sync patches from upstream community

(cherry picked from commit 728e1f1f679b5177ba8e35972e119cea66aa1694)
2022-12-08 19:17:32 +08:00 · 2022-12-08 19:17:32 +08:00 · 0a6899cbaa
commit 0a6899cbaa
parent bb2e626fd4
5 changed files with 293 additions and 1 deletions
--- a/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
+++ b/backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
@ -0,0 +1,62 @@
+From 17bfe5954baee1f18672aea94caa1126ec36fb81 Mon Sep 17 00:00:00 2001
+From: Szabolcs Nagy <szabolcs.nagy@arm.com>
+Date: Tue, 11 Oct 2022 15:24:41 +0100
+Subject: [PATCH] Fix OOB read in stdlib thousand grouping parsing [BZ
+#29727]
+
+__correctly_grouped_prefixmb only worked with thousands_len == 1,
+otherwise it read past the end of cp or thousands.
+
+This affects scanf formats like %'d, %'f and the internal but
+exposed __strto{l,ul,f,d,..}_internal with grouping flag set
+and an LC_NUMERIC locale where thousands_len > 1.
+
+Avoid OOB access by considering thousands_len when initializing cp.
+This fixes bug 29727.
+
+Found by the morello port with strict bounds checking where
+
+FAIL: stdlib/tst-strtod4
+FAIL: stdlib/tst-strtod5i
+
+crashed using a locale with thousands_len==3.
+---
+ stdlib/grouping.c | 16 +++++++---------
+ 1 file changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/stdlib/grouping.c b/stdlib/grouping.c
+index d558d930..e2f31b2a 100644
+--- a/stdlib/grouping.c
+++ b/stdlib/grouping.c
+@@ -53,21 +53,19 @@ __correctly_grouped_prefixmb (const STRING_TYPE *begin, const STRING_TYPE *end,
+ #endif
+ 			      const char *grouping)
+ {
+-#ifndef USE_WIDE_CHAR
+-  size_t thousands_len;
+-  int cnt;
+-#endif
+-
+   if (grouping == NULL)
+     return end;
+ 
+-#ifndef USE_WIDE_CHAR
+-  thousands_len = strlen (thousands);
+#ifdef USE_WIDE_CHAR
+  size_t thousands_len = 1;
+#else
+  size_t thousands_len = strlen (thousands);
+  int cnt;
+ #endif
+ 
+-  while (end > begin)
+  while (end - begin >= thousands_len)
+     {
+-      const STRING_TYPE *cp = end - 1;
+      const STRING_TYPE *cp = end - thousands_len;
+       const char *gp = grouping;
+ 
+       /* Check first group.  */
+-- 
+2.33.0
+
--- a/backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
+++ b/backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch
@ -0,0 +1,98 @@
+From 2c42257314536b94cc8d52edede86e94e98c1436 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Fri, 14 Oct 2022 11:02:25 +0200
+Subject: [PATCH] elf: Do not completely clear reused namespace in
+dlmopen (bug
+ 29600)
+
+The data in the _ns_debug member must be preserved, otherwise
+_dl_debug_initialize enters an infinite loop.  To be conservative,
+only clear the libc_map member for now, to fix bug 29528.
+
+Fixes commit d0e357ff45a75553dee3b17ed7d303bfa544f6fe
+("elf: Call __libc_early_init for reused namespaces (bug 29528)"),
+by reverting most of it.
+
+Reviewed-by: Carlos O'Donell <carlos@redhat.com>
+Tested-by: Carlos O'Donell <carlos@redhat.com>
+---
+ elf/dl-open.c           | 14 ++++++--------
+ elf/tst-dlmopen-twice.c | 28 ++++++++++++++++++++++++----
+ 2 files changed, 30 insertions(+), 12 deletions(-)
+
+diff --git a/elf/dl-open.c b/elf/dl-open.c
+index 9d7b764b..0820c34b 100644
+--- a/elf/dl-open.c
+++ b/elf/dl-open.c
+@@ -857,15 +857,13 @@ _dl_open (const char *file, int mode, const void *caller_dlopen, Lmid_t nsid,
+ 	  _dl_signal_error (EINVAL, file, NULL, N_("\
+ no more namespaces available for dlmopen()"));
+ 	}
+      else if (nsid == GL(dl_nns))
+       {
+         __rtld_lock_initialize (GL(dl_ns)[nsid]._ns_unique_sym_table.lock);
+         ++GL(dl_nns);
+       }
+ 
+-      if (nsid == GL(dl_nns))
+-	++GL(dl_nns);
+-
+-      /* Initialize the new namespace.  Most members are
+-	 zero-initialized, only the lock needs special treatment.  */
+-      memset (&GL(dl_ns)[nsid], 0, sizeof (GL(dl_ns)[nsid]));
+-      __rtld_lock_initialize (GL(dl_ns)[nsid]._ns_unique_sym_table.lock);
+-
+      GL(dl_ns)[nsid].libc_map = NULL;
+       _dl_debug_initialize (0, nsid)->r_state = RT_CONSISTENT;
+     }
+   /* Never allow loading a DSO in a namespace which is empty.  Such
+diff --git a/elf/tst-dlmopen-twice.c b/elf/tst-dlmopen-twice.c
+index 449f3c8f..70c71fe1 100644
+--- a/elf/tst-dlmopen-twice.c
+++ b/elf/tst-dlmopen-twice.c
+@@ -16,18 +16,38 @@
+    License along with the GNU C Library; if not, see
+    <https://www.gnu.org/licenses/>.  */
+ 
+-#include <support/xdlfcn.h>
+#include <stdio.h>
+ #include <support/check.h>
+#include <support/xdlfcn.h>
+ 
+-static int
+-do_test (void)
+/* Run the test multiple times, to check finding a new namespace while
+   another namespace is already in use.  This used to trigger bug 29600.  */
+static void
+recurse (int depth)
+ {
+-  void *handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod1.so", RTLD_NOW);
+  if (depth == 0)
+    return;
+
+  printf ("info: running at depth %d\n", depth);
+  void *handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod1.so",
+                           RTLD_NOW);
+   xdlclose (handle);
+   handle = xdlmopen (LM_ID_NEWLM, "tst-dlmopen-twice-mod2.so", RTLD_NOW);
+   int (*run_check) (void) = xdlsym (handle, "run_check");
+   TEST_COMPARE (run_check (), 0);
+  recurse (depth - 1);
+   xdlclose (handle);
+}
+
+static int
+do_test (void)
+{
+  /* First run the test without nesting.  */
+  recurse (1);
+
+  /* Then with nesting.  The constant needs to be less than the
+     internal DL_NNS namespace constant.  */
+  recurse (10);
+   return 0;
+ }
+ 
+-- 
+2.33.0
+
--- a/backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
+++ b/backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
@ -0,0 +1,90 @@
+From 40c112ed0d7d0577d2f84851c1f7b8157b3bd2f5 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Mon, 31 Oct 2022 15:46:38 -0300
+Subject: [PATCH] elf: Remove allocate use on _dl_debug_printf
+
+The maximum number of directives is already limited by the maximum
+value of iovec, and current padding usage on _dl_map_object_from_fd
+specifies a value of 16 (2 times sizeof (void *)) in hexa, which is
+less than the INT_STRLEN_BOUND(void *) (20 for LP64).
+
+This works if pointers are larger than 8 bytes, for instance 16.
+In this case the maximum padding would be 32 and the IFMTSIZE would
+be 40.
+
+The resulting code does use a slightly larger static stack, the
+output of -fstack-usage (for x86_64):
+
+ * master:
+   dl-printf.c:35:1:_dl_debug_vdprintf     1344    dynamic
+
+ * patch:
+   dl-printf.c:36:1:_dl_debug_vdprintf     2416    static
+
+However, there is an improvement in code generation:
+
+ * master
+   text    data     bss     dec     hex filename
+   330900    3309     ced elf/dl-printf.os
+
+ * patch
+text    data     bss     dec     hex filename
+315100    3151     c4f elf/dl-printf.os
+
+Checked on x86_64-linux-gnu.
+
+Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+---
+ elf/dl-misc.c | 15 +++++++--------
+ 1 file changed, 7 insertions(+), 8 deletions(-)
+
+diff --git a/elf/dl-misc.c b/elf/dl-misc.c
+index a11d11d5..4a33737c 100644
+--- a/elf/dl-misc.c
+++ b/elf/dl-misc.c
+@@ -34,6 +34,7 @@
+ #include <_itoa.h>
+ #include <dl-writev.h>
+ #include <not-cancel.h>
+#include <intprops.h>
+ 
+ /* Read the whole contents of FILE into new mmap'd space with given
+    protections.  *SIZEP gets the size of the file.  On error MAP_FAILED
+@@ -79,6 +80,9 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ {
+ # define NIOVMAX 64
+   struct iovec iov[NIOVMAX];
+  /* Maximum size for 'd', 'u', and 'x' including padding.  */
+  enum { IFMTSIZE = INT_STRLEN_BOUND(void *) };
+  char ifmtbuf[NIOVMAX][IFMTSIZE];
+   int niov = 0;
+   pid_t pid = 0;
+   char pidbuf[12];
+@@ -143,6 +147,8 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ 	  if (*fmt == '*')
+ 	    {
+ 	      width = va_arg (arg, int);
+	      /* The maximum padding accepted is up to pointer size.  */
+	      assert (width < IFMTSIZE);
+ 	      ++fmt;
+ 	    }
+ 
+@@ -203,14 +209,7 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
+ #endif
+ 		  }
+ 
+-		/* We use alloca() to allocate the buffer with the most
+-		   pessimistic guess for the size.  Using alloca() allows
+-		   having more than one integer formatting in a call.  */
+-		int size = 1 + 3 * sizeof (unsigned long int);
+-		if (width + 1 > size)
+-		  size = width + 1;
+-		char *buf = (char *) alloca (size);
+-		char *endp = &buf[size];
+		char *endp = &ifmtbuf[niov][IFMTSIZE];
+ 		char *cp = _itoa (num, endp, *fmt == 'x' ? 16 : 10, 0);
+ 
+ 		/* Pad to the width the user specified.  */
+-- 
+2.33.0
+
--- a/backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
+++ b/backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
@ -0,0 +1,32 @@
+From d1d0162e50afe7fa1e2fc4a901eb411db48acd7b Mon Sep 17 00:00:00 2001
+From: Xiaoming Ni <nixiaoming@huawei.com>
+Date: Fri, 4 Nov 2022 17:30:00 +0800
+Subject: [PATCH] elf/tlsdeschtab.h: Add the Malloc return value check in
+ _dl_make_tlsdesc_dynamic()
+
+Check the return value of malloc based on the function header comment of
+ _dl_make_tlsdesc_dynamic(). If the return value fails, NULL is
+returned.
+
+Signed-off-by: Xiaoming Ni <nixiaoming@huawei.com>
+Reviewed-by: Szabolcs Nagy <szabolcs.nagy@arm.com>
+---
+ elf/tlsdeschtab.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/elf/tlsdeschtab.h b/elf/tlsdeschtab.h
+index 85bd0415..2de61737 100644
+--- a/elf/tlsdeschtab.h
+++ b/elf/tlsdeschtab.h
+@@ -111,6 +111,8 @@ _dl_make_tlsdesc_dynamic (struct link_map *map, size_t ti_offset)
+     }
+ 
+   *entry = td = malloc (sizeof (struct tlsdesc_dynamic_arg));
+  if (! td)
+    return 0;
+   /* This may be higher than the map's generation, but it doesn't
+      matter much.  Worst case, we'll have one extra DTV update per
+      thread.  */
+-- 
+2.33.0
+
--- a/glibc.spec
+++ b/glibc.spec
@ -66,7 +66,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	101
+Release: 	102
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -239,6 +239,10 @@ Patch151: elf-Call-__libc_early_init-for-reused-namespaces-bug.patch
 Patch152: dlfcn-Pass-caller-pointer-to-static-dlopen-implement.patch
 Patch153: elf-Fix-hwcaps-string-size-overestimation.patch
 Patch154: backport-elf-Fix-alloca-size-in-_dl_debug_vdprintf.patch
+Patch155: backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch
+Patch156: backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch
+Patch157: backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch
+Patch158: backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch

 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@ -1420,6 +1424,12 @@ fi
 %endif

 %changelog
+* Thu Dec 08 2022 shixuantong <shixuantong1@huawei.com> - 2.34-102
+- elf: Do not completely clear reused namespace in dlmopen (bug 29600)
+- elf: Remove allocate use on _dl_debug_printf
+- elf/tlsdeschtab.h: Add the Malloc return value check in _dl_make_tlsdesc_dynamic()
+- Fix OOB read in stdlib thousand grouping parsing [BZ#29727]
+
 * Tue Nov 29 2022 Lv Ying <lvying6@huawei.com> - 2.34-101
 - elf: Fix alloca size in _dl_debug_vdprintf