From d444931e8385ba84f11f25dfaf23274210720f6c Mon Sep 17 00:00:00 2001
From: Dimitri John Ledkov
Date: Sat, 27 Jul 2024 00:36:19 +0100
Subject: [PATCH] Reapply "glibc/2.40 package update"

This reverts commit 24e2165ff0f3e5265739bf9b4ea7d6280cb30c8f.
---
 gcc.yaml | 2 +-
 glibc.yaml | 9 +-
 glibc/CVE-2023-4527.patch | 185 -----------------
 glibc/CVE-2023-4911.patch | 171 ---------------
 glibc/CVE-2023-5156.patch | 128 ------------
 glibc/CVE-2023-6246.patch | 179 ----------------
 glibc/CVE-2023-6779.patch | 105 ----------
 glibc/CVE-2023-6780.patch | 40 ----
 glibc/CVE-2024-2961.patch | 215 -------------------
 glibc/CVE-2024-33599.patch | 37 ----
 glibc/CVE-2024-33600-2.patch | 59 ------
 glibc/CVE-2024-33600.patch | 58 ------
 glibc/CVE-2024-33601.patch | 389 -----------------------------------
 13 files changed, 5 insertions(+), 1572 deletions(-)
 delete mode 100644 glibc/CVE-2023-4527.patch
 delete mode 100644 glibc/CVE-2023-4911.patch
 delete mode 100644 glibc/CVE-2023-5156.patch
 delete mode 100644 glibc/CVE-2023-6246.patch
 delete mode 100644 glibc/CVE-2023-6779.patch
 delete mode 100644 glibc/CVE-2023-6780.patch
 delete mode 100644 glibc/CVE-2024-2961.patch
 delete mode 100644 glibc/CVE-2024-33599.patch
 delete mode 100644 glibc/CVE-2024-33600-2.patch
 delete mode 100644 glibc/CVE-2024-33600.patch
 delete mode 100644 glibc/CVE-2024-33601.patch
diff --git a/gcc.yaml b/gcc.yaml
index 043b92ce552..0464e9f3449 100644
--- a/gcc.yaml
+++ b/gcc.yaml
@@ -1,7 +1,7 @@
 package:
 name: gcc
 version: 14.2.0
- epoch: 0
+ epoch: 1
 description: "the GNU compiler collection"
 copyright:
 - license: GPL-3.0-or-later WITH GCC-exception-3.1
diff --git a/glibc.yaml b/glibc.yaml
index a81c7bdae05..196f7a801b6 100644
--- a/glibc.yaml
+++ b/glibc.yaml
@@ -1,7 +1,7 @@
 package:
 name: glibc
 version: 2.39
- epoch: 8
+ epoch: 9
 description: "the GNU C library"
 copyright:
 - license: LGPL-2.1-or-later
@@ -61,10 +61,6 @@ pipeline:
 with:
 patches: Disable-AVX512VL.patch
 
- - uses: patch
- with:
- patches: CVE-2024-2961.patch CVE-2024-33599.patch CVE-2024-33600.patch CVE-2024-33600-2.patch CVE-2024-33601.patch
-
 - name: 'Set up build directory'
 runs: |
 mkdir build
@@ -223,6 +219,7 @@ data:
 lb: Luxembourgish
 lg: Ganda
 lij: Ligurian
+ ltg: Latgalian
 li: Limburgish
 ln: Lingala
 lo: Lao
@@ -231,6 +228,7 @@ data:
 lzh: Literary Chinese
 mag: Magahi
 mai: Maithili
+ mdf: Moksha
 mfe: Morisyen
 mg: Malagasy
 mhr: Meadow Mari
@@ -275,6 +273,7 @@ data:
 sat: Santali
 sa: Sanskrit
 sc: Sardinian
+ scn: Sicilian
 sd: Sindhi
 se: Northern Sami
 sgs: Samogitian
diff --git a/glibc/CVE-2023-4527.patch b/glibc/CVE-2023-4527.patch
deleted file mode 100644
index 55c7547e0ad..00000000000
--- a/glibc/CVE-2023-4527.patch
+++ /dev/null
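Review bot: Dropping the `uses: patch` step for CVE-2024-2961, CVE-2024-33599, CVE-2024-33600, CVE-2024-33600-2 and CVE-2024-33601 is only safe if the glibc source actually moves to a release that contains those fixes, yet the header hunk of this same file still shows `version: 2.39` as unchanged context and only `epoch` moves from 8 to 9. If that context line is accurate, the rebuilt 2.39 package ships without the iconv ISO-2022-CN-EXT and nscd netgroup-cache fixes carried by the deleted patch files, which is a security regression rather than the 2.40 update the subject describes. Either the source bump belongs in this commit (`version: 2.40` with the epoch reset) or the patch step should stay until that bump lands. Worth confirming against the full glibc.yaml, since the hunk text here is collapsed and the version line could conceivably be changed elsewhere in the file.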
@@ -1,185 +0,0 @@ -From 7e86998d6035b805d606dd90ea7ad19a94136d9a Mon Sep 17 00:00:00 2001 -From: Dan Luhring -Date: Fri, 22 Sep 2023 08:13:53 -0400 -Subject: [PATCH] patch CVE-2023-4527 - -Derived from https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b25508dd774b617f99419bdc3cf2ace4560cd2d6 - -Signed-off-by: Dan Luhring ---- - resolv/Makefile | 2 + - resolv/nss_dns/dns-host.c | 2 +- - resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ - 3 files changed, 132 insertions(+), 1 deletion(-) - create mode 100644 resolv/tst-resolv-noaaaa-vc.c - -diff --git a/resolv/Makefile b/resolv/Makefile -index 054b1fa36c..2f99eb3862 100644 ---- a/resolv/Makefile -+++ b/resolv/Makefile -@@ -102,6 +102,7 @@ tests += \ - tst-resolv-invalid-cname \ - tst-resolv-network \ - tst-resolv-noaaaa \ -+ tst-resolv-noaaaa-vc \ - tst-resolv-nondecimal \ - tst-resolv-res_init-multi \ - tst-resolv-search \ -@@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ - $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ - $(shared-thread-library) - $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) -+$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) - $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) -diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c -index 1d60c51f5e..5d0ab30de6 100644 ---- a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, - { - n = __res_context_search (ctx, name, C_IN, T_A, - dns_packet_buffer, sizeof (dns_packet_buffer), -- NULL, NULL, NULL, NULL, NULL); -+ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); - if (n >= 0) - status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, 
- &abuf, pat, errnop, herrnop, ttlp); -diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c -new file mode 100644 -index 0000000000..9f5aebd99f ---- /dev/null -+++ b/resolv/tst-resolv-noaaaa-vc.c -@@ -0,0 +1,129 @@ -+/* Test the RES_NOAAAA resolver option with a large response. -+ Copyright (C) 2022-2023 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+/* Used to keep track of the number of queries. */ -+static volatile unsigned int queries; -+ -+/* If true, add a large TXT record at the start of the answer section. */ -+static volatile bool stuff_txt; -+ -+static void -+response (const struct resolv_response_context *ctx, -+ struct resolv_response_builder *b, -+ const char *qname, uint16_t qclass, uint16_t qtype) -+{ -+ /* If not using TCP, just force its use. */ -+ if (!ctx->tcp) -+ { -+ struct resolv_response_flags flags = {.tc = true}; -+ resolv_response_init (b, flags); -+ resolv_response_add_question (b, qname, qclass, qtype); -+ return; -+ } -+ -+ /* The test needs to send four queries, the first three are used to -+ grow the NSS buffer via the ERANGE handshake. 
*/ -+ ++queries; -+ TEST_VERIFY (queries <= 4); -+ -+ /* AAAA queries are supposed to be disabled. */ -+ TEST_COMPARE (qtype, T_A); -+ TEST_COMPARE (qclass, C_IN); -+ TEST_COMPARE_STRING (qname, "example.com"); -+ -+ struct resolv_response_flags flags = {}; -+ resolv_response_init (b, flags); -+ resolv_response_add_question (b, qname, qclass, qtype); -+ -+ resolv_response_section (b, ns_s_an); -+ -+ if (stuff_txt) -+ { -+ resolv_response_open_record (b, qname, qclass, T_TXT, 60); -+ int zero = 0; -+ for (int i = 0; i <= 15000; ++i) -+ resolv_response_add_data (b, &zero, sizeof (zero)); -+ resolv_response_close_record (b); -+ } -+ -+ for (int i = 0; i < 200; ++i) -+ { -+ resolv_response_open_record (b, qname, qclass, qtype, 60); -+ char ipv4[4] = {192, 0, 2, i + 1}; -+ resolv_response_add_data (b, &ipv4, sizeof (ipv4)); -+ resolv_response_close_record (b); -+ } -+} -+ -+static int -+do_test (void) -+{ -+ struct resolv_test *obj = resolv_test_start -+ ((struct resolv_redirect_config) -+ { -+ .response_callback = response -+ }); -+ -+ _res.options |= RES_NOAAAA; -+ -+ for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) -+ { -+ queries = 0; -+ stuff_txt = do_stuff_txt; -+ -+ struct addrinfo *ai = NULL; -+ int ret; -+ ret = getaddrinfo ("example.com", "80", -+ &(struct addrinfo) -+ { -+ .ai_family = AF_UNSPEC, -+ .ai_socktype = SOCK_STREAM, -+ }, &ai); -+ -+ char *expected_result; -+ { -+ struct xmemstream mem; -+ xopen_memstream (&mem); -+ for (int i = 0; i < 200; ++i) -+ fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); -+ xfclose_memstream (&mem); -+ expected_result = mem.buffer; -+ } -+ -+ check_addrinfo ("example.com", ai, ret, expected_result); -+ -+ free (expected_result); -+ freeaddrinfo (ai); -+ } -+ -+ resolv_test_end (obj); -+ return 0; -+} -+ -+#include --- -2.42.0 diff --git a/glibc/CVE-2023-4911.patch b/glibc/CVE-2023-4911.patch deleted file mode 100644 index e80cc968aa8..00000000000 --- a/glibc/CVE-2023-4911.patch +++ /dev/null 
@@ -1,171 +0,0 @@ -From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Tue, 19 Sep 2023 18:39:32 -0400 -Subject: [PATCH] tunables: Terminate if end of input is reached - (CVE-2023-4911) - -The string parsing routine may end up writing beyond bounds of tunestr -if the input tunable string is malformed, of the form name=name=val. -This gets processed twice, first as name=name=val and next as name=val, -resulting in tunestr being name=name=val:name=val, thus overflowing -tunestr. - -Terminate the parsing loop at the first instance itself so that tunestr -does not overflow. - -This also fixes up tst-env-setuid-tunables to actually handle failures -correct and add new tests to validate the fix for this CVE. - -Signed-off-by: Siddhesh Poyarekar -Reviewed-by: Carlos O'Donell ---- - NEWS | 5 +++++ - elf/dl-tunables.c | 17 +++++++++------- - elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++-------- - 3 files changed, 44 insertions(+), 15 deletions(-) - -diff --git a/NEWS b/NEWS -index a94650da64..cc4b81f0ac 100644 ---- a/NEWS -+++ b/NEWS -@@ -64,6 +64,11 @@ Security related changes: - an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, - AI_ALL and AI_V4MAPPED flags set. - -+ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the -+ environment of a setuid program and NAME is valid, it may result in a -+ buffer overflow, which could be exploited to achieve escalated -+ privileges. This flaw was introduced in glibc 2.34. -+ - The following bugs are resolved with this release: - - [The release manager will add the list generated by -diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c -index 62b7332d95..cae67efa0a 100644 ---- a/elf/dl-tunables.c -+++ b/elf/dl-tunables.c -@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring) - /* If we reach the end of the string before getting a valid name-value - pair, bail out. 
*/ - if (p[len] == '\0') -- { -- if (__libc_enable_secure) -- tunestr[off] = '\0'; -- return; -- } -+ break; - - /* We did not find a valid name-value pair before encountering the - colon. */ -@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring) - } - } - -- if (p[len] != '\0') -- p += len + 1; -+ /* We reached the end while processing the tunable string. */ -+ if (p[len] == '\0') -+ break; -+ -+ p += len + 1; - } -+ -+ /* Terminate tunestr before we leave. */ -+ if (__libc_enable_secure) -+ tunestr[off] = '\0'; - } - - /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when -diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c -index 7dfb0e073a..f0b92c97e7 100644 ---- a/elf/tst-env-setuid-tunables.c -+++ b/elf/tst-env-setuid-tunables.c -@@ -50,6 +50,8 @@ const char *teststrings[] = - "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", - "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", - "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.check=2", - "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", - "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", - ":glibc.malloc.garbage=2:glibc.malloc.check=1", -@@ -68,6 +70,8 @@ const char *resultstrings[] = - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", -+ "", - "", - "", - "", -@@ -81,11 +85,18 @@ test_child (int off) - { - const char *val = getenv ("GLIBC_TUNABLES"); - -+ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); -+ fflush (stdout); - if (val != NULL && strcmp (val, resultstrings[off]) == 0) - return 0; - - if (val != NULL) -- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); -+ printf (" 
[%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", -+ off, val, resultstrings[off]); -+ else -+ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); -+ -+ fflush (stdout); - - return 1; - } -@@ -106,21 +117,26 @@ do_test (int argc, char **argv) - if (ret != 0) - exit (1); - -- exit (EXIT_SUCCESS); -+ /* Special return code to make sure that the child executed all the way -+ through. */ -+ exit (42); - } - else - { -- int ret = 0; -- - /* Spawn tests. */ - for (int i = 0; i < array_length (teststrings); i++) - { - char buf[INT_BUFSIZE_BOUND (int)]; - -- printf ("Spawned test for %s (%d)\n", teststrings[i], i); -+ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); - snprintf (buf, sizeof (buf), "%d\n", i); -+ fflush (stdout); - if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) -- exit (1); -+ { -+ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); -+ support_record_failure (); -+ continue; -+ } - - int status = support_capture_subprogram_self_sgid (buf); - -@@ -128,9 +144,14 @@ do_test (int argc, char **argv) - if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) - return EXIT_UNSUPPORTED; - -- ret |= status; -+ if (WEXITSTATUS (status) != 42) -+ { -+ printf (" [%d] child failed with status %d\n", i, -+ WEXITSTATUS (status)); -+ support_record_failure (); -+ } - } -- return ret; -+ return 0; - } - } - --- -2.39.3 diff --git a/glibc/CVE-2023-5156.patch b/glibc/CVE-2023-5156.patch deleted file mode 100644 index 77f51a4b5be..00000000000 --- a/glibc/CVE-2023-5156.patch +++ /dev/null 
@@ -1,128 +0,0 @@ -Cherry picks patch to CVE-2023-5156 from upstream: https://sourceware.org/git/?p=glibc.git;a=commitdiff;h=ec6b95c3303c700eb89eebeda2d7264cc184a796 - ---- -diff --git a/nss/Makefile b/nss/Makefile -index 06fcdc450f..73db7d6df8 100644 ---- a/nss/Makefile -+++ b/nss/Makefile -@@ -147,6 +147,15 @@ tests-static += tst-nss-static - endif - extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os - -+ifeq ($(run-built-tests),yes) -+ifneq (no,$(PERL)) -+tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out -+endif -+endif -+ -+generated += mtrace-tst-nss-gai-hv2-canonname.out \ -+ tst-nss-gai-hv2-canonname.mtrace -+ - include ../Rules - - ifeq (yes,$(have-selinux)) -@@ -207,6 +216,17 @@ endif - $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so - $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so - -+tst-nss-gai-hv2-canonname-ENV = \ -+ MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ -+ LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so -+$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ -+ $(objpfx)tst-nss-gai-hv2-canonname.out -+ { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ -+ || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ -+ && $(common-objpfx)malloc/mtrace \ -+ $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ -+ $(evaluate-test) -+ - # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS - # functions can load testing NSS modules via DT_RPATH. - LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags -diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c -new file mode 100644 -index 0000000000..7db53cf09d ---- /dev/null -+++ b/nss/tst-nss-gai-hv2-canonname.c -@@ -0,0 +1,66 @@ -+/* Test NSS query path for plugins that only implement gethostbyname2 -+ (#30843). -+ Copyright The GNU Toolchain Authors. -+ This file is part of the GNU C Library. 
-+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "nss/tst-nss-gai-hv2-canonname.h" -+ -+#define PREPARE do_prepare -+ -+static void do_prepare (int a, char **av) -+{ -+ FILE *hosts = xfopen ("/etc/hosts", "w"); -+ for (unsigned i = 2; i < 255; i++) -+ { -+ fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); -+ fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); -+ } -+ xfclose (hosts); -+} -+ -+static int -+do_test (void) -+{ -+ mtrace (); -+ -+ __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); -+ -+ struct addrinfo hints = {}; -+ struct addrinfo *result = NULL; -+ -+ hints.ai_family = AF_INET6; -+ hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; -+ -+ int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); -+ -+ if (ret != 0) -+ FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); -+ -+ TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); -+ -+ freeaddrinfo(result); -+ return 0; -+} -+ -+#include -diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c -index 0356b622be..237ef2be3d 100644 ---- a/sysdeps/posix/getaddrinfo.c -+++ b/sysdeps/posix/getaddrinfo.c -@@ -1187,9 +1187,7 @@ free_and_return: - if (malloc_name) - free ((char *) name); - free (addrmem); -- if (res.free_at) -- free (res.at); -- free (res.canon); -+ 
gaih_result_reset (&res); - - return result; - } diff --git a/glibc/CVE-2023-6246.patch b/glibc/CVE-2023-6246.patch deleted file mode 100644 index 1d6e7567066..00000000000 --- a/glibc/CVE-2023-6246.patch +++ /dev/null 
@@ -1,179 +0,0 @@ -From 6bd0e4efcc78f3c0115e5ea9739a1642807450da Mon Sep 17 00:00:00 2001 -From: Arjun Shankar -Date: Mon, 15 Jan 2024 17:44:43 +0100 -Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal - (CVE-2023-6246) - -__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER -containing a long program name failed to update the required buffer -size, leading to the allocation and overflow of a too-small buffer on -the heap. This commit fixes that. It also adds a new regression test -that uses glibc.malloc.check. - -Reviewed-by: Adhemerval Zanella -Reviewed-by: Carlos O'Donell -Tested-by: Carlos O'Donell ---- - misc/Makefile | 8 ++- - misc/syslog.c | 50 +++++++++++++------ - misc/tst-syslog-long-progname.c | 39 +++++++++++++++ - .../postclean.req | 0 - 4 files changed, 82 insertions(+), 15 deletions(-) - create mode 100644 misc/tst-syslog-long-progname.c - create mode 100644 misc/tst-syslog-long-progname.root/postclean.req - -diff --git a/misc/Makefile b/misc/Makefile -index 42899c2b6c..c273ec6974 100644 ---- a/misc/Makefile -+++ b/misc/Makefile -@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \ - $(objpfx)tst-allocate_once-mem.out - endif - --tests-container := tst-syslog -+tests-container := \ -+ tst-syslog \ -+ tst-syslog-long-progname \ -+ # tests-container - - CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables - CFLAGS-tsearch.c += $(uses-callbacks) -@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out - $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ - $(evaluate-test) - -+tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ -+ LD_PRELOAD=libc_malloc_debug.so.0 -+ - $(objpfx)tst-select: $(librt) - $(objpfx)tst-select-time64: $(librt) - $(objpfx)tst-pselect: $(librt) -diff --git a/misc/syslog.c b/misc/syslog.c -index 1b8cb722c5..814d224a1e 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -124,8 +124,9 @@ 
__vsyslog_internal (int pri, const char *fmt, va_list ap, - { - /* Try to use a static buffer as an optimization. */ - char bufs[1024]; -- char *buf = NULL; -- size_t bufsize = 0; -+ char *buf = bufs; -+ size_t bufsize; -+ - int msgoff; - int saved_errno = errno; - -@@ -177,29 +178,50 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ - "<%d>: %n", __pri, __msgoff - -- int l; -+ int l, vl; - if (has_ts) - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ -+ char *pos; -+ size_t len; -+ - if (0 <= l && l < sizeof bufs) - { -- va_list apc; -- va_copy (apc, ap); -+ /* At this point, there is still a chance that we can print the -+ remaining part of the log into bufs and use that. */ -+ pos = bufs + l; -+ len = sizeof (bufs) - l; -+ } -+ else -+ { -+ buf = NULL; -+ /* We already know that bufs is too small to use for this log message. -+ The next vsnprintf into bufs is used only to calculate the total -+ required buffer length. We will discard bufs contents and allocate -+ an appropriately sized buffer later instead. */ -+ pos = bufs; -+ len = sizeof (bufs); -+ } - -- /* Restore errno for %m format. */ -- __set_errno (saved_errno); -+ { -+ va_list apc; -+ va_copy (apc, ap); - -- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, -- mode_flags); -- if (0 <= vl && vl < sizeof bufs - l) -- buf = bufs; -- bufsize = l + vl; -+ /* Restore errno for %m format. 
*/ -+ __set_errno (saved_errno); - -- va_end (apc); -- } -+ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); -+ -+ if (!(0 <= vl && vl < len)) -+ buf = NULL; -+ -+ bufsize = l + vl; -+ va_end (apc); -+ } - - if (buf == NULL) - { -diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c -new file mode 100644 -index 0000000000..88f37a8a00 ---- /dev/null -+++ b/misc/tst-syslog-long-progname.c -@@ -0,0 +1,39 @@ -+/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246) -+ Copyright (C) 2023 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . */ -+ -+#include -+#include -+ -+extern char * __progname; -+ -+static int -+do_test (void) -+{ -+ char long_progname[2048]; -+ -+ memset (long_progname, 'X', sizeof (long_progname) - 1); -+ long_progname[sizeof (long_progname) - 1] = '\0'; -+ -+ __progname = long_progname; -+ -+ syslog (LOG_INFO, "Hello, World!"); -+ -+ return 0; -+} -+ -+#include -diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req -new file mode 100644 -index 0000000000..e69de29bb2 --- -2.43.0 diff --git a/glibc/CVE-2023-6779.patch b/glibc/CVE-2023-6779.patch deleted file mode 100644 index 057fbb6bb1a..00000000000 --- a/glibc/CVE-2023-6779.patch +++ /dev/null 
@@ -1,105 +0,0 @@ -From 7e5a0c286da33159d47d0122007aac016f3e02cd Mon Sep 17 00:00:00 2001 -From: Arjun Shankar -Date: Mon, 15 Jan 2024 17:44:44 +0100 -Subject: [PATCH] syslog: Fix heap buffer overflow in __vsyslog_internal - (CVE-2023-6779) - -__vsyslog_internal used the return value of snprintf/vsnprintf to -calculate buffer sizes for memory allocation. If these functions (for -any reason) failed and returned -1, the resulting buffer would be too -small to hold output. This commit fixes that. - -All snprintf/vsnprintf calls are checked for negative return values and -the function silently returns upon encountering them. - -Reviewed-by: Carlos O'Donell ---- - misc/syslog.c | 39 ++++++++++++++++++++++++++++----------- - 1 file changed, 28 insertions(+), 11 deletions(-) - -diff --git a/misc/syslog.c b/misc/syslog.c -index 814d224a1e..53440e47ad 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -185,11 +185,13 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - else - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ if (l < 0) -+ goto out; - - char *pos; - size_t len; - -- if (0 <= l && l < sizeof bufs) -+ if (l < sizeof bufs) - { - /* At this point, there is still a chance that we can print the - remaining part of the log into bufs and use that. */ -@@ -215,12 +217,15 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - __set_errno (saved_errno); - - vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); -+ va_end (apc); -+ -+ if (vl < 0) -+ goto out; - -- if (!(0 <= vl && vl < len)) -+ if (vl >= len) - buf = NULL; - - bufsize = l + vl; -- va_end (apc); - } - - if (buf == NULL) -@@ -231,25 +236,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - /* Tell the cancellation handler to free this buffer. 
*/ - clarg.buf = buf; - -+ int cl; - if (has_ts) -- __snprintf (buf, l + 1, -- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else -- __snprintf (buf, l + 1, -- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ if (cl != l) -+ goto out; - - va_list apc; - va_copy (apc, ap); -- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -- mode_flags); -+ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -+ mode_flags); - va_end (apc); -+ -+ if (cl != vl) -+ goto out; - } - else - { -+ int bl; - /* Nothing much to do but emit an error message. */ -- bufsize = __snprintf (bufs, sizeof bufs, -- "out of memory[%d]", __getpid ()); -+ bl = __snprintf (bufs, sizeof bufs, -+ "out of memory[%d]", __getpid ()); -+ if (bl < 0 || bl >= sizeof bufs) -+ goto out; -+ -+ bufsize = bl; - buf = bufs; -+ msgoff = 0; - } - } - --- -2.43.0 - diff --git a/glibc/CVE-2023-6780.patch b/glibc/CVE-2023-6780.patch deleted file mode 100644 index e613c0fede2..00000000000 --- a/glibc/CVE-2023-6780.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -From ddf542da94caf97ff43cc2875c88749880b7259b Mon Sep 17 00:00:00 2001 -From: Arjun Shankar -Date: Mon, 15 Jan 2024 17:44:45 +0100 -Subject: [PATCH] syslog: Fix integer overflow in __vsyslog_internal - (CVE-2023-6780) - -__vsyslog_internal calculated a buffer size by adding two integers, but -did not first check if the addition would overflow. This commit fixes -that. - -Reviewed-by: Carlos O'Donell -Tested-by: Carlos O'Donell ---- - misc/syslog.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/misc/syslog.c b/misc/syslog.c -index 53440e47ad..4af87f54fd 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94"; - #include - #include - #include -+#include - - static int LogType = SOCK_DGRAM; /* type of socket connection */ - static int LogFile = -1; /* fd for log */ -@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); - va_end (apc); - -- if (vl < 0) -+ if (vl < 0 || vl >= INT_MAX - l) - goto out; - - if (vl >= len) --- -2.43.0 - diff --git a/glibc/CVE-2024-2961.patch b/glibc/CVE-2024-2961.patch deleted file mode 100644 index cb269fe1b5d..00000000000 --- a/glibc/CVE-2024-2961.patch +++ /dev/null 
@@ -1,215 +0,0 @@ -From 31da30f23cddd36db29d5b6a1c7619361b271fb4 Mon Sep 17 00:00:00 2001 -From: Charles Fol -Date: Thu, 28 Mar 2024 12:25:38 -0300 -Subject: [PATCH] iconv: ISO-2022-CN-EXT: fix out-of-bound writes when writing - escape sequence (CVE-2024-2961) - -ISO-2022-CN-EXT uses escape sequences to indicate character set changes -(as specified by RFC 1922). While the SOdesignation has the expected -bounds checks, neither SS2designation nor SS3designation have its; -allowing a write overflow of 1, 2, or 3 bytes with fixed values: -'$+I', '$+J', '$+K', '$+L', '$+M', or '$*H'. - -Checked on aarch64-linux-gnu. - -Co-authored-by: Adhemerval Zanella -Reviewed-by: Carlos O'Donell -Tested-by: Carlos O'Donell - -(cherry picked from commit f9dc609e06b1136bb0408be9605ce7973a767ada) ---- - iconvdata/Makefile | 5 +- - iconvdata/iso-2022-cn-ext.c | 12 +++ - iconvdata/tst-iconv-iso-2022-cn-ext.c | 128 ++++++++++++++++++++++++++ - 3 files changed, 144 insertions(+), 1 deletion(-) - create mode 100644 iconvdata/tst-iconv-iso-2022-cn-ext.c - -diff --git a/iconvdata/Makefile b/iconvdata/Makefile -index ea019ce5c0..7196a8744b 100644 ---- a/iconvdata/Makefile -+++ b/iconvdata/Makefile -@@ -75,7 +75,8 @@ ifeq (yes,$(build-shared)) - tests = bug-iconv1 bug-iconv2 tst-loading tst-e2big tst-iconv4 bug-iconv4 \ - tst-iconv6 bug-iconv5 bug-iconv6 tst-iconv7 bug-iconv8 bug-iconv9 \ - bug-iconv10 bug-iconv11 bug-iconv12 tst-iconv-big5-hkscs-to-2ucs4 \ -- bug-iconv13 bug-iconv14 bug-iconv15 -+ bug-iconv13 bug-iconv14 bug-iconv15 \ -+ tst-iconv-iso-2022-cn-ext - ifeq ($(have-thread-library),yes) - tests += bug-iconv3 - endif -@@ -330,6 +331,8 @@ $(objpfx)bug-iconv14.out: $(addprefix $(objpfx), $(gconv-modules)) \ - $(addprefix $(objpfx),$(modules.so)) - $(objpfx)bug-iconv15.out: $(addprefix $(objpfx), $(gconv-modules)) \ - $(addprefix $(objpfx),$(modules.so)) -+$(objpfx)tst-iconv-iso-2022-cn-ext.out: $(addprefix $(objpfx), $(gconv-modules)) \ -+ $(addprefix $(objpfx),$(modules.so)) - - 
$(objpfx)iconv-test.out: run-iconv-test.sh \ - $(addprefix $(objpfx), $(gconv-modules)) \ -diff --git a/iconvdata/iso-2022-cn-ext.c b/iconvdata/iso-2022-cn-ext.c -index b34c8a36f4..cce29b1969 100644 ---- a/iconvdata/iso-2022-cn-ext.c -+++ b/iconvdata/iso-2022-cn-ext.c -@@ -574,6 +574,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); - { \ - const char *escseq; \ - \ -+ if (outptr + 4 > outend) \ -+ { \ -+ result = __GCONV_FULL_OUTPUT; \ -+ break; \ -+ } \ -+ \ - assert (used == CNS11643_2_set); /* XXX */ \ - escseq = "*H"; \ - *outptr++ = ESC; \ -@@ -587,6 +593,12 @@ DIAG_IGNORE_Os_NEEDS_COMMENT (5, "-Wmaybe-uninitialized"); - { \ - const char *escseq; \ - \ -+ if (outptr + 4 > outend) \ -+ { \ -+ result = __GCONV_FULL_OUTPUT; \ -+ break; \ -+ } \ -+ \ - assert ((used >> 5) >= 3 && (used >> 5) <= 7); \ - escseq = "+I+J+K+L+M" + ((used >> 5) - 3) * 2; \ - *outptr++ = ESC; \ -diff --git a/iconvdata/tst-iconv-iso-2022-cn-ext.c b/iconvdata/tst-iconv-iso-2022-cn-ext.c -new file mode 100644 -index 0000000000..96a8765fd5 ---- /dev/null -+++ b/iconvdata/tst-iconv-iso-2022-cn-ext.c -@@ -0,0 +1,128 @@ -+/* Verify ISO-2022-CN-EXT does not write out of the bounds. -+ Copyright (C) 2024 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . 
*/ -+ -+#include -+#include -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+/* The test sets up a two memory page buffer with the second page marked -+ PROT_NONE to trigger a fault if the conversion writes beyond the exact -+ expected amount. Then we carry out various conversions and precisely -+ place the start of the output buffer in order to trigger a SIGSEGV if the -+ process writes anywhere between 1 and page sized bytes more (only one -+ PROT_NONE page is setup as a canary) than expected. These tests exercise -+ all three of the cases in ISO-2022-CN-EXT where the converter must switch -+ character sets and may run out of buffer space while doing the -+ operation. */ -+ -+static int -+do_test (void) -+{ -+ iconv_t cd = iconv_open ("ISO-2022-CN-EXT", "UTF-8"); -+ TEST_VERIFY_EXIT (cd != (iconv_t) -1); -+ -+ char *ntf; -+ size_t ntfsize; -+ char *outbufbase; -+ { -+ int pgz = getpagesize (); -+ TEST_VERIFY_EXIT (pgz > 0); -+ ntfsize = 2 * pgz; -+ -+ ntf = xmmap (NULL, ntfsize, PROT_READ | PROT_WRITE, MAP_PRIVATE -+ | MAP_ANONYMOUS, -1); -+ xmprotect (ntf + pgz, pgz, PROT_NONE); -+ -+ outbufbase = ntf + pgz; -+ } -+ -+ /* Check if SOdesignation escape sequence does not trigger an OOB write. */ -+ { -+ char inbuf[] = "\xe4\xba\xa4\xe6\x8d\xa2"; -+ -+ for (int i = 0; i < 9; i++) -+ { -+ char *inp = inbuf; -+ size_t inleft = sizeof (inbuf) - 1; -+ -+ char *outp = outbufbase - i; -+ size_t outleft = i; -+ -+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) -+ == (size_t) -1); -+ TEST_COMPARE (errno, E2BIG); -+ -+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); -+ } -+ } -+ -+ /* Same as before for SS2designation. 
*/ -+ { -+ char inbuf[] = "ã´½ \xe3\xb4\xbd"; -+ -+ for (int i = 0; i < 14; i++) -+ { -+ char *inp = inbuf; -+ size_t inleft = sizeof (inbuf) - 1; -+ -+ char *outp = outbufbase - i; -+ size_t outleft = i; -+ -+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) -+ == (size_t) -1); -+ TEST_COMPARE (errno, E2BIG); -+ -+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); -+ } -+ } -+ -+ /* Same as before for SS3designation. */ -+ { -+ char inbuf[] = "劄 \xe5\x8a\x84"; -+ -+ for (int i = 0; i < 14; i++) -+ { -+ char *inp = inbuf; -+ size_t inleft = sizeof (inbuf) - 1; -+ -+ char *outp = outbufbase - i; -+ size_t outleft = i; -+ -+ TEST_VERIFY_EXIT (iconv (cd, &inp, &inleft, &outp, &outleft) -+ == (size_t) -1); -+ TEST_COMPARE (errno, E2BIG); -+ -+ TEST_VERIFY_EXIT (iconv (cd, NULL, NULL, NULL, NULL) == 0); -+ } -+ } -+ -+ TEST_VERIFY_EXIT (iconv_close (cd) != -1); -+ -+ xmunmap (ntf, ntfsize); -+ -+ return 0; -+} -+ -+#include --- -2.39.3 diff --git a/glibc/CVE-2024-33599.patch b/glibc/CVE-2024-33599.patch deleted file mode 100644 index 006041fabf4..00000000000 --- a/glibc/CVE-2024-33599.patch +++ /dev/null 
@@ -1,37 +0,0 @@ -From 1263d583d2e28afb8be53f8d6922f0842036f35d Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 25 Apr 2024 15:00:45 +0200 -Subject: [PATCH] CVE-2024-33599: nscd: Stack-based buffer overflow in netgroup - cache (bug 31677) - -Using alloca matches what other caches do. The request length is -bounded by MAXKEYLEN. - -Reviewed-by: Carlos O'Donell -(cherry picked from commit 87801a8fd06db1d654eea3e4f7626ff476a9bdaa) ---- - nscd/netgroupcache.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c -index 0c6e46f15c..f227dc7fa2 100644 ---- a/nscd/netgroupcache.c -+++ b/nscd/netgroupcache.c -@@ -502,12 +502,13 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - = (struct indataset *) mempool_alloc (db, - sizeof (*dataset) + req->key_len, - 1); -- struct indataset dataset_mem; - bool cacheable = true; - if (__glibc_unlikely (dataset == NULL)) - { - cacheable = false; -- dataset = &dataset_mem; -+ /* The alloca is safe because nscd_run_worker verfies that -+ key_len is not larger than MAXKEYLEN. */ -+ dataset = alloca (sizeof (*dataset) + req->key_len); - } - - datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, --- -2.39.3 diff --git a/glibc/CVE-2024-33600-2.patch b/glibc/CVE-2024-33600-2.patch deleted file mode 100644 index 8c01f6f0535..00000000000 --- a/glibc/CVE-2024-33600-2.patch +++ /dev/null 
@@ -1,59 +0,0 @@ -From c99f886de54446cd4447db6b44be93dabbdc2f8b Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 25 Apr 2024 15:01:07 +0200 -Subject: [PATCH] CVE-2024-33600: nscd: Avoid null pointer crashes after - notfound response (bug 31678) - -The addgetnetgrentX call in addinnetgrX may have failed to produce -a result, so the result variable in addinnetgrX can be NULL. -Use db->negtimeout as the fallback value if there is no result data; -the timeout is also overwritten below. - -Also avoid sending a second not-found response. (The client -disconnects after receiving the first response, so the data stream did -not go out of sync even without this fix.) It is still beneficial to -add the negative response to the mapping, so that the client can get -it from there in the future, instead of going through the socket. - -Reviewed-by: Siddhesh Poyarekar -(cherry picked from commit b048a482f088e53144d26a61c390bed0210f49f2) ---- - nscd/netgroupcache.c | 11 +++++++---- - 1 file changed, 7 insertions(+), 4 deletions(-) - -diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c -index c18fe111f3..e22ffa5884 100644 ---- a/nscd/netgroupcache.c -+++ b/nscd/netgroupcache.c -@@ -511,14 +511,15 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - - datahead_init_pos (&dataset->head, sizeof (*dataset) + req->key_len, - sizeof (innetgroup_response_header), -- he == NULL ? 0 : dh->nreloads + 1, result->head.ttl); -+ he == NULL ? 0 : dh->nreloads + 1, -+ result == NULL ? db->negtimeout : result->head.ttl); - /* Set the notfound status and timeout based on the result from - getnetgrent. */ -- dataset->head.notfound = result->head.notfound; -+ dataset->head.notfound = result == NULL || result->head.notfound; - dataset->head.timeout = timeout; - - dataset->resp.version = NSCD_VERSION; -- dataset->resp.found = result->resp.found; -+ dataset->resp.found = result != NULL && result->resp.found; - /* Until we find a matching entry the result is 0. 
*/ - dataset->resp.result = 0; - -@@ -566,7 +567,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - goto out; - } - -- if (he == NULL) -+ /* addgetnetgrentX may have already sent a notfound response. Do -+ not send another one. */ -+ if (he == NULL && dataset->resp.found) - { - /* We write the dataset before inserting it to the database - since while inserting this thread might block and so would --- -2.39.3 diff --git a/glibc/CVE-2024-33600.patch b/glibc/CVE-2024-33600.patch deleted file mode 100644 index 3363ef23947..00000000000 --- a/glibc/CVE-2024-33600.patch +++ /dev/null 
@@ -1,58 +0,0 @@ -From 5a508e0b508c8ad53bd0d2fb48fd71b242626341 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 25 Apr 2024 15:01:07 +0200 -Subject: [PATCH 1/1] CVE-2024-33600: nscd: Do not send missing not-found - response in addgetnetgrentX (bug 31678) - -If we failed to add a not-found response to the cache, the dataset -point can be null, resulting in a null pointer dereference. - -Reviewed-by: Siddhesh Poyarekar -(cherry picked from commit 7835b00dbce53c3c87bbbb1754a95fb5e58187aa) ---- - nscd/netgroupcache.c | 14 ++++++-------- - 1 file changed, 6 insertions(+), 8 deletions(-) - -diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c -index f227dc7fa2..c18fe111f3 100644 ---- a/nscd/netgroupcache.c -+++ b/nscd/netgroupcache.c -@@ -147,7 +147,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - /* No such service. */ - cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, - &key_copy); -- goto writeout; -+ goto maybe_cache_add; - } - - memset (&data, '\0', sizeof (data)); -@@ -348,7 +348,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - { - cacheable = do_notfound (db, fd, req, key, &dataset, &total, &timeout, - &key_copy); -- goto writeout; -+ goto maybe_cache_add; - } - - total = buffilled; -@@ -410,14 +410,12 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - } - - if (he == NULL && fd != -1) -- { -- /* We write the dataset before inserting it to the database -- since while inserting this thread might block and so would -- unnecessarily let the receiver wait. */ -- writeout: -+ /* We write the dataset before inserting it to the database since -+ while inserting this thread might block and so would -+ unnecessarily let the receiver wait. */ - writeall (fd, &dataset->resp, dataset->head.recsize); -- } - -+ maybe_cache_add: - if (cacheable) - { - /* If necessary, we also propagate the data to disk. */ --- -2.39.3 
diff --git a/glibc/CVE-2024-33601.patch b/glibc/CVE-2024-33601.patch
deleted file mode 100644
index 18cb87b396a..00000000000
--- a/glibc/CVE-2024-33601.patch
+++ /dev/null
@@ -1,389 +0,0 @@ -From a9a8d3eebb145779a18d90e3966009a1daa63cd8 Mon Sep 17 00:00:00 2001 -From: Florian Weimer -Date: Thu, 25 Apr 2024 15:01:07 +0200 -Subject: [PATCH] CVE-2024-33601, CVE-2024-33602: nscd: netgroup: Use two - buffers in addgetnetgrentX (bug 31680) - -This avoids potential memory corruption when the underlying NSS -callback function does not use the buffer space to store all strings -(e.g., for constant strings). - -Instead of custom buffer management, two scratch buffers are used. -This increases stack usage somewhat. - -Scratch buffer allocation failure is handled by return -1 -(an invalid timeout value) instead of terminating the process. -This fixes bug 31679. - -Reviewed-by: Siddhesh Poyarekar -(cherry picked from commit c04a21e050d64a1193a6daab872bca2528bda44b) ---- - nscd/netgroupcache.c | 219 ++++++++++++++++++++++++------------------- - 1 file changed, 121 insertions(+), 98 deletions(-) - -diff --git a/nscd/netgroupcache.c b/nscd/netgroupcache.c -index e22ffa5884..e8fe041846 100644 ---- a/nscd/netgroupcache.c -+++ b/nscd/netgroupcache.c -@@ -23,6 +23,7 @@ - #include - #include - #include -+#include - - #include "../nss/netgroup.h" - #include "nscd.h" -@@ -65,6 +66,16 @@ struct dataset - char strdata[0]; - }; - -+/* Send a notfound response to FD. Always returns -1 to indicate an -+ ephemeral error. */ -+static time_t -+send_notfound (int fd) -+{ -+ if (fd != -1) -+ TEMP_FAILURE_RETRY (send (fd, ¬found, sizeof (notfound), MSG_NOSIGNAL)); -+ return -1; -+} -+ - /* Sends a notfound message and prepares a notfound dataset to write to the - cache. 
Returns true if there was enough memory to allocate the dataset and - returns the dataset in DATASETP, total bytes to write in TOTALP and the -@@ -83,8 +94,7 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, - total = sizeof (notfound); - timeout = time (NULL) + db->negtimeout; - -- if (fd != -1) -- TEMP_FAILURE_RETRY (send (fd, ¬found, total, MSG_NOSIGNAL)); -+ send_notfound (fd); - - dataset = mempool_alloc (db, sizeof (struct dataset) + req->key_len, 1); - /* If we cannot permanently store the result, so be it. */ -@@ -109,11 +119,78 @@ do_notfound (struct database_dyn *db, int fd, request_header *req, - return cacheable; - } - -+struct addgetnetgrentX_scratch -+{ -+ /* This is the result that the caller should use. It can be NULL, -+ point into buffer, or it can be in the cache. */ -+ struct dataset *dataset; -+ -+ struct scratch_buffer buffer; -+ -+ /* Used internally in addgetnetgrentX as a staging area. */ -+ struct scratch_buffer tmp; -+ -+ /* Number of bytes in buffer that are actually used. */ -+ size_t buffer_used; -+}; -+ -+static void -+addgetnetgrentX_scratch_init (struct addgetnetgrentX_scratch *scratch) -+{ -+ scratch->dataset = NULL; -+ scratch_buffer_init (&scratch->buffer); -+ scratch_buffer_init (&scratch->tmp); -+ -+ /* Reserve space for the header. */ -+ scratch->buffer_used = sizeof (struct dataset); -+ static_assert (sizeof (struct dataset) < sizeof (scratch->tmp.__space), -+ "initial buffer space"); -+ memset (scratch->tmp.data, 0, sizeof (struct dataset)); -+} -+ -+static void -+addgetnetgrentX_scratch_free (struct addgetnetgrentX_scratch *scratch) -+{ -+ scratch_buffer_free (&scratch->buffer); -+ scratch_buffer_free (&scratch->tmp); -+} -+ -+/* Copy LENGTH bytes from S into SCRATCH. Returns NULL if SCRATCH -+ could not be resized, otherwise a pointer to the copy. 
*/ -+static char * -+addgetnetgrentX_append_n (struct addgetnetgrentX_scratch *scratch, -+ const char *s, size_t length) -+{ -+ while (true) -+ { -+ size_t remaining = scratch->buffer.length - scratch->buffer_used; -+ if (remaining >= length) -+ break; -+ if (!scratch_buffer_grow_preserve (&scratch->buffer)) -+ return NULL; -+ } -+ char *copy = scratch->buffer.data + scratch->buffer_used; -+ memcpy (copy, s, length); -+ scratch->buffer_used += length; -+ return copy; -+} -+ -+/* Copy S into SCRATCH, including its null terminator. Returns false -+ if SCRATCH could not be resized. */ -+static bool -+addgetnetgrentX_append (struct addgetnetgrentX_scratch *scratch, const char *s) -+{ -+ if (s == NULL) -+ s = ""; -+ return addgetnetgrentX_append_n (scratch, s, strlen (s) + 1) != NULL; -+} -+ -+/* Caller must initialize and free *SCRATCH. If the return value is -+ negative, this function has sent a notfound response. */ - static time_t - addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - const char *key, uid_t uid, struct hashentry *he, -- struct datahead *dh, struct dataset **resultp, -- void **tofreep) -+ struct datahead *dh, struct addgetnetgrentX_scratch *scratch) - { - if (__glibc_unlikely (debug_level > 0)) - { -@@ -132,14 +209,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - - char *key_copy = NULL; - struct __netgrent data; -- size_t buflen = MAX (1024, sizeof (*dataset) + req->key_len); -- size_t buffilled = sizeof (*dataset); -- char *buffer = NULL; - size_t nentries = 0; - size_t group_len = strlen (key) + 1; - struct name_list *first_needed - = alloca (sizeof (struct name_list) + group_len); -- *tofreep = NULL; - - if (netgroup_database == NULL - && !__nss_database_get (nss_database_netgroup, &netgroup_database)) -@@ -151,8 +224,6 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - } - - memset (&data, '\0', sizeof (data)); -- buffer = xmalloc (buflen); -- *tofreep = buffer; - 
first_needed->next = first_needed; - memcpy (first_needed->name, key, group_len); - data.needed_groups = first_needed; -@@ -195,8 +266,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - while (1) - { - int e; -- status = getfct.f (&data, buffer + buffilled, -- buflen - buffilled - req->key_len, &e); -+ status = getfct.f (&data, scratch->tmp.data, -+ scratch->tmp.length, &e); - if (status == NSS_STATUS_SUCCESS) - { - if (data.type == triple_val) -@@ -204,68 +275,10 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - const char *nhost = data.val.triple.host; - const char *nuser = data.val.triple.user; - const char *ndomain = data.val.triple.domain; -- -- size_t hostlen = strlen (nhost ?: "") + 1; -- size_t userlen = strlen (nuser ?: "") + 1; -- size_t domainlen = strlen (ndomain ?: "") + 1; -- -- if (nhost == NULL || nuser == NULL || ndomain == NULL -- || nhost > nuser || nuser > ndomain) -- { -- const char *last = nhost; -- if (last == NULL -- || (nuser != NULL && nuser > last)) -- last = nuser; -- if (last == NULL -- || (ndomain != NULL && ndomain > last)) -- last = ndomain; -- -- size_t bufused -- = (last == NULL -- ? buffilled -- : last + strlen (last) + 1 - buffer); -- -- /* We have to make temporary copies. */ -- size_t needed = hostlen + userlen + domainlen; -- -- if (buflen - req->key_len - bufused < needed) -- { -- buflen += MAX (buflen, 2 * needed); -- /* Save offset in the old buffer. We don't -- bother with the NULL check here since -- we'll do that later anyway. */ -- size_t nhostdiff = nhost - buffer; -- size_t nuserdiff = nuser - buffer; -- size_t ndomaindiff = ndomain - buffer; -- -- char *newbuf = xrealloc (buffer, buflen); -- /* Fix up the triplet pointers into the new -- buffer. */ -- nhost = (nhost ? newbuf + nhostdiff -- : NULL); -- nuser = (nuser ? newbuf + nuserdiff -- : NULL); -- ndomain = (ndomain ? 
newbuf + ndomaindiff -- : NULL); -- *tofreep = buffer = newbuf; -- } -- -- nhost = memcpy (buffer + bufused, -- nhost ?: "", hostlen); -- nuser = memcpy ((char *) nhost + hostlen, -- nuser ?: "", userlen); -- ndomain = memcpy ((char *) nuser + userlen, -- ndomain ?: "", domainlen); -- } -- -- char *wp = buffer + buffilled; -- wp = memmove (wp, nhost ?: "", hostlen); -- wp += hostlen; -- wp = memmove (wp, nuser ?: "", userlen); -- wp += userlen; -- wp = memmove (wp, ndomain ?: "", domainlen); -- wp += domainlen; -- buffilled = wp - buffer; -+ if (!(addgetnetgrentX_append (scratch, nhost) -+ && addgetnetgrentX_append (scratch, nuser) -+ && addgetnetgrentX_append (scratch, ndomain))) -+ return send_notfound (fd); - ++nentries; - } - else -@@ -317,8 +330,8 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - } - else if (status == NSS_STATUS_TRYAGAIN && e == ERANGE) - { -- buflen *= 2; -- *tofreep = buffer = xrealloc (buffer, buflen); -+ if (!scratch_buffer_grow (&scratch->tmp)) -+ return send_notfound (fd); - } - else if (status == NSS_STATUS_RETURN - || status == NSS_STATUS_NOTFOUND -@@ -351,10 +364,17 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - goto maybe_cache_add; - } - -- total = buffilled; -+ /* Capture the result size without the key appended. */ -+ total = scratch->buffer_used; -+ -+ /* Make a copy of the key. The scratch buffer must not move after -+ this point. */ -+ key_copy = addgetnetgrentX_append_n (scratch, key, req->key_len); -+ if (key_copy == NULL) -+ return send_notfound (fd); - - /* Fill in the dataset. */ -- dataset = (struct dataset *) buffer; -+ dataset = scratch->buffer.data; - timeout = datahead_init_pos (&dataset->head, total + req->key_len, - total - offsetof (struct dataset, resp), - he == NULL ? 
0 : dh->nreloads + 1, -@@ -363,11 +383,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - dataset->resp.version = NSCD_VERSION; - dataset->resp.found = 1; - dataset->resp.nresults = nentries; -- dataset->resp.result_len = buffilled - sizeof (*dataset); -- -- assert (buflen - buffilled >= req->key_len); -- key_copy = memcpy (buffer + buffilled, key, req->key_len); -- buffilled += req->key_len; -+ dataset->resp.result_len = total - sizeof (*dataset); - - /* Now we can determine whether on refill we have to create a new - record or not. */ -@@ -398,7 +414,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - if (__glibc_likely (newp != NULL)) - { - /* Adjust pointer into the memory block. */ -- key_copy = (char *) newp + (key_copy - buffer); -+ key_copy = (char *) newp + (key_copy - (char *) dataset); - - dataset = memcpy (newp, dataset, total + req->key_len); - cacheable = true; -@@ -439,7 +455,7 @@ addgetnetgrentX (struct database_dyn *db, int fd, request_header *req, - } - - out: -- *resultp = dataset; -+ scratch->dataset = dataset; - - return timeout; - } -@@ -460,6 +476,9 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - if (user != NULL) - key = strchr (key, '\0') + 1; - const char *domain = *key++ ? 
key : NULL; -+ struct addgetnetgrentX_scratch scratch; -+ -+ addgetnetgrentX_scratch_init (&scratch); - - if (__glibc_unlikely (debug_level > 0)) - { -@@ -475,12 +494,8 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - group, group_len, - db, uid); - time_t timeout; -- void *tofree; - if (result != NULL) -- { -- timeout = result->head.timeout; -- tofree = NULL; -- } -+ timeout = result->head.timeout; - else - { - request_header req_get = -@@ -489,7 +504,10 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - .key_len = group_len - }; - timeout = addgetnetgrentX (db, -1, &req_get, group, uid, NULL, NULL, -- &result, &tofree); -+ &scratch); -+ result = scratch.dataset; -+ if (timeout < 0) -+ goto out; - } - - struct indataset -@@ -603,7 +621,7 @@ addinnetgrX (struct database_dyn *db, int fd, request_header *req, - } - - out: -- free (tofree); -+ addgetnetgrentX_scratch_free (&scratch); - return timeout; - } - -@@ -613,11 +631,12 @@ addgetnetgrentX_ignore (struct database_dyn *db, int fd, request_header *req, - const char *key, uid_t uid, struct hashentry *he, - struct datahead *dh) - { -- struct dataset *ignore; -- void *tofree; -- time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, -- &ignore, &tofree); -- free (tofree); -+ struct addgetnetgrentX_scratch scratch; -+ addgetnetgrentX_scratch_init (&scratch); -+ time_t timeout = addgetnetgrentX (db, fd, req, key, uid, he, dh, &scratch); -+ addgetnetgrentX_scratch_free (&scratch); -+ if (timeout < 0) -+ timeout = 0; - return timeout; - } - -@@ -661,5 +680,9 @@ readdinnetgr (struct database_dyn *db, struct hashentry *he, - .key_len = he->len - }; - -- return addinnetgrX (db, -1, &req, db->data + he->key, he->owner, he, dh); -+ int timeout = addinnetgrX (db, -1, &req, db->data + he->key, he->owner, -+ he, dh); -+ if (timeout < 0) -+ timeout = 0; -+ return timeout; - } --- -2.39.3