to current glibc cvs snapshot (2.1.3pre4) ------------------------------------------------------------------- Sat Feb 5 14:40:33 CET 2000 - kukuk@suse.de 
@@ -9132,7 +9139,7 @@ Wed Jan 19 15:53:18 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Sat Jan 15 01:31:16 CET 2000 - ro@suse.de --fixed ppc db2-patch +-fixed ppc db2-patch ------------------------------------------------------------------- Fri Jan 14 16:54:26 CET 2000 - kukuk@suse.de @@ -9142,22 +9149,22 @@ Fri Jan 14 16:54:26 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Fri Jan 14 00:27:03 CET 2000 - kukuk@suse.de -- Add patch for SPARC +- Add patch for SPARC ------------------------------------------------------------------- Thu Jan 13 15:23:54 CET 2000 - kukuk@suse.de -- Move info pages to /usr/share/info +- Move info pages to /usr/share/info ------------------------------------------------------------------- Mon Jan 10 14:49:14 CET 2000 - kukuk@suse.de -- Add ipv6 patches for getent +- Add ipv6 patches for getent ------------------------------------------------------------------- Mon Jan 10 11:23:57 CET 2000 - kukuk@suse.de -- Move manual pages for applications and config files into +- Move manual pages for applications and config files into shlibs package - Update to current glibc 2.1.3 snapshot @@ -9222,7 +9229,7 @@ Sat Oct 16 16:29:44 MEST 1999 - kukuk@suse.de Mon Oct 11 19:19:00 MEST 1999 - kukuk@suse.de - Add linuxthreads/signals.c fix from Andreas Schwab -- Remove dangling symlink (Bug #544) +- Remove dangling symlink (Bug #544) - Add more bug fixes ------------------------------------------------------------------- @@ -9255,7 +9262,7 @@ Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de Mon Sep 6 10:25:03 MEST 1999 - kukuk@suse.de - Update to current glibc 2.1.2 cvs snapshot -- Remove use auf automake in spec file +- Remove use auf automake in spec file ------------------------------------------------------------------- Fri Sep 3 14:35:42 MEST 1999 - kukuk@suse.de 
@@ -9266,7 +9273,7 @@ Fri Sep 3 14:35:42 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Wed Aug 25 17:07:09 MEST 1999 - kukuk@suse.de -- Update to current glibc 2.1.2 cvs snapshot +- Update to current glibc 2.1.2 cvs snapshot ------------------------------------------------------------------- Thu Aug 19 15:20:26 MEST 1999 - kukuk@suse.de @@ -9279,7 +9286,7 @@ Thu Aug 19 15:20:26 MEST 1999 - kukuk@suse.de Sat Aug 14 19:58:45 MEST 1999 - kukuk@suse.de - disable nscd hosts caching by default -- Apply patch from HJL for broken gethostbyname_r in libnss_dns +- Apply patch from HJL for broken gethostbyname_r in libnss_dns ------------------------------------------------------------------- Fri Jul 16 17:01:51 MEST 1999 - kukuk@suse.de @@ -9290,7 +9297,7 @@ Fri Jul 16 17:01:51 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Wed Jul 14 16:05:14 MEST 1999 - kukuk@suse.de -- Remove /etc/localtime from filelist +- Remove /etc/localtime from filelist ------------------------------------------------------------------- Mon Jul 12 09:54:43 MEST 1999 - kukuk@suse.de @@ -9301,7 +9308,7 @@ Mon Jul 12 09:54:43 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Thu Jul 8 17:25:43 MEST 1999 - kukuk@suse.de -- configure for i386-unknown-linux +- configure for i386-unknown-linux ------------------------------------------------------------------- Wed Jul 7 12:28:43 MEST 1999 - kukuk@suse.de @@ -9341,7 +9348,7 @@ Mon Jun 14 09:17:26 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Thu Jun 10 10:04:11 MEST 1999 - kukuk@suse.de -- Fix daemon() for MT programs +- Fix daemon() for MT programs - Add libio fixes ------------------------------------------------------------------- 
@@ -9379,7 +9386,7 @@ Wed Apr 28 17:48:51 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Tue Apr 27 11:48:46 MEST 1999 - kukuk@suse.de -- update to cvs version of Apr 26 1999 +- update to cvs version of Apr 26 1999 - fix pmap_set/pmap_unset for DHCP clients - Rename libdb1.so.2[.1] to libdb.so.2[.1] since we don't create the symbolic links. @@ -9426,7 +9433,7 @@ Sat Feb 20 19:29:32 MET 1999 - ro@suse.de ------------------------------------------------------------------- Sat Feb 20 18:41:22 MET 1999 - ro@suse.de -- fixed specfile ... +- fixed specfile ... ------------------------------------------------------------------- Sat Feb 20 18:31:30 MET 1999 - ro@suse.de @@ -9462,7 +9469,7 @@ Mon Sep 21 19:43:16 MEST 1998 - ro@suse.de ------------------------------------------------------------------- Mon Sep 14 14:28:21 MEST 1998 - ro@suse.de -- update: use today's cvs-version +- update: use today's cvs-version ------------------------------------------------------------------- Wed Sep 2 16:56:04 MEST 1998 - ro@suse.de diff --git a/glibc.spec b/glibc.spec index 1f623a6..974007e 100644 --- a/glibc.spec +++ b/glibc.spec @@ -317,12 +317,16 @@ Patch1007: call-init-proxy-objects.patch Patch1008: dtors-reverse-ctor-order.patch # PATCH-FIX-UPSTREAM Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, BZ #30842) Patch1009: no-aaaa-read-overflow.patch +# PATCH-FIX-UPSTREAM use-after-free in getaddrinfo() (CVE-2023-4806, BSC#1215281) +Patch1010: glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch ### # Patches awaiting upstream approval ### # PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973) Patch2000: ldconfig-concurrency.patch +# https://patchwork.sourceware.org/project/glibc/patch/20230911132548.1981093-1-adhemerval.zanella@linaro.org/ +Patch2001: glibc-io-Do-not-implement-fstat-with-fstatat.diff # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages 
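Review bot: The comment added above `Patch2001` is a bare patchwork URL, whereas every neighbouring entry in this hunk, including the new `Patch1010`, leads with a `# PATCH-FIX-UPSTREAM <summary>` tag, which appears to be the tagging convention this spec relies on for patch bookkeeping. Keep the URL but put the tag and the patch subject first, e.g. `# PATCH-FIX-UPSTREAM io: Do not implement fstat with fstatat` (subject taken from the patch file name) followed by the existing `# https://patchwork.sourceware.org/...` line, so the reader gets the one-line summary the other entries provide. The `Patch1010` comment also spells the bug reference `BSC#1215281` while the matching glibc.changes entry uses `bsc#1215281`; one spelling keeps text searches for the CVE-2023-4806 fix consistent across the package.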
@@ -549,9 +553,11 @@ library in a cross compilation setting. %patch1007 -p1 %patch1008 -p1 %patch1009 -p1 +%patch1010 -p1 %endif %patch2000 -p1 +%patch2001 -p1 %patch3000 rm -f manpages/catchsegv.1 @@ -683,6 +689,7 @@ profile="--disable-profile" --libexecdir=%{_libexecdir} --infodir=%{_infodir} \ $profile \ --build=%{build} --host=${target} \ + --with-selinux \ %if %{build_cross} --with-headers=%{sysroot}/usr/include \ %else From 3e5ba0b46af73aa1673219fe88e944548be8cf96422a01b94016f2da3b6af121 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Mon, 18 Sep 2023 09:20:34 +0000 Subject: [PATCH 6/9] osc copypac from project:Base:System package:glibc revision:669 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=671 --- ...o-fix-use-after-free-in-getcanonname.patch | 337 ------------------ ...o-Do-not-implement-fstat-with-fstatat.diff | 137 ------- glibc.changes | 147 ++++---- glibc.spec | 7 - 4 files changed, 70 insertions(+), 558 deletions(-) delete mode 100644 glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch delete mode 100644 glibc-io-Do-not-implement-fstat-with-fstatat.diff diff --git a/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch b/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch deleted file mode 100644 index 39b3254..0000000 --- a/glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch +++ /dev/null 
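Review bot: The added `--with-selinux \` line changes the build configuration (nscd is built with SELinux support) but the glibc.changes entry for this commit lists only the two added patches, so the change is undocumented; add a line such as `- Build with --with-selinux` to the changelog, or drop the line from this commit if it was picked up unintentionally. As far as I recall, glibc's configure treats an explicit `--with-selinux` as a hard requirement and fails when libselinux is not found, so the corresponding `BuildRequires: libselinux-devel` has to be present; it is outside this hunk, so please confirm it exists. The configure invocation this line belongs to continues outside the hunk.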
@@ -1,337 +0,0 @@ -From 973fe93a5675c42798b2161c6f29c01b0e243994 Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Fri, 15 Sep 2023 13:51:12 -0400 -Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname - (CVE-2023-4806) - -When an NSS plugin only implements the _gethostbyname2_r and -_getcanonname_r callbacks, getaddrinfo could use memory that was freed -during tmpbuf resizing, through h_name in a previous query response. - -The backing store for res->at->name when doing a query with -gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in -gethosts during the query. For AF_INET6 lookup with AI_ALL | -AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second -for a v4 lookup. In this case, if the first call reallocates tmpbuf -enough number of times, resulting in a malloc, th->h_name (that -res->at->name refers to) ends up on a heap allocated storage in tmpbuf. -Now if the second call to gethosts also causes the plugin callback to -return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF -reference in res->at->name. This then gets dereferenced in the -getcanonname_r plugin call, resulting in the use after free. - -Fix this by copying h_name over and freeing it at the end. This -resolves BZ #30843, which is assigned CVE-2023-4806. 
- -Signed-off-by: Siddhesh Poyarekar ---- - nss/Makefile | 15 ++++- - nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ - nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ - nss/tst-nss-gai-hv2-canonname.h | 1 + - .../postclean.req | 0 - .../tst-nss-gai-hv2-canonname.script | 2 + - sysdeps/posix/getaddrinfo.c | 25 +++++--- - 7 files changed, 152 insertions(+), 10 deletions(-) - create mode 100644 nss/nss_test_gai_hv2_canonname.c - create mode 100644 nss/tst-nss-gai-hv2-canonname.c - create mode 100644 nss/tst-nss-gai-hv2-canonname.h - create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req - create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script - -diff --git a/nss/Makefile b/nss/Makefile -index 06fcdc450f..8a5126ecf3 100644 ---- a/nss/Makefile -+++ b/nss/Makefile -@@ -82,6 +82,7 @@ tests-container := \ - tst-nss-test3 \ - tst-reload1 \ - tst-reload2 \ -+ tst-nss-gai-hv2-canonname \ - # tests-container - - # Tests which need libdl -@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) - ifeq ($(build-static-nss),yes) - tests-static += tst-nss-static - endif --extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os -+extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ -+ nss_test_gai_hv2_canonname.os - - include ../Rules - -@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver - libof-nss_test1 = extramodules - libof-nss_test2 = extramodules - libof-nss_test_errno = extramodules -+libof-nss_test_gai_hv2_canonname = extramodules - $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) - $(build-module) - $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) - $(build-module) - $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) - $(build-module) -+$(objpfx)/libnss_test_gai_hv2_canonname.so: \ -+ $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) -+ $(build-module) - 
$(objpfx)nss_test2.os : nss_test1.c - # Use the nss_files suffix for these objects as well. - $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so -@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so - $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ - $(objpfx)/libnss_test_errno.so - $(make-link) -+$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ -+ $(objpfx)/libnss_test_gai_hv2_canonname.so -+ $(make-link) - $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ - $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ - $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ -- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) -+ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ -+ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) - - ifeq (yes,$(have-thread-library)) - $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) -@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags - LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags - LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags - LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags -+LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags -diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c -new file mode 100644 -index 0000000000..4439c83c9f ---- /dev/null -+++ b/nss/nss_test_gai_hv2_canonname.c -@@ -0,0 +1,56 @@ -+/* NSS service provider that only provides gethostbyname2_r. -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. 
-+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include "nss/tst-nss-gai-hv2-canonname.h" -+ -+/* Catch misnamed and functions. */ -+#pragma GCC diagnostic error "-Wmissing-prototypes" -+NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) -+ -+extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, -+ struct hostent *, char *, -+ size_t, int *, int *); -+ -+enum nss_status -+_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, -+ struct hostent *result, -+ char *buffer, size_t buflen, -+ int *errnop, int *herrnop) -+{ -+ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, -+ herrnop); -+} -+ -+enum nss_status -+_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, -+ size_t buflen, char **result, -+ int *errnop, int *h_errnop) -+{ -+ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail -+ the test. */ -+ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) -+ || buflen < sizeof (QUERYNAME)) -+ abort (); -+ -+ strncpy (buffer, name, buflen); -+ *result = buffer; -+ return NSS_STATUS_SUCCESS; -+} -diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c -new file mode 100644 -index 0000000000..d5f10c07d6 ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.c -@@ -0,0 +1,63 @@ -+/* Test NSS query path for plugins that only implement gethostbyname2 -+ (#30843). -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. 
-+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "nss/tst-nss-gai-hv2-canonname.h" -+ -+#define PREPARE do_prepare -+ -+static void do_prepare (int a, char **av) -+{ -+ FILE *hosts = xfopen ("/etc/hosts", "w"); -+ for (unsigned i = 2; i < 255; i++) -+ { -+ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); -+ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); -+ } -+ xfclose (hosts); -+} -+ -+static int -+do_test (void) -+{ -+ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); -+ -+ struct addrinfo hints = {}; -+ struct addrinfo *result = NULL; -+ -+ hints.ai_family = AF_INET6; -+ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; -+ -+ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); -+ -+ if (ret != 0) -+ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); -+ -+ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); -+ -+ freeaddrinfo(result); -+ return 0; -+} -+ -+#include -diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h -new file mode 100644 -index 0000000000..14f2a9cb08 ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.h -@@ -0,0 +1 @@ -+#define QUERYNAME "test.example.com" -diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req -new file mode 
100644 -index 0000000000..e69de29bb2 -diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script -new file mode 100644 -index 0000000000..31848b4a28 ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script -@@ -0,0 +1,2 @@ -+cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 -+su -diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c -index 6ae6744fe4..47f421fddf 100644 ---- a/sysdeps/posix/getaddrinfo.c -+++ b/sysdeps/posix/getaddrinfo.c -@@ -120,6 +120,7 @@ struct gaih_result - { - struct gaih_addrtuple *at; - char *canon; -+ char *h_name; - bool free_at; - bool got_ipv6; - }; -@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) - if (res->free_at) - free (res->at); - free (res->canon); -+ free (res->h_name); - memset (res, 0, sizeof (*res)); - } - -@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, - return 0; - } - --/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name -- is not copied, and the struct hostent object must not be deallocated -- prematurely. The new addresses are appended to the tuple array in RES. */ -+/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new -+ addresses are appended to the tuple array in RES. */ - static bool - convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - struct hostent *h, struct gaih_result *res) -@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - res->at = array; - res->free_at = true; - -+ /* Duplicate h_name because it may get reclaimed when the underlying storage -+ is freed. */ -+ if (res->h_name == NULL) -+ { -+ res->h_name = __strdup (h->h_name); -+ if (res->h_name == NULL) -+ return false; -+ } -+ - /* Update the next pointers on reallocation. 
*/ - for (size_t i = 0; i < old; i++) - array[i].next = array + i + 1; -@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - } - array[i].next = array + i + 1; - } -- array[0].name = h->h_name; - array[count - 1].next = NULL; - - return true; -@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, - memory allocation failure. The returned string is allocated on the - heap; the caller has to free it. */ - static char * --getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) -+getcanonname (nss_action_list nip, const char *hname, const char *name) - { - nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); - char *s = (char *) name; - if (cfct != NULL) - { - char buf[256]; -- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), -- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) -+ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, -+ &h_errno)) != NSS_STATUS_SUCCESS) - /* If the canonical name cannot be determined, use the passed - string. */ - s = (char *) name; -@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, - if ((req->ai_flags & AI_CANONNAME) != 0 - && res->canon == NULL) - { -- char *canonbuf = getcanonname (nip, res->at, name); -+ char *canonbuf = getcanonname (nip, res->h_name, name); - if (canonbuf == NULL) - { - __resolv_context_put (res_ctx); --- -2.39.3 - diff --git a/glibc-io-Do-not-implement-fstat-with-fstatat.diff b/glibc-io-Do-not-implement-fstat-with-fstatat.diff deleted file mode 100644 index 449232c..0000000 --- a/glibc-io-Do-not-implement-fstat-with-fstatat.diff +++ /dev/null 
@@ -1,137 +0,0 @@ -diff --git a/sysdeps/unix/sysv/linux/fstat64.c b/sysdeps/unix/sysv/linux/fstat64.c -index 124384e57f..a291f0825b 100644 ---- a/sysdeps/unix/sysv/linux/fstat64.c -+++ b/sysdeps/unix/sysv/linux/fstat64.c -@@ -19,20 +19,53 @@ - #define __fstat __redirect___fstat - #define fstat __redirect_fstat - #include -+#undef __fstat -+#undef fstat - #include --#include --#include -+#include - #include - - int - __fstat64_time64 (int fd, struct __stat64_t64 *buf) - { -+#if !FSTATAT_USE_STATX -+# if XSTAT_IS_XSTAT64 -+# ifdef __NR_fstat -+ /* 64-bit kABI, e.g. aarch64, ia64, powerpc64*, s390x, riscv64, and -+ x86_64. */ -+ return INLINE_SYSCALL_CALL (fstat, fd, buf); -+# elif defined __NR_fstat64 -+# if STAT64_IS_KERNEL_STAT64 -+ /* 64-bit kABI outlier, e.g. alpha */ -+ return INLINE_SYSCALL_CALL (fstat64, fd, buf); -+# else -+ /* 64-bit kABI outlier, e.g. sparc64. */ -+ struct kernel_stat64 kst64; -+ int r = INLINE_SYSCALL_CALL (fstat64, fd, &kst64); -+ if (r == 0) -+ __cp_stat64_kstat64 (buf, &kst64); -+ return r; -+# endif /* STAT64_IS_KERNEL_STAT64 */ -+# endif -+# else /* XSTAT_IS_XSTAT64 */ -+ /* 64-bit kabi outlier, e.g. mips64 and mips64-n32. */ -+ struct kernel_stat kst; -+ int r = INLINE_SYSCALL_CALL (fstat, fd, &kst); -+ if (r == 0) -+ __cp_kstat_stat64_t64 (&kst, buf); -+ return r; -+# endif -+#else /* !FSTATAT_USE_STATX */ -+ /* All kABIs with non-LFS support and with old 32-bit time_t support -+ e.g. arm, csky, i386, hppa, m68k, microblaze, nios2, sh, powerpc32, -+ and sparc32. 
*/ - if (fd < 0) - { - __set_errno (EBADF); - return -1; - } - return __fstatat64_time64 (fd, "", buf, AT_EMPTY_PATH); -+#endif - } - #if __TIMESIZE != 64 - hidden_def (__fstat64_time64) -diff --git a/sysdeps/unix/sysv/linux/fstatat64.c b/sysdeps/unix/sysv/linux/fstatat64.c -index 3509d3ca6d..127c6ff601 100644 ---- a/sysdeps/unix/sysv/linux/fstatat64.c -+++ b/sysdeps/unix/sysv/linux/fstatat64.c -@@ -21,12 +21,10 @@ - #include - #include - #include --#include - #include - #include --#include --#include - #include -+#include - - #if __TIMESIZE == 64 \ - && (__WORDSIZE == 32 \ -@@ -40,11 +38,7 @@ _Static_assert (sizeof (__blkcnt_t) == sizeof (__blkcnt64_t), - "__blkcnt_t and __blkcnt64_t must match"); - #endif - --#if (__WORDSIZE == 32 \ -- && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ -- || defined STAT_HAS_TIME32 \ -- || (!defined __NR_newfstatat && !defined __NR_fstatat64) --# define FSTATAT_USE_STATX 1 -+#if FSTATAT_USE_STATX - - static inline int - fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, -@@ -79,8 +73,6 @@ fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, - - return r; - } --#else --# define FSTATAT_USE_STATX 0 - #endif - - /* Only statx supports 64-bit timestamps for 32-bit architectures with -diff --git a/sysdeps/unix/sysv/linux/internal-stat.h b/sysdeps/unix/sysv/linux/internal-stat.h -new file mode 100644 -index 0000000000..e3b0569853 ---- /dev/null -+++ b/sysdeps/unix/sysv/linux/internal-stat.h -@@ -0,0 +1,31 @@ -+/* Internal stat definitions. -+ Copyright (C) 2023 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. 
-+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+ -+#if (__WORDSIZE == 32 \ -+ && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ -+ || defined STAT_HAS_TIME32 \ -+ || (!defined __NR_newfstatat && !defined __NR_fstatat64) -+# define FSTATAT_USE_STATX 1 -+#else -+# define FSTATAT_USE_STATX 0 -+#endif diff --git a/glibc.changes b/glibc.changes index 784ab69..f78d8e6 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,10 +1,3 @@ -------------------------------------------------------------------- -Mon Sep 18 08:50:20 UTC 2023 - Dirk Müller - -- add glibc-io-Do-not-implement-fstat-with-fstatat.diff -- add glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch - (bsc#1215281, CVE-2023-4806) - ------------------------------------------------------------------- Wed Sep 13 12:25:56 UTC 2023 - Andreas Schwab @@ -888,7 +881,7 @@ Thu Oct 10 14:39:24 UTC 2019 - Andreas Schwab Mon Sep 23 14:00:09 UTC 2019 - Andreas Schwab - Package gconv-modules.cache as %ghost -- Regenerate it also in the %post of glibc-local-base- +- Regenerate it also in the %post of glibc-local-base- ------------------------------------------------------------------- Mon Sep 23 13:01:24 UTC 2019 - Ludwig Nussel @@ -2598,7 +2591,7 @@ Wed Jan 8 12:38:29 UTC 2014 - coolo@suse.com - make pwdutils a real buildrequire Requires(pre) are used during builds, but don't trigger rebuilds. - But to create clearly defined bootstrap projects, it's essential + But to create clearly defined bootstrap projects, it's essential to know what packages are required for others. So move this requires to build to a buildrequire 
@@ -2773,7 +2766,7 @@ Tue Aug 6 09:20:04 UTC 2013 - schwab@suse.de aarch64-sigsetjmp.patch - Rediff all remaining patches - Reenable stackguard randomization on arm -- Recognize ppc64p7 arch to build for power7 +- Recognize ppc64p7 arch to build for power7 - Remove all ABI extensions from libcrypt - cbrtl-ldbl-96.patch: fix cbrtl for ldbl-96 @@ -2807,7 +2800,7 @@ Thu Jul 4 12:14:27 UTC 2013 - schwab@suse.de ------------------------------------------------------------------- Fri Jun 28 12:26:38 UTC 2013 - dmueller@suse.com -- add ld-linux.so.3 compat symlink also for armv6hl +- add ld-linux.so.3 compat symlink also for armv6hl - remove deprecated armv7l ------------------------------------------------------------------- @@ -2869,7 +2862,7 @@ Tue May 7 10:00:00 UTC 2013 - schwab@suse.de ------------------------------------------------------------------- Sun Apr 14 02:41:52 UTC 2013 - crrodriguez@opensuse.org -- Do not order nscd after syslog.target +- Do not order nscd after syslog.target ------------------------------------------------------------------- Mon Mar 4 14:16:43 UTC 2013 - schwab@suse.de @@ -3020,7 +3013,7 @@ Wed Nov 28 15:48:32 UTC 2012 - aj@suse.de - Update to e3c6aa3a5848: * Fix powerpc64 make abi check failure - * bugfixes + * bugfixes - Install nscd.socket to new /usr location ------------------------------------------------------------------- @@ -3163,7 +3156,7 @@ Fri Jul 20 17:00:00 UTC 2012 - aj@suse.de - Update to glibc 2.16 release. * update version numbers * Documentation updates -- Update manpages from Debian, includes new man pages for +- Update manpages from Debian, includes new man pages for locale.1, mtrace.1, gencat.1 iconvconfig.8. - Remove getent.1 man page, use the one from man-pages. 
@@ -3445,7 +3438,7 @@ Thu Jan 12 15:42:36 UTC 2012 - aj@suse.de ------------------------------------------------------------------- Thu Jan 12 11:01:41 UTC 2012 - aj@suse.de -- Use _target_cpu instead of _build and _host. This makes the +- Use _target_cpu instead of _build and _host. This makes the i686 library really build for i686. ------------------------------------------------------------------- @@ -3577,7 +3570,7 @@ Tue Nov 15 12:10:32 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Mon Nov 14 12:02:06 CET 2011 - ro@suse.de -- check-build.sh: accept kernel 3.x +- check-build.sh: accept kernel 3.x ------------------------------------------------------------------- Tue Nov 8 22:55:40 CET 2011 - dmueller@suse.de @@ -3619,7 +3612,7 @@ Sat Oct 29 18:37:46 UTC 2011 - aj@suse.de Thu Oct 27 08:44:14 UTC 2011 - aj@suse.de - Update to 804791474dc1: - - more libm optimizations + - more libm optimizations - Remove AMD libm routines due to new upstream libm optimizations and interfaces. - Fix build on x86. @@ -3785,13 +3778,13 @@ Mon Sep 5 08:26:24 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Sat Sep 3 19:39:03 UTC 2011 - aj@suse.de -- Revert last change, it caused some breakage. [bnc#715854] +- Revert last change, it caused some breakage. [bnc#715854] ------------------------------------------------------------------- Thu Sep 1 20:49:16 UTC 2011 - aj@suse.de - Add support for new vdso (3.1 kernel) and only then - for vsyscall which is not anymore in 3.1 kernel + for vsyscall which is not anymore in 3.1 kernel (patch glibc-2.15-vsyscall.patch) ------------------------------------------------------------------- 
@@ -3926,7 +3919,7 @@ Tue Jul 5 08:03:26 UTC 2011 - aj@suse.de ------------------------------------------------------------------- Mon Jul 4 10:00:46 UTC 2011 - aj@suse.de -- Further cleanup of ld.so.conf to remove duplicate directories +- Further cleanup of ld.so.conf to remove duplicate directories and allow override of system directories (bnc#671725) - Fix futex bug (added patch glibc-fix-rwlock-stack-imbalance.patch from sourceware bug #12403). @@ -3970,7 +3963,7 @@ Mon Jun 27 11:00:33 UTC 2011 - aj@suse.de upstream. - Add glibc-2.15-getsysstats-speedup.patch to "Fix Linux sysconf(_SC_NPROCESSORS_[CONF|ONLN]) performance problem" -- Fix warning about potential array subscript out of bounds +- Fix warning about potential array subscript out of bounds (glibc-2.13-wranings.fix). - Fix some rpmlint warnings. @@ -4199,7 +4192,7 @@ Mon Sep 13 14:36:26 UTC 2010 - aj@suse.de ------------------------------------------------------------------- Sun Sep 12 08:00:57 UTC 2010 - aj@suse.de -- Work around shortest-stem feature in make 3.82+ (patch +- Work around shortest-stem feature in make 3.82+ (patch glibc-make-3.82.patch) ------------------------------------------------------------------- @@ -4585,7 +4578,7 @@ Fri Jun 5 00:46:59 CEST 2009 - pbaudis@suse.cz ------------------------------------------------------------------- Fri May 22 22:45:10 CEST 2009 - pbaudis@suse.cz -- Update to glibc-2.10.1-e38af591a8 of glibc/pb-stable.git glibc-2.10-branch +- Update to glibc-2.10.1-e38af591a8 of glibc/pb-stable.git glibc-2.10-branch maintained by me at repo.or.cz; contains backports of various bugfixes. (Still the same source is used for glibc-ports.) - Stop using separate tarball for nptl. 
@@ -4785,7 +4778,7 @@ Tue Oct 28 09:45:22 CET 2008 - olh@suse.de ------------------------------------------------------------------- Thu Oct 23 22:20:28 CEST 2008 - ro@suse.de -- only do obsoletes for XXbit packages on ppc, not on x86 +- only do obsoletes for XXbit packages on ppc, not on x86 ------------------------------------------------------------------- Wed Oct 23 13:46:25 CEST 2008 - matz@suse.de @@ -5071,7 +5064,7 @@ Mon Aug 13 19:09:31 CEST 2007 - aj@suse.de - Backport: * Update kernel-features.h. - * Fix sched_getcpu error path on x86-64. + * Fix sched_getcpu error path on x86-64. * Use upstreamed version of ldconfig cache speed ups. ------------------------------------------------------------------- @@ -5379,7 +5372,7 @@ Thu Apr 13 13:34:07 CEST 2006 - kukuk@suse.de ------------------------------------------------------------------- Tue Apr 11 12:20:57 CEST 2006 - kukuk@suse.de -- nptl/init.c (sigcancel_handler): Compare with correct PID even +- nptl/init.c (sigcancel_handler): Compare with correct PID even if the thread is in the middle of a fork call. (sighandler_setxid): Likewise. @@ -5876,7 +5869,7 @@ Thu Jun 16 17:03:43 CEST 2005 - kukuk@suse.de ------------------------------------------------------------------- Mon Jun 13 14:48:53 CEST 2005 - kukuk@suse.de -- Don't terminate strings twice in nis/netgroup code. +- Don't terminate strings twice in nis/netgroup code. - netinet/if_tr.h: don't include kernel headers. ------------------------------------------------------------------- @@ -6251,7 +6244,7 @@ Wed Sep 22 15:33:10 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Sep 20 17:58:13 CEST 2004 - kukuk@suse.de -- Fix invalidating of nscd caches and getaddrinfo() +- Fix invalidating of nscd caches and getaddrinfo() ------------------------------------------------------------------- Fri Sep 17 07:13:01 CEST 2004 - kukuk@suse.de 
@@ -6304,7 +6297,7 @@ Wed Aug 25 16:16:32 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Aug 23 10:20:09 CEST 2004 - kukuk@suse.de -- Update to current CVS: +- Update to current CVS: - Use CVS version for last fix. - Add malloc sanity checks for double free. @@ -6343,7 +6336,7 @@ Tue Aug 17 12:13:41 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Mon Aug 16 11:51:37 CEST 2004 - kukuk@suse.de -- Update to current CVS version and update to +- Update to current CVS version and update to kernel-headers 2.6.8.1 to fix NPTL deadlock problems - Disable linuxthreads/tst-clock1, does not work on i586 and lower @@ -6368,7 +6361,7 @@ Wed Jun 16 07:45:07 CEST 2004 - meissner@suse.de ------------------------------------------------------------------- Mon Jun 14 20:12:00 CEST 2004 - kukuk@suse.de -- Add fixes from CVS: +- Add fixes from CVS: - sysconf return value fixes - nscd host caching deadlock - backtrace for s390/s390x/ia64 static linked binaries @@ -6503,7 +6496,7 @@ Fri Apr 9 16:22:31 CEST 2004 - kukuk@suse.de ------------------------------------------------------------------- Thu Apr 8 00:24:46 CEST 2004 - meissner@suse.de -- forward umount to umount2 on ppc64 because umount syscall +- forward umount to umount2 on ppc64 because umount syscall does not exist ------------------------------------------------------------------- @@ -6792,7 +6785,7 @@ Wed Jan 21 10:23:42 CET 2004 - aj@suse.de ------------------------------------------------------------------- Mon Jan 19 15:49:51 CET 2004 - ro@suse.de -- really fix linux/percpu.h to compile in userland +- really fix linux/percpu.h to compile in userland ------------------------------------------------------------------- Fri Jan 16 11:14:49 CET 2004 - kukuk@suse.de 
@@ -6962,7 +6955,7 @@ Tue Oct 14 10:49:36 CEST 2003 - kukuk@suse.de ------------------------------------------------------------------- Mon Oct 13 12:11:53 CEST 2003 - kukuk@suse.de -- Update to kernel header files from 2.6.0-test7 +- Update to kernel header files from 2.6.0-test7 ------------------------------------------------------------------- Fri Oct 10 17:11:01 CEST 2003 - schwab@suse.de @@ -7438,7 +7431,7 @@ Fri Feb 14 14:51:11 CET 2003 - kukuk@suse.de ------------------------------------------------------------------- Thu Feb 13 18:34:50 CET 2003 - kukuk@suse.de -- Update to current snapshot +- Update to current snapshot ------------------------------------------------------------------- Wed Feb 12 11:50:54 CET 2003 - kukuk@suse.de @@ -7506,7 +7499,7 @@ Thu Jan 30 16:05:32 CET 2003 - aj@suse.de Wed Jan 29 12:57:23 CET 2003 - kukuk@suse.de - Update to current glibc cvs -- Fix libm-ulps for x86-64 and ia64 +- Fix libm-ulps for x86-64 and ia64 ------------------------------------------------------------------- Thu Jan 23 16:47:33 CET 2003 - schwab@suse.de @@ -7541,7 +7534,7 @@ Sun Jan 12 19:16:13 CET 2003 - kukuk@suse.de ------------------------------------------------------------------- Fri Jan 3 19:09:36 CET 2003 - bg@suse.de -- removed obsolete patch for hppa +- removed obsolete patch for hppa ------------------------------------------------------------------- Fri Dec 20 23:15:48 CET 2002 - kukuk@suse.de @@ -7556,8 +7549,8 @@ Fri Dec 20 23:15:48 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Tue Dec 17 16:01:13 CET 2002 - olh@suse.de -- remove glibc-2.2.5-ppc64-bits-socket_h.diff - add glibc-2.3-setjmp-ppc64.diff +- remove glibc-2.2.5-ppc64-bits-socket_h.diff + add glibc-2.3-setjmp-ppc64.diff add libc23-ppc64-cvshead20021210.patch dont run configure in subshell, it can fail and rpm cant catch it 
@@ -7582,7 +7575,7 @@ Tue Dec 3 11:16:30 CET 2002 - aj@suse.de ------------------------------------------------------------------- Fri Nov 29 11:08:03 CET 2002 - bg@suse.de -- Fix build on hppa. +- Fix build on hppa. ------------------------------------------------------------------- Thu Nov 28 21:31:09 CET 2002 - aj@suse.de @@ -7599,7 +7592,7 @@ Thu Nov 28 15:45:09 CET 2002 - aj@suse.de ------------------------------------------------------------------- Tue Nov 12 12:41:17 CET 2002 - bg@suse.de -- Updated hppa patches +- Updated hppa patches ------------------------------------------------------------------- Thu Nov 7 14:00:04 CET 2002 - kukuk@suse.de @@ -7610,14 +7603,14 @@ Thu Nov 7 14:00:04 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Thu Nov 7 12:11:29 CET 2002 - bg@suse.de -- Fix build of linuxthreads for hppa +- Fix build of linuxthreads for hppa ------------------------------------------------------------------- Tue Nov 5 16:31:11 CET 2002 - bg@suse.de - Use current kernel-headers for parisc -- Add support for hppa - +- Add support for hppa + ------------------------------------------------------------------- Tue Nov 5 15:29:32 CET 2002 - kukuk@suse.de @@ -7672,7 +7665,7 @@ Mon Sep 16 17:24:01 CEST 2002 - meissner@suse.de Thu Sep 12 15:56:07 CEST 2002 - meissner@suse.de - ppc/ppc64: added more biarch things to the SystemV IPC headers - which are needed to get 64bit ipc / IPC_STAT to work. + which are needed to get 64bit ipc / IPC_STAT to work. ------------------------------------------------------------------- Mon Sep 9 18:52:53 CEST 2002 - bk@suse.de 
@@ -7726,7 +7719,7 @@ Tue Aug 27 15:52:49 CEST 2002 - olh@suse.de Mon Aug 26 21:56:22 CEST 2002 - olh@suse.de - add ppc64_glibc_2.2.5_sunrpc-fix.patch - * sysdeps/unix/sysv/linux/powerpc/bits/socket.h: New file that adds + * sysdeps/unix/sysv/linux/powerpc/bits/socket.h: New file that adds __powerpc64__ specific fields and adjust size/alignment for 64-bit. ------------------------------------------------------------------- @@ -7833,7 +7826,7 @@ Fri Jul 12 18:29:17 CEST 2002 - aj@suse.de ------------------------------------------------------------------- Mon Jul 8 10:45:49 CEST 2002 - aj@suse.de -- Add some optimized x86-64 math routines and a fixed lgammal +- Add some optimized x86-64 math routines and a fixed lgammal implementation. - Testsuite on x86-64 should pass now. - Run ldconfig in postinstall. @@ -7910,7 +7903,7 @@ Tue Jun 11 10:04:55 CEST 2002 - sf@suse.de - made new kernel-header archive from kernel-source - added asm-ppc64 to kernel-headers -- removed patch9 as it is obsoleted by the new kernel-headers +- removed patch9 as it is obsoleted by the new kernel-headers ------------------------------------------------------------------- Fri Jun 7 14:29:30 CEST 2002 - olh@suse.de @@ -8108,8 +8101,8 @@ Thu Feb 28 14:53:42 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Mon Feb 18 13:22:05 CET 2002 - kukuk@suse.de -- When a dlopened module references a weak symbol from another - dlopened module (loaded with RTLD_GLOBAL) no dependency was +- When a dlopened module references a weak symbol from another + dlopened module (loaded with RTLD_GLOBAL) no dependency was generated for this fact, so the second module was unloaded even if the first one was still around. 
@@ -8138,7 +8131,7 @@ Wed Feb 13 16:03:20 CET 2002 - kukuk@suse.de ------------------------------------------------------------------- Tue Feb 12 02:01:42 CET 2002 - ro@suse.de -- fix owner/group for kernel headers +- fix owner/group for kernel headers ------------------------------------------------------------------- Mon Feb 11 15:17:18 CET 2002 - kukuk@suse.de @@ -8575,12 +8568,12 @@ Thu Mar 29 08:33:19 CEST 2001 - aj@suse.de ------------------------------------------------------------------- Thu Mar 29 01:18:52 CEST 2001 - ro@suse.de -- added db-splitmask fix from mls (hopefully work around bug in db1) +- added db-splitmask fix from mls (hopefully work around bug in db1) ------------------------------------------------------------------- Wed Mar 28 09:02:54 CEST 2001 - aj@suse.de -- Fix s390 to not generate wrong relocations, work around compiler +- Fix s390 to not generate wrong relocations, work around compiler error. ------------------------------------------------------------------- @@ -8622,12 +8615,12 @@ Fri Mar 9 15:33:55 CET 2001 - kukuk@suse.de ------------------------------------------------------------------- Thu Mar 8 16:02:45 CET 2001 - ro@suse.de -- update kernel-headers to 2.4.2 +- update kernel-headers to 2.4.2 ------------------------------------------------------------------- Thu Mar 8 12:53:56 CET 2001 - ro@suse.de -- kernel-header fixes to build on s390 +- kernel-header fixes to build on s390 ------------------------------------------------------------------- Thu Feb 22 11:22:08 CET 2001 - schwab@suse.de @@ -8840,7 +8833,7 @@ Fri Oct 27 15:39:17 CEST 2000 - aj@suse.de ------------------------------------------------------------------- Wed Oct 25 16:47:22 CEST 2000 - kukuk@suse.de -- Update to glibc-2.2-20001025 +- Update to glibc-2.2-20001025 ------------------------------------------------------------------- Sun Oct 22 16:31:32 CEST 2000 - kukuk@suse.de 
@@ -8925,7 +8918,7 @@ Mon Aug 21 19:56:06 CEST 2000 - garloff@suse.de Tue Jul 25 08:41:48 CEST 2000 - kukuk@suse.de - Add mmap fix for PowerPC - + ------------------------------------------------------------------- Tue Jul 11 10:02:41 CEST 2000 - kukuk@suse.de @@ -8971,7 +8964,7 @@ Fri May 26 11:07:39 CEST 2000 - kukuk@suse.de ------------------------------------------------------------------- Wed May 24 22:23:12 CEST 2000 - kukuk@suse.de -- Fix ldconfig.8 manual page +- Fix ldconfig.8 manual page ------------------------------------------------------------------- Thu May 18 17:53:09 CEST 2000 - bk@suse.de @@ -9006,7 +8999,7 @@ Tue May 9 22:21:23 CEST 2000 - kukuk@suse.de ------------------------------------------------------------------- Mon May 8 11:59:48 CEST 2000 - kukuk@suse.de -- Add lot of bug fixes from CVS +- Add lot of bug fixes from CVS ------------------------------------------------------------------- Tue Apr 25 14:20:43 CEST 2000 - kukuk@suse.de @@ -9066,13 +9059,13 @@ Mon Apr 3 14:42:03 MEST 2000 - bk@suse.de ------------------------------------------------------------------- Wed Mar 22 12:10:02 CET 2000 - kukuk@suse.de -- Fix last SPARC patch +- Fix last SPARC patch ------------------------------------------------------------------- Tue Mar 21 17:48:01 CET 2000 - kukuk@suse.de - Add SPARC patches -- Add IA64 patches +- Add IA64 patches ------------------------------------------------------------------- Wed Mar 15 14:35:47 CET 2000 - kukuk@suse.de @@ -9102,7 +9095,7 @@ Thu Feb 24 16:12:39 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Tue Feb 22 16:40:35 CET 2000 - kukuk@suse.de -- Update to current glibc cvs snapshot (2.1.3pre4) +- Update to current glibc cvs snapshot (2.1.3pre4) ------------------------------------------------------------------- Sat Feb 5 14:40:33 CET 2000 - kukuk@suse.de 
@@ -9139,7 +9132,7 @@ Wed Jan 19 15:53:18 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Sat Jan 15 01:31:16 CET 2000 - ro@suse.de --fixed ppc db2-patch +-fixed ppc db2-patch ------------------------------------------------------------------- Fri Jan 14 16:54:26 CET 2000 - kukuk@suse.de @@ -9149,22 +9142,22 @@ Fri Jan 14 16:54:26 CET 2000 - kukuk@suse.de ------------------------------------------------------------------- Fri Jan 14 00:27:03 CET 2000 - kukuk@suse.de -- Add patch for SPARC +- Add patch for SPARC ------------------------------------------------------------------- Thu Jan 13 15:23:54 CET 2000 - kukuk@suse.de -- Move info pages to /usr/share/info +- Move info pages to /usr/share/info ------------------------------------------------------------------- Mon Jan 10 14:49:14 CET 2000 - kukuk@suse.de -- Add ipv6 patches for getent +- Add ipv6 patches for getent ------------------------------------------------------------------- Mon Jan 10 11:23:57 CET 2000 - kukuk@suse.de -- Move manual pages for applications and config files into +- Move manual pages for applications and config files into shlibs package - Update to current glibc 2.1.3 snapshot @@ -9229,7 +9222,7 @@ Sat Oct 16 16:29:44 MEST 1999 - kukuk@suse.de Mon Oct 11 19:19:00 MEST 1999 - kukuk@suse.de - Add linuxthreads/signals.c fix from Andreas Schwab -- Remove dangling symlink (Bug #544) +- Remove dangling symlink (Bug #544) - Add more bug fixes ------------------------------------------------------------------- @@ -9262,7 +9255,7 @@ Mon Sep 13 17:23:57 CEST 1999 - bs@suse.de Mon Sep 6 10:25:03 MEST 1999 - kukuk@suse.de - Update to current glibc 2.1.2 cvs snapshot -- Remove use auf automake in spec file +- Remove use auf automake in spec file ------------------------------------------------------------------- Fri Sep 3 14:35:42 MEST 1999 - kukuk@suse.de 
@@ -9273,7 +9266,7 @@ Fri Sep 3 14:35:42 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Wed Aug 25 17:07:09 MEST 1999 - kukuk@suse.de -- Update to current glibc 2.1.2 cvs snapshot +- Update to current glibc 2.1.2 cvs snapshot ------------------------------------------------------------------- Thu Aug 19 15:20:26 MEST 1999 - kukuk@suse.de @@ -9286,7 +9279,7 @@ Thu Aug 19 15:20:26 MEST 1999 - kukuk@suse.de Sat Aug 14 19:58:45 MEST 1999 - kukuk@suse.de - disable nscd hosts caching by default -- Apply patch from HJL for broken gethostbyname_r in libnss_dns +- Apply patch from HJL for broken gethostbyname_r in libnss_dns ------------------------------------------------------------------- Fri Jul 16 17:01:51 MEST 1999 - kukuk@suse.de @@ -9297,7 +9290,7 @@ Fri Jul 16 17:01:51 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Wed Jul 14 16:05:14 MEST 1999 - kukuk@suse.de -- Remove /etc/localtime from filelist +- Remove /etc/localtime from filelist ------------------------------------------------------------------- Mon Jul 12 09:54:43 MEST 1999 - kukuk@suse.de @@ -9308,7 +9301,7 @@ Mon Jul 12 09:54:43 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Thu Jul 8 17:25:43 MEST 1999 - kukuk@suse.de -- configure for i386-unknown-linux +- configure for i386-unknown-linux ------------------------------------------------------------------- Wed Jul 7 12:28:43 MEST 1999 - kukuk@suse.de @@ -9348,7 +9341,7 @@ Mon Jun 14 09:17:26 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Thu Jun 10 10:04:11 MEST 1999 - kukuk@suse.de -- Fix daemon() for MT programs +- Fix daemon() for MT programs - Add libio fixes ------------------------------------------------------------------- 
@@ -9386,7 +9379,7 @@ Wed Apr 28 17:48:51 MEST 1999 - kukuk@suse.de ------------------------------------------------------------------- Tue Apr 27 11:48:46 MEST 1999 - kukuk@suse.de -- update to cvs version of Apr 26 1999 +- update to cvs version of Apr 26 1999 - fix pmap_set/pmap_unset for DHCP clients - Rename libdb1.so.2[.1] to libdb.so.2[.1] since we don't create the symbolic links. @@ -9433,7 +9426,7 @@ Sat Feb 20 19:29:32 MET 1999 - ro@suse.de ------------------------------------------------------------------- Sat Feb 20 18:41:22 MET 1999 - ro@suse.de -- fixed specfile ... +- fixed specfile ... ------------------------------------------------------------------- Sat Feb 20 18:31:30 MET 1999 - ro@suse.de @@ -9469,7 +9462,7 @@ Mon Sep 21 19:43:16 MEST 1998 - ro@suse.de ------------------------------------------------------------------- Mon Sep 14 14:28:21 MEST 1998 - ro@suse.de -- update: use today's cvs-version +- update: use today's cvs-version ------------------------------------------------------------------- Wed Sep 2 16:56:04 MEST 1998 - ro@suse.de diff --git a/glibc.spec b/glibc.spec index 974007e..1f623a6 100644 --- a/glibc.spec +++ b/glibc.spec @@ -317,16 +317,12 @@ Patch1007: call-init-proxy-objects.patch Patch1008: dtors-reverse-ctor-order.patch # PATCH-FIX-UPSTREAM Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, BZ #30842) Patch1009: no-aaaa-read-overflow.patch -# PATCH-FIX-UPSTREAM use-after-free in getaddrinfo() (CVE-2023-4806, BSC#1215281) -Patch1010: glibc-getaddrinfo-fix-use-after-free-in-getcanonname.patch ### # Patches awaiting upstream approval ### # PATCH-FIX-UPSTREAM Avoid concurrency problem in ldconfig (BZ #23973) Patch2000: ldconfig-concurrency.patch -# https://patchwork.sourceware.org/project/glibc/patch/20230911132548.1981093-1-adhemerval.zanella@linaro.org/ -Patch2001: glibc-io-Do-not-implement-fstat-with-fstatat.diff # Non-glibc patches # PATCH-FIX-OPENSUSE Remove debianisms from manpages 
@@ -553,11 +549,9 @@ library in a cross compilation setting. %patch1007 -p1 %patch1008 -p1 %patch1009 -p1 -%patch1010 -p1 %endif %patch2000 -p1 -%patch2001 -p1 %patch3000 rm -f manpages/catchsegv.1 @@ -689,7 +683,6 @@ profile="--disable-profile" --libexecdir=%{_libexecdir} --infodir=%{_infodir} \ $profile \ --build=%{build} --host=${target} \ - --with-selinux \ %if %{build_cross} --with-headers=%{sysroot}/usr/include \ %else From 6e23f72fe710b9ac8258feb75ef1a561c6d1002d4d844826297c9cb47970d128 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Tue, 19 Sep 2023 14:01:57 +0000 Subject: [PATCH 7/9] Accepting request 1112308 from home:Andreas_Schwab:Factory - getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843) - Do not build any cross packages in SLES OBS-URL: https://build.opensuse.org/request/show/1112308 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=672 --- getcanonname-use-after-free.patch | 338 ++++++++++++++++++++++++++++++ glibc.changes | 7 + glibc.spec | 6 + 3 files changed, 351 insertions(+) create mode 100644 getcanonname-use-after-free.patch diff --git a/getcanonname-use-after-free.patch b/getcanonname-use-after-free.patch new file mode 100644 index 0000000..94a0b37 --- /dev/null +++ b/getcanonname-use-after-free.patch 
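Review bot: The `- --with-selinux \` removal in hunk `@@ -689,7 +683,6 @@` is a security-relevant build change that neither visible hunk explains: in glibc that configure switch is what enables nscd's SELinux-aware permission checking (from memory of the tree, confirm against `nscd/selinux.c` and the generated config), so a package built this way presumably ships an nscd that no longer consults the policy. The commit message and glibc.changes entry for this revision are outside the visible lines, but the spec should carry the rationale next to the configure call, e.g. `# SELinux support deliberately disabled: <reason/bug>` above the `--build=%{build} --host=${target} \` line, and the changes file should say whether `libselinux-devel` leaves BuildRequires as well. The same commit drops `Patch1010` (the CVE-2023-4806 fix) and `Patch2001` from both the `Patch` list and the `%prep` section; if that is a revert pending the corrected upstream patches, state it explicitly so the package is tracked as unfixed for CVE-2023-4806 until the replacement lands.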
@@ -0,0 +1,338 @@ +From 00ae4f10b504bc4564e9f22f00907093f1ab9338 Mon Sep 17 00:00:00 2001 +From: Siddhesh Poyarekar +Date: Fri, 15 Sep 2023 13:51:12 -0400 +Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname + (CVE-2023-4806) + +When an NSS plugin only implements the _gethostbyname2_r and +_getcanonname_r callbacks, getaddrinfo could use memory that was freed +during tmpbuf resizing, through h_name in a previous query response. + +The backing store for res->at->name when doing a query with +gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in +gethosts during the query. For AF_INET6 lookup with AI_ALL | +AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second +for a v4 lookup. In this case, if the first call reallocates tmpbuf +enough number of times, resulting in a malloc, th->h_name (that +res->at->name refers to) ends up on a heap allocated storage in tmpbuf. +Now if the second call to gethosts also causes the plugin callback to +return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF +reference in res->at->name. This then gets dereferenced in the +getcanonname_r plugin call, resulting in the use after free. + +Fix this by copying h_name over and freeing it at the end. This +resolves BZ #30843, which is assigned CVE-2023-4806. 
+ +Signed-off-by: Siddhesh Poyarekar +(cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994) +--- + nss/Makefile | 15 ++++- + nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.h | 1 + + .../postclean.req | 0 + .../tst-nss-gai-hv2-canonname.script | 2 + + sysdeps/posix/getaddrinfo.c | 25 +++++--- + 7 files changed, 152 insertions(+), 10 deletions(-) + create mode 100644 nss/nss_test_gai_hv2_canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.c + create mode 100644 nss/tst-nss-gai-hv2-canonname.h + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req + create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script + +diff --git a/nss/Makefile b/nss/Makefile +index 06fcdc450f..8a5126ecf3 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -82,6 +82,7 @@ tests-container := \ + tst-nss-test3 \ + tst-reload1 \ + tst-reload2 \ ++ tst-nss-gai-hv2-canonname \ + # tests-container + + # Tests which need libdl +@@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) + ifeq ($(build-static-nss),yes) + tests-static += tst-nss-static + endif +-extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os ++extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ ++ nss_test_gai_hv2_canonname.os + + include ../Rules + +@@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver + libof-nss_test1 = extramodules + libof-nss_test2 = extramodules + libof-nss_test_errno = extramodules ++libof-nss_test_gai_hv2_canonname = extramodules + $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) + $(build-module) + $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) + $(build-module) ++$(objpfx)/libnss_test_gai_hv2_canonname.so: \ ++ 
$(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) ++ $(build-module) + $(objpfx)nss_test2.os : nss_test1.c + # Use the nss_files suffix for these objects as well. + $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so +@@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_errno.so + $(make-link) ++$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so ++ $(make-link) + $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ + $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ +- $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) ++ $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ ++ $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) + + ifeq (yes,$(have-thread-library)) + $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) +@@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags + LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags ++LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags +diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c +new file mode 100644 +index 0000000000..4439c83c9f +--- /dev/null ++++ b/nss/nss_test_gai_hv2_canonname.c +@@ -0,0 +1,56 @@ ++/* NSS service provider that only provides gethostbyname2_r. ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++/* Catch misnamed and functions. */ ++#pragma GCC diagnostic error "-Wmissing-prototypes" ++NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) ++ ++extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, ++ struct hostent *, char *, ++ size_t, int *, int *); ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, ++ struct hostent *result, ++ char *buffer, size_t buflen, ++ int *errnop, int *herrnop) ++{ ++ return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, ++ herrnop); ++} ++ ++enum nss_status ++_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, ++ size_t buflen, char **result, ++ int *errnop, int *h_errnop) ++{ ++ /* We expect QUERYNAME, which is a small enough string that it shouldn't fail ++ the test. */ ++ if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) ++ || buflen < sizeof (QUERYNAME)) ++ abort (); ++ ++ strncpy (buffer, name, buflen); ++ *result = buffer; ++ return NSS_STATUS_SUCCESS; ++} +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +new file mode 100644 +index 0000000000..d5f10c07d6 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -0,0 +1,63 @@ ++/* Test NSS query path for plugins that only implement gethostbyname2 ++ (#30843). ++ Copyright The GNU Toolchain Authors. ++ This file is part of the GNU C Library. 
++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include "nss/tst-nss-gai-hv2-canonname.h" ++ ++#define PREPARE do_prepare ++ ++static void do_prepare (int a, char **av) ++{ ++ FILE *hosts = xfopen ("/etc/hosts", "w"); ++ for (unsigned i = 2; i < 255; i++) ++ { ++ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); ++ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); ++ } ++ xfclose (hosts); ++} ++ ++static int ++do_test (void) ++{ ++ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); ++ ++ struct addrinfo hints = {}; ++ struct addrinfo *result = NULL; ++ ++ hints.ai_family = AF_INET6; ++ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; ++ ++ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); ++ ++ if (ret != 0) ++ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); ++ ++ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); ++ ++ freeaddrinfo(result); ++ return 0; ++} ++ ++#include +diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h +new file mode 100644 +index 0000000000..14f2a9cb08 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.h +@@ -0,0 +1 @@ ++#define QUERYNAME "test.example.com" +diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req +new file mode 
100644 +index 0000000000..e69de29bb2 +diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +new file mode 100644 +index 0000000000..31848b4a28 +--- /dev/null ++++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script +@@ -0,0 +1,2 @@ ++cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 ++su +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 0356b622be..b2236b105c 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -120,6 +120,7 @@ struct gaih_result + { + struct gaih_addrtuple *at; + char *canon; ++ char *h_name; + bool free_at; + bool got_ipv6; + }; +@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) + if (res->free_at) + free (res->at); + free (res->canon); ++ free (res->h_name); + memset (res, 0, sizeof (*res)); + } + +@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, + return 0; + } + +-/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name +- is not copied, and the struct hostent object must not be deallocated +- prematurely. The new addresses are appended to the tuple array in RES. */ ++/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new ++ addresses are appended to the tuple array in RES. */ + static bool + convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + struct hostent *h, struct gaih_result *res) +@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + res->at = array; + res->free_at = true; + ++ /* Duplicate h_name because it may get reclaimed when the underlying storage ++ is freed. */ ++ if (res->h_name == NULL) ++ { ++ res->h_name = __strdup (h->h_name); ++ if (res->h_name == NULL) ++ return false; ++ } ++ + /* Update the next pointers on reallocation. 
*/ + for (size_t i = 0; i < old; i++) + array[i].next = array + i + 1; +@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, + } + array[i].next = array + i + 1; + } +- array[0].name = h->h_name; + array[count - 1].next = NULL; + + return true; +@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, + memory allocation failure. The returned string is allocated on the + heap; the caller has to free it. */ + static char * +-getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) ++getcanonname (nss_action_list nip, const char *hname, const char *name) + { + nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); + char *s = (char *) name; + if (cfct != NULL) + { + char buf[256]; +- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), +- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) ++ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, ++ &h_errno)) != NSS_STATUS_SUCCESS) + /* If the canonical name cannot be determined, use the passed + string. */ + s = (char *) name; +@@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, + if ((req->ai_flags & AI_CANONNAME) != 0 + && res->canon == NULL) + { +- char *canonbuf = getcanonname (nip, res->at, name); ++ char *canonbuf = getcanonname (nip, res->h_name, name); + if (canonbuf == NULL) + { + __resolv_context_put (res_ctx); +-- +2.42.0 + diff --git a/glibc.changes b/glibc.changes index f78d8e6..667713e 100644 --- a/glibc.changes +++ b/glibc.changes 
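Review bot: `res->h_name` is now a heap string from `__strdup` in `convert_hostent_to_gaih_addrtuple`, but this patch releases it only in `gaih_result_reset`; the `free_and_return` epilogue of getaddrinfo, which lies outside this hunk and (per the follow-up on this page) frees `res.at` and `res.canon` by hand, is not touched, so every AI_CANONNAME lookup that goes through such a module leaks one hostname per call. In a long-running resolver client that is an attacker-influenced unbounded allocation, i.e. a denial-of-service bug of its own, so the epilogue should be switched to `gaih_result_reset (&res);` in the same change, or this patch should only ship together with the leak fix. A smaller behavioural shift deserves a comment: h_name is captured only when `res->h_name == NULL`, so for an AF_INET6 query with AI_V4MAPPED the name from the first (IPv6) answer wins, whereas the removed `array[0].name = h->h_name;` took whatever the last gethosts call returned; `/* Keep the h_name of the first answer; later answers for the same query are ignored. */` at the `if (res->h_name == NULL)` would make that intentional. The body of getaddrinfo itself and the tail of `getcanonname` are outside this hunk.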
@@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Mon Sep 18 08:48:59 UTC 2023 - Andreas Schwab + +- getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in + getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843) +- Do not build any cross packages in SLES + ------------------------------------------------------------------- Wed Sep 13 12:25:56 UTC 2023 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index 1f623a6..8c021ad 100644 --- a/glibc.spec +++ b/glibc.spec @@ -96,6 +96,9 @@ ExclusiveArch: do_not_build %define build_cross 1 %undefine _build_create_debug ExcludeArch: %{cross_arch} +%if 0%{?suse_version} < 1600 +ExclusiveArch: do_not_build +%endif %endif %define host_arch %{?cross_cpu}%{!?cross_cpu:%{_target_cpu}} @@ -317,6 +320,8 @@ Patch1007: call-init-proxy-objects.patch Patch1008: dtors-reverse-ctor-order.patch # PATCH-FIX-UPSTREAM Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, BZ #30842) Patch1009: no-aaaa-read-overflow.patch +# PATCH-FIX-UPSTREAM getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806, BZ #30843) +Patch1010: getcanonname-use-after-free.patch ### # Patches awaiting upstream approval @@ -549,6 +554,7 @@ library in a cross compilation setting. %patch1007 -p1 %patch1008 -p1 %patch1009 -p1 +%patch1010 -p1 %endif %patch2000 -p1 From 8f698eb0bf31d6e9f743f7d5b786c612f9a022e7a6bd8c9f9338f0ac1c1a1c13 Mon Sep 17 00:00:00 2001 
From: Andreas Schwab Date: Tue, 26 Sep 2023 11:26:02 +0000 Subject: [PATCH 8/9] Accepting request 1113655 from home:Andreas_Schwab:Factory - getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884) OBS-URL: https://build.opensuse.org/request/show/1113655 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=673 --- getaddrinfo-memory-leak.patch | 92 +++++++++++++++++++++++++++++++++++ glibc.changes | 6 +++ glibc.spec | 3 ++ 3 files changed, 101 insertions(+) create mode 100644 getaddrinfo-memory-leak.patch diff --git a/getaddrinfo-memory-leak.patch b/getaddrinfo-memory-leak.patch new file mode 100644 index 0000000..b8cc3a8 --- /dev/null +++ b/getaddrinfo-memory-leak.patch 
@@ -0,0 +1,92 @@ +From ec6b95c3303c700eb89eebeda2d7264cc184a796 Mon Sep 17 00:00:00 2001 +From: Romain Geissler +Date: Mon, 25 Sep 2023 01:21:51 +0100 +Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for + CVE-2023-4806 [BZ #30843] + +This patch fixes a very recently added leak in getaddrinfo. + +Reviewed-by: Siddhesh Poyarekar +--- + nss/Makefile | 20 ++++++++++++++++++++ + nss/tst-nss-gai-hv2-canonname.c | 3 +++ + sysdeps/posix/getaddrinfo.c | 4 +--- + 3 files changed, 24 insertions(+), 3 deletions(-) + +diff --git a/nss/Makefile b/nss/Makefile +index 8a5126ecf3..668ba34b18 100644 +--- a/nss/Makefile ++++ b/nss/Makefile +@@ -149,6 +149,15 @@ endif + extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os + ++ifeq ($(run-built-tests),yes) ++ifneq (no,$(PERL)) ++tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out ++endif ++endif ++ ++generated += mtrace-tst-nss-gai-hv2-canonname.out \ ++ tst-nss-gai-hv2-canonname.mtrace ++ + include ../Rules + + ifeq (yes,$(have-selinux)) +@@ -217,6 +226,17 @@ endif + $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so + $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so + ++tst-nss-gai-hv2-canonname-ENV = \ ++ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so ++$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ ++ $(objpfx)tst-nss-gai-hv2-canonname.out ++ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ ++ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ ++ && $(common-objpfx)malloc/mtrace \ ++ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ ++ $(evaluate-test) ++ + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS + # functions can load testing NSS modules via DT_RPATH. 
+ LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags +diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c +index d5f10c07d6..7db53cf09d 100644 +--- a/nss/tst-nss-gai-hv2-canonname.c ++++ b/nss/tst-nss-gai-hv2-canonname.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include "nss/tst-nss-gai-hv2-canonname.h" +@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) + static int + do_test (void) + { ++ mtrace (); ++ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; +diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c +index 47f421fddf..531124958d 100644 +--- a/sysdeps/posix/getaddrinfo.c ++++ b/sysdeps/posix/getaddrinfo.c +@@ -1196,9 +1196,7 @@ free_and_return: + if (malloc_name) + free ((char *) name); + free (addrmem); +- if (res.free_at) +- free (res.at); +- free (res.canon); ++ gaih_result_reset (&res); + + return result; + } +-- +2.42.0 + diff --git a/glibc.changes b/glibc.changes index 667713e..97961d0 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,9 @@ +------------------------------------------------------------------- +Mon Sep 25 07:58:08 UTC 2023 - Andreas Schwab + +- getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by the + fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884) + ------------------------------------------------------------------- Mon Sep 18 08:48:59 UTC 2023 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index 8c021ad..6882fba 100644 --- a/glibc.spec +++ b/glibc.spec 
@@ -322,6 +322,8 @@ Patch1008: dtors-reverse-ctor-order.patch Patch1009: no-aaaa-read-overflow.patch # PATCH-FIX-UPSTREAM getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806, BZ #30843) Patch1010: getcanonname-use-after-free.patch +# PATCH-FIX-UPSTREAM Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 (CVE-2023-5156, BZ #30884) +Patch1011: getaddrinfo-memory-leak.patch ### # Patches awaiting upstream approval @@ -555,6 +557,7 @@ library in a cross compilation setting. %patch1008 -p1 %patch1009 -p1 %patch1010 -p1 +%patch1011 -p1 %endif %patch2000 -p1 From ef301235ed978b73b4ccecc99683b0dcf8688f96b0add410daadcd80e03e971e Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Thu, 28 Sep 2023 07:54:57 +0000 Subject: [PATCH 9/9] Accepting request 1114022 from home:Andreas_Schwab:Factory - fstat-implementation.patch: io: Do not implement fstat with fstatat OBS-URL: https://build.opensuse.org/request/show/1114022 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=674 --- fstat-implementation.patch | 165 +++++++++++++++++++++++++++++++++++++ glibc.changes | 5 ++ glibc.spec | 3 + 3 files changed, 173 insertions(+) create mode 100644 fstat-implementation.patch diff --git a/fstat-implementation.patch b/fstat-implementation.patch new file mode 100644 index 0000000..93a2d42 --- /dev/null +++ b/fstat-implementation.patch 
@@ -0,0 +1,165 @@ +From 551101e8240b7514fc646d1722f8b79c90362b8f Mon Sep 17 00:00:00 2001 +From: Adhemerval Zanella +Date: Mon, 11 Sep 2023 10:25:48 -0300 +Subject: [PATCH] io: Do not implement fstat with fstatat + +AT_EMPTY_PATH is a requirement to implement fstat over fstatat, +however it does not prevent the kernel to read the path argument. +It is not an issue, but on x86-64 with SMAP-capable CPUs the kernel is +forced to perform expensive user memory access. After that regular +lookup is performed which adds even more overhead. + +Instead, issue the fstat syscall directly on LFS fstat implementation +(32 bit architectures will still continue to use statx, which is +required to have 64 bit time_t support). it should be even a +small performance gain on non x86_64, since there is no need +to handle the path argument. + +Checked on x86_64-linux-gnu. +--- + sysdeps/unix/sysv/linux/fstat64.c | 37 +++++++++++++++++++++++-- + sysdeps/unix/sysv/linux/fstatat64.c | 12 ++------ + sysdeps/unix/sysv/linux/internal-stat.h | 31 +++++++++++++++++++++ + 3 files changed, 68 insertions(+), 12 deletions(-) + create mode 100644 sysdeps/unix/sysv/linux/internal-stat.h + +diff --git a/sysdeps/unix/sysv/linux/fstat64.c b/sysdeps/unix/sysv/linux/fstat64.c +index 124384e57f..a291f0825b 100644 +--- a/sysdeps/unix/sysv/linux/fstat64.c ++++ b/sysdeps/unix/sysv/linux/fstat64.c +@@ -19,20 +19,53 @@ + #define __fstat __redirect___fstat + #define fstat __redirect_fstat + #include ++#undef __fstat ++#undef fstat + #include +-#include +-#include ++#include + #include + + int + __fstat64_time64 (int fd, struct __stat64_t64 *buf) + { ++#if !FSTATAT_USE_STATX ++# if XSTAT_IS_XSTAT64 ++# ifdef __NR_fstat ++ /* 64-bit kABI, e.g. aarch64, ia64, powerpc64*, s390x, riscv64, and ++ x86_64. */ ++ return INLINE_SYSCALL_CALL (fstat, fd, buf); ++# elif defined __NR_fstat64 ++# if STAT64_IS_KERNEL_STAT64 ++ /* 64-bit kABI outlier, e.g. 
alpha */ ++ return INLINE_SYSCALL_CALL (fstat64, fd, buf); ++# else ++ /* 64-bit kABI outlier, e.g. sparc64. */ ++ struct kernel_stat64 kst64; ++ int r = INLINE_SYSCALL_CALL (fstat64, fd, &kst64); ++ if (r == 0) ++ __cp_stat64_kstat64 (buf, &kst64); ++ return r; ++# endif /* STAT64_IS_KERNEL_STAT64 */ ++# endif ++# else /* XSTAT_IS_XSTAT64 */ ++ /* 64-bit kabi outlier, e.g. mips64 and mips64-n32. */ ++ struct kernel_stat kst; ++ int r = INLINE_SYSCALL_CALL (fstat, fd, &kst); ++ if (r == 0) ++ __cp_kstat_stat64_t64 (&kst, buf); ++ return r; ++# endif ++#else /* !FSTATAT_USE_STATX */ ++ /* All kABIs with non-LFS support and with old 32-bit time_t support ++ e.g. arm, csky, i386, hppa, m68k, microblaze, nios2, sh, powerpc32, ++ and sparc32. */ + if (fd < 0) + { + __set_errno (EBADF); + return -1; + } + return __fstatat64_time64 (fd, "", buf, AT_EMPTY_PATH); ++#endif + } + #if __TIMESIZE != 64 + hidden_def (__fstat64_time64) +diff --git a/sysdeps/unix/sysv/linux/fstatat64.c b/sysdeps/unix/sysv/linux/fstatat64.c +index 3509d3ca6d..127c6ff601 100644 +--- a/sysdeps/unix/sysv/linux/fstatat64.c ++++ b/sysdeps/unix/sysv/linux/fstatat64.c +@@ -21,12 +21,10 @@ + #include + #include + #include +-#include + #include + #include +-#include +-#include + #include ++#include + + #if __TIMESIZE == 64 \ + && (__WORDSIZE == 32 \ +@@ -40,11 +38,7 @@ _Static_assert (sizeof (__blkcnt_t) == sizeof (__blkcnt64_t), + "__blkcnt_t and __blkcnt64_t must match"); + #endif + +-#if (__WORDSIZE == 32 \ +- && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ +- || defined STAT_HAS_TIME32 \ +- || (!defined __NR_newfstatat && !defined __NR_fstatat64) +-# define FSTATAT_USE_STATX 1 ++#if FSTATAT_USE_STATX + + static inline int + fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, +@@ -79,8 +73,6 @@ fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, + + return r; + } +-#else +-# define FSTATAT_USE_STATX 0 + #endif + + /* Only statx supports 
64-bit timestamps for 32-bit architectures with +diff --git a/sysdeps/unix/sysv/linux/internal-stat.h b/sysdeps/unix/sysv/linux/internal-stat.h +new file mode 100644 +index 0000000000..e3b0569853 +--- /dev/null ++++ b/sysdeps/unix/sysv/linux/internal-stat.h +@@ -0,0 +1,31 @@ ++/* Internal stat definitions. ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++#include ++ ++#if (__WORDSIZE == 32 \ ++ && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ ++ || defined STAT_HAS_TIME32 \ ++ || (!defined __NR_newfstatat && !defined __NR_fstatat64) ++# define FSTATAT_USE_STATX 1 ++#else ++# define FSTATAT_USE_STATX 0 ++#endif +-- +2.42.0 + diff --git a/glibc.changes b/glibc.changes index 97961d0..6074a91 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,8 @@ +------------------------------------------------------------------- +Wed Sep 27 14:08:48 UTC 2023 - Andreas Schwab + +- fstat-implementation.patch: io: Do not implement fstat with fstatat + ------------------------------------------------------------------- Mon Sep 25 07:58:08 UTC 2023 - Andreas Schwab diff --git a/glibc.spec b/glibc.spec index 6882fba..3d7993c 100644 --- a/glibc.spec +++ b/glibc.spec 
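Review bot: On the 64-bit kABIs that now hit `return INLINE_SYSCALL_CALL (fstat, fd, buf);`, this changes which system call every fstat() issues: the removed `__fstatat64_time64 (fd, "", buf, AT_EMPTY_PATH)` path presumably ended in `newfstatat`, so seccomp-bpf allow-lists written against that behaviour (systemd `SystemCallFilter=`, container runtime default profiles, browser sandboxes) may now reject or kill the process until they also permit `fstat`. That is an intended consequence rather than a defect, but it should be stated in the patch header and in the glibc.changes entry, and a comment at the new `__NR_fstat` branch such as `/* Direct fstat syscall; sandbox policies must allow fstat, not only newfstatat. */` would keep the next maintainer from "fixing" it back. The dropped `if (fd < 0)` / EBADF guard is fine to lose on the direct path, since the kernel rejects negative descriptors itself, and it is correctly retained under `#else /* !FSTATAT_USE_STATX */` where a negative fd such as AT_FDCWD with AT_EMPTY_PATH would otherwise stat the working directory. The remainder of `__fstat64_time64` (the `hidden_def` and aliases) is outside this hunk.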
@@ -324,6 +324,8 @@ Patch1009: no-aaaa-read-overflow.patch Patch1010: getcanonname-use-after-free.patch # PATCH-FIX-UPSTREAM Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 (CVE-2023-5156, BZ #30884) Patch1011: getaddrinfo-memory-leak.patch +# PATCH-FIX-UPSTREAM io: Do not implement fstat with fstatat +Patch1012: fstat-implementation.patch ### # Patches awaiting upstream approval @@ -558,6 +560,7 @@ library in a cross compilation setting. %patch1009 -p1 %patch1010 -p1 %patch1011 -p1 +%patch1012 -p1 %endif %patch2000 -p1