From 257877d3c339deb143a5404f1624765060474e2e1c8ef0779d90c8782b28c2f1 Mon Sep 17 00:00:00 2001
From: Andreas Jaeger
Date: Thu, 18 Aug 2011 11:43:18 +0000
Subject: [PATCH] Accepting request 79220 from home:a_jaeger:branches:openSUSE:Factory

Fix crash (access-after-free) in dl_lookup_x. [bnc#703140]

OBS-URL: https://build.opensuse.org/request/show/79220
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=89
---
 glibc-fix-lookup-crash.patch | 19 +++++++++++++++++++
 glibc.changes | 6 ++++++
 glibc.spec | 3 +++
 3 files changed, 28 insertions(+)
 create mode 100644 glibc-fix-lookup-crash.patch

diff --git a/glibc-fix-lookup-crash.patch b/glibc-fix-lookup-crash.patch
new file mode 100644
index 0000000..d4aaf5c
--- /dev/null
+++ b/glibc-fix-lookup-crash.patch
@@ -0,0 +1,19 @@
+Index: glibc-2.11.3/elf/dl-close.c
+===================================================================
+--- glibc-2.11.3.orig/elf/dl-close.c 2011-05-27 15:08:23.000000000 +0200
++++ glibc-2.11.3/elf/dl-close.c 2011-07-13 19:28:52.000000000 +0200
+@@ -127,7 +127,13 @@ _dl_close_worker (struct link_map *map)
+ {
+ struct link_map **oldp = map->l_initfini;
+ map->l_initfini = map->l_orig_initfini;
+- _dl_scope_free (oldp);
++ /* We can't remove the l_initfini memory because
++ it's shared with l_searchlist.r_list. We don't clear
++ the latter so when we dlopen this object again that
++ entry would point to stale memory. And we don't want
++ to recompute it as it would involve a new call to
++ map_object_deps.
++ _dl_scope_free (oldp); */
+ }
+ }
+ 
diff --git a/glibc.changes b/glibc.changes
index be00dc8..16fc211 100644
--- a/glibc.changes
+++ b/glibc.changes
@@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Wed Aug 17 18:57:00 UTC 2011 - matz@suse.de
+
+- Fix crash (access-after-free) in dl_lookup_x. [bnc#703140]
+
 -------------------------------------------------------------------
 Wed Aug 17 18:56:03 UTC 2011 - aj@suse.de
 
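Review bot: Commenting out `_dl_scope_free (oldp);` leaves `struct link_map **oldp = map->l_initfini;` on the line above assigned but never read, so this nested hunk is likely to draw an unused-variable warning in every build of dl-close.c; drop the `oldp` declaration and refer to the field inside the comment instead, e.g. `_dl_scope_free (map->l_initfini); */`, keeping the comment ahead of the `map->l_initfini = map->l_orig_initfini;` assignment. Disabling the free is the right response to a use-after-free if the block really is aliased by `l_searchlist.r_list` as the new comment states, but it also means the old l_initfini array is now retained for the lifetime of the process on every dlclose that reaches this branch; one sentence in the comment saying that the retention is deliberate would save the next reader from re-adding the free. The enclosing `if` and `_dl_close_worker` both continue outside the nested hunk.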
@@ -29,6 +34,7 @@ Thu Jul 21 12:37:09 UTC 2011 - rhafer@suse.de
 
 - Disable rewriting ::1 to 127.0.0.1 for /etc/hosts entries.
 (bnc#684534, bnc#706719)
+ (patch glibc-fix-double-loopback.diff)
 
 -------------------------------------------------------------------
 Wed Jul 20 15:04:33 UTC 2011 - lnussel@suse.de
diff --git a/glibc.spec b/glibc.spec
index d33fa26..06fe12e 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -194,6 +194,8 @@ Patch65: glibc-fix-double-loopback.diff
 Patch66: glibc2.14-revert-sunrpc-removal.patch
 # PATCH-FIX-OPENSUSE revert seeking on fclose for now bnc#711829 matz@suse.de
 Patch67: glibc-revert-fseek-on-fclose.diff
+# PATCH-FIX-OPENSUSE Fix crash (access-after-free) in dl_lookup_x bnc#703140 matz@suse.de
+Patch68: glibc-fix-lookup-crash.patch
 # PATCH-FEATURE-OPENSUSE -- add sha support to crypt_blowfish lnussel@suse.de
 Patch80: crypt_blowfish-1.1-sha.diff
@@ -420,6 +422,7 @@ rm nscd/s-stamp
 %patch65 -p1
 %patch66 -p1
 %patch67 -p1
+%patch68 -p1
 #
 # Inconsistency detected by ld.so: dl-close.c: 719: _dl_close: Assertion `map->l_init_called' failed!