diff --git a/glibc.spec b/glibc.spec index 7ded1e3..ed49618 100644 --- a/glibc.spec +++ b/glibc.spec @@ -66,7 +66,7 @@ ############################################################################## Name: glibc Version: 2.34 -Release: 73 +Release: 74 Summary: The GNU libc libraries License: %{all_license} URL: http://www.gnu.org/software/glibc/ @@ -209,6 +209,9 @@ Patch123: malloc-hugepage-0005-malloc-Add-Huge-Page-support-to-arenas.patch Patch124: malloc-hugepage-0006-malloc-Move-MORECORE-fallback-mmap-to-sysmalloc_mmap.patch Patch125: malloc-hugepage-0007-malloc-Enable-huge-page-support-on-main-arena.patch Patch126: localedef-Handle-symbolic-links-when-generating-loca.patch +Patch127: libio-Ensure-output-buffer-for-wchars-bug-28828.patch +Patch128: libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch +Patch129: linux-Fix-__closefrom_fallback-iterates-until-max-in.patch Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch Patch9001: delete-no-hard-link-to-avoid-all_language-package-to.patch @@ -1302,11 +1305,16 @@ fi %endif %changelog +* Sat Apr 9 2022 Qingqing Li - 2.34-74 +- libio: Ensure output buffer for wchars bug 28828 +- libio: libio Flush onlu _IO_str_overflow must not return EOF bug 28949 +- linux: Fix _closefrom_fallback iterates until max int bug 28993 + * Fri Apr 8 2022 Qingqing Li - 2.34-73 -- localedef: Handle symbolic links when generating locale-archive +- localedef: Handle symbolic links when generating locale-archive * Wed Mar 30 2022 Lv Ying - 2.34-72 -- use mlock to determine hugepage RLIMIT_MEMLOCK soft resource limit is valid +- use mlock to determine hugepage RLIMIT_MEMLOCK soft resource limit is valid * Tue Mar 29 2022 Yang Yanchao - 2.34-71 - mv libc.info.gz* to the package glibc-help diff --git a/libio-Ensure-output-buffer-for-wchars-bug-28828.patch b/libio-Ensure-output-buffer-for-wchars-bug-28828.patch new file mode 100644 index 0000000..6cb10d5 --- /dev/null 
+++ b/libio-Ensure-output-buffer-for-wchars-bug-28828.patch 
@@ -0,0 +1,110 @@
+From edc696a73a7cb07b1aa68792a845a98d036ee7eb Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Jos=C3=A9=20Bollo?=
+Date: Tue, 8 Mar 2022 09:58:16 +0100
+Subject: [PATCH] libio: Ensure output buffer for wchars (bug #28828)
+
+The _IO_wfile_overflow does not check if the write pointer for wide
+data is valid before access, different than _IO_file_overflow. This
+leads to crash on some cases, as described by bug 28828.
+
+The minimal sequence to produce the crash was:
+
+ #include
+ #include
+ int main (int ac, char **av)
+ {
+ setvbuf (stdout, NULL, _IOLBF, 0);
+ fgetwc (stdin);
+ fputwc (10, stdout); /*CRASH HERE!*/
+ return 0;
+ }
+
+The "fgetwc(stdin);" is necessary since it triggers the bug by setting
+the flag _IO_CURRENTLY_PUTTING on stdout indirectly (file wfileops.c,
+function _IO_wfile_underflow, line 213).
+
+Signed-off-by: Jose Bollo
+---
+ libio/Makefile | 2 +-
+ libio/tst-bz28828.c | 32 ++++++++++++++++++++++++++++++++
+ libio/tst-bz28828.input | 1 +
+ libio/wfileops.c | 3 ++-
+ 4 files changed, 36 insertions(+), 2 deletions(-)
+ create mode 100644 libio/tst-bz28828.c
+ create mode 100644 libio/tst-bz28828.input
+
+diff --git a/libio/Makefile b/libio/Makefile
+index 0e5f348..e973877 100644
+--- a/libio/Makefile
++++ b/libio/Makefile
+@@ -66,7 +66,7 @@ tests = tst_swprintf tst_wprintf tst_swscanf tst_wscanf tst_getwc tst_putwc \
+ tst-fwrite-error tst-ftell-partial-wide tst-ftell-active-handler \
+ tst-ftell-append tst-fputws tst-bz22415 tst-fgetc-after-eof \
+ tst-sprintf-ub tst-sprintf-chk-ub tst-bz24051 tst-bz24153 \
+- tst-wfile-sync
++ tst-wfile-sync tst-bz28828
+
+ tests-internal = tst-vtables tst-vtables-interposed
+
+diff --git a/libio/tst-bz28828.c b/libio/tst-bz28828.c
+new file mode 100644
+index 0000000..638a6e2
+--- /dev/null
++++ b/libio/tst-bz28828.c
+@@ -0,0 +1,32 @@
++/* Unit test for BZ#28828.
++ Copyright (C) 2022 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++#include
++
++static int
++do_test (void)
++{
++ setvbuf (stdout, NULL, _IOLBF, 0);
++ fgetwc (stdin);
++ fputwc (10, stdout); /* It should not crash here. */
++ return 0;
++}
++
++#include
+diff --git a/libio/tst-bz28828.input b/libio/tst-bz28828.input
+new file mode 100644
+index 0000000..ce01362
+--- /dev/null
++++ b/libio/tst-bz28828.input
+@@ -0,0 +1 @@
++hello
+diff --git a/libio/wfileops.c b/libio/wfileops.c
+index fb9d45b..b59a988 100644
+--- a/libio/wfileops.c
++++ b/libio/wfileops.c
+@@ -412,7 +412,8 @@ _IO_wfile_overflow (FILE *f, wint_t wch)
+ return WEOF;
+ }
+ /* If currently reading or no buffer allocated. */
+- if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0)
++ if ((f->_flags & _IO_CURRENTLY_PUTTING) == 0
++ || f->_wide_data->_IO_write_base == NULL)
+ {
+ /* Allocate a buffer if needed. */
+ if (f->_wide_data->_IO_write_base == 0)
+--
+1.8.3.1
+
diff --git a/libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch b/libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch
new file mode 100644
index 0000000..ab1962f
--- /dev/null
+++ b/libio-Flush-only-_IO_str_overflow-must-not-return-EO.patch
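Review bot: The regression test do_test in libio/tst-bz28828.c discards the return values of setvbuf, fgetwc and fputwc, so it only fails if the process crashes. Checking the write would also catch a regression in which the missing wide write buffer leads to an error return instead of a crash, for example `if (fputwc (10, stdout) == WEOF) return 1;`. In the libio/wfileops.c hunk the added condition compares `_IO_write_base` with `NULL` while the unchanged line below it compares the same field with `0`; one spelling for both would make it clearer that the outer test exists to reach that allocation. _IO_wfile_overflow starts and ends outside the hunk, so the rest of the write-pointer setup could not be checked here.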
@@ -0,0 +1,54 @@
+From 88ed43ff0cf2561481de7cba00686386794515d6 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Fri, 18 Mar 2022 21:27:54 +0100
+Subject: [PATCH] libio: Flush-only _IO_str_overflow must not return EOF (bug
+ 28949)
+
+In general, _IO_str_overflow returns the character passed as an argument
+on success. However, if flush-only operation is requested by passing
+EOF, returning EOF looks like an error, and the caller cannot tell
+whether the operation was successful or not.
+
+_IO_wstr_overflow had the same bug regarding WEOF.
+
+Reviewed-by: Adhemerval Zanella
+---
+ libio/strops.c | 5 ++++-
+ libio/wstrops.c | 5 ++++-
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/libio/strops.c b/libio/strops.c
+index 6a9a884..1cd0bf6 100644
+--- a/libio/strops.c
++++ b/libio/strops.c
+@@ -133,7 +133,10 @@ _IO_str_overflow (FILE *fp, int c)
+ *fp->_IO_write_ptr++ = (unsigned char) c;
+ if (fp->_IO_write_ptr > fp->_IO_read_end)
+ fp->_IO_read_end = fp->_IO_write_ptr;
+- return c;
++ if (flush_only)
++ return 0;
++ else
++ return c;
+ }
+ libc_hidden_def (_IO_str_overflow)
+
+diff --git a/libio/wstrops.c b/libio/wstrops.c
+index 8e44f86..2aec3149 100644
+--- a/libio/wstrops.c
++++ b/libio/wstrops.c
+@@ -130,7 +130,10 @@ _IO_wstr_overflow (FILE *fp, wint_t c)
+ *fp->_wide_data->_IO_write_ptr++ = c;
+ if (fp->_wide_data->_IO_write_ptr > fp->_wide_data->_IO_read_end)
+ fp->_wide_data->_IO_read_end = fp->_wide_data->_IO_write_ptr;
+- return c;
++ if (flush_only)
++ return 0;
++ else
++ return c;
+ }
+
+
+--
+1.8.3.1
+
diff --git a/linux-Fix-__closefrom_fallback-iterates-until-max-in.patch b/linux-Fix-__closefrom_fallback-iterates-until-max-in.patch
new file mode 100644
index 0000000..1b46598
--- /dev/null
+++ b/linux-Fix-__closefrom_fallback-iterates-until-max-in.patch
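Review bot: The flush-only branch added to _IO_str_overflow in libio/strops.c, and the identical one in _IO_wstr_overflow in libio/wstrops.c, carries no comment, so the rule that EOF or WEOF now signals failure only is recorded nowhere but the commit message. A comment above the branch would keep it with the code, for example `/* Flush-only request: return 0 so that success is not mistaken for the EOF error return. */`, with WEOF in the wide variant. `flush_only` is assigned outside both hunks, so how it is derived from `c` cannot be confirmed from this page. The diffstat lists only the two source files; a test that exercises a flush-only call and checks for a non-EOF result would guard the new return value.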
@@ -0,0 +1,58 @@
+From 053fe273434056f551ed8f81daf750db9dab5931 Mon Sep 17 00:00:00 2001
+From: Adhemerval Zanella
+Date: Wed, 23 Mar 2022 17:40:01 -0300
+Subject: [PATCH] linux: Fix __closefrom_fallback iterates until max int
+ (BZ#28993)
+
+The __closefrom_fallback tries to get a available file descriptor
+if the initial open ("/proc/self/fd/", ...) fails. It assumes the
+failure would be only if procfs is not mount (ENOENT), however if
+the the proc file is not accessible (due some other kernel filtering
+such apparmor) it will iterate over a potentially large file set
+issuing close calls.
+
+It should only try the close fallback if open returns EMFILE,
+ENFILE, or ENOMEM.
+
+Checked on x86_64-linux-gnu.
+---
+ sysdeps/unix/sysv/linux/closefrom_fallback.c | 11 ++++++-----
+ 1 file changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/sysdeps/unix/sysv/linux/closefrom_fallback.c b/sysdeps/unix/sysv/linux/closefrom_fallback.c
+index 60101aa..a9dd0c4 100644
+--- a/sysdeps/unix/sysv/linux/closefrom_fallback.c
++++ b/sysdeps/unix/sysv/linux/closefrom_fallback.c
+@@ -30,16 +30,16 @@
+ _Bool
+ __closefrom_fallback (int from, _Bool dirfd_fallback)
+ {
+- bool ret = false;
+-
+ int dirfd = __open_nocancel (FD_TO_FILENAME_PREFIX, O_RDONLY | O_DIRECTORY,
+ 0);
+ if (dirfd == -1)
+ {
+- /* The closefrom should work even when process can't open new files. */
+- if (errno == ENOENT || !dirfd_fallback)
+- goto err;
++ /* Return if procfs can not be opened for some reason. */
++ if ((errno != EMFILE && errno != ENFILE && errno != ENOMEM)
++ || !dirfd_fallback)
++ return false;
+
++ /* The closefrom should work even when process can't open new files. */
+ for (int i = from; i < INT_MAX; i++)
+ {
+ int r = __close_nocancel (i);
+@@ -54,6 +54,7 @@ __closefrom_fallback (int from, _Bool dirfd_fallback)
+ }
+
+ char buffer[1024];
++ bool ret = false;
+ while (true)
+ {
+ ssize_t ret = __getdents64 (dirfd, buffer, sizeof (buffer));
+--
+1.8.3.1
+
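Review bot: With the new errno test in __closefrom_fallback, every open failure other than EMFILE, ENFILE or ENOMEM returns false without closing anything, so descriptors at or above `from` stay open and the result is only safe if each caller treats false as a hard failure; the callers are not part of this diff. The new comment `/* Return if procfs can not be opened for some reason. */` does not say which errors are excluded or why; something like `/* Only probe with close when open failed for lack of descriptors or memory; any other error (for example procfs hidden by kernel filtering such as AppArmor) is reported to the caller. */` would record the intent stated in the commit message. In the second hunk the moved `bool ret = false;` now sits directly above `ssize_t ret = __getdents64 (...)`, which shadows it inside the loop; renaming the inner variable would keep the two apart, though the loop body continues outside the hunk.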