73667d0be6
* Thu Apr 28 2022 Carlos O'Donell <carlos@redhat.com> - 2.34-32 - Sync with upstream branch release/2.34/master, commit c66c92181ddbd82306537a608e8c0282587131de: - posix/glob.c: update from gnulib (BZ#25659) - linux: Fix fchmodat with AT_SYMLINK_NOFOLLOW for 64 bit time_t (BZ#29097) * Wed Apr 27 2022 Carlos O'Donell <carlos@redhat.com> - 2.34-31 - Sync with upstream branch release/2.34/master, commit 55640ed3fde48360a8e8083be4843bd2dc7cecfe: - i386: Regenerate ulps - linux: Fix missing internal 64 bit time_t stat usage - x86: Optimize L(less_vec) case in memcmp-evex-movbe.S - x86: Don't set Prefer_No_AVX512 for processors with AVX512 and AVX-VNNI - x86-64: Use notl in EVEX strcmp [BZ #28646] - x86: Shrink memcmp-sse4.S code size - x86: Double size of ERMS rep_movsb_threshold in dl-cacheinfo.h - x86: Optimize memmove-vec-unaligned-erms.S - x86-64: Replace movzx with movzbl - x86-64: Remove Prefer_AVX2_STRCMP - x86-64: Improve EVEX strcmp with masked load - x86: Replace sse2 instructions with avx in memcmp-evex-movbe.S - x86: Optimize memset-vec-unaligned-erms.S - x86: Optimize memcmp-evex-movbe.S for frontend behavior and size - x86: Modify ENTRY in sysdep.h so that p2align can be specified - x86-64: Optimize load of all bits set into ZMM register [BZ #28252] - scripts/glibcelf.py: Mark as UNSUPPORTED on Python 3.5 and earlier - dlfcn: Do not use rtld_active () to determine ld.so state (bug 29078) - INSTALL: Rephrase -with-default-link documentation - misc: Fix rare fortify crash on wchar funcs. [BZ 29030] - Default to --with-default-link=no (bug 25812) - scripts: Add glibcelf.py module * Thu Apr 21 2022 Carlos O'Donell <carlos@redhat.com> - 2.34-30 - Sync with upstream branch release/2.34/master, commit 71326f1f2fd09dafb9c34404765fb88129e94237: - nptl: Fix pthread_cancel cancelhandling atomic operations - mips: Fix mips64n32 64 bit time_t stat support (BZ#29069) - hurd: Fix arbitrary error code - nptl: Handle spurious EINTR when thread cancellation is disabled (BZ#29029) - S390: Add new s390 platform z16. - NEWS: Update fixed bug list for LD_AUDIT backports. - hppa: Fix bind-now audit (BZ #28857) - elf: Replace tst-audit24bmod2.so with tst-audit24bmod2 - Fix elf/tst-audit25a with default bind now toolchains - elf: Fix runtime linker auditing on aarch64 (BZ #26643) - elf: Issue la_symbind for bind-now (BZ #23734) - elf: Fix initial-exec TLS access on audit modules (BZ #28096) - elf: Add la_activity during application exit - elf: Do not fail for failed dlmopen on audit modules (BZ #28061) - elf: Issue audit la_objopen for vDSO - elf: Add audit tests for modules with TLSDESC - elf: Avoid unnecessary slowdown from profiling with audit (BZ#15533) - elf: Add _dl_audit_pltexit - elf: Add _dl_audit_pltenter - elf: Add _dl_audit_preinit - elf: Add _dl_audit_symbind_alt and _dl_audit_symbind - elf: Add _dl_audit_objclose - elf: Add _dl_audit_objsearch - elf: Add _dl_audit_activity_map and _dl_audit_activity_nsid - elf: Add _dl_audit_objopen - elf: Move la_activity (LA_ACT_ADD) after _dl_add_to_namespace_list() (BZ #28062) - elf: Move LAV_CURRENT to link_lavcurrent.h - elf: Fix elf_get_dynamic_info() for bootstrap - elf: Fix dynamic-link.h usage on rtld.c - elf: Fix elf_get_dynamic_info definition - elf: Avoid nested functions in the loader [BZ #27220] - powerpc: Delete unneeded ELF_MACHINE_BEFORE_RTLD_RELOC - hppa: Use END instead of PSEUDO_END in swapcontext.S - hppa: Implement swapcontext in assembler (bug 28960) Resolves: #2003291 Resolves: #2064181 Resolves: #2072328 Resolves: #2075713 Resolves: #2077838
88 lines
3.5 KiB
Diff
88 lines
3.5 KiB
Diff
commit ca0faa140ff8cebe4c041d935f0f5eb480873d99
|
|
Author: Joan Bruguera <joanbrugueram@gmail.com>
|
|
Date: Mon Apr 11 19:49:56 2022 +0200
|
|
|
|
misc: Fix rare fortify crash on wchar funcs. [BZ 29030]
|
|
|
|
If `__glibc_objsize (__o) == (size_t) -1` (i.e. `__o` is unknown size), fortify
|
|
checks should pass, and `__whatever_alias` should be called.
|
|
|
|
Previously, `__glibc_objsize (__o) == (size_t) -1` was explicitly checked, but
|
|
on commit a643f60c53876b, this was moved into `__glibc_safe_or_unknown_len`.
|
|
|
|
A comment says the -1 case should work as: "The -1 check is redundant because
|
|
since it implies that __glibc_safe_len_cond is true.". But this fails when:
|
|
* `__s > 1`
|
|
* `__osz == -1` (i.e. unknown size at compile time)
|
|
* `__l` is big enough
|
|
* `__l * __s <= __osz` can be folded to a constant
|
|
(I only found this to be true for `mbsrtowcs` and other functions in wchar2.h)
|
|
|
|
In this case `__l * __s <= __osz` is false, and `__whatever_chk_warn` will be
|
|
called by `__glibc_fortify` or `__glibc_fortify_n` and crash the program.
|
|
|
|
This commit adds the explicit `__osz == -1` check again.
|
|
moc crashes on startup due to this, see: https://bugs.archlinux.org/task/74041
|
|
|
|
Minimal test case (test.c):
|
|
#include <wchar.h>
|
|
|
|
int main (void)
|
|
{
|
|
const char *hw = "HelloWorld";
|
|
mbsrtowcs (NULL, &hw, (size_t)-1, NULL);
|
|
return 0;
|
|
}
|
|
|
|
Build with:
|
|
gcc -O2 -Wp,-D_FORTIFY_SOURCE=2 test.c -o test && ./test
|
|
|
|
Output:
|
|
*** buffer overflow detected ***: terminated
|
|
|
|
Fixes: BZ #29030
|
|
Signed-off-by: Joan Bruguera <joanbrugueram@gmail.com>
|
|
Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
|
|
(cherry picked from commit 33e03f9cd2be4f2cd62f93fda539cc07d9c8130e)
|
|
|
|
diff --git a/debug/tst-fortify.c b/debug/tst-fortify.c
|
|
index 8b5902423cf0ad88..fb02452f5993c594 100644
|
|
--- a/debug/tst-fortify.c
|
|
+++ b/debug/tst-fortify.c
|
|
@@ -1505,6 +1505,11 @@ do_test (void)
|
|
CHK_FAIL_END
|
|
#endif
|
|
|
|
+ /* Bug 29030 regresion check */
|
|
+ cp = "HelloWorld";
|
|
+ if (mbsrtowcs (NULL, &cp, (size_t)-1, &s) != 10)
|
|
+ FAIL ();
|
|
+
|
|
cp = "A";
|
|
if (mbstowcs (wenough, cp, 10) != 1
|
|
|| wcscmp (wenough, L"A") != 0)
|
|
diff --git a/misc/sys/cdefs.h b/misc/sys/cdefs.h
|
|
index 515fb681a0547217..b36013b9a6b4d9c3 100644
|
|
--- a/misc/sys/cdefs.h
|
|
+++ b/misc/sys/cdefs.h
|
|
@@ -161,13 +161,13 @@
|
|
|| (__builtin_constant_p (__l) && (__l) > 0))
|
|
|
|
/* Length is known to be safe at compile time if the __L * __S <= __OBJSZ
|
|
- condition can be folded to a constant and if it is true. The -1 check is
|
|
- redundant because since it implies that __glibc_safe_len_cond is true. */
|
|
+ condition can be folded to a constant and if it is true, or unknown (-1) */
|
|
#define __glibc_safe_or_unknown_len(__l, __s, __osz) \
|
|
- (__glibc_unsigned_or_positive (__l) \
|
|
- && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
|
|
- __s, __osz)) \
|
|
- && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), __s, __osz))
|
|
+ ((__osz) == (__SIZE_TYPE__) -1 \
|
|
+ || (__glibc_unsigned_or_positive (__l) \
|
|
+ && __builtin_constant_p (__glibc_safe_len_cond ((__SIZE_TYPE__) (__l), \
|
|
+ (__s), (__osz))) \
|
|
+ && __glibc_safe_len_cond ((__SIZE_TYPE__) (__l), (__s), (__osz))))
|
|
|
|
/* Conversely, we know at compile time that the length is unsafe if the
|
|
__L * __S <= __OBJSZ condition can be folded to a constant and if it is
|