From 0a6899cbaa887e720b35d4f1e162d024f20dec5f Mon Sep 17 00:00:00 2001
From: shixuantong
Date: Thu, 8 Dec 2022 19:17:32 +0800
Subject: [PATCH] sync patches from upstream community
(cherry picked from commit 728e1f1f679b5177ba8e35972e119cea66aa1694)
---
 ...-stdlib-thousand-grouping-parsing-BZ.patch | 62 ++++++++++++
 ...etely-clear-reused-namespace-in-dlmo.patch | 98 +++++++++++++++++++
 ...ove-allocate-use-on-_dl_debug_printf.patch | 90 +++++++++++++++++
 ....h-Add-the-Malloc-return-value-check.patch | 32 ++++++
 glibc.spec | 12 ++-
 5 files changed, 293 insertions(+), 1 deletion(-)
 create mode 100644 backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
 create mode 100644 backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
 create mode 100644 backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
 create mode 100644 backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
diff --git a/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch b/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
new file mode 100644
index 0000000..f8f5c49
--- /dev/null
+++ b/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
@@ -0,0 +1,62 @@
+From 17bfe5954baee1f18672aea94caa1126ec36fb81 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy
+Date: Tue, 11 Oct 2022 15:24:41 +0100
+Subject: [PATCH] Fix OOB read in stdlib thousand grouping parsing [BZ
+#29727]
+
+__correctly_grouped_prefixmb only worked with thousands_len == 1,
+otherwise it read past the end of cp or thousands.
+
+This affects scanf formats like %'d, %'f and the internal but
+exposed __strto{l,ul,f,d,..}_internal with grouping flag set
+and an LC_NUMERIC locale where thousands_len > 1.
+
+Avoid OOB access by considering thousands_len when initializing cp.
+This fixes bug 29727.
+
+Found by the morello port with strict bounds checking where
+
+FAIL: stdlib/tst-strtod4
+FAIL: stdlib/tst-strtod5i
+
+crashed using a locale with thousands_len==3.
+---
+ stdlib/grouping.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/stdlib/grouping.c b/stdlib/grouping.c
+index d558d930..e2f31b2a 100644
+--- a/stdlib/grouping.c
++++ b/stdlib/grouping.c
+@@ -53,21 +53,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
+ #endif
+ const char *grouping)
+ {
+-#ifndef USE_WIDE_CHAR
+- size_t thousands_len;
+- int cnt;
+-#endif
+-
+ if (grouping == NULL)
+ return end;
+
+-#ifndef USE_WIDE_CHAR
+- thousands_len = strlen (thousands);
++#ifdef USE_WIDE_CHAR
++ size_t thousands_len = 1;
++#else
++ size_t thousands_len = strlen (thousands);
++ int cnt;
+ #endif
+
+- while (end > begin)
++ while (end - begin >= thousands_len)
+ {
+- const STRING_TYPE *cp = end - 1;
++ const STRING_TYPE *cp = end - thousands_len;
+ const char *gp = grouping;
+
+ /* Check first group. */
+-- 
+2.33.0
+
diff --git a/backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch b/backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
new file mode 100644
index 0000000..ac2e783
--- /dev/null
+++ b/backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
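Review bot: The rewritten loop condition `while (end - begin >= thousands_len)` compares a ptrdiff_t with a size_t, so the difference is converted to unsigned; that is harmless while end >= begin, but if a caller can ever pass end < begin the old `end > begin` guard skipped the loop whereas the new one runs it with cp placed below begin. A thousands_len of 0 (an empty separator string seen by strlen) would likewise make the condition always true with cp == end, so either the callers must guarantee a non-empty thousands string or the function should bail out first, e.g. `if (thousands_len == 0) return end;` ahead of the loop. The body of __correctly_grouped_prefixmb continues outside the hunk, so I cannot see whether a later check already covers either case.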
@@ -0,0 +1,98 @@
+From 2c42257314536b94cc8d52edede86e94e98c1436 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Fri, 14 Oct 2022 11:02:25 +0200
+Subject: [PATCH] elf: Do not completely clear reused namespace in
+dlmopen (bug
+ 29600)
+
+The data in the _ns_debug member must be preserved, otherwise
+_dl_debug_initialize enters an infinite loop. To be conservative,
+only clear the libc_map member for now, to fix bug 29528.
+
+Fixes commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe
+("elf: Call __libc_early_init for reused namespaces (bug 29528)"),
+by reverting most of it.
+
+Reviewed-by: Carlos O'Donell
+Tested-by: Carlos O'Donell
+---
+ elf/dl-open.c | 14 ++++++--------
+ elf/tst-dlmopen-twice.c | 28 ++++++++++++++++++++++++----
+ 2 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index 9d7b764b..0820c34b 100644
+--- a/elf/dl-open.c
++++ b/elf/dl-open.c
+@@ -857,15 +857,13 @@ _dl_open (const char *file, int mode, const void *caller_dlopen, Lmid_t nsid,
+ _dl_signal_error (EINVAL, file, NULL, N_("\
+ no more namespaces available for dlmopen()"));
+ }
++ else if (nsid == GL(dl_nns))
++ {
++ __rtld_lock_initialize (GL(dl_ns)[nsid]._ns_unique_sym_table.lock);
++ ++GL(dl_nns);
++ }
+
+- if (nsid == GL(dl_nns))
+- ++GL(dl_nns);
+-
+- /* Initialize the new namespace. Most members are
+- zero-initialized, only the lock needs special treatment. */
+- memset (&GL(dl_ns)[nsid], 0, sizeof (GL(dl_ns)[nsid]));
+- __rtld_lock_initialize (GL(dl_ns)[nsid]._ns_unique_sym_table.lock);
+-
++ GL(dl_ns)[nsid].libc_map = NULL;
+ _dl_debug_initialize (0, nsid)->r_state = RT_CONSISTENT;
+ }
+ /* Never allow loading a DSO in a namespace which is empty. Such
+diff --git a/elf/tst-dlmopen-twice.c b/elf/tst-dlmopen-twice.c
+index 449f3c8f..70c71fe1 100644
+--- a/elf/tst-dlmopen-twice.c
++++ b/elf/tst-dlmopen-twice.c
+@@ -16,18 +16,38 @@
+ License along with the GNU C Library; if not, see
+ . */
+
+-#include
++#include
+ #include
++#include
+
+-static int
+-do_test (void)
++/* Run the test multiple times, to check finding a new namespace while
++ another namespace is already in use. This used to trigger bug 29600. */
++static void
++recurse (int depth)
+ {
+- void *handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod1.so", RTLD_NOW);
++ if (depth == 0)
++ return;
++
++ printf ("info: running at depth %d\n", depth);
++ void *handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod1.so",
++ RTLD_NOW);
+ xdlclose (handle);
+ handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod2.so", RTLD_NOW);
+ int (*run_check) (void) = xdlsym (handle, "run_check");
+ TEST_COMPARE (run_check (), 0);
++ recurse (depth - 1);
+ xdlclose (handle);
++}
++
++static int
++do_test (void)
++{
++ /* First run the test without nesting. */
++ recurse (1);
++
++ /* Then with nesting. The constant needs to be less than the
++ internal DL_NNS namespace constant. */
++ recurse (10);
+ return 0;
+ }
+
+-- 
+2.33.0
+
diff --git a/backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch b/backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
new file mode 100644
index 0000000..28d68a6
--- /dev/null
+++ b/backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
@@ -0,0 +1,90 @@
+From 40c112ed0d7d0577d2f84851c1f7b8157b3bd2f5 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Mon, 31 Oct 2022 15:46:38 -0300
+Subject: [PATCH] elf: Remove allocate use on _dl_debug_printf
+
+The maximum number of directives is already limited by the maximum
+value of iovec, and current padding usage on _dl_map_object_from_fd
+specifies a value of 16 (2 times sizeof (void *)) in hexa, which is
+less than the INT_STRLEN_BOUND(void *) (20 for LP64).
+
+This works if pointers are larger than 8 bytes, for instance 16.
+In this case the maximum padding would be 32 and the IFMTSIZE would
+be 40.
+
+The resulting code does use a slightly larger static stack, the
+output of -fstack-usage (for x86_64):
+
+ * master:
+ dl-printf.c:35:1:_dl_debug_vdprintf 1344 dynamic
+
+ * patch:
+ dl-printf.c:36:1:_dl_debug_vdprintf 2416 static
+
+However, there is an improvement in code generation:
+
+ * master
+ text data bss dec hex filename
+ 330900 3309 ced elf/dl-printf.os
+
+ * patch
+text data bss dec hex filename
+315100 3151 c4f elf/dl-printf.os
+
+Checked on x86_64-linux-gnu.
+
+Reviewed-by: Szabolcs Nagy
+---
+ elf/dl-misc.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/elf/dl-misc.c b/elf/dl-misc.c
+index a11d11d5..4a33737c 100644
+--- a/elf/dl-misc.c
++++ b/elf/dl-misc.c
+@@ -34,6 +34,7 @@
+ #include <_itoa.h>
+ #include
+ #include
++#include
+
+ /* Read the whole contents of FILE into new mmap'd space with given
+ protections. *SIZEP gets the size of the file. On error MAP_FAILED
+@@ -79,6 +80,9 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ {
+ # define NIOVMAX 64
+ struct iovec iov[NIOVMAX];
++ /* Maximum size for 'd', 'u', and 'x' including padding. */
++ enum { IFMTSIZE = INT_STRLEN_BOUND(void *) };
++ char ifmtbuf[NIOVMAX][IFMTSIZE];
+ int niov = 0;
+ pid_t pid = 0;
+ char pidbuf[12];
+@@ -143,6 +147,8 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ if (*fmt == '*')
+ {
+ width = va_arg (arg, int);
++ /* The maximum padding accepted is up to pointer size. */
++ assert (width < IFMTSIZE);
+ ++fmt;
+ }
+
+@@ -203,14 +209,7 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ #endif
+ }
+
+- /* We use alloca() to allocate the buffer with the most
+- pessimistic guess for the size. Using alloca() allows
+- having more than one integer formatting in a call. */
+- int size = 1 + 3 * sizeof (unsigned long int);
+- if (width + 1 > size)
+- size = width + 1;
+- char *buf = (char *) alloca (size);
+- char *endp = &buf[size];
++ char *endp = &ifmtbuf[niov][IFMTSIZE];
+ char *cp = _itoa (num, endp, *fmt == 'x' ? 16 : 10, 0);
+
+ /* Pad to the width the user specified. */
+-- 
+2.33.0
+
diff --git a/backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch b/backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
new file mode 100644
index 0000000..3a8d862
--- /dev/null
+++ b/backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
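Review bot: `char *endp = &ifmtbuf[niov][IFMTSIZE];` in the last hunk indexes the new per-directive buffer by niov, so it is only in bounds while niov < NIOVMAX; the hunk shows iov sized by the same constant but not the check that keeps niov below it, and that check lies outside the hunk if it exists. Worth confirming a `niov < NIOVMAX` guard precedes this use, or adding `assert (niov < NIOVMAX);` beside the new width assertion so the buffer and the iovec array are bounded by the same visible check. The `assert (width < IFMTSIZE)` only rejects over-wide padding requests; the new comment could say that width is an upper bound on the padded field rather than extra space on top of the digits, which is what makes IFMTSIZE sufficient. _dl_debug_vdprintf starts and ends outside the hunks.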
@@ -0,0 +1,32 @@
+From d1d0162e50afe7fa1e2fc4a901eb411db48acd7b Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni
+Date: Fri, 4 Nov 2022 17:30:00 +0800
+Subject: [PATCH] elf/tlsdeschtab.h: Add the Malloc return value check in
+ _dl_make_tlsdesc_dynamic()
+
+Check the return value of malloc based on the function header comment of
+ _dl_make_tlsdesc_dynamic(). If the return value fails, NULL is
+returned.
+
+Signed-off-by: Xiaoming Ni
+Reviewed-by: Szabolcs Nagy
+---
+ elf/tlsdeschtab.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/elf/tlsdeschtab.h b/elf/tlsdeschtab.h
+index 85bd0415..2de61737 100644
+--- a/elf/tlsdeschtab.h
++++ b/elf/tlsdeschtab.h
+@@ -111,6 +111,8 @@ _dl_make_tlsdesc_dynamic (struct link_map *map, size_t ti_offset)
+ }
+
+ *entry = td = malloc (sizeof (struct tlsdesc_dynamic_arg));
++ if (! td)
++ return 0;
+ /* This may be higher than the map's generation, but it doesn't
+ matter much. Worst case, we'll have one extra DTV update per
+ thread. */
+-- 
+2.33.0
+
diff --git a/glibc.spec b/glibc.spec
index 6a27841..27458f4 100644
--- a/glibc.spec
+++ b/glibc.spec
@@ -66,7 +66,7 @@
 ##############################################################################
 Name: glibc
 Version: 2.34
-Release: 101
+Release: 102
 Summary: The GNU libc libraries
 License: %{all_license}
 URL: http://www.gnu.org/software/glibc/
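Review bot: The new `if (! td) return 0;` leaves the hash slot at `*entry` holding NULL after the failed malloc, which is presumably how the table marks an empty slot, but if htab_find_slot already counted that slot as occupied when it handed out the insert position, the element count stays one too high on this path; worth confirming against the slot-lookup helper, which is outside the hunk. The early return only helps if every caller of _dl_make_tlsdesc_dynamic checks for NULL before storing the result as a descriptor argument, and this hunk cannot show that. Since the function returns a pointer, `return NULL;` would also read better than `return 0;` and match the commit message's wording. _dl_make_tlsdesc_dynamic starts before and ends after the hunk.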
@@ -239,6 +239,10 @@ Patch151: elf-Call-__libc_early_init-for-reused-namespaces-bug.patch
 Patch152: dlfcn-Pass-caller-pointer-to-static-dlopen-implement.patch
 Patch153: elf-Fix-hwcaps-string-size-overestimation.patch
 Patch154: backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
+Patch155: backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
+Patch156: backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
+Patch157: backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
+Patch158: backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
 
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch
@@ -1420,6 +1424,12 @@ fi
 %endif
 %changelog
+* Thu Dec 08 2022 shixuantong - 2.34-102
+- elf: Do not completely clear reused namespace in dlmopen (bug 29600)
+- elf: Remove allocate use on _dl_debug_printf
+- elf/tlsdeschtab.h: Add the Malloc return value check in _dl_make_tlsdesc_dynamic()
+- Fix OOB read in stdlib thousand grouping parsing [BZ#29727]
+
 * Tue Nov 29 2022 Lv Ying - 2.34-101
 - elf: Fix alloca size in _dl_debug_vdprintf