sync glibc upstream to fix bug 28828/28949/28993

here the details: libio: Ensure output buffer for wchars bug 28828 libio: libio Flush onlu _IO_str_overflow must not return EOF bug 28949 linux: Fix _closefrom_fallback iterates until max int bug 28993
2022-04-09 14:42:03 +08:00 · 2022-04-09 14:42:03 +08:00 · 21334ee1f9
commit 21334ee1f9
parent 30abaab648
4 changed files with 233 additions and 3 deletions
--- a/glibc.spec
+++ b/glibc.spec
@ -66,7 +66,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	73
+Release: 	74
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -209,6 +209,9 @@ Patch123: malloc-hugepage-0005-malloc-Add-Huge-Page-support-to-arenas.patch
 Patch124: malloc-hugepage-0006-malloc-Move-MORECORE-fallback-mmap-to-sysmalloc_mmap.patch
 Patch125: malloc-hugepage-0007-malloc-Enable-huge-page-support-on-main-arena.patch
 Patch126: localedef-Handle-symbolic-links-when-generating-loca.patch
+Patch127: libio-Ensure-output-buffer-for-wchars-bug-28828.patch
+Patch128: libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch
+Patch129: linux-Fix-__closefrom_fallback-iterates-until-max-in.patch

 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@ -1302,6 +1305,11 @@ fi
 %endif

 %changelog
+* Sat Apr 9 2022 Qingqing Li <liqingqing3@huawei.com> - 2.34-74
+- libio: Ensure output buffer for wchars bug 28828
+- libio: libio Flush onlu _IO_str_overflow must not return EOF bug 28949
+- linux: Fix _closefrom_fallback iterates until max int bug 28993
+
 * Fri Apr 8 2022 Qingqing Li <liqingqing3@huawei.com> - 2.34-73
 - localedef: Handle symbolic links when generating locale-archive

--- a/libio-Ensure-output-buffer-for-wchars-bug-28828.patch
+++ b/libio-Ensure-output-buffer-for-wchars-bug-28828.patch
@ -0,0 +1,110 @@
+From edc696a73a7cb07b1aa68792a845a98d036ee7eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?= <jobol@nonadev.net>
+Date: Tue, 8 Mar 2022 09:58:16 +0100
+Subject: [PATCH] libio: Ensure output buffer for wchars (bug #28828)
+
+The _IO_wfile_overflow does not check if the write pointer for wide
+data is valid before access, different than _IO_file_overflow.  This
+leads to crash on some cases, as described by bug 28828.
+
+The minimal sequence to produce the crash was:
+
+  #include <stdio.h>
+  #include <wchar.h>
+  int main (int ac, char **av)
+  {
+    setvbuf (stdout, NULL, _IOLBF, 0);
+    fgetwc (stdin);
+    fputwc (10, stdout); /*CRASH HERE!*/
+    return 0;
+  }
+
+The "fgetwc(stdin);" is necessary since it triggers the bug by setting
+the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
+function _IO_wfile_underflow, line 213).
+
+Signed-off-by: Jose Bollo <jobol@nonadev.net>
+---
+ libio/Makefile          |  2 +-
+ libio/tst-bz28828.c     | 32 ++++++++++++++++++++++++++++++++
+ libio/tst-bz28828.input |  1 +
+ libio/wfileops.c        |  3 ++-
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+ create mode 100644 libio/tst-bz28828.c
+ create mode 100644 libio/tst-bz28828.input
+
+diff --git a/libio/Makefile b/libio/Makefile
+index 0e5f348..e973877 100644
+--- a/libio/Makefile
+++ b/libio/Makefile
+@@ -66,7 +66,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc   \
+ 	tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
+ 	tst-ftell-append tst-fputws tst-bz22415 tst-fgetc-after-eof \
+ 	tst-sprintf-ub tst-sprintf-chk-ub tst-bz24051 tst-bz24153 \
+-	tst-wfile-sync
+	tst-wfile-sync tst-bz28828
+ 
+ tests-internal = tst-vtables tst-vtables-interposed
+ 
+diff --git a/libio/tst-bz28828.c b/libio/tst-bz28828.c
+new file mode 100644
+index 0000000..638a6e2
+--- /dev/null
+++ b/libio/tst-bz28828.c
+@@ -0,0 +1,32 @@
+/* Unit test for BZ#28828.
+   Copyright (C) 2022 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <support/xstdio.h>
+#include <support/check.h>
+#include <wchar.h>
+
+static int
+do_test (void)
+{
+  setvbuf (stdout, NULL, _IOLBF, 0);
+  fgetwc (stdin);
+  fputwc (10, stdout); /* It should not crash here.  */
+  return 0;
+}
+
+#include <support/test-driver.c>
+diff --git a/libio/tst-bz28828.input b/libio/tst-bz28828.input
+new file mode 100644
+index 0000000..ce01362
+--- /dev/null
+++ b/libio/tst-bz28828.input
+@@ -0,0 +1 @@
+hello
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index fb9d45b..b59a988 100644
+--- a/libio/wfileops.c
+++ b/libio/wfileops.c
+@@ -412,7 +412,8 @@ _IO_wfile_overflow (FILE *f, wint_t wch)
+       return WEOF;
+     }
+   /* If currently reading or no buffer allocated. */
+-  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0)
+  if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0
+      || f->_wide_data->_IO_write_base == NULL)
+     {
+       /* Allocate a buffer if needed. */
+       if (f->_wide_data->_IO_write_base == 0)
+-- 
+1.8.3.1
+
--- a/libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch
+++ b/libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch
@ -0,0 +1,54 @@
+From 88ed43ff0cf2561481de7cba00686386794515d6 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Fri, 18 Mar 2022 21:27:54 +0100
+Subject: [PATCH] libio: Flush-only _IO_str_overflow must not return EOF (bug
+ 28949)
+
+In general, _IO_str_overflow returns the character passed as an argument
+on success.  However, if flush-only operation is requested by passing
+EOF, returning EOF looks like an error, and the caller cannot tell
+whether the operation was successful or not.
+
+_IO_wstr_overflow had the same bug regarding WEOF.
+
+Reviewed-by: Adhemerval Zanella  <adhemerval.zanella@linaro.org>
+---
+ libio/strops.c  | 5 ++++-
+ libio/wstrops.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libio/strops.c b/libio/strops.c
+index 6a9a884..1cd0bf6 100644
+--- a/libio/strops.c
+++ b/libio/strops.c
+@@ -133,7 +133,10 @@ _IO_str_overflow (FILE *fp, int c)
+     *fp->_IO_write_ptr++ = (unsigned char) c;
+   if (fp->_IO_write_ptr > fp->_IO_read_end)
+     fp->_IO_read_end = fp->_IO_write_ptr;
+-  return c;
+  if (flush_only)
+    return 0;
+  else
+    return c;
+ }
+ libc_hidden_def (_IO_str_overflow)
+ 
+diff --git a/libio/wstrops.c b/libio/wstrops.c
+index 8e44f86..2aec3149 100644
+--- a/libio/wstrops.c
+++ b/libio/wstrops.c
+@@ -130,7 +130,10 @@ _IO_wstr_overflow (FILE *fp, wint_t c)
+     *fp->_wide_data->_IO_write_ptr++ = c;
+   if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_read_end)
+     fp->_wide_data->_IO_read_end = fp->_wide_data->_IO_write_ptr;
+-  return c;
+  if (flush_only)
+    return 0;
+  else
+    return c;
+ }
+ 
+ 
+-- 
+1.8.3.1
+
--- a/linux-Fix-__closefrom_fallback-iterates-until-max-in.patch
+++ b/linux-Fix-__closefrom_fallback-iterates-until-max-in.patch
@ -0,0 +1,58 @@
+From 053fe273434056f551ed8f81daf750db9dab5931 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella <adhemerval.zanella@linaro.org>
+Date: Wed, 23 Mar 2022 17:40:01 -0300
+Subject: [PATCH] linux: Fix __closefrom_fallback iterates until max int
+ (BZ#28993)
+
+The __closefrom_fallback tries to get a available file descriptor
+if the initial open ("/proc/self/fd/", ...) fails.  It assumes the
+failure would be only if procfs is not mount (ENOENT), however if
+the the proc file is not accessible (due some other kernel filtering
+such apparmor) it will iterate over a potentially large file set
+issuing close calls.
+
+It should only try the close fallback if open returns EMFILE,
+ENFILE, or ENOMEM.
+
+Checked on x86_64-linux-gnu.
+---
+ sysdeps/unix/sysv/linux/closefrom_fallback.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/closefrom_fallback.c b/sysdeps/unix/sysv/linux/closefrom_fallback.c
+index 60101aa..a9dd0c4 100644
+--- a/sysdeps/unix/sysv/linux/closefrom_fallback.c
+++ b/sysdeps/unix/sysv/linux/closefrom_fallback.c
+@@ -30,16 +30,16 @@
+ _Bool
+ __closefrom_fallback (int from, _Bool dirfd_fallback)
+ {
+-  bool ret = false;
+-
+   int dirfd = __open_nocancel (FD_TO_FILENAME_PREFIX, O_RDONLY | O_DIRECTORY,
+                                0);
+   if (dirfd == -1)
+     {
+-      /* The closefrom should work even when process can't open new files.  */
+-      if (errno == ENOENT || !dirfd_fallback)
+-        goto err;
+      /* Return if procfs can not be opened for some reason.  */
+      if ((errno != EMFILE && errno != ENFILE && errno != ENOMEM)
+	  || !dirfd_fallback)
+	return false;
+ 
+      /* The closefrom should work even when process can't open new files.  */
+       for (int i = from; i < INT_MAX; i++)
+         {
+           int r = __close_nocancel (i);
+@@ -54,6 +54,7 @@ __closefrom_fallback (int from, _Bool dirfd_fallback)
+     }
+ 
+   char buffer[1024];
+  bool ret = false;
+   while (true)
+     {
+       ssize_t ret = __getdents64 (dirfd, buffer, sizeof (buffer));
+-- 
+1.8.3.1
+