Hi Anuj, Thanks for your comments. There were 4 CVE fixes to GLIBC which were ported to the Hardknott branch.
However, these patches have been ported and present in glibc-2.33 latest versions. Hence, glibc-2.33 is upgraded to the latest version which includes these CVE and other fixes as:- https://lists.openembedded.org/g/openembedded-core/message/161106 Regression test was performed on fresh and latest sources. Results are better with the latest glibc-2.33 sources. Hardknott glibc-2.33 sources Summary of test results: 183 FAIL 3777 PASS 20 UNSUPPORTED 16 XFAIL 2 XPASS Latest glibc-2.33 Summary of test results: 164 FAIL 3801 PASS 20 UNSUPPORTED 16 XFAIL 2 XPASS Thanks, Pgowda On Tue, Jan 25, 2022 at 8:14 PM Mittal, Anuj <anuj.mit...@intel.com> wrote: > > Can you please rebase all the glibc CVE patches for hardknott on top > of: > > https://git.yoctoproject.org/poky-contrib/log/?h=anujm/hardknott > > and re-send the ones that are needed? > > Thanks, > > Anuj > > On Tue, 2022-01-25 at 03:26 -0800, pgowda wrote: > > Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=fb7bff12e81c677a6 > > 622f724edd4d4987dd9d971] > > Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=ee8d5e33adb284601 > > c00c94687bc907e10aec9bb] > > Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=84d2d0fe20bdf94fe > > ed82b21b4d7d136db471f03] > > > > Signed-off-by: pgowda <pgowda....@gmail.com> > > --- > > .../glibc/glibc/0001-CVE-2021-3998.patch | 282 > > ++++++++++++++++++ > > .../glibc/glibc/0002-CVE-2021-3998.patch | 138 +++++++++ > > .../glibc/glibc/0003-CVE-2021-3998.patch | 35 +++ > > meta/recipes-core/glibc/glibc_2.33.bb | 3 + > > 4 files changed, 458 insertions(+) > > create mode 100644 meta/recipes-core/glibc/glibc/0001-CVE-2021- > > 3998.patch > > create mode 100644 meta/recipes-core/glibc/glibc/0002-CVE-2021- > > 3998.patch > > create mode 100644 meta/recipes-core/glibc/glibc/0003-CVE-2021- > > 3998.patch > > > > diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-3998.patch > > b/meta/recipes-core/glibc/glibc/0001-CVE-2021-3998.patch > > new file mode 100644 > > index 0000000000..32aa0eb348 > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2021-3998.patch > > @@ -0,0 +1,282 @@ > > +From fb7bff12e81c677a6622f724edd4d4987dd9d971 Mon Sep 17 00:00:00 > > 2001 > > +From: Siddhesh Poyarekar <siddh...@sourceware.org> > > +Date: Tue, 18 Jan 2022 13:29:36 +0530 > > +Subject: [PATCH] support: Add helpers to create paths longer than > > PATH_MAX > > + > > +Add new helpers support_create_and_chdir_toolong_temp_directory and > > +support_chdir_toolong_temp_directory to create and descend into > > +directory trees longer than PATH_MAX. > > + > > +Reviewed-by: Adhemerval Zanella <adhemerval.zane...@linaro.org> > > +Signed-off-by: Siddhesh Poyarekar <siddh...@sourceware.org> > > + > > +Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=fb7bff12e81c677a6 > > 622f724edd4d4987dd9d971] > > +CVE: CVE-2021-3998 > > + > > +Signed-off-by: Pgowda <pgowda....@gmail.com> > > +--- > > + support/temp_file.c | 159 > > +++++++++++++++++++++++++++++++++++++++++--- > > + support/temp_file.h | 9 +++ > > + 2 files changed, 159 insertions(+), 9 deletions(-) > > + > > +diff --git a/support/temp_file.c b/support/temp_file.c > > +index e7bb8aadb9..e41128c2d4 100644 > > +--- a/support/temp_file.c > > ++++ b/support/temp_file.c > > +@@ -1,5 +1,6 @@ > > + /* Temporary file handling for tests. > > + Copyright (C) 1998-2021 Free Software Foundation, Inc. > > ++ Copyright The GNU Tools Authors. > > + This file is part of the GNU C Library. > > + > > + The GNU C Library is free software; you can redistribute it > > and/or > > +@@ -20,15 +21,17 @@ > > + some 32-bit platforms. */ > > + #define _FILE_OFFSET_BITS 64 > > + > > ++#include <support/check.h> > > + #include <support/temp_file.h> > > + #include <support/temp_file-internal.h> > > + #include <support/support.h> > > + > > ++#include <errno.h> > > + #include <paths.h> > > + #include <stdio.h> > > + #include <stdlib.h> > > + #include <string.h> > > +-#include <unistd.h> > > ++#include <xunistd.h> > > + > > + /* List of temporary files. */ > > + static struct temp_name_list > > +@@ -36,14 +39,20 @@ static struct temp_name_list > > + struct temp_name_list *next; > > + char *name; > > + pid_t owner; > > ++ bool toolong; > > + } *temp_name_list; > > + > > + /* Location of the temporary files. Set by the test skeleton via > > + support_set_test_dir. The string is not be freed. */ > > + static const char *test_dir = _PATH_TMP; > > + > > +-void > > +-add_temp_file (const char *name) > > ++/* Name of subdirectories in a too long temporary directory tree. > > */ > > ++static char toolong_subdir[NAME_MAX + 1]; > > ++static bool toolong_initialized; > > ++static size_t toolong_path_max; > > ++ > > ++static void > > ++add_temp_file_internal (const char *name, bool toolong) > > + { > > + struct temp_name_list *newp > > + = (struct temp_name_list *) xcalloc (sizeof (*newp), 1); > > +@@ -53,12 +62,19 @@ add_temp_file (const char *name) > > + newp->name = newname; > > + newp->next = temp_name_list; > > + newp->owner = getpid (); > > ++ newp->toolong = toolong; > > + temp_name_list = newp; > > + } > > + else > > + free (newp); > > + } > > + > > ++void > > ++add_temp_file (const char *name) > > ++{ > > ++ add_temp_file_internal (name, false); > > ++} > > ++ > > + int > > + create_temp_file_in_dir (const char *base, const char *dir, char > > **filename) > > + { > > +@@ -90,8 +106,8 @@ create_temp_file (const char *base, char > > + return create_temp_file_in_dir (base, test_dir, filename); > > + } > > + > > +-char * > > +-support_create_temp_directory (const char *base) > > ++static char * > > ++create_temp_directory_internal (const char *base, bool toolong) > > + { > > + char *path = xasprintf ("%s/%sXXXXXX", test_dir, base); > > + if (mkdtemp (path) == NULL) > > +@@ -99,16 +115,132 @@ support_create_temp_directory (const cha > > + printf ("error: mkdtemp (\"%s\"): %m", path); > > + exit (1); > > + } > > +- add_temp_file (path); > > ++ add_temp_file_internal (path, toolong); > > + return path; > > + } > > + > > +-/* Helper functions called by the test skeleton follow. */ > > ++char * > > ++support_create_temp_directory (const char *base) > > ++{ > > ++ return create_temp_directory_internal (base, false); > > ++} > > ++ > > ++static void > > ++ensure_toolong_initialized (void) > > ++{ > > ++ if (!toolong_initialized) > > ++ FAIL_EXIT1 ("uninitialized toolong directory tree\n"); > > ++} > > ++ > > ++static void > > ++initialize_toolong (const char *base) > > ++{ > > ++ long name_max = pathconf (base, _PC_NAME_MAX); > > ++ name_max = (name_max < 0 ? 64 > > ++ : (name_max < sizeof (toolong_subdir) ? name_max > > ++ : sizeof (toolong_subdir) - 1)); > > ++ > > ++ long path_max = pathconf (base, _PC_PATH_MAX); > > ++ path_max = (path_max < 0 ? 1024 > > ++ : path_max <= PTRDIFF_MAX ? path_max : PTRDIFF_MAX); > > ++ > > ++ /* Sanity check to ensure that the test does not create temporary > > directories > > ++ in different filesystems because this API doesn't support it. > > */ > > ++ if (toolong_initialized) > > ++ { > > ++ if (name_max != strlen (toolong_subdir)) > > ++ FAIL_UNSUPPORTED ("name_max: Temporary directories in > > different" > > ++ " filesystems not supported yet\n"); > > ++ if (path_max != toolong_path_max) > > ++ FAIL_UNSUPPORTED ("path_max: Temporary directories in > > different" > > ++ " filesystems not supported yet\n"); > > ++ return; > > ++ } > > ++ > > ++ toolong_path_max = path_max; > > ++ > > ++ size_t len = name_max; > > ++ memset (toolong_subdir, 'X', len); > > ++ toolong_initialized = true; > > ++} > > ++ > > ++char * > > ++support_create_and_chdir_toolong_temp_directory (const char > > *basename) > > ++{ > > ++ char *base = create_temp_directory_internal (basename, true); > > ++ xchdir (base); > > ++ > > ++ initialize_toolong (base); > > ++ > > ++ size_t sz = strlen (toolong_subdir); > > ++ > > ++ /* Create directories and descend into them so that the final > > path is larger > > ++ than PATH_MAX. */ > > ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) > > ++ { > > ++ int ret = mkdir (toolong_subdir, S_IRWXU); > > ++ if (ret != 0 && errno == ENAMETOOLONG) > > ++ FAIL_UNSUPPORTED ("Filesystem does not support creating too > > long " > > ++ "directory trees\n"); > > ++ else if (ret != 0) > > ++ FAIL_EXIT1 ("Failed to create directory tree: %m\n"); > > ++ xchdir (toolong_subdir); > > ++ } > > ++ return base; > > ++} > > + > > + void > > +-support_set_test_dir (const char *path) > > ++support_chdir_toolong_temp_directory (const char *base) > > + { > > +- test_dir = path; > > ++ ensure_toolong_initialized (); > > ++ > > ++ xchdir (base); > > ++ > > ++ size_t sz = strlen (toolong_subdir); > > ++ for (size_t i = 0; i <= toolong_path_max / sz; i++) > > ++ xchdir (toolong_subdir); > > ++} > > ++ > > ++/* Helper functions called by the test skeleton follow. */ > > ++ > > ++static void > > ++remove_toolong_subdirs (const char *base) > > ++{ > > ++ ensure_toolong_initialized (); > > ++ > > ++ if (chdir (base) != 0) > > ++ { > > ++ printf ("warning: toolong cleanup base failed: chdir > > (\"%s\"): %m\n", > > ++ base); > > ++ return; > > ++ } > > ++ > > ++ /* Descend. */ > > ++ int levels = 0; > > ++ size_t sz = strlen (toolong_subdir); > > ++ for (levels = 0; levels <= toolong_path_max / sz; levels++) > > ++ if (chdir (toolong_subdir) != 0) > > ++ { > > ++ printf ("warning: toolong cleanup failed: chdir (\"%s\"): > > %m\n", > > ++ toolong_subdir); > > ++ break; > > ++ } > > ++ > > ++ /* Ascend and remove. */ > > ++ while (--levels >= 0) > > ++ { > > ++ if (chdir ("..") != 0) > > ++ { > > ++ printf ("warning: toolong cleanup failed: chdir (\"..\"): > > %m\n"); > > ++ return; > > ++ } > > ++ if (remove (toolong_subdir) != 0) > > ++ { > > ++ printf ("warning: could not remove subdirectory: %s: %m\n", > > ++ toolong_subdir); > > ++ return; > > ++ } > > ++ } > > + } > > + > > + void > > +@@ -123,6 +255,9 @@ support_delete_temp_files (void) > > + around, to prevent PID reuse.) */ > > + if (temp_name_list->owner == pid) > > + { > > ++ if (temp_name_list->toolong) > > ++ remove_toolong_subdirs (temp_name_list->name); > > ++ > > + if (remove (temp_name_list->name) != 0) > > + printf ("warning: could not remove temporary file: %s: > > %m\n", > > + temp_name_list->name); > > +@@ -147,3 +282,9 @@ support_print_temp_files (FILE *f) > > + fprintf (f, ")\n"); > > + } > > + } > > ++ > > ++void > > ++support_set_test_dir (const char *path) > > ++{ > > ++ test_dir = path; > > ++} > > +diff --git a/support/temp_file.h b/support/temp_file.h > > +index 50a443abe4..8459ddda72 100644 > > +--- a/support/temp_file.h > > ++++ b/support/temp_file.h > > +@@ -44,6 +44,15 @@ int create_temp_file_in_dir (const char > > + returns. The caller should free this string. */ > > + char *support_create_temp_directory (const char *base); > > + > > ++/* Create a temporary directory tree that is longer than PATH_MAX > > and schedule > > ++ it for deletion. BASENAME is used as a prefix for the unique > > directory > > ++ name, which the function returns. The caller should free this > > string. */ > > ++char *support_create_and_chdir_toolong_temp_directory (const char > > *basename); > > ++ > > ++/* Change into the innermost directory of the directory tree BASE, > > which was > > ++ created using support_create_and_chdir_toolong_temp_directory. > > */ > > ++void support_chdir_toolong_temp_directory (const char *base); > > ++ > > + __END_DECLS > > + > > + #endif /* SUPPORT_TEMP_FILE_H */ > > diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch > > b/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch > > new file mode 100644 > > index 0000000000..7be3c79faf > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/0002-CVE-2021-3998.patch > > @@ -0,0 +1,138 @@ > > +From ee8d5e33adb284601c00c94687bc907e10aec9bb Mon Sep 17 00:00:00 > > 2001 > > +From: Siddhesh Poyarekar <siddh...@sourceware.org> > > +Date: Thu, 13 Jan 2022 11:28:36 +0530 > > +Subject: [PATCH] realpath: Set errno to ENAMETOOLONG for result > > larger than > > + PATH_MAX [BZ #28770] > > + > > +realpath returns an allocated string when the result exceeds > > PATH_MAX, > > +which is unexpected when its second argument is not NULL. This > > results > > +in the second argument (resolved) being uninitialized and also > > results > > +in a memory leak since the caller expects resolved to be the same as > > the > > +returned value. > > + > > +Return NULL and set errno to ENAMETOOLONG if the result exceeds > > +PATH_MAX. This fixes [BZ #28770], which is CVE-2021-3998. > > + > > +Reviewed-by: Adhemerval Zanella <adhemerval.zane...@linaro.org> > > +Signed-off-by: Siddhesh Poyarekar <siddh...@sourceware.org> > > +(cherry picked from commit ee8d5e33adb284601c00c94687bc907e10aec9bb) > > + > > +Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=ee8d5e33adb284601 > > c00c94687bc907e10aec9bb] > > +CVE: CVE-2021-3998 > > + > > +Signed-off-by: Pgowda <pgowda....@gmail.com> > > +--- > > + NEWS | 4 +++ > > + stdlib/Makefile | 1 + > > + stdlib/canonicalize.c | 12 +++++++-- > > + stdlib/tst-realpath-toolong.c | 49 > > +++++++++++++++++++++++++++++++++++ > > + 4 files changed, 64 insertions(+), 2 deletions(-) > > + create mode 100644 stdlib/tst-realpath-toolong.c > > + > > +diff --git a/NEWS b/NEWS > > +index 7e773bd005..b4f81c2668 100644 > > +--- a/NEWS > > ++++ b/NEWS > > +@@ -148,6 +148,10 @@ Security related changes: > > + CVE-2019-25013: A buffer overflow has been fixed in the iconv > > function when > > + invoked with EUC-KR input containing invalid multibyte input > > sequences. > > + > > ++ CVE-2021-3998: Passing a path longer than PATH_MAX to the > > realpath > > ++ function could result in a memory leak and potential access of > > ++ uninitialized memory. Reported by Qualys. > > ++ > > + The following bugs are resolved with this release: > > + > > + [10635] libc: realpath portability patches > > +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c > > +index 698f9ede25..7a23a51b3a 100644 > > +--- a/stdlib/canonicalize.c > > ++++ b/stdlib/canonicalize.c > > +@@ -400,8 +400,16 @@ realpath_stk (const char *name, char *re > > + > > + error: > > + *dest++ = '\0'; > > +- if (resolved != NULL && dest - rname <= get_path_max ()) > > +- rname = strcpy (resolved, rname); > > ++ if (resolved != NULL) > > ++ { > > ++ if (dest - rname <= get_path_max ()) > > ++ rname = strcpy (resolved, rname); > > ++ else > > ++ { > > ++ failed = true; > > ++ __set_errno (ENAMETOOLONG); > > ++ } > > ++ } > > + > > + error_nomem: > > + scratch_buffer_free (&extra_buffer); > > +diff --git a/stdlib/Makefile b/stdlib/Makefile > > +index 9bb5c221e8..a4ac30d1f6 100644 > > +--- a/stdlib/Makefile > > ++++ b/stdlib/Makefile > > +@@ -86,7 +86,8 @@ tests := tst-strtol tst-strtod > > testmb t > > + tst-makecontext-align test-bz22786 tst-strtod-nan- > > sign \ > > + tst-swapcontext1 tst-setcontext4 tst-setcontext5 \ > > + tst-setcontext6 tst-setcontext7 tst-setcontext8 \ > > +- tst-setcontext9 tst-bz20544 tst-canon-bz26341 > > ++ tst-setcontext9 tst-bz20544 tst-canon-bz26341 \ > > ++ tst-realpath-toolong > > + > > + tests-internal := tst-strtod1i tst-strtod3 tst-strtod4 tst- > > strtod5i \ > > + tst-tls-atexit tst-tls-atexit-nodelete > > +diff --git a/stdlib/tst-realpath-toolong.c b/stdlib/tst-realpath- > > toolong.c > > +new file mode 100644 > > +index 0000000000..8bed772460 > > +--- /dev/null > > ++++ b/stdlib/tst-realpath-toolong.c > > +@@ -0,0 +1,49 @@ > > ++/* Verify that realpath returns NULL with ENAMETOOLONG if the > > result exceeds > > ++ NAME_MAX. > > ++ Copyright The GNU Toolchain Authors. > > ++ This file is part of the GNU C Library. > > ++ > > ++ The GNU C Library is free software; you can redistribute it > > and/or > > ++ modify it under the terms of the GNU Lesser General Public > > ++ License as published by the Free Software Foundation; either > > ++ version 2.1 of the License, or (at your option) any later > > version. > > ++ > > ++ The GNU C Library is distributed in the hope that it will be > > useful, > > ++ but WITHOUT ANY WARRANTY; without even the implied warranty of > > ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > > GNU > > ++ Lesser General Public License for more details. > > ++ > > ++ You should have received a copy of the GNU Lesser General Public > > ++ License along with the GNU C Library; if not, see > > ++ <https://www.gnu.org/licenses/>. */ > > ++ > > ++#include <errno.h> > > ++#include <limits.h> > > ++#include <stdlib.h> > > ++#include <string.h> > > ++#include <unistd.h> > > ++#include <support/check.h> > > ++#include <support/temp_file.h> > > ++#include <sys/types.h> > > ++#include <sys/stat.h> > > ++ > > ++#define BASENAME "tst-realpath-toolong." > > ++ > > ++int > > ++do_test (void) > > ++{ > > ++ char *base = support_create_and_chdir_toolong_temp_directory > > (BASENAME); > > ++ > > ++ char buf[PATH_MAX + 1]; > > ++ const char *res = realpath (".", buf); > > ++ > > ++ /* canonicalize.c states that if the real path is >= PATH_MAX, > > then > > ++ realpath returns NULL and sets ENAMETOOLONG. */ > > ++ TEST_VERIFY (res == NULL); > > ++ TEST_VERIFY (errno == ENAMETOOLONG); > > ++ > > ++ free (base); > > ++ return 0; > > ++} > > ++ > > ++#include <support/test-driver.c> > > diff --git a/meta/recipes-core/glibc/glibc/0003-CVE-2021-3998.patch > > b/meta/recipes-core/glibc/glibc/0003-CVE-2021-3998.patch > > new file mode 100644 > > index 0000000000..4e0423d0d3 > > --- /dev/null > > +++ b/meta/recipes-core/glibc/glibc/0003-CVE-2021-3998.patch > > @@ -0,0 +1,35 @@ > > +From 84d2d0fe20bdf94feed82b21b4d7d136db471f03 Mon Sep 17 00:00:00 > > 2001 > > +From: Siddhesh Poyarekar <siddh...@sourceware.org> > > +Date: Mon, 24 Jan 2022 21:36:41 +0530 > > +Subject: [PATCH] realpath: Avoid overwriting preexisting error (CVE- > > 2021-3998) > > + > > +Set errno and failure for paths that are too long only if no other > > error > > +occurred earlier. > > + > > +Related: BZ #28770 > > + > > +Reviewed-by: Andreas Schwab <sch...@linux-m68k.org> > > +Signed-off-by: Siddhesh Poyarekar <siddh...@sourceware.org> > > +Upstream-Status: Backport > > [https://sourceware.org/git/?p=glibc.git;a=commit;h=84d2d0fe20bdf94fe > > ed82b21b4d7d136db471f03] > > +CVE: CVE-2021-3998 > > + > > +Signed-off-by: Pgowda <pgowda....@gmail.com> > > +--- > > + stdlib/canonicalize.c | 2 +- > > + 1 file changed, 1 insertion(+), 1 deletion(-) > > + > > +diff --git a/stdlib/canonicalize.c b/stdlib/canonicalize.c > > +index 732dc7ea46..6caed9e70e 100644 > > +--- a/stdlib/canonicalize.c > > ++++ b/stdlib/canonicalize.c > > +@@ -404,7 +404,7 @@ error: > > + { > > + if (dest - rname <= get_path_max ()) > > + rname = strcpy (resolved, rname); > > +- else > > ++ else if (!failed) > > + { > > + failed = true; > > + __set_errno (ENAMETOOLONG); > > +-- > > +2.27.0 > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes- > > core/glibc/glibc_2.33.bb > > index b7736359b1..55ca4ce2d3 100644 > > --- a/meta/recipes-core/glibc/glibc_2.33.bb > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb > > @@ -57,6 +57,9 @@ SRC_URI = > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ > > > > file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch > > \ > > > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \ > > file://0031-CVE-2021-43396.patch \ > > + file://0001-CVE-2021-3998.patch \ > > + file://0002-CVE-2021-3998.patch \ > > + file://0003-CVE-2021-3998.patch \ > > " > > S = "${WORKDIR}/git" > > B = "${WORKDIR}/build-${TARGET_SYS}" >
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#161107): https://lists.openembedded.org/g/openembedded-core/message/161107 Mute This Topic: https://lists.openembedded.org/mt/88669429/21656 Group Owner: openembedded-core+ow...@lists.openembedded.org Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
