!345 [sync] PR-339: fix CVE-2019-1010023

Merge pull request !345 from openeuler-sync-bot/sync-pr339-cve-to-openEuler-22.03-LTS
2022-01-28 07:45:55 +00:00 · 2022-01-28 07:45:55 +00:00 · 2dc1a46a01
commit 2dc1a46a01
parent 3c24017032 f7cd45c1c8
2 changed files with 71 additions and 1 deletions
--- a/fix-CVE-2019-1010023.patch
+++ b/fix-CVE-2019-1010023.patch
@ -0,0 +1,66 @@
 From fe1ffef2eec9c6634a1e9af951eb68f0f5614470 Mon Sep 17 00:00:00 2001
 From: xujing <xujing99@huawei.com>
 Date: Thu, 2 Dec 2021 11:41:46 +0800
 Subject: [PATCH] glibc: fix CVE-2019-1010023
 MIME-Version: 1.0
 Content-Type: text/plain; charset=UTF-8
 Content-Transfer-Encoding: 8bit
 | PT_LOAD
 |
 | […] Loadable segment entries in the program header table appear in
 | ascending order, sorted on the p_vaddr member.
 http://www.sco.com/developers/gabi/latest/ch5.pheader.html
 Some check needed to fix vulnerability in load commands mapping reported by
 https://sourceware.org/bugzilla/show_bug.cgi?id=22851
 Signed-off-by: lvying <lvying6@huawei.com>
 Signed-off-by: xujing <xujing99@huawei.com>
 ---
 elf/dl-map-segments.h | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h
 index 084076a2..a41ae73b 100644
 --- a/elf/dl-map-segments.h
 +++ b/elf/dl-map-segments.h
@@ -33,6 +33,7 @@ _dl_map_segments (struct link_map *l, int fd,
                   struct link_map *loader)
 {
   const struct loadcmd *c = loadcmds;
 +  ElfW(Addr) l_map_end_aligned;
   if (__glibc_likely (type == ET_DYN))
     {
@@ -61,6 +62,8 @@ _dl_map_segments (struct link_map *l, int fd,
         return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT;
       l->l_map_end = l->l_map_start + maplength;
 +      l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1)
 +                          & ~(GLRO(dl_pagesize) - 1));
       l->l_addr = l->l_map_start - c->mapstart;
       if (has_holes)
@@ -85,10 +88,16 @@ _dl_map_segments (struct link_map *l, int fd,
   /* Remember which part of the address space this object uses.  */
   l->l_map_start = c->mapstart + l->l_addr;
   l->l_map_end = l->l_map_start + maplength;
 +  l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1)
 +                      & ~(GLRO(dl_pagesize) - 1));
   l->l_contiguous = !has_holes;
   while (c < &loadcmds[nloadcmds])
     {
 +      if ((l->l_addr + c->mapend) > l_map_end_aligned ||
 +          (l->l_addr + c->mapstart) < l->l_map_start)
 +          return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT;
 +
       if (c->mapend > c->mapstart
           /* Map the segment contents from the file.  */
           && (__mmap ((void *) (l->l_addr + c->mapstart),
 -- 
 2.23.0
--- a/glibc.spec
+++ b/glibc.spec
@ -66,7 +66,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.34
-Release: 	48
+Release: 	49
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -176,6 +176,7 @@ Patch88: i386-Remove-broken-CAN_USE_REGISTER_ASM_EBP-bug-2877.patch
 Patch89: x86-use-default-cache-size-if-it-cannot-be-determine.patch
 Patch90: x86-Fix-__wcsncmp_avx2-in-strcmp-avx2.S-BZ-28755.patch
 Patch91: x86-Fix-__wcsncmp_evex-in-strcmp-evex.S-BZ-28755.patch
 Patch92: fix-CVE-2019-1010023.patch
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch 
@ -1379,6 +1380,9 @@ fi
 %endif
 %changelog
 * Fri Jan 28 2022 Lv Ying <lvying6@huawei.com> - 2.34-49
 - fix CVE-2019-1010023
 * Fri Jan 28 2022 Qingqing Li <liqingqing3@huawei.com> - 2.34-48
 - Fix __wcsncmp_evex in strcmp-evex.S [BZ #28755]
 - Fix __wcsncmp_avx2 in strcmp-avx2.S [BZ #28755]