import glibc-2.28-164.el8

SOURCES/glibc-rh1966472-1.patch

@@ -0,0 +1,159 @@
+nptl: Add __pthread_attr_copy for copying pthread_attr_t objects
+
+Also add the private type union pthread_attr_transparent, to reduce
+the amount of casting that is required.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Tested-by: Carlos O'Donell <carlos@redhat.com>
+(cherry picked from commit 331c6e8a184167dd21a9f0b3fc165aeefea6eeca)
+
+Difference from upstream:
+Unlike upstream, __pthread_attr_copy is in libpthread.so.
+
+# Conflicts:
+#	nptl/Makefile
+#	nptl/Versions
+
+diff --git a/nptl/Makefile b/nptl/Makefile
+index d6b37b6efd3b7d78..b14de3ffb330c10b 100644
+--- a/nptl/Makefile
++++ b/nptl/Makefile
+@@ -54,7 +54,8 @@ libpthread-routines = nptl-init nptlfreeres vars events version pt-interp \
+ 		      pthread_getconcurrency pthread_setconcurrency \
+ 		      pthread_getschedparam pthread_setschedparam \
+ 		      pthread_setschedprio \
+-		      pthread_attr_init pthread_attr_destroy \
++		      pthread_attr_init pthread_attr_copy \
++		      pthread_attr_destroy \
+ 		      pthread_attr_getdetachstate pthread_attr_setdetachstate \
+ 		      pthread_attr_getguardsize pthread_attr_setguardsize \
+ 		      pthread_attr_getschedparam pthread_attr_setschedparam \
+diff --git a/nptl/Versions b/nptl/Versions
+index 6007fd03e7ed117c..e38272aa187fbe78 100644
+--- a/nptl/Versions
++++ b/nptl/Versions
+@@ -283,5 +283,6 @@ libpthread {
+     __pthread_barrier_init; __pthread_barrier_wait;
+     __shm_directory;
+     __libpthread_freeres;
++    __pthread_attr_copy;
+   }
+ }
+diff --git a/nptl/pthreadP.h b/nptl/pthreadP.h
+index 00be8f92793e8710..a2d48b2015cd385c 100644
+--- a/nptl/pthreadP.h
++++ b/nptl/pthreadP.h
+@@ -464,6 +464,9 @@ extern int __pthread_attr_getstack (const pthread_attr_t *__restrict __attr,
+ 				    size_t *__restrict __stacksize);
+ extern int __pthread_attr_setstack (pthread_attr_t *__attr, void *__stackaddr,
+ 				    size_t __stacksize);
++extern int __pthread_attr_setaffinity_np (pthread_attr_t *attr,
++					  size_t cpusetsize,
++					  const cpu_set_t *cpuset);
+ extern int __pthread_rwlock_init (pthread_rwlock_t *__restrict __rwlock,
+ 				  const pthread_rwlockattr_t *__restrict
+ 				  __attr);
+@@ -605,6 +608,11 @@ extern void __wait_lookup_done (void) attribute_hidden;
+ # define PTHREAD_STATIC_FN_REQUIRE(name) __asm (".globl " #name);
+ #endif
+ 
++/* Make a deep copy of the attribute *SOURCE in *TARGET.  *TARGET is
++   not assumed to have been initialized.  Returns 0 on success, or a
++   positive error code otherwise.  */
++int __pthread_attr_copy (pthread_attr_t *target, const pthread_attr_t *source);
++
+ /* Returns 0 if POL is a valid scheduling policy.  */
+ static inline int
+ check_sched_policy_attr (int pol)
+diff --git a/nptl/pthread_attr_copy.c b/nptl/pthread_attr_copy.c
+new file mode 100644
+index 0000000000000000..67f272acf297100c
+--- /dev/null
++++ b/nptl/pthread_attr_copy.c
+@@ -0,0 +1,56 @@
++/* Deep copy of a pthread_attr_t object.
++   Copyright (C) 2020 Free Software Foundation, Inc.
++   This file is part of the GNU C Library.
++
++   The GNU C Library is free software; you can redistribute it and/or
++   modify it under the terms of the GNU Lesser General Public
++   License as published by the Free Software Foundation; either
++   version 2.1 of the License, or (at your option) any later version.
++
++   The GNU C Library is distributed in the hope that it will be useful,
++   but WITHOUT ANY WARRANTY; without even the implied warranty of
++   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
++   Lesser General Public License for more details.
++
++   You should have received a copy of the GNU Lesser General Public
++   License along with the GNU C Library; if not, see
++   <https://www.gnu.org/licenses/>.  */
++
++#include <errno.h>
++#include <pthreadP.h>
++#include <stdlib.h>
++
++int
++__pthread_attr_copy (pthread_attr_t *target, const pthread_attr_t *source)
++{
++  /* Avoid overwriting *TARGET until all allocations have
++     succeeded.  */
++  union pthread_attr_transparent temp;
++  temp.external = *source;
++
++  /* Force new allocation.  This function has full ownership of temp.  */
++  temp.internal.cpuset = NULL;
++  temp.internal.cpusetsize = 0;
++
++  int ret = 0;
++
++  struct pthread_attr *isource = (struct pthread_attr *) source;
++
++  /* Propagate affinity mask information.  */
++  if (isource->cpusetsize > 0)
++    ret = __pthread_attr_setaffinity_np (&temp.external,
++					 isource->cpusetsize,
++					 isource->cpuset);
++
++  if (ret != 0)
++    {
++      /* Deallocate because we have ownership.  */
++      __pthread_attr_destroy (&temp.external);
++      return ret;
++    }
++
++  /* Transfer ownership.  *target is not assumed to have been
++     initialized.  */
++  *target = temp.external;
++  return 0;
++}
+diff --git a/nptl/pthread_attr_setaffinity.c b/nptl/pthread_attr_setaffinity.c
+index 545b72c91e290216..914ebf6f9cbfd5ff 100644
+--- a/nptl/pthread_attr_setaffinity.c
++++ b/nptl/pthread_attr_setaffinity.c
+@@ -55,6 +55,7 @@ __pthread_attr_setaffinity_new (pthread_attr_t *attr, size_t cpusetsize,
+ 
+   return 0;
+ }
++strong_alias (__pthread_attr_setaffinity_new, __pthread_attr_setaffinity_np)
+ versioned_symbol (libpthread, __pthread_attr_setaffinity_new,
+ 		  pthread_attr_setaffinity_np, GLIBC_2_3_4);
+ 
+diff --git a/sysdeps/nptl/internaltypes.h b/sysdeps/nptl/internaltypes.h
+index b78ad99a888b4e3b..d3dce1278de989e2 100644
+--- a/sysdeps/nptl/internaltypes.h
++++ b/sysdeps/nptl/internaltypes.h
+@@ -49,6 +49,13 @@ struct pthread_attr
+ #define ATTR_FLAG_SCHED_SET		0x0020
+ #define ATTR_FLAG_POLICY_SET		0x0040
+ 
++/* Used to allocate a pthread_attr_t object which is also accessed
++   internally.  */
++union pthread_attr_transparent
++{
++  pthread_attr_t external;
++  struct pthread_attr internal;
++};
+ 
+ /* Mutex attribute data structure.  */
+ struct pthread_mutexattr

SOURCES/glibc-rh1966472-2.patch

@@ -0,0 +1,50 @@
+Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+(cherry picked from commit 42d359350510506b87101cf77202fefcbfc790cb)
+
+# Conflicts:
+#	NEWS
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 3563e82cd4f4b552..c4091169306ffde8 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -135,8 +135,11 @@ helper_thread (void *arg)
+ 	    (void) __pthread_barrier_wait (&notify_barrier);
+ 	}
+       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+-	/* The only state we keep is the copy of the thread attributes.  */
+-	free (data.attr);
++	{
++	  /* The only state we keep is the copy of the thread attributes.  */
++	  pthread_attr_destroy (data.attr);
++	  free (data.attr);
++	}
+     }
+   return NULL;
+ }
+@@ -257,8 +260,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+ 	return -1;
+ 
+-      memcpy (data.attr, notification->sigev_notify_attributes,
+-	      sizeof (pthread_attr_t));
++      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
+     }
+ 
+   /* Construct the new request.  */
+@@ -272,7 +274,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ 
+   /* If it failed, free the allocated memory.  */
+   if (__glibc_unlikely (retval != 0))
+-    free (data.attr);
++    {
++      pthread_attr_destroy (data.attr);
++      free (data.attr);
++    }
+ 
+   return retval;
+ }

SOURCES/glibc-rh1966472-3.patch

@@ -0,0 +1,44 @@
+Fix use of __pthread_attr_copy in mq_notify (bug 27896)
+
+__pthread_attr_copy can fail and does not initialize the attribute
+structure in that case.
+
+If __pthread_attr_copy is never called and there is no allocated
+attribute, pthread_attr_destroy should not be called, otherwise
+there is a null pointer dereference in rt/tst-mqueue6.
+
+Fixes commit 42d359350510506b87101cf77202fefcbfc790cb
+("Use __pthread_attr_copy in mq_notify (bug 27896)").
+
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+(cherry picked from commit 217b6dc298156bdb0d6aea9ea93e7e394a5ff091)
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index c4091169306ffde8..45449571d14c379f 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -260,7 +260,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+       if (data.attr == NULL)
+ 	return -1;
+ 
+-      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
++      int ret = __pthread_attr_copy (data.attr,
++				     notification->sigev_notify_attributes);
++      if (ret != 0)
++	{
++	  free (data.attr);
++	  __set_errno (ret);
++	  return -1;
++	}
+     }
+ 
+   /* Construct the new request.  */
+@@ -273,7 +280,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+ 
+   /* If it failed, free the allocated memory.  */
+-  if (__glibc_unlikely (retval != 0))
++  if (retval != 0 && data.attr != NULL)
+     {
+       pthread_attr_destroy (data.attr);
+       free (data.attr);

SOURCES/glibc-rh1966472-4.patch

@@ -0,0 +1,34 @@
+commit b805aebd42364fe696e417808a700fdb9800c9e8
+Author: Nikita Popov <npv1310@gmail.com>
+Date:   Mon Aug 9 20:17:34 2021 +0530
+
+    librt: fix NULL pointer dereference (bug 28213)
+    
+    Helper thread frees copied attribute on NOTIFY_REMOVED message
+    received from the OS kernel.  Unfortunately, it fails to check whether
+    copied attribute actually exists (data.attr != NULL).  This worked
+    earlier because free() checks passed pointer before actually
+    attempting to release corresponding memory.  But
+    __pthread_attr_destroy assumes pointer is not NULL.
+    
+    So passing NULL pointer to __pthread_attr_destroy will result in
+    segmentation fault.  This scenario is possible if
+    notification->sigev_notify_attributes == NULL (which means default
+    thread attributes should be used).
+    
+    Signed-off-by: Nikita Popov <npv1310@gmail.com>
+    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 45449571d14c379f..581959d621135fb0 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,7 +134,7 @@ helper_thread (void *arg)
+ 	       to wait until it is done with it.  */
+ 	    (void) __pthread_barrier_wait (&notify_barrier);
+ 	}
+-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ 	{
+ 	  /* The only state we keep is the copy of the thread attributes.  */
+ 	  pthread_attr_destroy (data.attr);

SPECS/glibc.spec

@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.28
 %define glibcversion 2.28
-%define glibcrelease 162%{?dist}
+%define glibcrelease 164%{?dist}
 # Pre-release tarballs are pulled in from git using a command that is
 # effectively:
 #
@@ -715,6 +715,10 @@ Patch578: glibc-rh1956357-6.patch
 Patch579: glibc-rh1956357-7.patch
 Patch580: glibc-rh1956357-8.patch
 Patch581: glibc-rh1979127.patch
+Patch582: glibc-rh1966472-1.patch
+Patch583: glibc-rh1966472-2.patch
+Patch584: glibc-rh1966472-3.patch
+Patch585: glibc-rh1966472-4.patch
 
 ##############################################################################
 # Continued list of core "glibc" package information:
@@ -2627,6 +2631,12 @@ fi
 %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
 
 %changelog
+* Mon Aug  9 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164
+- librt: fix NULL pointer dereference (#1966472).
+
+* Mon Aug  9 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-163
+- CVE-2021-33574: Deep copy pthread attribute in mq_notify (#1966472)
+
 * Thu Jul  8 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-162
 - CVE-2021-35942: wordexp: handle overflow in positional parameter number
   (#1979127)