From fb3d49c3bfe0e81282940b08de2387260cb51e6c Mon Sep 17 00:00:00 2001 From: Florian Weimer Date: Mon, 5 Dec 2022 18:01:18 +0100 Subject: [PATCH] Import Import glibc-2.34-52.fc35 from f35 * Wed Nov 30 2022 Florian Weimer - 2.34-52 - Add noarch sysroot subpackages (#2149644) * Tue Nov 29 2022 Florian Weimer - 2.34-51 - Prepare for integration of GCC 8 compatible _Static_assert (#2149102) * Fri Nov 25 2022 Arjun Shankar - 2.34-50 - Sync with upstream branch release/2.34/master, commit 405b8ae13540e9fd614df614e3361ebf9abd14cf: - elf: Fix wrong fscanf usage on tst-pldd - Allow for unpriviledged nested containers - elf: Fix wrong fscanf usage on tst-pldd - x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591] - elf: Fix rtld-audit trampoline for aarch64 Resolves: #2149102 Resolves: #2149644 --- glibc-rh2149102.patch | 19 ++ glibc-upstream-2.34-361.patch | 46 +++++ glibc-upstream-2.34-362.patch | 128 ++++++++++++ glibc-upstream-2.34-363.patch | 26 +++ glibc-upstream-2.34-364.patch | 362 ++++++++++++++++++++++++++++++++++ glibc-upstream-2.34-365.patch | 39 ++++ glibc.spec | 113 ++++++++++- wrap-find-debuginfo.sh | 9 +- 8 files changed, 733 insertions(+), 9 deletions(-) create mode 100644 glibc-rh2149102.patch create mode 100644 glibc-upstream-2.34-361.patch create mode 100644 glibc-upstream-2.34-362.patch create mode 100644 glibc-upstream-2.34-363.patch create mode 100644 glibc-upstream-2.34-364.patch create mode 100644 glibc-upstream-2.34-365.patch diff --git a/glibc-rh2149102.patch b/glibc-rh2149102.patch new file mode 100644 index 0000000..6516cc0 --- /dev/null +++ b/glibc-rh2149102.patch 
@@ -0,0 +1,19 @@ +commit b8c6166b1b75036ab3e4127a1c0aacf52ca93651 +Author: Florian Weimer +Date: Mon Sep 6 19:43:37 2021 +0200 + + locale: Add missing second argument to _Static_assert in C-collate-seq.c + +diff --git a/locale/C-collate-seq.c b/locale/C-collate-seq.c +index 4fb82cb8357936b6..40b17f4f90313144 100644 +--- a/locale/C-collate-seq.c ++++ b/locale/C-collate-seq.c +@@ -55,7 +55,7 @@ static const char collseqmb[] = + + /* This table must be 256 bytes in size. We index bytes into the + table to find the collation sequence. */ +-_Static_assert (sizeof (collseqmb) == 256); ++_Static_assert (sizeof (collseqmb) == 256, "sizeof (collseqmb)"); + + static const uint32_t collseqwc[] = + { diff --git a/glibc-upstream-2.34-361.patch b/glibc-upstream-2.34-361.patch new file mode 100644 index 0000000..b6b86ca --- /dev/null +++ b/glibc-upstream-2.34-361.patch 
@@ -0,0 +1,46 @@ +commit 691f70b84a1284f35c8cf9fbf3ef3b1cec41c234 +Author: Vladislav Khmelevsky +Date: Thu Nov 17 12:47:29 2022 +0400 + + elf: Fix rtld-audit trampoline for aarch64 + + This patch fixes two problems with audit: + + 1. The DL_OFFSET_RV_VPCS offset was mixed up with DL_OFFSET_RG_VPCS, + resulting in x2 register value nulling in RG structure. + + 2. We need to preserve the x8 register before function call, but + don't have to save it's new value and restore it before return. + + Anyway the final restore was using OFFSET_RV instead of OFFSET_RG value + which is wrong (althoug doesn't affect anything). + + Reviewed-by: Adhemerval Zanella + (cherry picked from commit eb4181e9f4a512de37dad4ba623c921671584dea) + +diff --git a/sysdeps/aarch64/dl-trampoline.S b/sysdeps/aarch64/dl-trampoline.S +index 457570e7df5148c0..b84c53d1a544c1b1 100644 +--- a/sysdeps/aarch64/dl-trampoline.S ++++ b/sysdeps/aarch64/dl-trampoline.S +@@ -298,12 +298,11 @@ _dl_runtime_profile: + stp x2, x3, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*1] + stp x4, x5, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*2] + stp x6, x7, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*3] +- str x8, [x29, #OFFSET_RG + DL_OFFSET_RG_X0 + 16*4] + stp q0, q1, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*0] + stp q2, q3, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*1] + stp q4, q5, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*2] + stp q6, q7, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*3] +- str xzr, [X29, #OFFSET_RV + DL_OFFSET_RG_VPCS] ++ str xzr, [X29, #OFFSET_RV + DL_OFFSET_RV_VPCS] + + /* Setup call to pltexit */ + ldp x0, x1, [x29, #OFFSET_SAVED_CALL_X0] +@@ -315,7 +314,6 @@ _dl_runtime_profile: + ldp x2, x3, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*1] + ldp x4, x5, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*2] + ldp x6, x7, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*3] +- ldr x8, [x29, #OFFSET_RV + DL_OFFSET_RV_X0 + 16*4] + ldp q0, q1, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*0] + ldp q2, q3, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*1] + ldp q4, 
q5, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*2] diff --git a/glibc-upstream-2.34-362.patch b/glibc-upstream-2.34-362.patch new file mode 100644 index 0000000..d7b4767 --- /dev/null +++ b/glibc-upstream-2.34-362.patch 
@@ -0,0 +1,128 @@ +commit e3255e7d2188d1731aad83ad0dc147513560aa1e +Author: Noah Goldstein +Date: Tue Sep 20 17:58:04 2022 -0700 + + x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591] + + Previous implementation was adjusting length (rsi) to match + bytes (eax), but since there is no bound to length this can cause + overflow. + + Fix is to just convert the byte-count (eax) to length by dividing by + sizeof (wchar_t) before the comparison. + + Full check passes on x86-64 and build succeeds w/ and w/o multiarch. + + (cherry picked from commit b0969fa53a28b4ab2159806bf6c99a98999502ee) + +diff --git a/string/test-strnlen.c b/string/test-strnlen.c +index bb5d9b5f04fa6586..eac84cd17526d5d9 100644 +--- a/string/test-strnlen.c ++++ b/string/test-strnlen.c +@@ -75,7 +75,7 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char) + { + size_t i; + +- align &= 63; ++ align &= (getpagesize () / sizeof (CHAR) - 1); + if ((align + len) * sizeof (CHAR) >= page_size) + return; + +@@ -92,36 +92,50 @@ do_test (size_t align, size_t len, size_t maxlen, int max_char) + static void + do_overflow_tests (void) + { +- size_t i, j, len; ++ size_t i, j, al_idx, repeats, len; + const size_t one = 1; + uintptr_t buf_addr = (uintptr_t) buf1; ++ const size_t alignments[] = { 0, 1, 7, 9, 31, 33, 63, 65, 95, 97, 127, 129 }; + +- for (i = 0; i < 750; ++i) ++ for (al_idx = 0; al_idx < sizeof (alignments) / sizeof (alignments[0]); ++ al_idx++) + { +- do_test (0, i, SIZE_MAX - i, BIG_CHAR); +- do_test (0, i, i - buf_addr, BIG_CHAR); +- do_test (0, i, -buf_addr - i, BIG_CHAR); +- do_test (0, i, SIZE_MAX - buf_addr - i, BIG_CHAR); +- do_test (0, i, SIZE_MAX - buf_addr + i, BIG_CHAR); +- +- len = 0; +- for (j = 8 * sizeof(size_t) - 1; j ; --j) +- { +- len |= one << j; +- do_test (0, i, len - i, BIG_CHAR); +- do_test (0, i, len + i, BIG_CHAR); +- do_test (0, i, len - buf_addr - i, BIG_CHAR); +- do_test (0, i, len - buf_addr + i, BIG_CHAR); +- +- do_test (0, i, ~len - i, BIG_CHAR); +- 
do_test (0, i, ~len + i, BIG_CHAR); +- do_test (0, i, ~len - buf_addr - i, BIG_CHAR); +- do_test (0, i, ~len - buf_addr + i, BIG_CHAR); +- +- do_test (0, i, -buf_addr, BIG_CHAR); +- do_test (0, i, j - buf_addr, BIG_CHAR); +- do_test (0, i, -buf_addr - j, BIG_CHAR); +- } ++ for (repeats = 0; repeats < 2; ++repeats) ++ { ++ size_t align = repeats ? (getpagesize () - alignments[al_idx]) ++ : alignments[al_idx]; ++ align /= sizeof (CHAR); ++ for (i = 0; i < 750; ++i) ++ { ++ do_test (align, i, SIZE_MAX, BIG_CHAR); ++ ++ do_test (align, i, SIZE_MAX - i, BIG_CHAR); ++ do_test (align, i, i - buf_addr, BIG_CHAR); ++ do_test (align, i, -buf_addr - i, BIG_CHAR); ++ do_test (align, i, SIZE_MAX - buf_addr - i, BIG_CHAR); ++ do_test (align, i, SIZE_MAX - buf_addr + i, BIG_CHAR); ++ ++ len = 0; ++ for (j = 8 * sizeof (size_t) - 1; j; --j) ++ { ++ len |= one << j; ++ do_test (align, i, len, BIG_CHAR); ++ do_test (align, i, len - i, BIG_CHAR); ++ do_test (align, i, len + i, BIG_CHAR); ++ do_test (align, i, len - buf_addr - i, BIG_CHAR); ++ do_test (align, i, len - buf_addr + i, BIG_CHAR); ++ ++ do_test (align, i, ~len - i, BIG_CHAR); ++ do_test (align, i, ~len + i, BIG_CHAR); ++ do_test (align, i, ~len - buf_addr - i, BIG_CHAR); ++ do_test (align, i, ~len - buf_addr + i, BIG_CHAR); ++ ++ do_test (align, i, -buf_addr, BIG_CHAR); ++ do_test (align, i, j - buf_addr, BIG_CHAR); ++ do_test (align, i, -buf_addr - j, BIG_CHAR); ++ } ++ } ++ } + } + } + +diff --git a/sysdeps/x86_64/multiarch/strlen-avx2.S b/sysdeps/x86_64/multiarch/strlen-avx2.S +index b282a75613bf52ab..4d7d68396bcd4049 100644 +--- a/sysdeps/x86_64/multiarch/strlen-avx2.S ++++ b/sysdeps/x86_64/multiarch/strlen-avx2.S +@@ -542,14 +542,11 @@ L(return_vzeroupper): + L(cross_page_less_vec): + tzcntl %eax, %eax + # ifdef USE_AS_WCSLEN +- /* NB: Multiply length by 4 to get byte count. */ +- sall $2, %esi ++ /* NB: Divide by 4 to convert from byte-count to length. 
*/ ++ shrl $2, %eax + # endif + cmpq %rax, %rsi + cmovb %esi, %eax +-# ifdef USE_AS_WCSLEN +- shrl $2, %eax +-# endif + VZEROUPPER_RETURN + # endif + diff --git a/glibc-upstream-2.34-363.patch b/glibc-upstream-2.34-363.patch new file mode 100644 index 0000000..4428f12 --- /dev/null +++ b/glibc-upstream-2.34-363.patch @@ -0,0 +1,26 @@ +commit 309c4708aca762f57263a66e5bea926fdbfd82eb +Author: Adhemerval Zanella +Date: Fri Mar 25 11:16:49 2022 -0300 + + elf: Fix wrong fscanf usage on tst-pldd + + To take in consideration the extra '\0'. + + Checked on x86_64-linux-gnu. + + (cherry picked from commit b2cd93fce666fdc8c9a5c64af2741a8a6940ac99) + +diff --git a/elf/tst-pldd.c b/elf/tst-pldd.c +index 210ca4d24b8338ab..72b7a99b369a105d 100644 +--- a/elf/tst-pldd.c ++++ b/elf/tst-pldd.c +@@ -113,7 +113,8 @@ do_test (void) + TEST_VERIFY (out != NULL); + + /* First line is in the form of : */ +- TEST_COMPARE (fscanf (out, "%u: " STRINPUT (512), &pid, buffer), 2); ++ TEST_COMPARE (fscanf (out, "%u: " STRINPUT (sizeof (buffer) - 1), &pid, ++ buffer), 2); + + TEST_COMPARE (pid, *target_pid_ptr); + TEST_COMPARE (strcmp (basename (buffer), "tst-pldd"), 0); diff --git a/glibc-upstream-2.34-364.patch b/glibc-upstream-2.34-364.patch new file mode 100644 index 0000000..cf76f9b --- /dev/null +++ b/glibc-upstream-2.34-364.patch 
@@ -0,0 +1,362 @@ +commit 42b9d7def8fd7d26f1926cbc801923aa2c8a386a +Author: DJ Delorie +Date: Mon Mar 28 23:53:33 2022 -0400 + + Allow for unpriviledged nested containers + + If the build itself is run in a container, we may not be able to + fully set up a nested container for test-container testing. + Notably is the mounting of /proc, since it's critical that it + be mounted from within the same PID namespace as its users, and + thus cannot be bind mounted from outside the container like other + mounts. + + This patch defaults to using the parent's PID namespace instead of + creating a new one, as this is more likely to be allowed. + + If the test needs an isolated PID namespace, it should add the "pidns" + command to its init script. + + Reviewed-by: Carlos O'Donell + (cherry picked from commit 2fe64148a81f0d78050c302f34a6853d21f7cae4) + +diff --git a/elf/tst-pldd.c b/elf/tst-pldd.c +index 72b7a99b369a105d..6e4174cbf95b15c0 100644 +--- a/elf/tst-pldd.c ++++ b/elf/tst-pldd.c +@@ -85,6 +85,8 @@ in_str_list (const char *libname, const char *const strlist[]) + static int + do_test (void) + { ++ support_need_proc ("needs /proc/sys/kernel/yama/ptrace_scope and /proc/$child"); ++ + /* Check if our subprocess can be debugged with ptrace. */ + { + int ptrace_scope = support_ptrace_scope (); +diff --git a/nptl/tst-pthread-getattr.c b/nptl/tst-pthread-getattr.c +index 5f60cf9722b77a1a..6128402b2673c010 100644 +--- a/nptl/tst-pthread-getattr.c ++++ b/nptl/tst-pthread-getattr.c +@@ -28,6 +28,8 @@ + #include + #include + ++#include ++ + /* There is an obscure bug in the kernel due to which RLIMIT_STACK is sometimes + returned as unlimited when it is not, which may cause this test to fail. 
+ There is also the other case where RLIMIT_STACK is intentionally set as +@@ -153,6 +155,8 @@ check_stack_top (void) + static int + do_test (void) + { ++ support_need_proc ("Reads /proc/self/maps to get stack size."); ++ + pagesize = sysconf (_SC_PAGESIZE); + return check_stack_top (); + } +diff --git a/nss/tst-reload2.c b/nss/tst-reload2.c +index 5ecb032e9fcd6868..a494145dd679099d 100644 +--- a/nss/tst-reload2.c ++++ b/nss/tst-reload2.c +@@ -95,6 +95,8 @@ do_test (void) + char buf1[PATH_MAX]; + char buf2[PATH_MAX]; + ++ support_need_proc ("Our xmkdirp fails if we can't map our uid, which requires /proc."); ++ + sprintf (buf1, "/subdir%s", support_slibdir_prefix); + xmkdirp (buf1, 0777); + +diff --git a/support/Makefile b/support/Makefile +index 6a5fc9faf2ca2e2d..0aa9d41c5a890087 100644 +--- a/support/Makefile ++++ b/support/Makefile +@@ -63,6 +63,7 @@ libsupport-routines = \ + support_format_hostent \ + support_format_netent \ + support_isolate_in_subprocess \ ++ support_need_proc \ + support_path_support_time64 \ + support_process_state \ + support_ptrace \ +diff --git a/support/support.h b/support/support.h +index ecfc9a336d272a30..b69f588e2edce6be 100644 +--- a/support/support.h ++++ b/support/support.h +@@ -90,6 +90,11 @@ char *support_quote_string (const char *); + regular file open for writing, and initially empty. */ + int support_descriptor_supports_holes (int fd); + ++/* Predicates that a test requires a working /proc filesystem. This ++ call will exit with UNSUPPORTED if /proc is not available, printing ++ WHY_MSG as part of the diagnostic. */ ++void support_need_proc (const char *why_msg); ++ + /* Error-checking wrapper functions which terminate the process on + error. */ + +diff --git a/support/support_need_proc.c b/support/support_need_proc.c +new file mode 100644 +index 0000000000000000..9b4eab7539b2d6c3 +--- /dev/null ++++ b/support/support_need_proc.c +@@ -0,0 +1,35 @@ ++/* Indicate that a test requires a working /proc. 
++ Copyright (C) 2022 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++#include ++ ++/* We test for /proc/self/maps since that's one of the files that one ++ of our tests actually uses, but the general idea is if Linux's ++ /proc/ (procfs) filesystem is mounted. If not, the process exits ++ with an UNSUPPORTED result code. */ ++ ++void ++support_need_proc (const char *why_msg) ++{ ++#ifdef __linux__ ++ if (access ("/proc/self/maps", R_OK)) ++ FAIL_UNSUPPORTED ("/proc is not available, %s", why_msg); ++#endif ++} +diff --git a/support/test-container.c b/support/test-container.c +index 94498d39019a4776..7310335f7566b41e 100644 +--- a/support/test-container.c ++++ b/support/test-container.c +@@ -97,6 +97,7 @@ int verbose = 0; + * mytest.root/mytest.script has a list of "commands" to run: + syntax: + # comment ++ pidns + su + mv FILE FILE + cp FILE FILE +@@ -122,6 +123,8 @@ int verbose = 0; + + details: + - '#': A comment. ++ - 'pidns': Require a separate PID namespace, prints comment if it can't ++ (default is a shared pid namespace) + - 'su': Enables running test as root in the container. + - 'mv': A minimal move files command. + - 'cp': A minimal copy files command. +@@ -148,7 +151,7 @@ int verbose = 0; + * Simple, easy to review code (i.e. 
prefer simple naive code over + complex efficient code) + +- * The current implementation ist parallel-make-safe, but only in ++ * The current implementation is parallel-make-safe, but only in + that it uses a lock to prevent parallel access to the testroot. */ + + +@@ -227,11 +230,37 @@ concat (const char *str, ...) + return bufs[n]; + } + ++/* Like the above, but put spaces between words. Caller frees. */ ++static char * ++concat_words (char **words, int num_words) ++{ ++ int len = 0; ++ int i; ++ char *rv, *p; ++ ++ for (i = 0; i < num_words; i ++) ++ { ++ len += strlen (words[i]); ++ len ++; ++ } ++ ++ p = rv = (char *) xmalloc (len); ++ ++ for (i = 0; i < num_words; i ++) ++ { ++ if (i > 0) ++ p = stpcpy (p, " "); ++ p = stpcpy (p, words[i]); ++ } ++ ++ return rv; ++} ++ + /* Try to mount SRC onto DEST. */ + static void + trymount (const char *src, const char *dest) + { +- if (mount (src, dest, "", MS_BIND, NULL) < 0) ++ if (mount (src, dest, "", MS_BIND | MS_REC, NULL) < 0) + FAIL_EXIT1 ("can't mount %s onto %s\n", src, dest); + } + +@@ -726,6 +755,9 @@ main (int argc, char **argv) + gid_t original_gid; + /* If set, the test runs as root instead of the user running the testsuite. */ + int be_su = 0; ++ int require_pidns = 0; ++ const char *pidns_comment = NULL; ++ int do_proc_mounts = 0; + int UMAP; + int GMAP; + /* Used for "%lld %lld 1" so need not be large. */ +@@ -1011,6 +1043,12 @@ main (int argc, char **argv) + { + be_su = 1; + } ++ else if (nt >= 1 && strcmp (the_words[0], "pidns") == 0) ++ { ++ require_pidns = 1; ++ if (nt > 1) ++ pidns_comment = concat_words (the_words + 1, nt - 1); ++ } + else if (nt == 3 && strcmp (the_words[0], "mkdirp") == 0) + { + long int m; +@@ -1068,7 +1106,8 @@ main (int argc, char **argv) + + #ifdef CLONE_NEWNS + /* The unshare here gives us our own spaces and capabilities. */ +- if (unshare (CLONE_NEWUSER | CLONE_NEWPID | CLONE_NEWNS) < 0) ++ if (unshare (CLONE_NEWUSER | CLONE_NEWNS ++ | (require_pidns ? 
CLONE_NEWPID : 0)) < 0) + { + /* Older kernels may not support all the options, or security + policy may block this call. */ +@@ -1079,6 +1118,11 @@ main (int argc, char **argv) + check_for_unshare_hints (); + FAIL_UNSUPPORTED ("unable to unshare user/fs: %s", strerror (saved_errno)); + } ++ /* We're about to exit anyway, it's "safe" to call unshare again ++ just to see if the CLONE_NEWPID caused the error. */ ++ else if (require_pidns && unshare (CLONE_NEWUSER | CLONE_NEWNS) >= 0) ++ FAIL_EXIT1 ("unable to unshare pid ns: %s : %s", strerror (errno), ++ pidns_comment ? pidns_comment : "required by test"); + else + FAIL_EXIT1 ("unable to unshare user/fs: %s", strerror (errno)); + } +@@ -1094,6 +1138,15 @@ main (int argc, char **argv) + trymount (support_srcdir_root, new_srcdir_path); + trymount (support_objdir_root, new_objdir_path); + ++ /* It may not be possible to mount /proc directly. */ ++ if (! require_pidns) ++ { ++ char *new_proc = concat (new_root_path, "/proc", NULL); ++ xmkdirp (new_proc, 0755); ++ trymount ("/proc", new_proc); ++ do_proc_mounts = 1; ++ } ++ + xmkdirp (concat (new_root_path, "/dev", NULL), 0755); + devmount (new_root_path, "null"); + devmount (new_root_path, "zero"); +@@ -1163,42 +1216,60 @@ main (int argc, char **argv) + + maybe_xmkdir ("/tmp", 0755); + +- /* Now that we're pid 1 (effectively "root") we can mount /proc */ +- maybe_xmkdir ("/proc", 0777); +- if (mount ("proc", "/proc", "proc", 0, NULL) < 0) +- FAIL_EXIT1 ("Unable to mount /proc: "); +- +- /* We map our original UID to the same UID in the container so we +- can own our own files normally. */ +- UMAP = open ("/proc/self/uid_map", O_WRONLY); +- if (UMAP < 0) +- FAIL_EXIT1 ("can't write to /proc/self/uid_map\n"); +- +- sprintf (tmp, "%lld %lld 1\n", +- (long long) (be_su ? 0 : original_uid), (long long) original_uid); +- write (UMAP, tmp, strlen (tmp)); +- xclose (UMAP); +- +- /* We must disable setgroups () before we can map our groups, else we +- get EPERM. 
*/ +- GMAP = open ("/proc/self/setgroups", O_WRONLY); +- if (GMAP >= 0) ++ if (require_pidns) + { +- /* We support kernels old enough to not have this. */ +- write (GMAP, "deny\n", 5); +- xclose (GMAP); ++ /* Now that we're pid 1 (effectively "root") we can mount /proc */ ++ maybe_xmkdir ("/proc", 0777); ++ if (mount ("proc", "/proc", "proc", 0, NULL) != 0) ++ { ++ /* This happens if we're trying to create a nested container, ++ like if the build is running under podman, and we lack ++ priviledges. ++ ++ Ideally we would WARN here, but that would just add noise to ++ *every* test-container test, and the ones that care should ++ have their own relevent diagnostics. ++ ++ FAIL_EXIT1 ("Unable to mount /proc: "); */ ++ } ++ else ++ do_proc_mounts = 1; + } + +- /* We map our original GID to the same GID in the container so we +- can own our own files normally. */ +- GMAP = open ("/proc/self/gid_map", O_WRONLY); +- if (GMAP < 0) +- FAIL_EXIT1 ("can't write to /proc/self/gid_map\n"); ++ if (do_proc_mounts) ++ { ++ /* We map our original UID to the same UID in the container so we ++ can own our own files normally. */ ++ UMAP = open ("/proc/self/uid_map", O_WRONLY); ++ if (UMAP < 0) ++ FAIL_EXIT1 ("can't write to /proc/self/uid_map\n"); ++ ++ sprintf (tmp, "%lld %lld 1\n", ++ (long long) (be_su ? 0 : original_uid), (long long) original_uid); ++ write (UMAP, tmp, strlen (tmp)); ++ xclose (UMAP); ++ ++ /* We must disable setgroups () before we can map our groups, else we ++ get EPERM. */ ++ GMAP = open ("/proc/self/setgroups", O_WRONLY); ++ if (GMAP >= 0) ++ { ++ /* We support kernels old enough to not have this. */ ++ write (GMAP, "deny\n", 5); ++ xclose (GMAP); ++ } + +- sprintf (tmp, "%lld %lld 1\n", +- (long long) (be_su ? 0 : original_gid), (long long) original_gid); +- write (GMAP, tmp, strlen (tmp)); +- xclose (GMAP); ++ /* We map our original GID to the same GID in the container so we ++ can own our own files normally. 
*/ ++ GMAP = open ("/proc/self/gid_map", O_WRONLY); ++ if (GMAP < 0) ++ FAIL_EXIT1 ("can't write to /proc/self/gid_map\n"); ++ ++ sprintf (tmp, "%lld %lld 1\n", ++ (long long) (be_su ? 0 : original_gid), (long long) original_gid); ++ write (GMAP, tmp, strlen (tmp)); ++ xclose (GMAP); ++ } + + if (change_cwd) + { diff --git a/glibc-upstream-2.34-365.patch b/glibc-upstream-2.34-365.patch new file mode 100644 index 0000000..1fd3d7c --- /dev/null +++ b/glibc-upstream-2.34-365.patch @@ -0,0 +1,39 @@ +commit 405b8ae13540e9fd614df614e3361ebf9abd14cf +Author: Adhemerval Zanella +Date: Tue Jul 5 12:58:40 2022 -0300 + + elf: Fix wrong fscanf usage on tst-pldd + + The fix done b2cd93fce666fdc8c9a5c64af2741a8a6940ac99 does not really + work since macro strification does not expand the sizeof nor the + arithmetic operation. + + Checked on x86_64-linux-gnu. + + (cherry picked from commit c353689e49e72f3aafa1a9e68d4f7a4f33a79cbe) + +diff --git a/elf/tst-pldd.c b/elf/tst-pldd.c +index 6e4174cbf95b15c0..d3ecb99149d619c6 100644 +--- a/elf/tst-pldd.c ++++ b/elf/tst-pldd.c +@@ -108,15 +108,16 @@ do_test (void) + loader and libc. */ + { + pid_t pid; +- char buffer[512]; +-#define STRINPUT(size) "%" # size "s" ++#define BUFFERLEN 511 ++ char buffer[BUFFERLEN + 1]; ++#define STRINPUT(size) XSTRINPUT(size) ++#define XSTRINPUT(size) "%" # size "s" + + FILE *out = fmemopen (pldd.out.buffer, pldd.out.length, "r"); + TEST_VERIFY (out != NULL); + + /* First line is in the form of : */ +- TEST_COMPARE (fscanf (out, "%u: " STRINPUT (sizeof (buffer) - 1), &pid, +- buffer), 2); ++ TEST_COMPARE (fscanf (out, "%u: " STRINPUT (BUFFERLEN), &pid, buffer), 2); + + TEST_COMPARE (pid, *target_pid_ptr); + TEST_COMPARE (strcmp (basename (buffer), "tst-pldd"), 0); diff --git a/glibc.spec b/glibc.spec index d5bf422..c7bda41 100644 --- a/glibc.spec +++ b/glibc.spec 
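Review bot: In `main` of support/test-container.c, when a script asks for `pidns` and `mount ("proc", "/proc", "proc", 0, NULL)` fails, the empty `if` body leaves `do_proc_mounts` at 0, so the whole uid_map/gid_map block is skipped without any diagnostic. That block includes the `be_su ? 0 : original_uid` mapping, so a script that combines `su` with `pidns` presumably continues without the identity it requested, and its result then says nothing about the privileged path. I would exit as unsupported when the mapping was explicitly requested, e.g. `if (be_su) FAIL_UNSUPPORTED ("cannot mount /proc, needed to map uid 0");` in that branch, and keep the silent fallback for the remaining tests. `main` starts and ends outside the hunks shown.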
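Review bot: The rewritten `fscanf (out, "%u: " STRINPUT (BUFFERLEN), &pid, buffer)` still stores a `%u` conversion through `&pid`, while `pid` is declared `pid_t` at the top of the same block; `%u` expects an `unsigned int *`, so the argument type does not match the conversion. Since the line is being changed for format-string correctness anyway, reading into an `unsigned int` temporary and assigning it to `pid` afterwards would close that gap. `BUFFERLEN`, `STRINPUT` and `XSTRINPUT` are defined inside the block and, as far as the hunk shows, never `#undef`ed, so a one-line comment that they stay visible for the rest of the file would help. `do_test` continues outside the hunk.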
@@ -148,7 +148,7 @@ end \ Summary: The GNU libc libraries Name: glibc Version: %{glibcversion} -Release: 49%{?dist} +Release: 52%{?dist} # In general, GPLv2+ is used by programs, LGPLv2+ is used for # libraries. @@ -203,6 +203,19 @@ rpm.define("__debug_install_post bash " .. wrapper .. " " .. sysroot .. " " .. original) } +# sysroot package support. These contain arch-specific packages, so +# turn off the rpmbuild check. +%global _binaries_in_noarch_packages_terminate_build 0 +# Variant of %%dist that contains just the distribution release, no affixes. +%{?fedora:%global sysroot_dist fc%{fedora}} +%{?rhel:%global sysroot_dist el%{rhel}} +%{?!sysroot_dist:%global sysroot_dist root} +# The name of the sysroot package. +%global sysroot_package_arch sysroot-%{_arch}-%{sysroot_dist}-%{name} +# Installed path for the sysroot tree. Must contain /sys-root/, which +# triggers filtering. +%global sysroot_prefix /usr/%{_arch}-redhat-linux/sys-root/%{sysroot_dist} + # The wrapper script relies on the fact that debugedit does not change # build IDs. %define _no_recompute_build_ids 1 @@ -649,6 +662,12 @@ Patch438: glibc-upstream-2.34-357.patch Patch439: glibc-upstream-2.34-358.patch Patch440: glibc-upstream-2.34-359.patch # glibc-2.34-360-g75b0edb7ef only changes NEWS. +Patch441: glibc-upstream-2.34-361.patch +Patch442: glibc-upstream-2.34-362.patch +Patch443: glibc-upstream-2.34-363.patch +Patch444: glibc-upstream-2.34-364.patch +Patch445: glibc-upstream-2.34-365.patch +Patch446: glibc-rh2149102.patch ############################################################################## # Continued list of core "glibc" package information: 
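Review bot: In the sysroot macro hunk, `%global _binaries_in_noarch_packages_terminate_build 0` applies to the whole spec, so the rpmbuild check is switched off for every noarch subpackage built from it, not only for the new sysroot package. If the spec has other noarch subpackages (not visible in this hunk), an architecture-specific file ending up in one of them would no longer stop the build. The comment above the macro should state that scope, e.g. `# NB: this disables the check spec-wide; only %%sysroot_package_arch is expected to carry binaries.`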
@@ -1450,6 +1469,21 @@ libpthread_nonshared.a which is no longer used. The static library libpthread_nonshared.a is an internal implementation detail of the C runtime and should not be expected to exist. +%if %{without bootstrap} +%package -n %sysroot_package_arch +Summary: Sysroot package for glibc, %{_arch} architecture +BuildArch: noarch +Provides: sysroot-%{_arch}-%{name} +# The files are not usable for execution, so do not provide nor +# require anything. +AutoReqProv: no + +%description -n %sysroot_package_arch +This package contains development files for the glibc package +that can be installed across architectures. +%dnl %%{without bootstrap} +%endif + ############################################################################## # Prepare for the build. ############################################################################## 
@@ -1955,6 +1989,53 @@ done ############################################################################## ar cr %{glibc_sysroot}%{_prefix}/%{_lib}/libpthread_nonshared.a +############################################################################### +# Sysroot package creation. +############################################################################### + +%if %{without bootstrap} +mkdir -p %{glibc_sysroot}/%{sysroot_prefix} +pushd %{glibc_sysroot}/%{sysroot_prefix} +mkdir -p usr/lib usr/lib64 + +cp -a %{glibc_sysroot}/%{_prefix}/include usr/. +for lib in lib lib64; do + for pfx in "" %{_prefix}/; do + if test -d %{glibc_sysroot}/$pfx$lib ; then + # Implement UsrMove: everything goes into usr/$lib. Only + # copy files directly in $lib. + find %{glibc_sysroot}/$pfx$lib -maxdepth 1 -type f \ + | xargs -I '{}' cp '{}' usr/$lib/. + # Symbolic links need to be adjusted for UsrMove: They + # need to stay within the same directory. + for sl in `find %{glibc_sysroot}/$pfx$lib -maxdepth 1 -type l`; do + set +x + slbase=$(basename $sl) + sltarget=$(basename $(readlink $sl)) + if ! test -r usr/$lib/$sltarget; then + echo "$sl: inferred $sltarget ($(readlink $sl)) missing" + exit 1 + fi + set -x + ln -s $sltarget usr/$lib/$slbase + done + fi + done +done + +# Remove the executable bit from files in the sysroot. This prevents +# debuginfo extraction. +find -type f | xargs chmod a-x + +# Use sysroot-relative paths in linker script. Ignore symbolic links. +sed -e 's,\([^0-9a-zA-Z=*]/lib\),=/usr/lib,g' \ + -e 's,\([^0-9a-zA-Z=*]\)/,\1=/,g' \ + -i $(find -type f -name 'lib[cm].so') + +popd +%dnl %%{without bootstrap} +%endif + ############################################################################## # Beyond this point in the install process we no longer modify the set of # installed files. 
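Review bot: In the linker-script rewrite, the first expression `s,\([^0-9a-zA-Z=*]/lib\),=/usr/lib,g` captures the delimiter character together with `/lib` but never emits `\1`, so the character in front of each `/lib` path is dropped from the output, whereas the second expression keeps it with `\1=/`. That is presumably harmless only while a token such as `(` still separates the entries. I would keep the delimiter the same way in both: `-e 's,\([^0-9a-zA-Z=*]\)/lib,\1=/usr/lib,g'`. Separately, `find -type f | xargs chmod a-x` and the backquoted `find` in the `for sl` loop split file names on whitespace, which holds only because the names under the sysroot are produced by this build; a short comment saying so would document the assumption.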
@@ -2043,13 +2124,14 @@ touch compat-libpthread-nonshared.filelist # language specific sub-packages. # libnss_ files go into subpackages related to NSS modules. # and .*/share/i18n/charmaps/.*), they go into the sub-package - # "locale-source": + # "locale-source". /sys-root/ files are put into the sysroot package. sed -e '\,.*/share/locale/\([^/_]\+\).*/LC_MESSAGES/.*\.mo,d' \ -e '\,.*/share/i18n/locales/.*,d' \ -e '\,.*/share/i18n/charmaps/.*,d' \ -e '\,.*/etc/\(localtime\|nsswitch.conf\|ld\.so\.conf\|ld\.so\.cache\|default\|rpc\|gai\.conf\),d' \ -e '\,.*/%{_libdir}/lib\(pcprofile\|memusage\)\.so,d' \ - -e '\,.*/bin/\(memusage\|mtrace\|xtrace\|pcprofiledump\),d' + -e '\,.*/bin/\(memusage\|mtrace\|xtrace\|pcprofiledump\),d' \ + -e '\,.*/sys-root,d' } | sort > master.filelist # The master file list is now used by each subpackage to list their own @@ -2384,8 +2466,9 @@ echo ====================PLT RELOCS END================== # Obtain a way to run the dynamic loader. Avoid matching the symbolic # link and then pick the first loader (although there should be only -# one). See wrap-find-debuginfo.sh. -ldso_path="$(find %{glibc_sysroot}/ -regextype posix-extended \ +# one). Use -maxdepth 2 to avoid descending into the /sys-root/ +# sub-tree. See wrap-find-debuginfo.sh. +ldso_path="$(find %{glibc_sysroot}/ -maxdepth 2 -regextype posix-extended \ -regex '.*/ld(-.*|64|)\.so\.[0-9]+$' -type f | LC_ALL=C sort | head -n1)" run_ldso="$ldso_path --library-path %{glibc_sysroot}/%{_lib}" 
@@ -2704,7 +2787,27 @@ fi %files -f compat-libpthread-nonshared.filelist -n compat-libpthread-nonshared +%if %{without bootstrap} +%files -n sysroot-%{_arch}-%{sysroot_dist}-glibc +%{sysroot_prefix} +%endif + %changelog +* Wed Nov 30 2022 Florian Weimer - 2.34-52 +- Add noarch sysroot subpackages (#2149644) + +* Tue Nov 29 2022 Florian Weimer - 2.34-51 +- Prepare for integration of GCC 8 compatible _Static_assert (#2149102) + +* Fri Nov 25 2022 Arjun Shankar - 2.34-50 +- Sync with upstream branch release/2.34/master, + commit 405b8ae13540e9fd614df614e3361ebf9abd14cf: +- elf: Fix wrong fscanf usage on tst-pldd +- Allow for unpriviledged nested containers +- elf: Fix wrong fscanf usage on tst-pldd +- x86: Fix wcsnlen-avx2 page cross length comparison [BZ #29591] +- elf: Fix rtld-audit trampoline for aarch64 + * Mon Nov 14 2022 Arjun Shankar - 2.34-49 - Sync with upstream branch release/2.34/master, commit: 75b0edb7ef338084e53925139ae81fb0dfc07dd4: diff --git a/wrap-find-debuginfo.sh b/wrap-find-debuginfo.sh index 38c27d0..f48c1cf 100644 --- a/wrap-find-debuginfo.sh +++ b/wrap-find-debuginfo.sh @@ -39,8 +39,8 @@ shift # See ldso_path setting in glibc.spec. ldso_path= -for ldso_candidate in `find "$sysroot_path" -regextype posix-extended \ - -regex '.*/ld(-.*|64|)\.so\.[0-9]+$' -type f` ; do +for ldso_candidate in `find "$sysroot_path" -maxdepth 2 \ + -regextype posix-extended -regex '.*/ld(-.*|64|)\.so\.[0-9]+$' -type f` ; do if test -z "$ldso_path" ; then ldso_path="$ldso_candidate" else @@ -51,7 +51,7 @@ done # libc.so.6 always uses this name, so it is simpler to locate. libc_path= -for libc_candidate in `find "$sysroot_path" -name libc.so.6`; do +for libc_candidate in `find "$sysroot_path" -maxdepth 2 -name libc.so.6`; do if test -z "$libc_path" ; then libc_path="$libc_candidate" else 
@@ -86,7 +86,8 @@ objcopy --add-section .gnu_debuglink="$libc_tmp.debuglink" "$libc_path" # ld.so does not have separated debuginfo and so the debuginfo file # generated by find-debuginfo is redundant. Therefore, remove it. ldso_debug= -for ldso_debug_candidate in `find "$sysroot_path" -regextype posix-extended \ +for ldso_debug_candidate in `find "$sysroot_path" -maxdepth 2 \ + -regextype posix-extended \ -regex '.*/ld(-.*|64|)\.so\.[0-9]+.*debug$' -type f` ; do if test -z "$ldso_debug" ; then ldso_debug="$ldso_debug_candidate"