From 475a8ee8afec240acf1455503e3702e3fe474de8 Mon Sep 17 00:00:00 2001 From: liqingqing_1229 Date: Mon, 12 Dec 2022 17:50:06 +0800 Subject: [PATCH] io: Fix use after free in ftw (BZ 26779) (cherry picked from commit 79dcf1a0e983217810662ec0ebe26dc33b43c41c) --- glibc.spec | 6 ++++- io-Fix-use-after-free-in-ftw-BZ-26779.patch | 29 +++++++++++++++++++++ 2 files changed, 34 insertions(+), 1 deletion(-) create mode 100644 io-Fix-use-after-free-in-ftw-BZ-26779.patch diff --git a/glibc.spec b/glibc.spec index 27458f4..5ecff4d 100644 --- a/glibc.spec +++ b/glibc.spec @@ -66,7 +66,7 @@ ############################################################################## Name: glibc Version: 2.34 -Release: 102 +Release: 103 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -243,6 +243,7 @@ Patch155: backport-elf-tlsdeschtab.h-Add-the-Malloc-return-value-check.patch Patch156: backport-Fix-OOB-read-in-stdlib-thousand-grouping-parsing-BZ.patch Patch157: backport-elf-Remove-allocate-use-on-_dl_debug_printf.patch Patch158: backport-elf-Do-not-completely-clear-reused-namespace-in-dlmo.patch +Patch159: io-Fix-use-after-free-in-ftw-BZ-26779.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -1424,6 +1425,9 @@ fi %endif %changelog +* Mon Dec 12 2022 Qingqing Li - 2.34-103 +- io: Fix use after free in ftw (BZ 26779) + * Thu Dec 08 2022 shixuantong - 2.34-102 - elf: Do not completely clear reused namespace in dlmopen (bug 29600) - elf: Remove allocate use on _dl_debug_printf diff --git a/io-Fix-use-after-free-in-ftw-BZ-26779.patch b/io-Fix-use-after-free-in-ftw-BZ-26779.patch new file mode 100644 index 0000000..813d906 --- /dev/null +++ b/io-Fix-use-after-free-in-ftw-BZ-26779.patch 
@@ -0,0 +1,29 @@
+From ee52ab25ba875f458981fce22c54e3c04c7a17d3 Mon Sep 17 00:00:00 2001
+From: Martin Sebor
+Date: Tue, 25 Jan 2022 17:39:02 -0700
+Subject: [PATCH] io: Fix use-after-free in ftw [BZ #26779]
+
+Reviewed-by: Carlos O'Donell
+---
+ io/ftw.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git a/io/ftw.c b/io/ftw.c
+index 2742541f36..94bd5a93e4 100644
+--- a/io/ftw.c
++++ b/io/ftw.c
+@@ -323,8 +323,9 @@ open_dir_stream (int *dfdp, struct ftw_data *data, struct dir_data *dirp)
+ buf[actsize++] = '\0';
+
+ /* Shrink the buffer to what we actually need. */
+- data->dirstreams[data->actdir]->content = realloc (buf, actsize);
+- if (data->dirstreams[data->actdir]->content == NULL)
++ void *content = realloc (buf, actsize);
++ data->dirstreams[data->actdir]->content = content;
++ if (content == NULL)
+ {
+ int save_err = errno;
+ free (buf);
+--
+2.33.0
+
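Review bot: In the added io/ftw.c change, `free (buf)` on the `content == NULL` branch of open_dir_stream is safe only because a failed realloc leaves the original block allocated, and no comment records that; I would add `/* realloc failed: buf is still allocated, release it here.  */` above the call. Within the visible lines the old and new sides assign the same realloc result to `data->dirstreams[data->actdir]->content` and test the same value, so the runtime behaviour looks unchanged. That suggests the subject's "use-after-free" refers to something other than a reachable memory error at this spot; the %changelog entry could say which, so the package update is triaged correctly. open_dir_stream begins before and continues past this hunk, so the rest of the error path is not visible here.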