From f64bffe28e43b2b7c598d46100153a5a4113277e Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar
Date: Tue, 26 Aug 2014 14:07:54 +0530
Subject: [PATCH] Fix #1133134, #1119128 and sync with upstream master
- Use INTERNAL_SYSCALL in TLS_INIT_TP (#1133134).
- Remove gconv loadable module transliteration support (#1119128).
---
glibc-rh1119128.patch | 199 +++++++++++++++++++++++++++++
glibc-rh1133134-i386-tlsinit.patch | 19 +++
glibc.spec | 15 ++-
sources | 2 +-
4 files changed, 232 insertions(+), 3 deletions(-)
create mode 100644 glibc-rh1119128.patch
create mode 100644 glibc-rh1133134-i386-tlsinit.patch
diff --git a/glibc-rh1119128.patch b/glibc-rh1119128.patch
new file mode 100644
index 0000000..12b9949
--- /dev/null
+++ b/glibc-rh1119128.patch
@@ -0,0 +1,199 @@
+2014-08-21 Florian Weimer
+
+ [BZ #17187]
+ * iconv/gconv_trans.c (struct known_trans, search_tree, lock,
+ trans_compare, open_translit, __gconv_translit_find):
+ Remove module loading code.
+
+diff --git a/iconv/gconv_trans.c b/iconv/gconv_trans.c
+index 1e25854..d71c029 100644
+--- a/iconv/gconv_trans.c
++++ b/iconv/gconv_trans.c
+@@ -238,181 +238,11 @@ __gconv_transliterate (struct __gconv_step *step,
+ return __GCONV_ILLEGAL_INPUT;
+ }
+
+-
+-
+-/* Structure to represent results of found (or not) transliteration
+- modules. */
+-struct known_trans
+-{
+- /* This structure must remain the first member. */
+- struct trans_struct info;
+-
+- char *fname;
+- void *handle;
+- int open_count;
+-};
+-
+-
+-/* Tree with results of previous calls to __gconv_translit_find. */
+-static void *search_tree;
+-
+-/* We modify global data. */
+-__libc_lock_define_initialized (static, lock);
+-
+-
+-/* Compare two transliteration entries. */
+-static int
+-trans_compare (const void *p1, const void *p2)
+-{
+- const struct known_trans *s1 = (const struct known_trans *) p1;
+- const struct known_trans *s2 = (const struct known_trans *) p2;
+-
+- return strcmp (s1->info.name, s2->info.name);
+-}
+-
+-
+-/* Open (maybe reopen) the module named in the struct. Get the function
+- and data structure pointers we need. */
+-static int
+-open_translit (struct known_trans *trans)
+-{
+- __gconv_trans_query_fct queryfct;
+-
+- trans->handle = __libc_dlopen (trans->fname);
+- if (trans->handle == NULL)
+- /* Not available. */
+- return 1;
+-
+- /* Find the required symbol. */
+- queryfct = __libc_dlsym (trans->handle, "gconv_trans_context");
+- if (queryfct == NULL)
+- {
+- /* We cannot live with that. */
+- close_and_out:
+- __libc_dlclose (trans->handle);
+- trans->handle = NULL;
+- return 1;
+- }
+-
+- /* Get the context. */
+- if (queryfct (trans->info.name, &trans->info.csnames, &trans->info.ncsnames)
+- != 0)
+- goto close_and_out;
+-
+- /* Of course we also have to have the actual function. */
+- trans->info.trans_fct = __libc_dlsym (trans->handle, "gconv_trans");
+- if (trans->info.trans_fct == NULL)
+- goto close_and_out;
+-
+- /* Now the optional functions. */
+- trans->info.trans_init_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_init");
+- trans->info.trans_context_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_context");
+- trans->info.trans_end_fct =
+- __libc_dlsym (trans->handle, "gconv_trans_end");
+-
+- trans->open_count = 1;
+-
+- return 0;
+-}
+-
+-
+ int
+ internal_function
+ __gconv_translit_find (struct trans_struct *trans)
+ {
+- struct known_trans **found;
+- const struct path_elem *runp;
+- int res = 1;
+-
+- /* We have to have a name. */
+- assert (trans->name != NULL);
+-
+- /* Acquire the lock. */
+- __libc_lock_lock (lock);
+-
+- /* See whether we know this module already. */
+- found = __tfind (trans, &search_tree, trans_compare);
+- if (found != NULL)
+- {
+- /* Is this module available? */
+- if ((*found)->handle != NULL)
+- {
+- /* Maybe we have to reopen the file. */
+- if ((*found)->handle != (void *) -1)
+- /* The object is not unloaded. */
+- res = 0;
+- else if (open_translit (*found) == 0)
+- {
+- /* Copy the data. */
+- *trans = (*found)->info;
+- (*found)->open_count++;
+- res = 0;
+- }
+- }
+- }
+- else
+- {
+- size_t name_len = strlen (trans->name) + 1;
+- int need_so = 0;
+- struct known_trans *newp;
+-
+- /* We have to continue looking for the module. */
+- if (__gconv_path_elem == NULL)
+- __gconv_get_path ();
+-
+- /* See whether we have to append .so. */
+- if (name_len <= 4 || memcmp (&trans->name[name_len - 4], ".so", 3) != 0)
+- need_so = 1;
+-
+- /* Create a new entry. */
+- newp = (struct known_trans *) malloc (sizeof (struct known_trans)
+- + (__gconv_max_path_elem_len
+- + name_len + 3)
+- + name_len);
+- if (newp != NULL)
+- {
+- char *cp;
+-
+- /* Clear the struct. */
+- memset (newp, '\0', sizeof (struct known_trans));
+-
+- /* Store a copy of the module name. */
+- newp->info.name = cp = (char *) (newp + 1);
+- cp = __mempcpy (cp, trans->name, name_len);
+-
+- newp->fname = cp;
+-
+- /* Search in all the directories. */
+- for (runp = __gconv_path_elem; runp->name != NULL; ++runp)
+- {
+- cp = __mempcpy (__stpcpy ((char *) newp->fname, runp->name),
+- trans->name, name_len);
+- if (need_so)
+- memcpy (cp, ".so", sizeof (".so"));
+-
+- if (open_translit (newp) == 0)
+- {
+- /* We found a module. */
+- res = 0;
+- break;
+- }
+- }
+-
+- if (res)
+- newp->fname = NULL;
+-
+- /* In any case we'll add the entry to our search tree. */
+- if (__tsearch (newp, &search_tree, trans_compare) == NULL)
+- {
+- /* Yickes, this should not happen. Unload the object. */
+- res = 1;
+- /* XXX unload here. */
+- }
+- }
+- }
+-
+- __libc_lock_unlock (lock);
+-
+- return res;
++ /* This function always fails. Transliteration module loading is
++ not implemented. */
++ return 1;
+ }
+--
+1.9.3
+
diff --git a/glibc-rh1133134-i386-tlsinit.patch b/glibc-rh1133134-i386-tlsinit.patch
new file mode 100644
index 0000000..648c527
--- /dev/null
+++ b/glibc-rh1133134-i386-tlsinit.patch
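Review bot: The stub left in `__gconv_translit_find` (iconv/gconv_trans.c, carried in glibc-rh1119128.patch) says module loading "is not implemented", which hides that the loader was taken out on purpose under BZ #17187; the spec changelog in this same commit ties the removal to CVE-2014-5119. I would word the comment so that nobody restores the `__libc_dlopen` path from history, for example `/* Always fails: loadable transliteration modules were removed (BZ #17187); do not reintroduce module loading here. */`. The parameter `trans` is now unused and the callers are outside this hunk, so it is worth confirming that they treat the non-zero return as "no module available", and that any includes or `__gconv_trans_query_fct` plumbing that only the removed code needed are cleaned up in a follow-up.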
@@ -0,0 +1,19 @@ +diff --git a/sysdeps/i386/nptl/tls.h b/sysdeps/i386/nptl/tls.h +index ac9c9a2..052ea64 100644 +--- a/sysdeps/i386/nptl/tls.h ++++ b/sysdeps/i386/nptl/tls.h +@@ -231,12 +231,8 @@ tls_fill_user_desc (union user_desc_init *desc, + tls_fill_user_desc (&_segdescr, -1, _thrdescr); \ + \ + /* Install the TLS. */ \ +- asm volatile (TLS_LOAD_EBX \ +- "int $0x80\n\t" \ +- TLS_LOAD_EBX \ +- : "=a" (_result), "=m" (_segdescr.desc.entry_number) \ +- : "0" (__NR_set_thread_area), \ +- TLS_EBX_ARG (&_segdescr.desc), "m" (_segdescr.desc)); \ ++ INTERNAL_SYSCALL_DECL (err); \ ++ _result = INTERNAL_SYSCALL (set_thread_area, err, 1, &_segdescr.desc); \ + \ + if (_result == 0) \ + /* We know the index in the GDT, now load the segment register. \ diff --git a/glibc.spec b/glibc.spec index 68aed24..7f6e6fb 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,6 +1,6 @@ -%define glibcsrcdir glibc-2.19-883-g7e54fd0 +%define glibcsrcdir glibc-2.19-886-gdd763fd %define glibcversion 2.19.90 -%define glibcrelease 34%{?dist} +%define glibcrelease 35%{?dist} # Pre-release tarballs are pulled in from git using a command that is # effectively: # @@ -185,6 +185,10 @@ Patch0046: %{name}-rh1013801.patch Patch0047: %{name}-nscd-sysconfig.patch +Patch0048: %{name}-rh1133134-i386-tlsinit.patch + +Patch0049: %{name}-rh1119128.patch + ############################################################################## # # Patches from upstream @@ -555,6 +559,8 @@ package or when debugging this package. %patch2033 -p1 %patch2034 -p1 %patch2035 -p1 +%patch0048 -p1 +%patch0049 -p1 ############################################################################## # %%prep - Additional prep required... 
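Review bot: In `TLS_INIT_TP` (sysdeps/i386/nptl/tls.h, carried in glibc-rh1133134-i386-tlsinit.patch) the new code declares `err` with `INTERNAL_SYSCALL_DECL (err)` but the lines shown never consult it; success is still decided by the context line `if (_result == 0)`. Testing the result with `INTERNAL_SYSCALL_ERROR_P (_result, err)` would keep the check in step with the syscall macros instead of relying on the raw return value. The removed asm named `_segdescr.desc` as an input and `_segdescr.desc.entry_number` as an output memory operand, so it is worth confirming that the i386 `INTERNAL_SYSCALL` expansion gives the compiler the same guarantee before the code after the hunk uses the descriptor the kernel filled in. The macro body starts and ends outside the hunk.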
@@ -1660,6 +1666,11 @@ rm -f *.filelist* %endif %changelog +* Tue Aug 26 2014 Siddhesh Poyarekar - 2.19.90-35 +- Sync with upstream master. +- Use INTERNAL_SYSCALL in TLS_INIT_TP (#1133134). +- Remove gconv loadable module transliteration support (CVE-2014-5119, #1119128). + * Fri Aug 22 2014 Dennis Gilmore - 2.19.90-34 - add back sss to nsswitch.conf we have added workarounds in the tools diff --git a/sources b/sources index 9968a00..f0a7ec7 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -d38c767ab249c9865b81070fe4d3b752 glibc-2.19-883-g7e54fd0.tar.gz +6b7d687c4bf371fc6fd5b100b9ded870 glibc-2.19-886-gdd763fd.tar.gz