From 7eb78e80e2ef6574fc29e6d30bf54c7f39b0743a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bernhard=20Rosenkr=C3=A4nzer?=
<bernhard.rosenkraenzer.ext@huawei.com>
Date: Fri, 30 Jul 2021 02:02:05 +0200
Subject: [PATCH] glibc: Fix CVE-2021-33574
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
This is a backport of openembedded-core commit
b4bc29cf19d811c0ec948dbe69c0bc79fe31e0e8:
Source: https://sourceware.org/git/glibc.git
Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=27896
Backported upstream commit 42d359350510506b87101cf77202fefcbfc790cb to
glibc-2.33 source with dependent commit id 217b6dc298156bdb0d6aea9ea93e7e394a5ff091.
Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Bernhard Rosenkränzer <bernhard.rosenkraenzer.ext@huawei.com>
---
.../glibc/glibc/CVE-2021-33574.patch | 61 +++++++++++++++++++
.../recipes-core/glibc/glibc_2.33.bb | 1 +
2 files changed, 62 insertions(+)
create mode 100644 meta-ohos-staging/recipes-core/glibc/glibc/CVE-2021-33574.patch
diff --git a/meta-ohos-staging/recipes-core/glibc/glibc/CVE-2021-33574.patch b/meta-ohos-staging/recipes-core/glibc/glibc/CVE-2021-33574.patch
new file mode 100644
index 00000000..fd73b23c
--- /dev/null
+++ b/meta-ohos-staging/recipes-core/glibc/glibc/CVE-2021-33574.patch
@@ -0,0 +1,61 @@
+From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@linux-m68k.org>
+Date: Thu, 27 May 2021 12:49:47 +0200
+Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
+
+Make a deep copy of the pthread attribute object to remove a potential
+use-after-free issue.
+
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb]
+CVE: CVE-2021-33574
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index cc575a0cdd8..6f46d29d1dc 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
++++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -133,8 +133,11 @@ helper_thread (void *arg)
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+- /* The only state we keep is the copy of the thread attributes. */
+- free (data.attr);
++ {
++ /* The only state we keep is the copy of the thread attributes. */
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+ }
+ return NULL;
+ }
+@@ -255,8 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ if (data.attr == NULL)
+ return -1;
+
+- memcpy (data.attr, notification->sigev_notify_attributes,
+- sizeof (pthread_attr_t));
++ int ret = __pthread_attr_copy (data.attr,
++ notification->sigev_notify_attributes);
++ if (ret != 0)
++ {
++ free (data.attr);
++ __set_errno (ret);
++ return -1;
++ }
+ }
+
+ /* Construct the new request. */
+@@ -269,8 +278,11 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
+ int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
+
+ /* If it failed, free the allocated memory. */
+- if (__glibc_unlikely (retval != 0))
+- free (data.attr);
++ if (retval != 0 && data.attr != NULL)
++ {
++ pthread_attr_destroy (data.attr);
++ free (data.attr);
++ }
+
+ return retval;
+ }
diff --git a/meta-ohos-staging/recipes-core/glibc/glibc_2.33.bb b/meta-ohos-staging/recipes-core/glibc/glibc_2.33.bb
index 925efe8c..e9f01a14 100644
--- a/meta-ohos-staging/recipes-core/glibc/glibc_2.33.bb
+++ b/meta-ohos-staging/recipes-core/glibc/glibc_2.33.bb
@@ -57,6 +57,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
file://mte-backports.patch \
+ file://CVE-2021-33574.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
GitLab