- Fix bogus underflow (#760935)

- Correctly handle dns request where large numbers of A and AAA
    records
    are returned (#795498)
  - Fix nscd crash when group has many members (#788959)
This commit is contained in:
Jeff Law 2012-02-24 10:41:06 -07:00
parent 0e190d479d
commit c0564b95e0
4 changed files with 179 additions and 1 deletions

18
glibc-rh760935.patch Normal file
View File

@ -0,0 +1,18 @@
diff -rup a/sysdeps/ieee754/dbl-64/w_exp.c b/sysdeps/ieee754/dbl-64/w_exp.c
--- a/sysdeps/ieee754/dbl-64/w_exp.c 2012-01-01 05:16:32.000000000 -0700
+++ b/sysdeps/ieee754/dbl-64/w_exp.c 2012-02-24 10:32:52.769230965 -0700
@@ -32,12 +32,12 @@ __exp (double x)
if (__builtin_expect (x > o_threshold, 0))
{
if (_LIB_VERSION != _IEEE_)
- return __kernel_standard_f (x, x, 6);
+ return __kernel_standard (x, x, 6);
}
else if (__builtin_expect (x < u_threshold, 0))
{
if (_LIB_VERSION != _IEEE_)
- return __kernel_standard_f (x, x, 7);
+ return __kernel_standard (x, x, 7);
}
return __ieee754_exp (x);

131
glibc-rh788989.patch Normal file
View File

@ -0,0 +1,131 @@
diff --git a/nis/nss_compat/compat-initgroups.c b/nis/nss_compat/compat-initgroups.c
index a70d66d..ad6ab35 100644
--- a/nis/nss_compat/compat-initgroups.c
+++ b/nis/nss_compat/compat-initgroups.c
@@ -296,6 +296,8 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
if (nss_initgroups_dyn (user, group, &mystart, &mysize, &mygroups,
limit, errnop) == NSS_STATUS_SUCCESS)
{
+ status = NSS_STATUS_NOTFOUND;
+
/* If there is no blacklist we can trust the underlying
initgroups implementation. */
if (ent->blacklist.current <= 1)
@@ -308,6 +310,7 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
overwrite the pointer with one to a bigger buffer. */
char *tmpbuf = buffer;
size_t tmplen = buflen;
+ bool use_malloc = false;
for (int i = 0; i < mystart; i++)
{
@@ -315,21 +318,36 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
tmpbuf, tmplen, errnop))
== NSS_STATUS_TRYAGAIN
&& *errnop == ERANGE)
- if (tmpbuf == buffer)
- {
- tmplen *= 2;
- tmpbuf = __alloca (tmplen);
- }
- else
- tmpbuf = extend_alloca (tmpbuf, tmplen, 2 * tmplen);
+ {
+ if (__libc_use_alloca (tmplen * 2))
+ {
+ if (tmpbuf == buffer)
+ {
+ tmplen *= 2;
+ tmpbuf = __alloca (tmplen);
+ }
+ else
+ tmpbuf = extend_alloca (tmpbuf, tmplen, tmplen * 2);
+ }
+ else
+ {
+ tmplen *= 2;
+ char *newbuf = realloc (use_malloc ? tmpbuf : NULL, tmplen);
+
+ if (newbuf == NULL)
+ {
+ status = NSS_STATUS_TRYAGAIN;
+ goto done;
+ }
+ use_malloc = true;
+ tmpbuf = newbuf;
+ }
+ }
if (__builtin_expect (status != NSS_STATUS_NOTFOUND, 1))
{
if (__builtin_expect (status != NSS_STATUS_SUCCESS, 0))
- {
- free (mygroups);
- return status;
- }
+ goto done;
if (!in_blacklist (grpbuf.gr_name,
strlen (grpbuf.gr_name), ent)
@@ -347,11 +365,17 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
}
}
}
+
+ status = NSS_STATUS_NOTFOUND;
+
+ done:
+ if (use_malloc)
+ free (tmpbuf);
}
free (mygroups);
- return NSS_STATUS_NOTFOUND;
+ return status;
}
free (mygroups);
@@ -508,6 +532,7 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
char *tmpbuf;
enum nss_status status;
ent_t intern = { true, false, false, NULL, {NULL, 0, 0} };
+ bool use_malloc = false;
status = internal_setgrent (&intern);
if (status != NSS_STATUS_SUCCESS)
@@ -521,13 +546,32 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
user, group, start, size,
groupsp, limit, errnop))
== NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
- tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
+ if (__libc_use_alloca (buflen * 2))
+ tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
+ else
+ {
+ buflen *= 2;
+ char *newbuf = realloc (use_malloc ? tmpbuf : NULL, buflen);
+ if (newbuf == NULL)
+ {
+ status = NSS_STATUS_TRYAGAIN;
+ goto done;
+ }
+ use_malloc = true;
+ tmpbuf = newbuf;
+ }
}
while (status == NSS_STATUS_SUCCESS);
+ status = NSS_STATUS_SUCCESS;
+
+ done:
+ if (use_malloc)
+ free (tmpbuf);
+
internal_endgrent (&intern);
- return NSS_STATUS_SUCCESS;
+ return status;
}

13
glibc-rh795498.patch Normal file
View File

@ -0,0 +1,13 @@
diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
index 01369f6..44ad04d 100644
--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
@@ -1219,7 +1219,7 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
&first);
if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
|| (status == NSS_STATUS_TRYAGAIN
- && (errno != ERANGE || *h_errnop != NO_RECOVERY)))
+ && (*errnop != ERANGE || *h_errnop == NO_RECOVERY)))
&& answer2 != NULL && anslen2 > 0)
{
enum nss_status status2 = gaih_getanswer_slice(answer2, anslen2, qname,

View File

@ -28,7 +28,7 @@
Summary: The GNU libc libraries
Name: glibc
Version: %{glibcversion}
Release: 23%{?dist}
Release: 24%{?dist}
# GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
# Things that are linked directly into dynamically linked programs
# and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@ -100,6 +100,13 @@ Patch32 : %{name}-rh739743.patch
Patch33 : %{name}-rh789238.patch
# Patch posted upstream, discussion ongoing, Paul E. seems to think it's OK
Patch34 : %{name}-rh794797.patch
# Posted upstream
Patch35 : %{name}-rh788989.patch
# Posted upstream
Patch36 : %{name}-rh795498.patch
# Posted upstream (bz 13705)
Patch37 : %{name}-rh795498.patch
Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -353,6 +360,9 @@ rm -rf %{glibcportsdir}
%patch32 -p1
%patch33 -p1
%patch34 -p1
%patch35 -p1
%patch36 -p1
%patch37 -p1
# A lot of programs still misuse memcpy when they have to use
# memmove. The memcpy implementation below is not tolerant at
@ -1205,6 +1215,12 @@ rm -f *.filelist*
%endif
%changelog
* Fri Feb 24 2012 Jeff Law <law@redhat.com> - 2.15-24
- Fix bogus underflow (#760935)
- Correctly handle dns request where large numbers of A and AAA records
are returned (#795498)
- Fix nscd crash when group has many members (#788959)
* Mon Feb 20 2012 Jeff Law <law@redhat.com> - 2.15-23
- Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)