forked from rpms/glibc
import glibc-2.28-164.el8_5.3
This commit is contained in:
parent
1862755f9f
commit
e3ace7a765
64
SOURCES/glibc-rh2032280-1.patch
Normal file
64
SOURCES/glibc-rh2032280-1.patch
Normal file
@ -0,0 +1,64 @@
|
||||
commit a7e9dbb7742954814643a8562dcad09abb0b0e5d
|
||||
Author: Alexandra Hájková <ahajkova@redhat.com>
|
||||
Date: Sat Dec 26 18:45:13 2020 +0100
|
||||
|
||||
Add xchdir to libsupport.
|
||||
|
||||
diff --git a/support/Makefile b/support/Makefile
|
||||
index dcf3c4baa2a31070..fb95a69ed9158e78 100644
|
||||
--- a/support/Makefile
|
||||
+++ b/support/Makefile
|
||||
@@ -82,6 +82,7 @@ libsupport-routines = \
|
||||
xasprintf \
|
||||
xbind \
|
||||
xcalloc \
|
||||
+ xchdir \
|
||||
xchroot \
|
||||
xclose \
|
||||
xconnect \
|
||||
diff --git a/support/xchdir.c b/support/xchdir.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..beb4feff72832065
|
||||
--- /dev/null
|
||||
+++ b/support/xchdir.c
|
||||
@@ -0,0 +1,28 @@
|
||||
+/* chdir with error checking.
|
||||
+ Copyright (C) 2020 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <support/check.h>
|
||||
+#include <support/xunistd.h>
|
||||
+#include <unistd.h>
|
||||
+
|
||||
+void
|
||||
+xchdir (const char *path)
|
||||
+{
|
||||
+ if (chdir (path) != 0)
|
||||
+ FAIL_EXIT1 ("chdir (\"%s\"): %m", path);
|
||||
+}
|
||||
diff --git a/support/xunistd.h b/support/xunistd.h
|
||||
index f99f362cb4763c5b..74fd2771d12c36fe 100644
|
||||
--- a/support/xunistd.h
|
||||
+++ b/support/xunistd.h
|
||||
@@ -44,6 +44,7 @@ long xsysconf (int name);
|
||||
long long xlseek (int fd, long long offset, int whence);
|
||||
void xftruncate (int fd, long long length);
|
||||
void xsymlink (const char *target, const char *linkpath);
|
||||
+void xchdir (const char *path);
|
||||
|
||||
/* Equivalent of "mkdir -p". */
|
||||
void xmkdirp (const char *, mode_t);
|
72
SOURCES/glibc-rh2032280-2.patch
Normal file
72
SOURCES/glibc-rh2032280-2.patch
Normal file
@ -0,0 +1,72 @@
|
||||
commit 60854f40ea2d420867ed2f0f052ee7fca661dbff
|
||||
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Date: Thu Oct 15 15:14:22 2020 -0300
|
||||
|
||||
support: Add create_temp_file_in_dir
|
||||
|
||||
It allows created a temporary file in a specified directory.
|
||||
|
||||
diff --git a/support/support.h b/support/support.h
|
||||
index f50f8cc1496d657d..96833bd4e992e6d3 100644
|
||||
--- a/support/support.h
|
||||
+++ b/support/support.h
|
||||
@@ -23,6 +23,7 @@
|
||||
#ifndef SUPPORT_H
|
||||
#define SUPPORT_H
|
||||
|
||||
+#include <stdbool.h>
|
||||
#include <stddef.h>
|
||||
#include <sys/cdefs.h>
|
||||
/* For mode_t. */
|
||||
diff --git a/support/temp_file.c b/support/temp_file.c
|
||||
index 0bbc7f997264f758..5a2728c94a9c32ae 100644
|
||||
--- a/support/temp_file.c
|
||||
+++ b/support/temp_file.c
|
||||
@@ -60,14 +60,12 @@ add_temp_file (const char *name)
|
||||
}
|
||||
|
||||
int
|
||||
-create_temp_file (const char *base, char **filename)
|
||||
+create_temp_file_in_dir (const char *base, const char *dir, char **filename)
|
||||
{
|
||||
char *fname;
|
||||
int fd;
|
||||
|
||||
- fname = (char *) xmalloc (strlen (test_dir) + 1 + strlen (base)
|
||||
- + sizeof ("XXXXXX"));
|
||||
- strcpy (stpcpy (stpcpy (stpcpy (fname, test_dir), "/"), base), "XXXXXX");
|
||||
+ fname = xasprintf ("%s/%sXXXXXX", dir, base);
|
||||
|
||||
fd = mkstemp (fname);
|
||||
if (fd == -1)
|
||||
@@ -86,6 +84,12 @@ create_temp_file (const char *base, char **filename)
|
||||
return fd;
|
||||
}
|
||||
|
||||
+int
|
||||
+create_temp_file (const char *base, char **filename)
|
||||
+{
|
||||
+ return create_temp_file_in_dir (base, test_dir, filename);
|
||||
+}
|
||||
+
|
||||
char *
|
||||
support_create_temp_directory (const char *base)
|
||||
{
|
||||
diff --git a/support/temp_file.h b/support/temp_file.h
|
||||
index c7795cc577ca22a9..d64563f41f1f50cd 100644
|
||||
--- a/support/temp_file.h
|
||||
+++ b/support/temp_file.h
|
||||
@@ -32,6 +32,13 @@ void add_temp_file (const char *name);
|
||||
*FILENAME. */
|
||||
int create_temp_file (const char *base, char **filename);
|
||||
|
||||
+/* Create a temporary file in directory DIR. Return the opened file
|
||||
+ descriptor on success, or -1 on failure. Write the file name to
|
||||
+ *FILENAME if FILENAME is not NULL. In this case, the caller is
|
||||
+ expected to free *FILENAME. */
|
||||
+int create_temp_file_in_dir (const char *base, const char *dir,
|
||||
+ char **filename);
|
||||
+
|
||||
/* Create a temporary directory and schedule it for deletion. BASE is
|
||||
used as a prefix for the unique directory name, which the function
|
||||
returns. The caller should free this string. */
|
278
SOURCES/glibc-rh2032280-3.patch
Normal file
278
SOURCES/glibc-rh2032280-3.patch
Normal file
@ -0,0 +1,278 @@
|
||||
commit fb7bff12e81c677a6622f724edd4d4987dd9d971
|
||||
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
Date: Tue Jan 18 13:29:36 2022 +0530
|
||||
|
||||
support: Add helpers to create paths longer than PATH_MAX
|
||||
|
||||
Add new helpers support_create_and_chdir_toolong_temp_directory and
|
||||
support_chdir_toolong_temp_directory to create and descend into
|
||||
directory trees longer than PATH_MAX.
|
||||
|
||||
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
# Conflicts:
|
||||
# support/temp_file.c
|
||||
|
||||
diff --git a/support/temp_file.c b/support/temp_file.c
|
||||
index 5a2728c94a9c32ae..661c86bad5c0121f 100644
|
||||
--- a/support/temp_file.c
|
||||
+++ b/support/temp_file.c
|
||||
@@ -1,5 +1,6 @@
|
||||
/* Temporary file handling for tests.
|
||||
- Copyright (C) 1998-2018 Free Software Foundation, Inc.
|
||||
+ Copyright (C) 1998-2022 Free Software Foundation, Inc.
|
||||
+ Copyright The GNU Tools Authors.
|
||||
This file is part of the GNU C Library.
|
||||
|
||||
The GNU C Library is free software; you can redistribute it and/or
|
||||
@@ -20,15 +21,17 @@
|
||||
some 32-bit platforms. */
|
||||
#define _FILE_OFFSET_BITS 64
|
||||
|
||||
+#include <support/check.h>
|
||||
#include <support/temp_file.h>
|
||||
#include <support/temp_file-internal.h>
|
||||
#include <support/support.h>
|
||||
|
||||
+#include <errno.h>
|
||||
#include <paths.h>
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
-#include <unistd.h>
|
||||
+#include <xunistd.h>
|
||||
|
||||
/* List of temporary files. */
|
||||
static struct temp_name_list
|
||||
@@ -36,14 +39,20 @@ static struct temp_name_list
|
||||
struct temp_name_list *next;
|
||||
char *name;
|
||||
pid_t owner;
|
||||
+ bool toolong;
|
||||
} *temp_name_list;
|
||||
|
||||
/* Location of the temporary files. Set by the test skeleton via
|
||||
support_set_test_dir. The string is not be freed. */
|
||||
static const char *test_dir = _PATH_TMP;
|
||||
|
||||
-void
|
||||
-add_temp_file (const char *name)
|
||||
+/* Name of subdirectories in a too long temporary directory tree. */
|
||||
+static char toolong_subdir[NAME_MAX + 1];
|
||||
+static bool toolong_initialized;
|
||||
+static size_t toolong_path_max;
|
||||
+
|
||||
+static void
|
||||
+add_temp_file_internal (const char *name, bool toolong)
|
||||
{
|
||||
struct temp_name_list *newp
|
||||
= (struct temp_name_list *) xcalloc (sizeof (*newp), 1);
|
||||
@@ -53,12 +62,19 @@ add_temp_file (const char *name)
|
||||
newp->name = newname;
|
||||
newp->next = temp_name_list;
|
||||
newp->owner = getpid ();
|
||||
+ newp->toolong = toolong;
|
||||
temp_name_list = newp;
|
||||
}
|
||||
else
|
||||
free (newp);
|
||||
}
|
||||
|
||||
+void
|
||||
+add_temp_file (const char *name)
|
||||
+{
|
||||
+ add_temp_file_internal (name, false);
|
||||
+}
|
||||
+
|
||||
int
|
||||
create_temp_file_in_dir (const char *base, const char *dir, char **filename)
|
||||
{
|
||||
@@ -90,8 +106,8 @@ create_temp_file (const char *base, char **filename)
|
||||
return create_temp_file_in_dir (base, test_dir, filename);
|
||||
}
|
||||
|
||||
-char *
|
||||
-support_create_temp_directory (const char *base)
|
||||
+static char *
|
||||
+create_temp_directory_internal (const char *base, bool toolong)
|
||||
{
|
||||
char *path = xasprintf ("%s/%sXXXXXX", test_dir, base);
|
||||
if (mkdtemp (path) == NULL)
|
||||
@@ -99,16 +115,132 @@ support_create_temp_directory (const char *base)
|
||||
printf ("error: mkdtemp (\"%s\"): %m", path);
|
||||
exit (1);
|
||||
}
|
||||
- add_temp_file (path);
|
||||
+ add_temp_file_internal (path, toolong);
|
||||
return path;
|
||||
}
|
||||
|
||||
-/* Helper functions called by the test skeleton follow. */
|
||||
+char *
|
||||
+support_create_temp_directory (const char *base)
|
||||
+{
|
||||
+ return create_temp_directory_internal (base, false);
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+ensure_toolong_initialized (void)
|
||||
+{
|
||||
+ if (!toolong_initialized)
|
||||
+ FAIL_EXIT1 ("uninitialized toolong directory tree\n");
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+initialize_toolong (const char *base)
|
||||
+{
|
||||
+ long name_max = pathconf (base, _PC_NAME_MAX);
|
||||
+ name_max = (name_max < 0 ? 64
|
||||
+ : (name_max < sizeof (toolong_subdir) ? name_max
|
||||
+ : sizeof (toolong_subdir) - 1));
|
||||
+
|
||||
+ long path_max = pathconf (base, _PC_PATH_MAX);
|
||||
+ path_max = (path_max < 0 ? 1024
|
||||
+ : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX);
|
||||
+
|
||||
+ /* Sanity check to ensure that the test does not create temporary directories
|
||||
+ in different filesystems because this API doesn't support it. */
|
||||
+ if (toolong_initialized)
|
||||
+ {
|
||||
+ if (name_max != strlen (toolong_subdir))
|
||||
+ FAIL_UNSUPPORTED ("name_max: Temporary directories in different"
|
||||
+ " filesystems not supported yet\n");
|
||||
+ if (path_max != toolong_path_max)
|
||||
+ FAIL_UNSUPPORTED ("path_max: Temporary directories in different"
|
||||
+ " filesystems not supported yet\n");
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ toolong_path_max = path_max;
|
||||
+
|
||||
+ size_t len = name_max;
|
||||
+ memset (toolong_subdir, 'X', len);
|
||||
+ toolong_initialized = true;
|
||||
+}
|
||||
+
|
||||
+char *
|
||||
+support_create_and_chdir_toolong_temp_directory (const char *basename)
|
||||
+{
|
||||
+ char *base = create_temp_directory_internal (basename, true);
|
||||
+ xchdir (base);
|
||||
+
|
||||
+ initialize_toolong (base);
|
||||
+
|
||||
+ size_t sz = strlen (toolong_subdir);
|
||||
+
|
||||
+ /* Create directories and descend into them so that the final path is larger
|
||||
+ than PATH_MAX. */
|
||||
+ for (size_t i = 0; i <= toolong_path_max / sz; i++)
|
||||
+ {
|
||||
+ int ret = mkdir (toolong_subdir, S_IRWXU);
|
||||
+ if (ret != 0 && errno == ENAMETOOLONG)
|
||||
+ FAIL_UNSUPPORTED ("Filesystem does not support creating too long "
|
||||
+ "directory trees\n");
|
||||
+ else if (ret != 0)
|
||||
+ FAIL_EXIT1 ("Failed to create directory tree: %m\n");
|
||||
+ xchdir (toolong_subdir);
|
||||
+ }
|
||||
+ return base;
|
||||
+}
|
||||
|
||||
void
|
||||
-support_set_test_dir (const char *path)
|
||||
+support_chdir_toolong_temp_directory (const char *base)
|
||||
{
|
||||
- test_dir = path;
|
||||
+ ensure_toolong_initialized ();
|
||||
+
|
||||
+ xchdir (base);
|
||||
+
|
||||
+ size_t sz = strlen (toolong_subdir);
|
||||
+ for (size_t i = 0; i <= toolong_path_max / sz; i++)
|
||||
+ xchdir (toolong_subdir);
|
||||
+}
|
||||
+
|
||||
+/* Helper functions called by the test skeleton follow. */
|
||||
+
|
||||
+static void
|
||||
+remove_toolong_subdirs (const char *base)
|
||||
+{
|
||||
+ ensure_toolong_initialized ();
|
||||
+
|
||||
+ if (chdir (base) != 0)
|
||||
+ {
|
||||
+ printf ("warning: toolong cleanup base failed: chdir (\"%s\"): %m\n",
|
||||
+ base);
|
||||
+ return;
|
||||
+ }
|
||||
+
|
||||
+ /* Descend. */
|
||||
+ int levels = 0;
|
||||
+ size_t sz = strlen (toolong_subdir);
|
||||
+ for (levels = 0; levels <= toolong_path_max / sz; levels++)
|
||||
+ if (chdir (toolong_subdir) != 0)
|
||||
+ {
|
||||
+ printf ("warning: toolong cleanup failed: chdir (\"%s\"): %m\n",
|
||||
+ toolong_subdir);
|
||||
+ break;
|
||||
+ }
|
||||
+
|
||||
+ /* Ascend and remove. */
|
||||
+ while (--levels >= 0)
|
||||
+ {
|
||||
+ if (chdir ("..") != 0)
|
||||
+ {
|
||||
+ printf ("warning: toolong cleanup failed: chdir (\"..\"): %m\n");
|
||||
+ return;
|
||||
+ }
|
||||
+ if (remove (toolong_subdir) != 0)
|
||||
+ {
|
||||
+ printf ("warning: could not remove subdirectory: %s: %m\n",
|
||||
+ toolong_subdir);
|
||||
+ return;
|
||||
+ }
|
||||
+ }
|
||||
}
|
||||
|
||||
void
|
||||
@@ -123,6 +255,9 @@ support_delete_temp_files (void)
|
||||
around, to prevent PID reuse.) */
|
||||
if (temp_name_list->owner == pid)
|
||||
{
|
||||
+ if (temp_name_list->toolong)
|
||||
+ remove_toolong_subdirs (temp_name_list->name);
|
||||
+
|
||||
if (remove (temp_name_list->name) != 0)
|
||||
printf ("warning: could not remove temporary file: %s: %m\n",
|
||||
temp_name_list->name);
|
||||
@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f)
|
||||
fprintf (f, ")\n");
|
||||
}
|
||||
}
|
||||
+
|
||||
+void
|
||||
+support_set_test_dir (const char *path)
|
||||
+{
|
||||
+ test_dir = path;
|
||||
+}
|
||||
diff --git a/support/temp_file.h b/support/temp_file.h
|
||||
index d64563f41f1f50cd..055e31dcfb843ba6 100644
|
||||
--- a/support/temp_file.h
|
||||
+++ b/support/temp_file.h
|
||||
@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char *base, const char *dir,
|
||||
returns. The caller should free this string. */
|
||||
char *support_create_temp_directory (const char *base);
|
||||
|
||||
+/* Create a temporary directory tree that is longer than PATH_MAX and schedule
|
||||
+ it for deletion. BASENAME is used as a prefix for the unique directory
|
||||
+ name, which the function returns. The caller should free this string. */
|
||||
+char *support_create_and_chdir_toolong_temp_directory (const char *basename);
|
||||
+
|
||||
+/* Change into the innermost directory of the directory tree BASE, which was
|
||||
+ created using support_create_and_chdir_toolong_temp_directory. */
|
||||
+void support_chdir_toolong_temp_directory (const char *base);
|
||||
+
|
||||
__END_DECLS
|
||||
|
||||
#endif /* SUPPORT_TEMP_FILE_H */
|
331
SOURCES/glibc-rh2032280-4.patch
Normal file
331
SOURCES/glibc-rh2032280-4.patch
Normal file
@ -0,0 +1,331 @@
|
||||
commit 23e0e8f5f1fb5ed150253d986ecccdc90c2dcd5e
|
||||
Author: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
Date: Fri Jan 21 23:32:56 2022 +0530
|
||||
|
||||
getcwd: Set errno to ERANGE for size == 1 (CVE-2021-3999)
|
||||
|
||||
No valid path returned by getcwd would fit into 1 byte, so reject the
|
||||
size early and return NULL with errno set to ERANGE. This change is
|
||||
prompted by CVE-2021-3999, which describes a single byte buffer
|
||||
underflow and overflow when all of the following conditions are met:
|
||||
|
||||
- The buffer size (i.e. the second argument of getcwd) is 1 byte
|
||||
- The current working directory is too long
|
||||
- '/' is also mounted on the current working directory
|
||||
|
||||
Sequence of events:
|
||||
|
||||
- In sysdeps/unix/sysv/linux/getcwd.c, the syscall returns ENAMETOOLONG
|
||||
because the linux kernel checks for name length before it checks
|
||||
buffer size
|
||||
|
||||
- The code falls back to the generic getcwd in sysdeps/posix
|
||||
|
||||
- In the generic func, the buf[0] is set to '\0' on line 250
|
||||
|
||||
- this while loop on line 262 is bypassed:
|
||||
|
||||
while (!(thisdev == rootdev && thisino == rootino))
|
||||
|
||||
since the rootfs (/) is bind mounted onto the directory and the flow
|
||||
goes on to line 449, where it puts a '/' in the byte before the
|
||||
buffer.
|
||||
|
||||
- Finally on line 458, it moves 2 bytes (the underflowed byte and the
|
||||
'\0') to the buf[0] and buf[1], resulting in a 1 byte buffer overflow.
|
||||
|
||||
- buf is returned on line 469 and errno is not set.
|
||||
|
||||
This resolves BZ #28769.
|
||||
|
||||
Reviewed-by: Andreas Schwab <schwab@linux-m68k.org>
|
||||
Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Signed-off-by: Qualys Security Advisory <qsa@qualys.com>
|
||||
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
# Conflicts:
|
||||
# sysdeps/posix/getcwd.c
|
||||
# sysdeps/unix/sysv/linux/Makefile
|
||||
|
||||
diff --git a/sysdeps/posix/getcwd.c b/sysdeps/posix/getcwd.c
|
||||
index b53433a2dc77fafa..fcd7aaea79c6477b 100644
|
||||
--- a/sysdeps/posix/getcwd.c
|
||||
+++ b/sysdeps/posix/getcwd.c
|
||||
@@ -238,6 +238,13 @@ __getcwd (char *buf, size_t size)
|
||||
bool fd_needs_closing = false;
|
||||
int fd = AT_FDCWD;
|
||||
|
||||
+ /* A size of 1 byte is never useful. */
|
||||
+ if (size == 1)
|
||||
+ {
|
||||
+ __set_errno (ERANGE);
|
||||
+ return NULL;
|
||||
+ }
|
||||
+
|
||||
char *path;
|
||||
#ifndef NO_ALLOCATION
|
||||
size_t allocated = size;
|
||||
diff --git a/sysdeps/unix/sysv/linux/Makefile b/sysdeps/unix/sysv/linux/Makefile
|
||||
index 688cf9fa9dea23a6..bb055f9d6b841ff5 100644
|
||||
--- a/sysdeps/unix/sysv/linux/Makefile
|
||||
+++ b/sysdeps/unix/sysv/linux/Makefile
|
||||
@@ -180,7 +180,11 @@ sysdep_routines += xstatconv internal_statvfs internal_statvfs64 \
|
||||
|
||||
sysdep_headers += bits/fcntl-linux.h
|
||||
|
||||
-tests += tst-fallocate tst-fallocate64
|
||||
+tests += \
|
||||
+ tst-fallocate \
|
||||
+ tst-fallocate64 \
|
||||
+ tst-getcwd-smallbuff \
|
||||
+# tests
|
||||
endif
|
||||
|
||||
ifeq ($(subdir),elf)
|
||||
diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..d460d6e7662dc5e4
|
||||
--- /dev/null
|
||||
+++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
|
||||
@@ -0,0 +1,241 @@
|
||||
+/* Verify that getcwd returns ERANGE for size 1 byte and does not underflow
|
||||
+ buffer when the CWD is too long and is also a mount target of /. See bug
|
||||
+ #28769 or CVE-2021-3999 for more context.
|
||||
+ Copyright The GNU Toolchain Authors.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <fcntl.h>
|
||||
+#include <intprops.h>
|
||||
+#include <limits.h>
|
||||
+#include <stdio.h>
|
||||
+#include <stdlib.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/mount.h>
|
||||
+#include <sys/stat.h>
|
||||
+#include <sys/types.h>
|
||||
+#include <sys/wait.h>
|
||||
+
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/un.h>
|
||||
+#include <support/check.h>
|
||||
+#include <support/temp_file.h>
|
||||
+#include <support/xsched.h>
|
||||
+#include <support/xunistd.h>
|
||||
+
|
||||
+static char *base;
|
||||
+#define BASENAME "tst-getcwd-smallbuff"
|
||||
+#define MOUNT_NAME "mpoint"
|
||||
+static int sockfd[2];
|
||||
+
|
||||
+static void
|
||||
+do_cleanup (void)
|
||||
+{
|
||||
+ support_chdir_toolong_temp_directory (base);
|
||||
+ TEST_VERIFY_EXIT (rmdir (MOUNT_NAME) == 0);
|
||||
+ free (base);
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+send_fd (const int sock, const int fd)
|
||||
+{
|
||||
+ struct msghdr msg = {0};
|
||||
+ union
|
||||
+ {
|
||||
+ struct cmsghdr hdr;
|
||||
+ char buf[CMSG_SPACE (sizeof (int))];
|
||||
+ } cmsgbuf = {0};
|
||||
+ struct cmsghdr *cmsg;
|
||||
+ struct iovec vec;
|
||||
+ char ch = 'A';
|
||||
+ ssize_t n;
|
||||
+
|
||||
+ msg.msg_control = &cmsgbuf.buf;
|
||||
+ msg.msg_controllen = sizeof (cmsgbuf.buf);
|
||||
+
|
||||
+ cmsg = CMSG_FIRSTHDR (&msg);
|
||||
+ cmsg->cmsg_len = CMSG_LEN (sizeof (int));
|
||||
+ cmsg->cmsg_level = SOL_SOCKET;
|
||||
+ cmsg->cmsg_type = SCM_RIGHTS;
|
||||
+ memcpy (CMSG_DATA (cmsg), &fd, sizeof (fd));
|
||||
+
|
||||
+ vec.iov_base = &ch;
|
||||
+ vec.iov_len = 1;
|
||||
+ msg.msg_iov = &vec;
|
||||
+ msg.msg_iovlen = 1;
|
||||
+
|
||||
+ while ((n = sendmsg (sock, &msg, 0)) == -1 && errno == EINTR);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (n == 1);
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+recv_fd (const int sock)
|
||||
+{
|
||||
+ struct msghdr msg = {0};
|
||||
+ union
|
||||
+ {
|
||||
+ struct cmsghdr hdr;
|
||||
+ char buf[CMSG_SPACE(sizeof(int))];
|
||||
+ } cmsgbuf = {0};
|
||||
+ struct cmsghdr *cmsg;
|
||||
+ struct iovec vec;
|
||||
+ ssize_t n;
|
||||
+ char ch = '\0';
|
||||
+ int fd = -1;
|
||||
+
|
||||
+ vec.iov_base = &ch;
|
||||
+ vec.iov_len = 1;
|
||||
+ msg.msg_iov = &vec;
|
||||
+ msg.msg_iovlen = 1;
|
||||
+
|
||||
+ msg.msg_control = &cmsgbuf.buf;
|
||||
+ msg.msg_controllen = sizeof (cmsgbuf.buf);
|
||||
+
|
||||
+ while ((n = recvmsg (sock, &msg, 0)) == -1 && errno == EINTR);
|
||||
+ if (n != 1 || ch != 'A')
|
||||
+ return -1;
|
||||
+
|
||||
+ cmsg = CMSG_FIRSTHDR (&msg);
|
||||
+ if (cmsg == NULL)
|
||||
+ return -1;
|
||||
+ if (cmsg->cmsg_type != SCM_RIGHTS)
|
||||
+ return -1;
|
||||
+ memcpy (&fd, CMSG_DATA (cmsg), sizeof (fd));
|
||||
+ if (fd < 0)
|
||||
+ return -1;
|
||||
+ return fd;
|
||||
+}
|
||||
+
|
||||
+static int
|
||||
+child_func (void * const arg)
|
||||
+{
|
||||
+ xclose (sockfd[0]);
|
||||
+ const int sock = sockfd[1];
|
||||
+ char ch;
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
|
||||
+ TEST_VERIFY_EXIT (ch == '1');
|
||||
+
|
||||
+ if (mount ("/", MOUNT_NAME, NULL, MS_BIND | MS_REC, NULL))
|
||||
+ FAIL_EXIT1 ("mount failed: %m\n");
|
||||
+ const int fd = xopen ("mpoint",
|
||||
+ O_RDONLY | O_PATH | O_DIRECTORY | O_NOFOLLOW, 0);
|
||||
+
|
||||
+ send_fd (sock, fd);
|
||||
+ xclose (fd);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (read (sock, &ch, 1) == 1);
|
||||
+ TEST_VERIFY_EXIT (ch == 'a');
|
||||
+
|
||||
+ xclose (sock);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+update_map (char * const mapping, const char * const map_file)
|
||||
+{
|
||||
+ const size_t map_len = strlen (mapping);
|
||||
+
|
||||
+ const int fd = xopen (map_file, O_WRONLY, 0);
|
||||
+ xwrite (fd, mapping, map_len);
|
||||
+ xclose (fd);
|
||||
+}
|
||||
+
|
||||
+static void
|
||||
+proc_setgroups_write (const long child_pid, const char * const str)
|
||||
+{
|
||||
+ const size_t str_len = strlen(str);
|
||||
+
|
||||
+ char setgroups_path[sizeof ("/proc//setgroups") + INT_STRLEN_BOUND (long)];
|
||||
+
|
||||
+ snprintf (setgroups_path, sizeof (setgroups_path),
|
||||
+ "/proc/%ld/setgroups", child_pid);
|
||||
+
|
||||
+ const int fd = open (setgroups_path, O_WRONLY);
|
||||
+
|
||||
+ if (fd < 0)
|
||||
+ {
|
||||
+ TEST_VERIFY_EXIT (errno == ENOENT);
|
||||
+ FAIL_UNSUPPORTED ("/proc/%ld/setgroups not found\n", child_pid);
|
||||
+ }
|
||||
+
|
||||
+ xwrite (fd, str, str_len);
|
||||
+ xclose(fd);
|
||||
+}
|
||||
+
|
||||
+static char child_stack[1024 * 1024];
|
||||
+
|
||||
+int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ base = support_create_and_chdir_toolong_temp_directory (BASENAME);
|
||||
+
|
||||
+ xmkdir (MOUNT_NAME, S_IRWXU);
|
||||
+ atexit (do_cleanup);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
|
||||
+ pid_t child_pid = xclone (child_func, NULL, child_stack,
|
||||
+ sizeof (child_stack),
|
||||
+ CLONE_NEWUSER | CLONE_NEWNS | SIGCHLD);
|
||||
+
|
||||
+ xclose (sockfd[1]);
|
||||
+ const int sock = sockfd[0];
|
||||
+
|
||||
+ char map_path[sizeof ("/proc//uid_map") + INT_STRLEN_BOUND (long)];
|
||||
+ char map_buf[sizeof ("0 1") + INT_STRLEN_BOUND (long)];
|
||||
+
|
||||
+ snprintf (map_path, sizeof (map_path), "/proc/%ld/uid_map",
|
||||
+ (long) child_pid);
|
||||
+ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getuid());
|
||||
+ update_map (map_buf, map_path);
|
||||
+
|
||||
+ proc_setgroups_write ((long) child_pid, "deny");
|
||||
+ snprintf (map_path, sizeof (map_path), "/proc/%ld/gid_map",
|
||||
+ (long) child_pid);
|
||||
+ snprintf (map_buf, sizeof (map_buf), "0 %ld 1", (long) getgid());
|
||||
+ update_map (map_buf, map_path);
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (send (sock, "1", 1, MSG_NOSIGNAL) == 1);
|
||||
+ const int fd = recv_fd (sock);
|
||||
+ TEST_VERIFY_EXIT (fd >= 0);
|
||||
+ TEST_VERIFY_EXIT (fchdir (fd) == 0);
|
||||
+
|
||||
+ static char buf[2 * 10 + 1];
|
||||
+ memset (buf, 'A', sizeof (buf));
|
||||
+
|
||||
+ /* Finally, call getcwd and check if it resulted in a buffer underflow. */
|
||||
+ char * cwd = getcwd (buf + sizeof (buf) / 2, 1);
|
||||
+ TEST_VERIFY (cwd == NULL);
|
||||
+ TEST_VERIFY (errno == ERANGE);
|
||||
+
|
||||
+ for (int i = 0; i < sizeof (buf); i++)
|
||||
+ if (buf[i] != 'A')
|
||||
+ {
|
||||
+ printf ("buf[%d] = %02x\n", i, (unsigned int) buf[i]);
|
||||
+ support_record_failure ();
|
||||
+ }
|
||||
+
|
||||
+ TEST_VERIFY_EXIT (send (sock, "a", 1, MSG_NOSIGNAL) == 1);
|
||||
+ xclose (sock);
|
||||
+ TEST_VERIFY_EXIT (xwaitpid (child_pid, NULL, 0) == child_pid);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#define CLEANUP_HANDLER do_cleanup
|
||||
+#include <support/test-driver.c>
|
121
SOURCES/glibc-rh2032280-5.patch
Normal file
121
SOURCES/glibc-rh2032280-5.patch
Normal file
@ -0,0 +1,121 @@
|
||||
commit de8995a2a04163617c1a233b4b81356ef9f9741f
|
||||
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
|
||||
Date: Wed Mar 10 12:26:30 2021 -0300
|
||||
|
||||
support: Add xclone
|
||||
|
||||
It is a wrapper for Linux clone syscall, to simplify the call to the
|
||||
use only the most common arguments and remove architecture specific
|
||||
handling (such as ia64 different name and signature).
|
||||
|
||||
# Conflicts:
|
||||
# support/Makefile
|
||||
|
||||
diff --git a/support/Makefile b/support/Makefile
|
||||
index fb95a69ed9158e78..d2b95539403e416c 100644
|
||||
--- a/support/Makefile
|
||||
+++ b/support/Makefile
|
||||
@@ -84,6 +84,7 @@ libsupport-routines = \
|
||||
xcalloc \
|
||||
xchdir \
|
||||
xchroot \
|
||||
+ xclone \
|
||||
xclose \
|
||||
xconnect \
|
||||
xcopy_file_range \
|
||||
diff --git a/support/xclone.c b/support/xclone.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..924d2b875402a819
|
||||
--- /dev/null
|
||||
+++ b/support/xclone.c
|
||||
@@ -0,0 +1,50 @@
|
||||
+/* Auxiliary functions to issue the clone syscall.
|
||||
+ Copyright (C) 2021 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#ifdef __linux__
|
||||
+# include <support/check.h>
|
||||
+# include <stackinfo.h> /* For _STACK_GROWS_{UP,DOWN}. */
|
||||
+# include <xsched.h>
|
||||
+
|
||||
+pid_t
|
||||
+xclone (int (*fn) (void *arg), void *arg, void *stack, size_t stack_size,
|
||||
+ int flags)
|
||||
+{
|
||||
+ pid_t r = -1;
|
||||
+
|
||||
+# ifdef __ia64__
|
||||
+ extern int __clone2 (int (*fn) (void *arg), void *stack, size_t stack_size,
|
||||
+ int flags, void *arg, ...);
|
||||
+ r = __clone2 (f, stack, stack_size, flags, arg, /* ptid */ NULL,
|
||||
+ /* tls */ NULL, /* ctid */ ctid);
|
||||
+# else
|
||||
+# if _STACK_GROWS_DOWN
|
||||
+ r = clone (fn, stack + stack_size, flags, arg, /* ptid */ NULL,
|
||||
+ /* tls */ NULL, /* ctid */ NULL);
|
||||
+# elif _STACK_GROWS_UP
|
||||
+ r = clone (fn, stack, flags, arg, /* ptid */ NULL, /* tls */ NULL,
|
||||
+ &ctid);
|
||||
+# endif
|
||||
+# endif
|
||||
+
|
||||
+ if (r < 0)
|
||||
+ FAIL_EXIT1 ("clone: %m");
|
||||
+
|
||||
+ return r;
|
||||
+}
|
||||
+#endif
|
||||
diff --git a/support/xsched.h b/support/xsched.h
|
||||
new file mode 100644
|
||||
index 0000000000000000..eefd731940187b39
|
||||
--- /dev/null
|
||||
+++ b/support/xsched.h
|
||||
@@ -0,0 +1,34 @@
|
||||
+/* Wrapper for sched.h functions.
|
||||
+ Copyright (C) 2021 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#ifndef SUPPORT_XSCHED_H
|
||||
+#define SUPPORT_XSCHED_H
|
||||
+
|
||||
+__BEGIN_DECLS
|
||||
+
|
||||
+#include <sched.h>
|
||||
+#include <sys/types.h>
|
||||
+
|
||||
+#ifdef __linux__
|
||||
+pid_t xclone (int (*fn) (void *arg), void *arg, void *stack,
|
||||
+ size_t stack_size, int flags);
|
||||
+#endif
|
||||
+
|
||||
+__END_DECLS
|
||||
+
|
||||
+#endif
|
46
SOURCES/glibc-rh2032280-6.patch
Normal file
46
SOURCES/glibc-rh2032280-6.patch
Normal file
@ -0,0 +1,46 @@
|
||||
commit 5b8e7980c5dabd9aaefeba4f0208baa8cf7653ee
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Mon Jan 24 18:14:24 2022 +0100
|
||||
|
||||
Linux: Detect user namespace support in io/tst-getcwd-smallbuff
|
||||
|
||||
Otherwise the test fails with certain container runtimes.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
diff --git a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
|
||||
index d460d6e7662dc5e4..55362f6060a2b3be 100644
|
||||
--- a/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
|
||||
+++ b/sysdeps/unix/sysv/linux/tst-getcwd-smallbuff.c
|
||||
@@ -34,6 +34,7 @@
|
||||
#include <sys/un.h>
|
||||
#include <support/check.h>
|
||||
#include <support/temp_file.h>
|
||||
+#include <support/test-driver.h>
|
||||
#include <support/xsched.h>
|
||||
#include <support/xunistd.h>
|
||||
|
||||
@@ -188,6 +189,23 @@ do_test (void)
|
||||
xmkdir (MOUNT_NAME, S_IRWXU);
|
||||
atexit (do_cleanup);
|
||||
|
||||
+ /* Check whether user namespaces are supported. */
|
||||
+ {
|
||||
+ pid_t pid = xfork ();
|
||||
+ if (pid == 0)
|
||||
+ {
|
||||
+ if (unshare (CLONE_NEWUSER | CLONE_NEWNS) != 0)
|
||||
+ _exit (EXIT_UNSUPPORTED);
|
||||
+ else
|
||||
+ _exit (0);
|
||||
+ }
|
||||
+ int status;
|
||||
+ xwaitpid (pid, &status, 0);
|
||||
+ TEST_VERIFY_EXIT (WIFEXITED (status));
|
||||
+ if (WEXITSTATUS (status) != 0)
|
||||
+ return WEXITSTATUS (status);
|
||||
+ }
|
||||
+
|
||||
TEST_VERIFY_EXIT (socketpair (AF_UNIX, SOCK_STREAM, 0, sockfd) == 0);
|
||||
pid_t child_pid = xclone (child_func, NULL, child_stack,
|
||||
sizeof (child_stack),
|
24
SOURCES/glibc-rh2032280-7.patch
Normal file
24
SOURCES/glibc-rh2032280-7.patch
Normal file
@ -0,0 +1,24 @@
|
||||
commit 3842ba494963b1d76ad5f68b8d1e5c2279160e31
|
||||
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
|
||||
Date: Tue Jun 1 09:23:40 2021 +0100
|
||||
|
||||
aarch64: align stack in clone [BZ #27939]
|
||||
|
||||
The AArch64 PCS requires 16 byte aligned stack. Previously if the
|
||||
caller passed an unaligned stack to clone then the child crashed.
|
||||
|
||||
Fixes bug 27939.
|
||||
|
||||
diff --git a/sysdeps/unix/sysv/linux/aarch64/clone.S b/sysdeps/unix/sysv/linux/aarch64/clone.S
|
||||
index e0653048259dd9a3..4a1a999447ee5cf1 100644
|
||||
--- a/sysdeps/unix/sysv/linux/aarch64/clone.S
|
||||
+++ b/sysdeps/unix/sysv/linux/aarch64/clone.S
|
||||
@@ -48,6 +48,8 @@ ENTRY(__clone)
|
||||
/* Sanity check args. */
|
||||
mov x0, #-EINVAL
|
||||
cbz x10, .Lsyscall_error
|
||||
+ /* Align sp. */
|
||||
+ and x1, x1, -16
|
||||
cbz x1, .Lsyscall_error
|
||||
|
||||
/* Do the system call. */
|
164
SOURCES/glibc-rh2045062-1.patch
Normal file
164
SOURCES/glibc-rh2045062-1.patch
Normal file
@ -0,0 +1,164 @@
|
||||
commit e368b12f6c16b6888dda99ba641e999b9c9643c8
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Mon Jan 17 10:21:34 2022 +0100
|
||||
|
||||
socket: Add the __sockaddr_un_set function
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
# Conflicts:
|
||||
# socket/Makefile
|
||||
|
||||
diff --git a/include/sys/un.h b/include/sys/un.h
|
||||
index bdbee999806930f4..152afd9fc7426d8b 100644
|
||||
--- a/include/sys/un.h
|
||||
+++ b/include/sys/un.h
|
||||
@@ -1 +1,13 @@
|
||||
#include <socket/sys/un.h>
|
||||
+
|
||||
+#ifndef _ISOMAC
|
||||
+
|
||||
+/* Set ADDR->sun_family to AF_UNIX and ADDR->sun_path to PATHNAME.
|
||||
+ Return 0 on success or -1 on failure (due to overlong PATHNAME).
|
||||
+ The caller should always use sizeof (struct sockaddr_un) as the
|
||||
+ socket address length, disregaring the length of PATHNAME.
|
||||
+ Only concrete (non-abstract) pathnames are supported. */
|
||||
+int __sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
|
||||
+ attribute_hidden;
|
||||
+
|
||||
+#endif /* _ISOMAC */
|
||||
diff --git a/socket/Makefile b/socket/Makefile
|
||||
index b41eb071507a6271..8975a65c2aabbfbc 100644
|
||||
--- a/socket/Makefile
|
||||
+++ b/socket/Makefile
|
||||
@@ -29,10 +29,14 @@ headers := sys/socket.h sys/un.h bits/sockaddr.h bits/socket.h \
|
||||
routines := accept bind connect getpeername getsockname getsockopt \
|
||||
listen recv recvfrom recvmsg send sendmsg sendto \
|
||||
setsockopt shutdown socket socketpair isfdtype opensock \
|
||||
- sockatmark accept4 recvmmsg sendmmsg
|
||||
+ sockatmark accept4 recvmmsg sendmmsg sockaddr_un_set
|
||||
|
||||
tests := tst-accept4
|
||||
|
||||
+tests-internal := \
|
||||
+ tst-sockaddr_un_set \
|
||||
+ # tests-internal
|
||||
+
|
||||
aux := sa_len
|
||||
|
||||
include ../Rules
|
||||
diff --git a/socket/sockaddr_un_set.c b/socket/sockaddr_un_set.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..0bd40dc34e3d7efc
|
||||
--- /dev/null
|
||||
+++ b/socket/sockaddr_un_set.c
|
||||
@@ -0,0 +1,41 @@
|
||||
+/* Set the sun_path member of struct sockaddr_un.
|
||||
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <string.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/un.h>
|
||||
+
|
||||
+int
|
||||
+__sockaddr_un_set (struct sockaddr_un *addr, const char *pathname)
|
||||
+{
|
||||
+ size_t name_length = strlen (pathname);
|
||||
+
|
||||
+ /* The kernel supports names of exactly sizeof (addr->sun_path)
|
||||
+ bytes, without a null terminator, but userspace does not; see the
|
||||
+ SUN_LEN macro. */
|
||||
+ if (name_length >= sizeof (addr->sun_path))
|
||||
+ {
|
||||
+ __set_errno (EINVAL); /* Error code used by the kernel. */
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
+ addr->sun_family = AF_UNIX;
|
||||
+ memcpy (addr->sun_path, pathname, name_length + 1);
|
||||
+ return 0;
|
||||
+}
|
||||
diff --git a/socket/tst-sockaddr_un_set.c b/socket/tst-sockaddr_un_set.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..29c2a81afda81b5e
|
||||
--- /dev/null
|
||||
+++ b/socket/tst-sockaddr_un_set.c
|
||||
@@ -0,0 +1,62 @@
|
||||
+/* Test the __sockaddr_un_set function.
|
||||
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <https://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+/* Re-compile the function because the version in libc is not
|
||||
+ exported. */
|
||||
+#include "sockaddr_un_set.c"
|
||||
+
|
||||
+#include <support/check.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ struct sockaddr_un sun;
|
||||
+
|
||||
+ memset (&sun, 0xcc, sizeof (sun));
|
||||
+ __sockaddr_un_set (&sun, "");
|
||||
+ TEST_COMPARE (sun.sun_family, AF_UNIX);
|
||||
+ TEST_COMPARE (__sockaddr_un_set (&sun, ""), 0);
|
||||
+
|
||||
+ memset (&sun, 0xcc, sizeof (sun));
|
||||
+ TEST_COMPARE (__sockaddr_un_set (&sun, "/example"), 0);
|
||||
+ TEST_COMPARE_STRING (sun.sun_path, "/example");
|
||||
+
|
||||
+ {
|
||||
+ char pathname[108]; /* Length of sun_path (ABI constant). */
|
||||
+ memset (pathname, 'x', sizeof (pathname));
|
||||
+ pathname[sizeof (pathname) - 1] = '\0';
|
||||
+ memset (&sun, 0xcc, sizeof (sun));
|
||||
+ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), 0);
|
||||
+ TEST_COMPARE (sun.sun_family, AF_UNIX);
|
||||
+ TEST_COMPARE_STRING (sun.sun_path, pathname);
|
||||
+ }
|
||||
+
|
||||
+ {
|
||||
+ char pathname[109];
|
||||
+ memset (pathname, 'x', sizeof (pathname));
|
||||
+ pathname[sizeof (pathname) - 1] = '\0';
|
||||
+ memset (&sun, 0xcc, sizeof (sun));
|
||||
+ errno = 0;
|
||||
+ TEST_COMPARE (__sockaddr_un_set (&sun, pathname), -1);
|
||||
+ TEST_COMPARE (errno, EINVAL);
|
||||
+ }
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
32
SOURCES/glibc-rh2045062-2.patch
Normal file
32
SOURCES/glibc-rh2045062-2.patch
Normal file
@ -0,0 +1,32 @@
|
||||
commit 226b46770c82899b555986583294b049c6ec9b40
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Mon Jan 17 10:21:34 2022 +0100
|
||||
|
||||
CVE-2022-23219: Buffer overflow in sunrpc clnt_create for "unix" (bug 22542)
|
||||
|
||||
Processing an overlong pathname in the sunrpc clnt_create function
|
||||
results in a stack-based buffer overflow.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
diff --git a/sunrpc/clnt_gen.c b/sunrpc/clnt_gen.c
|
||||
index 13ced8994e49d4ee..b44357cd88e60599 100644
|
||||
--- a/sunrpc/clnt_gen.c
|
||||
+++ b/sunrpc/clnt_gen.c
|
||||
@@ -57,9 +57,13 @@ clnt_create (const char *hostname, u_long prog, u_long vers,
|
||||
|
||||
if (strcmp (proto, "unix") == 0)
|
||||
{
|
||||
- memset ((char *)&sun, 0, sizeof (sun));
|
||||
- sun.sun_family = AF_UNIX;
|
||||
- strcpy (sun.sun_path, hostname);
|
||||
+ if (__sockaddr_un_set (&sun, hostname) < 0)
|
||||
+ {
|
||||
+ struct rpc_createerr *ce = &get_rpc_createerr ();
|
||||
+ ce->cf_stat = RPC_SYSTEMERROR;
|
||||
+ ce->cf_error.re_errno = errno;
|
||||
+ return NULL;
|
||||
+ }
|
||||
sock = RPC_ANYSOCK;
|
||||
client = clntunix_create (&sun, prog, vers, &sock, 0, 0);
|
||||
if (client == NULL)
|
80
SOURCES/glibc-rh2045062-3.patch
Normal file
80
SOURCES/glibc-rh2045062-3.patch
Normal file
@ -0,0 +1,80 @@
|
||||
commit ef972a4c50014a16132b5c75571cfb6b30bef136
|
||||
Author: Martin Sebor <msebor@redhat.com>
|
||||
Date: Mon Jan 17 10:21:34 2022 +0100
|
||||
|
||||
sunrpc: Test case for clnt_create "unix" buffer overflow (bug 22542)
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
# Conflicts:
|
||||
# sunrpc/Makefile
|
||||
|
||||
diff --git a/sunrpc/Makefile b/sunrpc/Makefile
|
||||
index 85b0b3356aaf81a3..2f8f0597c99e117f 100644
|
||||
--- a/sunrpc/Makefile
|
||||
+++ b/sunrpc/Makefile
|
||||
@@ -95,7 +95,8 @@ others += rpcgen
|
||||
endif
|
||||
|
||||
tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
|
||||
- tst-udp-nonblocking
|
||||
+ tst-udp-nonblocking tst-bug22542
|
||||
+
|
||||
xtests := tst-getmyaddr
|
||||
|
||||
ifeq ($(have-thread-library),yes)
|
||||
@@ -246,3 +247,4 @@ $(objpfx)tst-udp-timeout: $(common-objpfx)linkobj/libc.so
|
||||
$(objpfx)tst-udp-nonblocking: $(common-objpfx)linkobj/libc.so
|
||||
$(objpfx)tst-udp-garbage: \
|
||||
$(common-objpfx)linkobj/libc.so $(shared-thread-library)
|
||||
+$(objpfx)tst-bug22542: $(common-objpfx)linkobj/libc.so
|
||||
diff --git a/sunrpc/tst-bug22542.c b/sunrpc/tst-bug22542.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..d6cd79787bdef21d
|
||||
--- /dev/null
|
||||
+++ b/sunrpc/tst-bug22542.c
|
||||
@@ -0,0 +1,44 @@
|
||||
+/* Test to verify that overlong hostname is rejected by clnt_create
|
||||
+ and doesn't cause a buffer overflow (bug 22542).
|
||||
+
|
||||
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <rpc/clnt.h>
|
||||
+#include <string.h>
|
||||
+#include <support/check.h>
|
||||
+#include <sys/socket.h>
|
||||
+#include <sys/un.h>
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ /* Create an arbitrary hostname that's longer than fits in sun_path. */
|
||||
+ char name [sizeof ((struct sockaddr_un*)0)->sun_path * 2];
|
||||
+ memset (name, 'x', sizeof name - 1);
|
||||
+ name [sizeof name - 1] = '\0';
|
||||
+
|
||||
+ errno = 0;
|
||||
+ CLIENT *clnt = clnt_create (name, 0, 0, "unix");
|
||||
+
|
||||
+ TEST_VERIFY (clnt == NULL);
|
||||
+ TEST_COMPARE (errno, EINVAL);
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
101
SOURCES/glibc-rh2045062-4.patch
Normal file
101
SOURCES/glibc-rh2045062-4.patch
Normal file
@ -0,0 +1,101 @@
|
||||
commit f545ad4928fa1f27a3075265182b38a4f939a5f7
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Mon Jan 17 10:21:34 2022 +0100
|
||||
|
||||
CVE-2022-23218: Buffer overflow in sunrpc svcunix_create (bug 28768)
|
||||
|
||||
The sunrpc function svcunix_create suffers from a stack-based buffer
|
||||
overflow with overlong pathname arguments.
|
||||
|
||||
Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
||||
|
||||
diff --git a/sunrpc/Makefile b/sunrpc/Makefile
|
||||
index 2f8f0597c99e117f..5f7087aee494cc2e 100644
|
||||
--- a/sunrpc/Makefile
|
||||
+++ b/sunrpc/Makefile
|
||||
@@ -95,7 +95,7 @@ others += rpcgen
|
||||
endif
|
||||
|
||||
tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error tst-udp-timeout \
|
||||
- tst-udp-nonblocking tst-bug22542
|
||||
+ tst-udp-nonblocking tst-bug22542 tst-bug28768
|
||||
|
||||
xtests := tst-getmyaddr
|
||||
|
||||
diff --git a/sunrpc/svc_unix.c b/sunrpc/svc_unix.c
|
||||
index c2c076aa87f0a2ad..8fac2b35da1d38a5 100644
|
||||
--- a/sunrpc/svc_unix.c
|
||||
+++ b/sunrpc/svc_unix.c
|
||||
@@ -154,7 +154,10 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
|
||||
SVCXPRT *xprt;
|
||||
struct unix_rendezvous *r;
|
||||
struct sockaddr_un addr;
|
||||
- socklen_t len = sizeof (struct sockaddr_in);
|
||||
+ socklen_t len = sizeof (addr);
|
||||
+
|
||||
+ if (__sockaddr_un_set (&addr, path) < 0)
|
||||
+ return NULL;
|
||||
|
||||
if (sock == RPC_ANYSOCK)
|
||||
{
|
||||
@@ -165,12 +168,6 @@ svcunix_create (int sock, u_int sendsize, u_int recvsize, char *path)
|
||||
}
|
||||
madesock = TRUE;
|
||||
}
|
||||
- memset (&addr, '\0', sizeof (addr));
|
||||
- addr.sun_family = AF_UNIX;
|
||||
- len = strlen (path) + 1;
|
||||
- memcpy (addr.sun_path, path, len);
|
||||
- len += sizeof (addr.sun_family);
|
||||
-
|
||||
__bind (sock, (struct sockaddr *) &addr, len);
|
||||
|
||||
if (__getsockname (sock, (struct sockaddr *) &addr, &len) != 0
|
||||
diff --git a/sunrpc/tst-bug28768.c b/sunrpc/tst-bug28768.c
|
||||
new file mode 100644
|
||||
index 0000000000000000..35a4b7b0b3d34350
|
||||
--- /dev/null
|
||||
+++ b/sunrpc/tst-bug28768.c
|
||||
@@ -0,0 +1,42 @@
|
||||
+/* Test to verify that long path is rejected by svcunix_create (bug 28768).
|
||||
+ Copyright (C) 2022 Free Software Foundation, Inc.
|
||||
+ This file is part of the GNU C Library.
|
||||
+
|
||||
+ The GNU C Library is free software; you can redistribute it and/or
|
||||
+ modify it under the terms of the GNU Lesser General Public
|
||||
+ License as published by the Free Software Foundation; either
|
||||
+ version 2.1 of the License, or (at your option) any later version.
|
||||
+
|
||||
+ The GNU C Library is distributed in the hope that it will be useful,
|
||||
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
+ Lesser General Public License for more details.
|
||||
+
|
||||
+ You should have received a copy of the GNU Lesser General Public
|
||||
+ License along with the GNU C Library; if not, see
|
||||
+ <http://www.gnu.org/licenses/>. */
|
||||
+
|
||||
+#include <errno.h>
|
||||
+#include <rpc/svc.h>
|
||||
+#include <shlib-compat.h>
|
||||
+#include <string.h>
|
||||
+#include <support/check.h>
|
||||
+
|
||||
+/* svcunix_create does not have a default version in linkobj/libc.so. */
|
||||
+compat_symbol_reference (libc, svcunix_create, svcunix_create, GLIBC_2_1);
|
||||
+
|
||||
+static int
|
||||
+do_test (void)
|
||||
+{
|
||||
+ char pathname[109];
|
||||
+ memset (pathname, 'x', sizeof (pathname));
|
||||
+ pathname[sizeof (pathname) - 1] = '\0';
|
||||
+
|
||||
+ errno = 0;
|
||||
+ TEST_VERIFY (svcunix_create (RPC_ANYSOCK, 4096, 4096, pathname) == NULL);
|
||||
+ TEST_COMPARE (errno, EINVAL);
|
||||
+
|
||||
+ return 0;
|
||||
+}
|
||||
+
|
||||
+#include <support/test-driver.c>
|
54
SOURCES/glibc-rh2045062-5.patch
Normal file
54
SOURCES/glibc-rh2045062-5.patch
Normal file
@ -0,0 +1,54 @@
|
||||
commit 36f6e408845c8c539128f3fb9cb132bf1845a2c8
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Tue Mar 9 21:07:24 2021 +0100
|
||||
|
||||
<shlib-compat.h>: Support compat_symbol_reference for _ISOMAC
|
||||
|
||||
This is helpful for testing compat symbols in cases where _ISOMAC
|
||||
is activated implicitly due to -DMODULE_NAME=testsuite and cannot
|
||||
be disabled easily.
|
||||
|
||||
diff --git a/include/libc-symbols.h b/include/libc-symbols.h
|
||||
index 41436050d060b89f..44e12b63d40cc572 100644
|
||||
--- a/include/libc-symbols.h
|
||||
+++ b/include/libc-symbols.h
|
||||
@@ -59,6 +59,19 @@
|
||||
# define IN_MODULE (-1)
|
||||
#endif
|
||||
|
||||
+/* Use symbol_version_reference to specify the version a symbol
|
||||
+ reference should link to. Use symbol_version or
|
||||
+ default_symbol_version for the definition of a versioned symbol.
|
||||
+ The difference is that the latter is a no-op in non-shared
|
||||
+ builds. */
|
||||
+#ifdef __ASSEMBLER__
|
||||
+# define symbol_version_reference(real, name, version) \
|
||||
+ .symver real, name##@##version
|
||||
+#else /* !__ASSEMBLER__ */
|
||||
+# define symbol_version_reference(real, name, version) \
|
||||
+ __asm__ (".symver " #real "," #name "@" #version)
|
||||
+#endif
|
||||
+
|
||||
#ifndef _ISOMAC
|
||||
|
||||
/* This is defined for the compilation of all C library code. features.h
|
||||
@@ -388,19 +401,6 @@ for linking")
|
||||
past the last element in SET. */
|
||||
#define symbol_set_end_p(set, ptr) ((ptr) >= (void *const *) &__stop_##set)
|
||||
|
||||
-/* Use symbol_version_reference to specify the version a symbol
|
||||
- reference should link to. Use symbol_version or
|
||||
- default_symbol_version for the definition of a versioned symbol.
|
||||
- The difference is that the latter is a no-op in non-shared
|
||||
- builds. */
|
||||
-#ifdef __ASSEMBLER__
|
||||
-# define symbol_version_reference(real, name, version) \
|
||||
- .symver real, name##@##version
|
||||
-#else /* !__ASSEMBLER__ */
|
||||
-# define symbol_version_reference(real, name, version) \
|
||||
- __asm__ (".symver " #real "," #name "@" #version)
|
||||
-#endif
|
||||
-
|
||||
#ifdef SHARED
|
||||
# define symbol_version(real, name, version) \
|
||||
symbol_version_reference(real, name, version)
|
@ -1,6 +1,6 @@
|
||||
%define glibcsrcdir glibc-2.28
|
||||
%define glibcversion 2.28
|
||||
%define glibcrelease 164%{?dist}
|
||||
%define glibcrelease 164%{?dist}.3
|
||||
# Pre-release tarballs are pulled in from git using a command that is
|
||||
# effectively:
|
||||
#
|
||||
@ -719,6 +719,18 @@ Patch582: glibc-rh1966472-1.patch
|
||||
Patch583: glibc-rh1966472-2.patch
|
||||
Patch584: glibc-rh1966472-3.patch
|
||||
Patch585: glibc-rh1966472-4.patch
|
||||
Patch586: glibc-rh2032280-1.patch
|
||||
Patch587: glibc-rh2032280-2.patch
|
||||
Patch588: glibc-rh2032280-3.patch
|
||||
Patch589: glibc-rh2032280-4.patch
|
||||
Patch590: glibc-rh2032280-5.patch
|
||||
Patch591: glibc-rh2032280-6.patch
|
||||
Patch592: glibc-rh2032280-7.patch
|
||||
Patch593: glibc-rh2045062-1.patch
|
||||
Patch594: glibc-rh2045062-2.patch
|
||||
Patch595: glibc-rh2045062-3.patch
|
||||
Patch596: glibc-rh2045062-4.patch
|
||||
Patch597: glibc-rh2045062-5.patch
|
||||
|
||||
##############################################################################
|
||||
# Continued list of core "glibc" package information:
|
||||
@ -2631,6 +2643,17 @@ fi
|
||||
%files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared
|
||||
|
||||
%changelog
|
||||
* Thu Jan 27 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.3
|
||||
- CVE-2021-3999: getcwd: align stack on clone in aarch64 and fix a memory leak
|
||||
(#2032280)
|
||||
|
||||
* Wed Jan 26 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.2
|
||||
- CVE-2022-23218, CVE-2022-23219: Fix buffer overflows in sunrpc clnt_create
|
||||
for "unix" and svcunix_create (#2045062).
|
||||
|
||||
* Mon Jan 24 2022 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164.1
|
||||
- CVE-2021-3999: getcwd: Set errno to ERANGE for size == 1 (#2032280)
|
||||
|
||||
* Mon Aug 9 2021 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.28-164
|
||||
- librt: fix NULL pointer dereference (#1966472).
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user