glibc-2.33 release version of Feb 2021 is used in Hardknott branch. There are many bug fixes in the latest glibc-2.33 version. The patch takes the latest glibc-2.33 version commit. Regression tested on X86-64 without any new issues.
Signed-off-by: Pgowda <pgowda....@gmail.com> --- meta/recipes-core/glibc/glibc-version.inc | 2 +- .../glibc/glibc/0001-CVE-2021-38604.patch | 40 ---- ...-private-futex-optimization-BZ-27304.patch | 49 ----- .../glibc/glibc/0002-CVE-2021-38604.patch | 147 -------------- ...-ISA-support-for-x86-64-level-marker.patch | 116 ----------- ...ork-around-GCC-PR-98512-in-rawmemchr.patch | 58 ------ ...-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch | 185 ------------------ .../glibc/glibc/CVE-2021-27318-revert.patch | 174 ++++++++++++++++ .../glibc/glibc/CVE-2021-27645.patch | 51 ----- .../glibc/glibc/CVE-2021-33574_1.patch | 76 ------- .../glibc/glibc/CVE-2021-33574_2.patch | 61 ------ .../glibc/glibc/CVE-2021-35942.patch | 44 ----- meta/recipes-core/glibc/glibc_2.33.bb | 10 - 13 files changed, 175 insertions(+), 838 deletions(-) delete mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch delete mode 100644 meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch delete mode 100644 meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch delete mode 100644 meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch delete mode 100644 meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch delete mode 100644 meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-27645.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch delete mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-35942.patch diff --git a/meta/recipes-core/glibc/glibc-version.inc b/meta/recipes-core/glibc/glibc-version.inc index 3a95173175..4d69187961 100644 --- a/meta/recipes-core/glibc/glibc-version.inc +++ b/meta/recipes-core/glibc/glibc-version.inc @@ -1,6 +1,6 @@ SRCBRANCH ?= "release/2.33/master" PV = "2.33" -SRCREV_glibc ?= "9826b03b747b841f5fc6de2054bf1ef3f5c4bdf3" +SRCREV_glibc ?= "6090cf1330faf2deb17285758f327cb23b89ebf1" SRCREV_localedef ?= "bd644c9e6f3e20c5504da1488448173c69c56c28" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch deleted file mode 100644 index 8a52ac957c..0000000000 --- a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch +++ /dev/null @@ -1,40 +0,0 @@ -From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001 -From: Nikita Popov <npv1...@gmail.com> -Date: Mon, 9 Aug 2021 20:17:34 +0530 -Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) - -Helper thread frees copied attribute on NOTIFY_REMOVED message -received from the OS kernel. Unfortunately, it fails to check whether -copied attribute actually exists (data.attr != NULL). This worked -earlier because free() checks passed pointer before actually -attempting to release corresponding memory. But -__pthread_attr_destroy assumes pointer is not NULL. - -So passing NULL pointer to __pthread_attr_destroy will result in -segmentation fault. This scenario is possible if -notification->sigev_notify_attributes == NULL (which means default -thread attributes should be used). - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8] -CVE: CVE-2021-38604 - -Signed-off-by: Nikita Popov <npv1...@gmail.com> -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> -Signed-off-by: Vinay Kumar <vinay.m.e...@gmail.com> ---- - sysdeps/unix/sysv/linux/mq_notify.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c -index 6f46d29d1d..1714e1cc5f 100644 ---- a/sysdeps/unix/sysv/linux/mq_notify.c -+++ b/sysdeps/unix/sysv/linux/mq_notify.c -@@ -132,7 +132,7 @@ helper_thread (void *arg) - to wait until it is done with it. */ - (void) __pthread_barrier_wait (¬ify_barrier); - } -- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) -+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) - { - /* The only state we keep is the copy of the thread attributes. */ - pthread_attr_destroy (data.attr); diff --git a/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch b/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch deleted file mode 100644 index 39fde5b785..0000000000 --- a/meta/recipes-core/glibc/glibc/0001-nptl-Remove-private-futex-optimization-BZ-27304.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c4ad832276f4dadfa40904109b26a521468f66bc Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fwei...@redhat.com> -Date: Thu, 4 Feb 2021 15:00:20 +0100 -Subject: [PATCH] nptl: Remove private futex optimization [BZ #27304] - -It is effectively used, unexcept for pthread_cond_destroy, where we do -not want it; see bug 27304. The internal locks do not support a -process-shared mode. - -This fixes commit dc6cfdc934db9997c33728082d63552b9eee4563 ("nptl: -Move pthread_cond_destroy implementation into libc"). - -Reviewed-by: Adhemerval Zanella <adhemerval.zane...@linaro.org> - -Upstream-Status: Backport [https://sourceware.org/bugzilla/show_bug.cgi?id=27304] -Signed-off-by: Yanfei Xu <yanfei...@windriver.com> ---- - sysdeps/nptl/lowlevellock-futex.h | 14 +------------- - 1 file changed, 1 insertion(+), 13 deletions(-) - -diff --git a/sysdeps/nptl/lowlevellock-futex.h b/sysdeps/nptl/lowlevellock-futex.h -index ecb729da6b..ca96397a4a 100644 ---- a/sysdeps/nptl/lowlevellock-futex.h -+++ b/sysdeps/nptl/lowlevellock-futex.h -@@ -50,20 +50,8 @@ - #define LLL_SHARED FUTEX_PRIVATE_FLAG - - #ifndef __ASSEMBLER__ -- --# if IS_IN (libc) || IS_IN (rtld) --/* In libc.so or ld.so all futexes are private. */ --# define __lll_private_flag(fl, private) \ -- ({ \ -- /* Prevent warnings in callers of this macro. */ \ -- int __lll_private_flag_priv __attribute__ ((unused)); \ -- __lll_private_flag_priv = (private); \ -- ((fl) | FUTEX_PRIVATE_FLAG); \ -- }) --# else --# define __lll_private_flag(fl, private) \ -+# define __lll_private_flag(fl, private) \ - (((fl) | FUTEX_PRIVATE_FLAG) ^ (private)) --# endif - - # define lll_futex_syscall(nargs, futexp, op, ...) \ - ({ \ --- -2.27.0 - diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch deleted file mode 100644 index b654cdfecb..0000000000 --- a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch +++ /dev/null @@ -1,147 +0,0 @@ -From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001 -From: Nikita Popov <npv1...@gmail.com> -Date: Thu, 12 Aug 2021 16:09:50 +0530 -Subject: [PATCH] librt: add test (bug 28213) - -This test implements following logic: -1) Create POSIX message queue. - Register a notification with mq_notify (using NULL attributes). - Then immediately unregister the notification with mq_notify. - Helper thread in a vulnerable version of glibc - should cause NULL pointer dereference after these steps. -2) Once again, register the same notification. - Try to send a dummy message. - Test is considered successfulif the dummy message - is successfully received by the callback function. - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641] -CVE: CVE-2021-38604 - -Signed-off-by: Nikita Popov <npv1...@gmail.com> -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> -Signed-off-by: Vinay Kumar <vinay.m.e...@gmail.com> ---- - rt/Makefile | 1 + - rt/tst-bz28213.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++ - 2 files changed, 102 insertions(+) - create mode 100644 rt/tst-bz28213.c - -diff --git a/rt/Makefile b/rt/Makefile -index 7b374f2073..c87d95793a 100644 ---- a/rt/Makefile -+++ b/rt/Makefile -@@ -44,6 +44,7 @@ tests := tst-shm tst-timer tst-timer2 \ - tst-aio7 tst-aio8 tst-aio9 tst-aio10 \ - tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \ - tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \ -+ tst-bz28213 \ - tst-timer3 tst-timer4 tst-timer5 \ - tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \ - tst-shm-cancel -diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c -new file mode 100644 -index 0000000000..0c096b5a0a ---- /dev/null -+++ b/rt/tst-bz28213.c -@@ -0,0 +1,101 @@ -+/* Bug 28213: test for NULL pointer dereference in mq_notify. -+ Copyright (C) The GNU Toolchain Authors. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ <https://www.gnu.org/licenses/>. */ -+ -+#include <errno.h> -+#include <sys/types.h> -+#include <sys/stat.h> -+#include <fcntl.h> -+#include <unistd.h> -+#include <mqueue.h> -+#include <signal.h> -+#include <stdlib.h> -+#include <string.h> -+#include <support/check.h> -+ -+static mqd_t m = -1; -+static const char msg[] = "hello"; -+ -+static void -+check_bz28213_cb (union sigval sv) -+{ -+ char buf[sizeof (msg)]; -+ -+ (void) sv; -+ -+ TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL) -+ == sizeof (buf)); -+ TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0); -+ -+ exit (0); -+} -+ -+static void -+check_bz28213 (void) -+{ -+ struct sigevent sev; -+ -+ memset (&sev, '\0', sizeof (sev)); -+ sev.sigev_notify = SIGEV_THREAD; -+ sev.sigev_notify_function = check_bz28213_cb; -+ -+ /* Step 1: Register & unregister notifier. -+ Helper thread should receive NOTIFY_REMOVED notification. -+ In a vulnerable version of glibc, NULL pointer dereference follows. */ -+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); -+ TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0); -+ -+ /* Step 2: Once again, register notification. -+ Try to send one message. -+ Test is considered successful, if the callback does exit (0). */ -+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0); -+ TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0); -+ -+ /* Wait... */ -+ pause (); -+} -+ -+static int -+do_test (void) -+{ -+ static const char m_name[] = "/bz28213_queue"; -+ struct mq_attr m_attr; -+ -+ memset (&m_attr, '\0', sizeof (m_attr)); -+ m_attr.mq_maxmsg = 1; -+ m_attr.mq_msgsize = sizeof (msg); -+ -+ m = mq_open (m_name, -+ O_RDWR | O_CREAT | O_EXCL, -+ 0600, -+ &m_attr); -+ -+ if (m < 0) -+ { -+ if (errno == ENOSYS) -+ FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n"); -+ FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n"); -+ } -+ -+ TEST_VERIFY_EXIT (mq_unlink (m_name) == 0); -+ -+ check_bz28213 (); -+ -+ return 0; -+} -+ -+#include <support/test-driver.c> diff --git a/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch b/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch deleted file mode 100644 index 3cb60b2e55..0000000000 --- a/meta/recipes-core/glibc/glibc/0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch +++ /dev/null @@ -1,116 +0,0 @@ -From b1971f6f1331d738d1d6b376b4741668a7546125 Mon Sep 17 00:00:00 2001 -From: "H.J. Lu" <hjl.to...@gmail.com> -Date: Tue, 2 Feb 2021 13:45:58 -0800 -Subject: [PATCH] x86: Require full ISA support for x86-64 level marker [BZ #27318] - -Since -march=sandybridge enables ISAs in x86-64 ISA level v3, the v3 -marker is set on libc.so. We couldn't set the needed ISA marker to v2 -since this libc won't run on all v2 machines. Technically, the v3 marker -is correct. But the resulting libc.so won't run on Sandy Brigde, which -is a v2 machine, even when libc is compiled with -march=sandybridge: - -$ ./elf/ld.so ./libc.so -./libc.so: (p) CPU ISA level is lower than required: needed: 7; got: 3 - -Instead, we require full ISA support for x86-64 level marker and disable -x86-64 level marker for -march=sandybridge which enables ISAs between v2 -and v3. - -Upstream-Status: Submitted [https://sourceware.org/pipermail/libc-alpha/2021-February/122297.html] -Signed-off-by: Khem Raj <raj.k...@gmail.com> ---- - - sysdeps/x86/configure | 7 ++++++- - sysdeps/x86/configure.ac | 2 +- - sysdeps/x86/isa-level.c | 21 ++++++++++++++++++++- - 3 files changed, 27 insertions(+), 3 deletions(-) - -diff --git a/sysdeps/x86/configure b/sysdeps/x86/configure -index 5e32dc62b3..5b20646843 100644 ---- a/sysdeps/x86/configure -+++ b/sysdeps/x86/configure -@@ -133,7 +133,12 @@ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest c - $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 - test $ac_status = 0; }; }; then - count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l` -- if test "$count" = 1; then -+ if test "$count" = 1 && { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -DINCLUDE_X86_ISA_LEVEL -S -o conftest.s $srcdir/sysdeps/x86/isa-level.c' -+ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 -+ (eval $ac_try) 2>&5 -+ ac_status=$? -+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 -+ test $ac_status = 0; }; }; then - libc_cv_include_x86_isa_level=yes - fi - fi -diff --git a/sysdeps/x86/configure.ac b/sysdeps/x86/configure.ac -index f94088f377..54ecd33d2c 100644 ---- a/sysdeps/x86/configure.ac -+++ b/sysdeps/x86/configure.ac -@@ -100,7 +100,7 @@ EOF - libc_cv_include_x86_isa_level=no - if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S); then - count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l` -- if test "$count" = 1; then -+ if test "$count" = 1 && AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -DINCLUDE_X86_ISA_LEVEL -S -o conftest.s $srcdir/sysdeps/x86/isa-level.c); then - libc_cv_include_x86_isa_level=yes - fi - fi -diff --git a/sysdeps/x86/isa-level.c b/sysdeps/x86/isa-level.c -index aaf524cb56..7f83449061 100644 ---- a/sysdeps/x86/isa-level.c -+++ b/sysdeps/x86/isa-level.c -@@ -25,12 +25,17 @@ - License along with the GNU C Library; if not, see - <https://www.gnu.org/licenses/>. */ - --#include <elf.h> -+#ifdef _LIBC -+# include <elf.h> -+#endif - - /* ELF program property for x86 ISA level. */ - #ifdef INCLUDE_X86_ISA_LEVEL - # if defined __x86_64__ || defined __FXSR__ || !defined _SOFT_FLOAT \ - || defined __MMX__ || defined __SSE__ || defined __SSE2__ -+# if !defined __SSE__ || !defined __SSE2__ -+# error "Missing ISAs for x86-64 ISA level baseline" -+# endif - # define ISA_BASELINE GNU_PROPERTY_X86_ISA_1_BASELINE - # else - # define ISA_BASELINE 0 -@@ -40,6 +45,11 @@ - || (defined __x86_64__ && defined __LAHF_SAHF__) \ - || defined __POPCNT__ || defined __SSE3__ \ - || defined __SSSE3__ || defined __SSE4_1__ || defined __SSE4_2__ -+# if !defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \ -+ || !defined __POPCNT__ || !defined __SSE3__ \ -+ || !defined __SSSE3__ || !defined __SSE4_1__ || !defined __SSE4_2__ -+# error "Missing ISAs for x86-64 ISA level v2" -+# endif - # define ISA_V2 GNU_PROPERTY_X86_ISA_1_V2 - # else - # define ISA_V2 0 -@@ -48,6 +58,10 @@ - # if defined __AVX__ || defined __AVX2__ || defined __F16C__ \ - || defined __FMA__ || defined __LZCNT__ || defined __MOVBE__ \ - || defined __XSAVE__ -+# if !defined __AVX__ || !defined __AVX2__ || !defined __F16C__ \ -+ || !defined __FMA__ || !defined __LZCNT__ -+# error "Missing ISAs for x86-64 ISA level v3" -+# endif - # define ISA_V3 GNU_PROPERTY_X86_ISA_1_V3 - # else - # define ISA_V3 0 -@@ -55,6 +69,11 @@ - - # if defined __AVX512F__ || defined __AVX512BW__ || defined __AVX512CD__ \ - || defined __AVX512DQ__ || defined __AVX512VL__ -+# if !defined __AVX512F__ || !defined __AVX512BW__ \ -+ || !defined __AVX512CD__ || !defined __AVX512DQ__ \ -+ || !defined __AVX512VL__ -+# error "Missing ISAs for x86-64 ISA level v4" -+# endif - # define ISA_V4 GNU_PROPERTY_X86_ISA_1_V4 - # else - # define ISA_V4 0 diff --git a/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch b/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch deleted file mode 100644 index e904b28a05..0000000000 --- a/meta/recipes-core/glibc/glibc/0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch +++ /dev/null @@ -1,58 +0,0 @@ -From 044e603b698093cf48f6e6229e0b66acf05227e4 Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fwei...@redhat.com> -Date: Fri, 19 Feb 2021 13:29:00 +0100 -Subject: [PATCH] string: Work around GCC PR 98512 in rawmemchr - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=044e603b698093cf48f6e6229e0b66acf05227e4] -Signed-off-by: Khem Raj <raj.k...@gmail.com> ---- - string/rawmemchr.c | 26 +++++++++++++++----------- - 1 file changed, 15 insertions(+), 11 deletions(-) - -diff --git a/string/rawmemchr.c b/string/rawmemchr.c -index 59bbeeaa42..b8523118e5 100644 ---- a/string/rawmemchr.c -+++ b/string/rawmemchr.c -@@ -22,24 +22,28 @@ - # define RAWMEMCHR __rawmemchr - #endif - --/* Find the first occurrence of C in S. */ --void * --RAWMEMCHR (const void *s, int c) --{ -- DIAG_PUSH_NEEDS_COMMENT; -+/* The pragmata should be nested inside RAWMEMCHR below, but that -+ triggers GCC PR 98512. */ -+DIAG_PUSH_NEEDS_COMMENT; - #if __GNUC_PREREQ (7, 0) -- /* GCC 8 warns about the size passed to memchr being larger than -- PTRDIFF_MAX; the use of SIZE_MAX is deliberate here. */ -- DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow="); -+/* GCC 8 warns about the size passed to memchr being larger than -+ PTRDIFF_MAX; the use of SIZE_MAX is deliberate here. */ -+DIAG_IGNORE_NEEDS_COMMENT (8, "-Wstringop-overflow="); - #endif - #if __GNUC_PREREQ (11, 0) -- /* Likewise GCC 11, with a different warning option. */ -- DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread"); -+/* Likewise GCC 11, with a different warning option. */ -+DIAG_IGNORE_NEEDS_COMMENT (11, "-Wstringop-overread"); - #endif -+ -+/* Find the first occurrence of C in S. */ -+void * -+RAWMEMCHR (const void *s, int c) -+{ - if (c != '\0') - return memchr (s, c, (size_t)-1); -- DIAG_POP_NEEDS_COMMENT; - return (char *)s + strlen (s); - } - libc_hidden_def (__rawmemchr) - weak_alias (__rawmemchr, rawmemchr) -+ -+DIAG_POP_NEEDS_COMMENT; --- -2.30.1 - diff --git a/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch b/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch deleted file mode 100644 index 3a004e227f..0000000000 --- a/meta/recipes-core/glibc/glibc/0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch +++ /dev/null @@ -1,185 +0,0 @@ -From 750b00a1ddae220403fd892a6fd4e0791ffd154a Mon Sep 17 00:00:00 2001 -From: "H.J. Lu" <hjl.to...@gmail.com> -Date: Fri, 18 Sep 2020 07:55:14 -0700 -Subject: [PATCH] x86: Handle _SC_LEVEL1_ICACHE_LINESIZE [BZ #27444] - - x86: Move x86 processor cache info to cpu_features - -missed _SC_LEVEL1_ICACHE_LINESIZE. - -1. Add level1_icache_linesize to struct cpu_features. -2. Initialize level1_icache_linesize by calling handle_intel, -handle_zhaoxin and handle_amd with _SC_LEVEL1_ICACHE_LINESIZE. -3. Return level1_icache_linesize for _SC_LEVEL1_ICACHE_LINESIZE. - -Upstream-Status: Backport [https://sourceware.org/bugzilla/show_bug.cgi?id=27444] -Signed-off-by: Andrei Gherzan <andrei.gher...@huawei.com> ---- - sysdeps/x86/Makefile | 8 +++ - sysdeps/x86/cacheinfo.c | 3 + - sysdeps/x86/dl-cacheinfo.h | 6 ++ - sysdeps/x86/include/cpu-features.h | 2 + - .../x86/tst-sysconf-cache-linesize-static.c | 1 + - sysdeps/x86/tst-sysconf-cache-linesize.c | 57 +++++++++++++++++++ - 6 files changed, 77 insertions(+) - create mode 100644 sysdeps/x86/tst-sysconf-cache-linesize-static.c - create mode 100644 sysdeps/x86/tst-sysconf-cache-linesize.c - -diff --git a/sysdeps/x86/Makefile b/sysdeps/x86/Makefile -index dd82674342..d231263051 100644 ---- a/sysdeps/x86/Makefile -+++ b/sysdeps/x86/Makefile -@@ -208,3 +208,11 @@ $(objpfx)check-cet.out: $(..)sysdeps/x86/check-cet.awk \ - generated += check-cet.out - endif - endif -+ -+ifeq ($(subdir),posix) -+tests += \ -+ tst-sysconf-cache-linesize \ -+ tst-sysconf-cache-linesize-static -+tests-static += \ -+ tst-sysconf-cache-linesize-static -+endif -diff --git a/sysdeps/x86/cacheinfo.c b/sysdeps/x86/cacheinfo.c -index 7b8df45e3b..5ea4723ca6 100644 ---- a/sysdeps/x86/cacheinfo.c -+++ b/sysdeps/x86/cacheinfo.c -@@ -32,6 +32,9 @@ __cache_sysconf (int name) - case _SC_LEVEL1_ICACHE_SIZE: - return cpu_features->level1_icache_size; - -+ case _SC_LEVEL1_ICACHE_LINESIZE: -+ return cpu_features->level1_icache_linesize; -+ - case _SC_LEVEL1_DCACHE_SIZE: - return cpu_features->level1_dcache_size; - -diff --git a/sysdeps/x86/dl-cacheinfo.h b/sysdeps/x86/dl-cacheinfo.h -index a31fa0783a..7cd00b92f1 100644 ---- a/sysdeps/x86/dl-cacheinfo.h -+++ b/sysdeps/x86/dl-cacheinfo.h -@@ -707,6 +707,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features) - long int core; - unsigned int threads = 0; - unsigned long int level1_icache_size = -1; -+ unsigned long int level1_icache_linesize = -1; - unsigned long int level1_dcache_size = -1; - unsigned long int level1_dcache_assoc = -1; - unsigned long int level1_dcache_linesize = -1; -@@ -726,6 +727,8 @@ dl_init_cacheinfo (struct cpu_features *cpu_features) - - level1_icache_size - = handle_intel (_SC_LEVEL1_ICACHE_SIZE, cpu_features); -+ level1_icache_linesize -+ = handle_intel (_SC_LEVEL1_ICACHE_LINESIZE, cpu_features); - level1_dcache_size = data; - level1_dcache_assoc - = handle_intel (_SC_LEVEL1_DCACHE_ASSOC, cpu_features); -@@ -753,6 +756,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features) - shared = handle_zhaoxin (_SC_LEVEL3_CACHE_SIZE); - - level1_icache_size = handle_zhaoxin (_SC_LEVEL1_ICACHE_SIZE); -+ level1_icache_linesize = handle_zhaoxin (_SC_LEVEL1_ICACHE_LINESIZE); - level1_dcache_size = data; - level1_dcache_assoc = handle_zhaoxin (_SC_LEVEL1_DCACHE_ASSOC); - level1_dcache_linesize = handle_zhaoxin (_SC_LEVEL1_DCACHE_LINESIZE); -@@ -772,6 +776,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features) - shared = handle_amd (_SC_LEVEL3_CACHE_SIZE); - - level1_icache_size = handle_amd (_SC_LEVEL1_ICACHE_SIZE); -+ level1_icache_linesize = handle_amd (_SC_LEVEL1_ICACHE_LINESIZE); - level1_dcache_size = data; - level1_dcache_assoc = handle_amd (_SC_LEVEL1_DCACHE_ASSOC); - level1_dcache_linesize = handle_amd (_SC_LEVEL1_DCACHE_LINESIZE); -@@ -833,6 +838,7 @@ dl_init_cacheinfo (struct cpu_features *cpu_features) - } - - cpu_features->level1_icache_size = level1_icache_size; -+ cpu_features->level1_icache_linesize = level1_icache_linesize; - cpu_features->level1_dcache_size = level1_dcache_size; - cpu_features->level1_dcache_assoc = level1_dcache_assoc; - cpu_features->level1_dcache_linesize = level1_dcache_linesize; -diff --git a/sysdeps/x86/include/cpu-features.h b/sysdeps/x86/include/cpu-features.h -index 624736b40e..39a3f4f311 100644 ---- a/sysdeps/x86/include/cpu-features.h -+++ b/sysdeps/x86/include/cpu-features.h -@@ -874,6 +874,8 @@ struct cpu_features - unsigned long int rep_stosb_threshold; - /* _SC_LEVEL1_ICACHE_SIZE. */ - unsigned long int level1_icache_size; -+ /* _SC_LEVEL1_ICACHE_LINESIZE. */ -+ unsigned long int level1_icache_linesize; - /* _SC_LEVEL1_DCACHE_SIZE. */ - unsigned long int level1_dcache_size; - /* _SC_LEVEL1_DCACHE_ASSOC. */ -diff --git a/sysdeps/x86/tst-sysconf-cache-linesize-static.c b/sysdeps/x86/tst-sysconf-cache-linesize-static.c -new file mode 100644 -index 0000000000..152ae68821 ---- /dev/null -+++ b/sysdeps/x86/tst-sysconf-cache-linesize-static.c -@@ -0,0 +1 @@ -+#include "tst-sysconf-cache-linesize.c" -diff --git a/sysdeps/x86/tst-sysconf-cache-linesize.c b/sysdeps/x86/tst-sysconf-cache-linesize.c -new file mode 100644 -index 0000000000..642dbde5d2 ---- /dev/null -+++ b/sysdeps/x86/tst-sysconf-cache-linesize.c -@@ -0,0 +1,57 @@ -+/* Test system cache line sizes. -+ Copyright (C) 2021 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ <https://www.gnu.org/licenses/>. */ -+ -+#include <stdio.h> -+#include <stdlib.h> -+#include <unistd.h> -+#include <array_length.h> -+ -+static struct -+{ -+ const char *name; -+ int _SC_val; -+} sc_options[] = -+ { -+#define N(name) { "_SC_"#name, _SC_##name } -+ N (LEVEL1_ICACHE_LINESIZE), -+ N (LEVEL1_DCACHE_LINESIZE), -+ N (LEVEL2_CACHE_LINESIZE) -+ }; -+ -+static int -+do_test (void) -+{ -+ int result = EXIT_SUCCESS; -+ -+ for (int i = 0; i < array_length (sc_options); ++i) -+ { -+ long int scret = sysconf (sc_options[i]._SC_val); -+ if (scret < 0) -+ { -+ printf ("sysconf (%s) returned < 0 (%ld)\n", -+ sc_options[i].name, scret); -+ result = EXIT_FAILURE; -+ } -+ else -+ printf ("sysconf (%s): %ld\n", sc_options[i].name, scret); -+ } -+ -+ return result; -+} -+ -+#include <support/test-driver.c> diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch new file mode 100644 index 0000000000..2f08a90dd0 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2021-27318-revert.patch @@ -0,0 +1,174 @@ +Since the full ISA set used in an ELF binary is unknown to compiler, +an x86-64 ISA level marker indicates the minimum, not maximum, ISA set +required to run such an ELF binary. We never guarantee a library with +an x86-64 ISA level v3 marker doesn't contain other ISAs beyond x86-64 +ISA level v3, like AVX VNNI. We check the x86-64 ISA level marker for +the minimum ISA set. Since -march=sandybridge enables only some ISAs +in x86-64 ISA level v3, we should set the needed ISA marker to v2. +Otherwise, libc is compiled with -march=sandybridge will fail to run on +Sandy Bridge: + +$ ./elf/ld.so ./libc.so +./libc.so: (p) CPU ISA level is lower than required: needed: 7; got: 3 + +Set the minimum, instead of maximum, x86-64 ISA level marker should have +no impact on the b-hwcaps directory assignment logic in ldconfig nor +ld.so. + +(cherry picked from commit 339bf918ea4830fb35614632e96f3aab3237adce) +--- + config.h.in | 6 ++++++ + sysdeps/x86/configure | 28 ++++++++++++++++++++++++++++ + sysdeps/x86/configure.ac | 16 ++++++++++++++++ + sysdeps/x86/isa-level.c | 25 ++++++++++++++----------- + 4 files changed, 64 insertions(+), 11 deletions(-) + +diff --git a/config.h.in b/config.h.in +--- a/config.h.in 2021-10-16 03:28:49.447573081 -0700 ++++ b/config.h.in 2021-10-16 03:29:38.626741181 -0700 +@@ -275,4 +275,10 @@ + /* Define if x86 ISA level should be included in shared libraries. */ + #undef INCLUDE_X86_ISA_LEVEL + ++/* Define if -msahf is enabled by default on x86. */ ++#undef HAVE_X86_LAHF_SAHF ++ ++/* Define if -mmovbe is enabled by default on x86. */ ++#undef HAVE_X86_MOVBE ++ + #endif +diff --git a/sysdeps/x86/configure b/sysdeps/x86/configure +--- a/sysdeps/x86/configure 2021-10-16 03:28:49.587570713 -0700 ++++ b/sysdeps/x86/configure 2021-10-16 03:29:39.330729277 -0700 +@@ -126,6 +126,8 @@ cat > conftest2.S <<EOF + 4: + EOF + libc_cv_include_x86_isa_level=no ++libc_cv_have_x86_lahf_sahf=no ++libc_cv_have_x86_movbe=no + if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S' + { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 + (eval $ac_try) 2>&5 +@@ -135,6 +137,24 @@ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS + count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l` + if test "$count" = 1; then + libc_cv_include_x86_isa_level=yes ++ cat > conftest.c <<EOF ++EOF ++ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c' ++ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; } | grep -q "\-msahf"; then ++ libc_cv_have_x86_lahf_sahf=yes ++ fi ++ if { ac_try='${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c' ++ { { eval echo "\"\$as_me\":${as_lineno-$LINENO}: \"$ac_try\""; } >&5 ++ (eval $ac_try) 2>&5 ++ ac_status=$? ++ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5 ++ test $ac_status = 0; }; } | grep -q "\-mmovbe"; then ++ libc_cv_have_x86_movbe=yes ++ fi + fi + fi + rm -f conftest* +@@ -145,5 +165,13 @@ if test $libc_cv_include_x86_isa_level = + $as_echo "#define INCLUDE_X86_ISA_LEVEL 1" >>confdefs.h + + fi ++if test $libc_cv_have_x86_lahf_sahf = yes; then ++ $as_echo "#define HAVE_X86_LAHF_SAHF 1" >>confdefs.h ++ ++fi ++if test $libc_cv_have_x86_movbe = yes; then ++ $as_echo "#define HAVE_X86_MOVBE 1" >>confdefs.h ++ ++fi + config_vars="$config_vars + enable-x86-isa-level = $libc_cv_include_x86_isa_level" +diff --git a/sysdeps/x86/configure.ac b/sysdeps/x86/configure.ac +--- a/sysdeps/x86/configure.ac 2021-10-16 03:28:49.587570713 -0700 ++++ b/sysdeps/x86/configure.ac 2021-10-16 03:29:40.038717306 -0700 +@@ -98,14 +98,30 @@ cat > conftest2.S <<EOF + 4: + EOF + libc_cv_include_x86_isa_level=no ++libc_cv_have_x86_lahf_sahf=no ++libc_cv_have_x86_movbe=no + if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -nostartfiles -nostdlib -r -o conftest conftest1.S conftest2.S); then + count=`LC_ALL=C $READELF -n conftest | grep NT_GNU_PROPERTY_TYPE_0 | wc -l` + if test "$count" = 1; then + libc_cv_include_x86_isa_level=yes ++ cat > conftest.c <<EOF ++EOF ++ if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c) | grep -q "\-msahf"; then ++ libc_cv_have_x86_lahf_sahf=yes ++ fi ++ if AC_TRY_COMMAND(${CC-cc} $CFLAGS $CPPFLAGS -fverbose-asm -S -o - conftest.c) | grep -q "\-mmovbe"; then ++ libc_cv_have_x86_movbe=yes ++ fi + fi + fi + rm -f conftest*]) + if test $libc_cv_include_x86_isa_level = yes; then + AC_DEFINE(INCLUDE_X86_ISA_LEVEL) + fi ++if test $libc_cv_have_x86_lahf_sahf = yes; then ++ AC_DEFINE(HAVE_X86_LAHF_SAHF) ++fi ++if test $libc_cv_have_x86_movbe = yes; then ++ AC_DEFINE(HAVE_X86_MOVBE) ++fi + LIBC_CONFIG_VAR([enable-x86-isa-level], [$libc_cv_include_x86_isa_level]) +diff --git a/sysdeps/x86/isa-level.c b/sysdeps/x86/isa-level.c +--- a/sysdeps/x86/isa-level.c 2021-10-16 03:28:49.587570713 -0700 ++++ b/sysdeps/x86/isa-level.c 2021-10-16 03:29:40.766704997 -0700 +@@ -29,32 +29,35 @@ + + /* ELF program property for x86 ISA level. */ + #ifdef INCLUDE_X86_ISA_LEVEL +-# if defined __x86_64__ || defined __FXSR__ || !defined _SOFT_FLOAT \ +- || defined __MMX__ || defined __SSE__ || defined __SSE2__ ++# if defined __SSE__ && defined __SSE2__ ++/* NB: ISAs, excluding MMX, in x86-64 ISA level baseline are used. */ + # define ISA_BASELINE GNU_PROPERTY_X86_ISA_1_BASELINE + # else + # define ISA_BASELINE 0 + # endif + +-# if defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \ +- || (defined __x86_64__ && defined __LAHF_SAHF__) \ +- || defined __POPCNT__ || defined __SSE3__ \ +- || defined __SSSE3__ || defined __SSE4_1__ || defined __SSE4_2__ ++# if ISA_BASELINE && defined __GCC_HAVE_SYNC_COMPARE_AND_SWAP_16 \ ++ && defined HAVE_X86_LAHF_SAHF && defined __POPCNT__ \ ++ && defined __SSE3__ && defined __SSSE3__ && defined __SSE4_1__ \ ++ && defined __SSE4_2__ ++/* NB: ISAs in x86-64 ISA level v2 are used. */ + # define ISA_V2 GNU_PROPERTY_X86_ISA_1_V2 + # else + # define ISA_V2 0 + # endif + +-# if defined __AVX__ || defined __AVX2__ || defined __F16C__ \ +- || defined __FMA__ || defined __LZCNT__ || defined __MOVBE__ \ +- || defined __XSAVE__ ++# if ISA_V2 && defined __AVX__ && defined __AVX2__ && defined __F16C__ \ ++ && defined __FMA__ && defined __LZCNT__ && defined HAVE_X86_MOVBE ++/* NB: ISAs in x86-64 ISA level v3 are used. */ + # define ISA_V3 GNU_PROPERTY_X86_ISA_1_V3 + # else + # define ISA_V3 0 + # endif + +-# if defined __AVX512F__ || defined __AVX512BW__ || defined __AVX512CD__ \ +- || defined __AVX512DQ__ || defined __AVX512VL__ ++# if ISA_V3 && defined __AVX512F__ && defined __AVX512BW__ \ ++ && defined __AVX512CD__ && defined __AVX512DQ__ \ ++ && defined __AVX512VL__ ++/* NB: ISAs in x86-64 ISA level v4 are used. */ + # define ISA_V4 GNU_PROPERTY_X86_ISA_1_V4 + # else + # define ISA_V4 0 diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch b/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch deleted file mode 100644 index 26c5c0d2a9..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2021-27645.patch +++ /dev/null @@ -1,51 +0,0 @@ -From dca565886b5e8bd7966e15f0ca42ee5cff686673 Mon Sep 17 00:00:00 2001 -From: DJ Delorie <d...@redhat.com> -Date: Thu, 25 Feb 2021 16:08:21 -0500 -Subject: [PATCH] nscd: Fix double free in netgroupcache [BZ #27462] - -In commit 745664bd798ec8fd50438605948eea594179fba1 a use-after-free -was fixed, but this led to an occasional double-free. This patch -tracks the "live" allocation better. - -Tested manually by a third party. - -Related: RHBZ 1927877 - -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> -Reviewed-by: Carlos O'Donell <car...@redhat.com> - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=dca565886b5e8bd7966e15f0ca42ee5cff686673] - -CVE: CVE-2021-27645 - -Reviewed-by: Carlos O'Donell <car...@redhat.com> -Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamalud...@intel.com> ---- - nscd/netgroupcache.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c -index dba6ceec1b..ad2daddafd 100644 ---- a/nscd/netgroupcache.c -+++ b/nscd/netgroupcache.c -@@ -248,7 +248,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - : NULL); - ndomain = (ndomain ? newbuf + ndomaindiff - : NULL); -- buffer = newbuf; -+ *tofreep = buffer = newbuf; - } - - nhost = memcpy (buffer + bufused, -@@ -319,7 +319,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) - { - buflen *= 2; -- buffer = xrealloc (buffer, buflen); -+ *tofreep = buffer = xrealloc (buffer, buflen); - } - else if (status == NSS_STATUS_RETURN - || status == NSS_STATUS_NOTFOUND --- -2.27.0 - diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch deleted file mode 100644 index 21f07ac303..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2021-33574_1.patch +++ /dev/null @@ -1,76 +0,0 @@ -From 709674ec86c3c6da4f0995897f6b0205c16d049d Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <sch...@linux-m68k.org> -Date: Thu, 27 May 2021 12:49:47 +0200 -Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) - -Make a deep copy of the pthread attribute object to remove a potential -use-after-free issue. - -Upstream-Status: Backport -[https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb] - -CVE: -CVE-2021-33574 - -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> -Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamalud...@intel.com> ---- - NEWS | 4 ++++ - sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- - 2 files changed, 14 insertions(+), 5 deletions(-) - -diff --git a/NEWS b/NEWS -index 71f5d20324..017d656433 100644 ---- a/NEWS -+++ b/NEWS -@@ -118,6 +118,10 @@ Security related changes: - CVE-2019-25013: A buffer overflow has been fixed in the iconv function when - invoked with EUC-KR input containing invalid multibyte input sequences. - -+ CVE-2021-33574: The mq_notify function has a potential use-after-free -+ issue when using a notification type of SIGEV_THREAD and a thread -+ attribute with a non-default affinity mask. -+ - The following bugs are resolved with this release: - - [10635] libc: realpath portability patches -diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c -index cc575a0cdd..f7ddfe5a6c 100644 ---- a/sysdeps/unix/sysv/linux/mq_notify.c -+++ b/sysdeps/unix/sysv/linux/mq_notify.c -@@ -133,8 +133,11 @@ helper_thread (void *arg) - (void) __pthread_barrier_wait (¬ify_barrier); - } - else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) -- /* The only state we keep is the copy of the thread attributes. */ -- free (data.attr); -+ { -+ /* The only state we keep is the copy of the thread attributes. */ -+ pthread_attr_destroy (data.attr); -+ free (data.attr); -+ } - } - return NULL; - } -@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) - if (data.attr == NULL) - return -1; - -- memcpy (data.attr, notification->sigev_notify_attributes, -- sizeof (pthread_attr_t)); -+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); - } - - /* Construct the new request. */ -@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) - - /* If it failed, free the allocated memory. */ - if (__glibc_unlikely (retval != 0)) -- free (data.attr); -+ { -+ pthread_attr_destroy (data.attr); -+ free (data.attr); -+ } - - return retval; - } diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch b/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch deleted file mode 100644 index befccd7ac7..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2021-33574_2.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 217b6dc298156bdb0d6aea9ea93e7e394a5ff091 Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fwei...@redhat.com> -Date: Tue, 1 Jun 2021 17:51:41 +0200 -Subject: [PATCH] Fix use of __pthread_attr_copy in mq_notify (bug 27896) - -__pthread_attr_copy can fail and does not initialize the attribute -structure in that case. - -If __pthread_attr_copy is never called and there is no allocated -attribute, pthread_attr_destroy should not be called, otherwise -there is a null pointer dereference in rt/tst-mqueue6. - -Fixes commit 42d359350510506b87101cf77202fefcbfc790cb -("Use __pthread_attr_copy in mq_notify (bug 27896)"). - -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> - -Upstream-Status: Backport -[https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091] - -CVE: -CVE-2021-33574 - -Reviewed-by: Siddhesh Poyarekar <siddh...@sourceware.org> -Signed-off-by: Khairul Rohaizzat Jamaluddin <khairul.rohaizzat.jamalud...@intel.com> ---- - sysdeps/unix/sysv/linux/mq_notify.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c -index f7ddfe5a6c..6f46d29d1d 100644 ---- a/sysdeps/unix/sysv/linux/mq_notify.c -+++ b/sysdeps/unix/sysv/linux/mq_notify.c -@@ -258,7 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) - if (data.attr == NULL) - return -1; - -- __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); -+ int ret = __pthread_attr_copy (data.attr, -+ notification->sigev_notify_attributes); -+ if (ret != 0) -+ { -+ free (data.attr); -+ __set_errno (ret); -+ return -1; -+ } - } - - /* Construct the new request. */ -@@ -271,7 +278,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) - int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); - - /* If it failed, free the allocated memory. */ -- if (__glibc_unlikely (retval != 0)) -+ if (retval != 0 && data.attr != NULL) - { - pthread_attr_destroy (data.attr); - free (data.attr); --- -2.27.0 - diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch b/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch deleted file mode 100644 index 5cae1bc91c..0000000000 --- a/meta/recipes-core/glibc/glibc/CVE-2021-35942.patch +++ /dev/null @@ -1,44 +0,0 @@ -From 5adda61f62b77384718b4c0d8336ade8f2b4b35c Mon Sep 17 00:00:00 2001 -From: Andreas Schwab <sch...@linux-m68k.org> -Date: Fri, 25 Jun 2021 15:02:47 +0200 -Subject: [PATCH] wordexp: handle overflow in positional parameter number (bug - 28011) - -Use strtoul instead of atoi so that overflow can be detected. - -Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=5adda61f62b77384718b4c0d8336ade8f2b4b35c] -CVE: CVE-2021-35942 -Signed-off-by: Vinay Kumar <vinay.m.e...@gmail.com> ---- - posix/wordexp-test.c | 1 + - posix/wordexp.c | 2 +- - 2 files changed, 2 insertions(+), 1 deletion(-) - -diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c -index f93a546d7e..9df02dbbb3 100644 ---- a/posix/wordexp-test.c -+++ b/posix/wordexp-test.c -@@ -183,6 +183,7 @@ struct test_case_struct - { 0, NULL, "$var", 0, 0, { NULL, }, IFS }, - { 0, NULL, "\"\\n\"", 0, 1, { "\\n", }, IFS }, - { 0, NULL, "", 0, 0, { NULL, }, IFS }, -+ { 0, NULL, "${1234567890123456789012}", 0, 0, { NULL, }, IFS }, - - /* Flags not already covered (testit() has special handling for these) */ - { 0, NULL, "one two", WRDE_DOOFFS, 2, { "one", "two", }, IFS }, -diff --git a/posix/wordexp.c b/posix/wordexp.c -index bcbe96e48d..1f3b09f721 100644 ---- a/posix/wordexp.c -+++ b/posix/wordexp.c -@@ -1399,7 +1399,7 @@ envsubst: - /* Is it a numeric parameter? */ - else if (isdigit (env[0])) - { -- int n = atoi (env); -+ unsigned long n = strtoul (env, NULL, 10); - - if (n >= __libc_argc) - /* Substitute NULL. */ --- -2.17.1 - diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-core/glibc/glibc_2.33.bb index 57a60cb9d8..ad5e2b8eb1 100644 --- a/meta/recipes-core/glibc/glibc_2.33.bb +++ b/meta/recipes-core/glibc/glibc_2.33.bb @@ -56,16 +56,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \ file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \ file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \ - file://0031-x86-Require-full-ISA-support-for-x86-64-level-marker.patch \ - file://0032-string-Work-around-GCC-PR-98512-in-rawmemchr.patch \ - file://0033-x86-Handle-_SC_LEVEL1_ICACHE_LINESIZE-BZ-27444.patch \ - file://CVE-2021-27645.patch \ - file://0001-nptl-Remove-private-futex-optimization-BZ-27304.patch \ - file://CVE-2021-33574_1.patch \ - file://CVE-2021-33574_2.patch \ - file://CVE-2021-35942.patch \ - file://0001-CVE-2021-38604.patch \ - file://0002-CVE-2021-38604.patch \ " S = "${WORKDIR}/git" B = "${WORKDIR}/build-${TARGET_SYS}" -- 2.31.1
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#157024): https://lists.openembedded.org/g/openembedded-core/message/157024 Mute This Topic: https://lists.openembedded.org/mt/86384691/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
