This is an automated email from the git hooks/post-receive script. aurel32 pushed a commit to branch sid in repository glibc.
commit b07991b329a1352457ca14d94fde9ff81c6e5e12 Author: Aurelien Jarno <aurel...@aurel32.net> Date: Sun Aug 13 19:58:44 2017 +0200 debian/patches/git-updates.diff: update from upstream stable branch: * debian/patches/git-updates.diff: update from upstream stable branch: - Avoid use-after-free read access in clntudp_call (CVE-2017-12133). Closes: #870648. --- debian/changelog | 3 + debian/patches/git-updates.diff | 133 ++++++++++++++++++++++++++++++++++++++-- 2 files changed, 130 insertions(+), 6 deletions(-) diff --git a/debian/changelog b/debian/changelog index 206c453..f11bd24 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,6 +1,9 @@ glibc (2.24-15) UNRELEASED; urgency=medium [ Aurelien Jarno ] + * debian/patches/git-updates.diff: update from upstream stable branch: + - Avoid use-after-free read access in clntudp_call (CVE-2017-12133). + Closes: #870648. * debian/control.in/*: Change back gcc-multilib to a Recommends for biarch packages. It provides the /usr/include/linux/asm symlink. * debian/control.in/x32: Add a gcc-multilib Recommends for libc6-dev-x32. diff --git a/debian/patches/git-updates.diff b/debian/patches/git-updates.diff index 51f448e..8174cab 100644 --- a/debian/patches/git-updates.diff +++ b/debian/patches/git-updates.diff @@ -1,10 +1,24 @@ GIT update of git://sourceware.org/git/glibc.git/release/2.24/master from glibc-2.24 diff --git a/ChangeLog b/ChangeLog -index c44c926094..e2d55512c4 100644 +index c44c926094..ecc0da0b02 100644 --- a/ChangeLog 
+++ b/ChangeLog -@@ -1,3 +1,608 @@ +@@ -1,3 +1,622 @@ ++2017-08-06 H.J. Lu <hongjiu...@intel.com> ++ ++ [BZ #21871] ++ * sysdeps/x86/cpu-features.c (init_cpu_features): Set ++ bit_arch_Use_dl_runtime_resolve_opt only with AVX512F. ++ ++2017-02-27 Florian Weimer <fwei...@redhat.com> ++ ++ [BZ #21115] ++ * sunrpc/clnt_udp.c (clntudp_call): Free ancillary data later. ++ * sunrpc/Makefile (tests): Add tst-udp-error. ++ (tst-udp-error): Link against libc.so explicitly. ++ * sunrpc/tst-udp-error: New file. ++ +2017-01-24 James Clarke <jrt...@jrtc27.com> + + * sysdeps/unix/sysv/linux/sh/sh3/ucontext_i.sym: Use new REG_R* 
@@ -3513,6 +3527,110 @@ index 0000000000..2ece7ce575 +} + +command_$command +diff --git a/sunrpc/Makefile b/sunrpc/Makefile +index 789ef423e5..4373fffdec 100644 +--- a/sunrpc/Makefile ++++ b/sunrpc/Makefile +@@ -96,7 +96,7 @@ rpcgen-objs = rpc_main.o rpc_hout.o rpc_cout.o rpc_parse.o \ + extra-objs = $(rpcgen-objs) $(addprefix cross-,$(rpcgen-objs)) + others += rpcgen + +-tests = tst-xdrmem tst-xdrmem2 test-rpcent ++tests = tst-xdrmem tst-xdrmem2 test-rpcent tst-udp-error + xtests := tst-getmyaddr + + ifeq ($(have-thread-library),yes) +@@ -153,6 +153,7 @@ BUILD_CPPFLAGS += $(sunrpc-CPPFLAGS) + $(objpfx)tst-getmyaddr: $(common-objpfx)linkobj/libc.so + $(objpfx)tst-xdrmem: $(common-objpfx)linkobj/libc.so + $(objpfx)tst-xdrmem2: $(common-objpfx)linkobj/libc.so ++$(objpfx)tst-udp-error: $(common-objpfx)linkobj/libc.so + + $(objpfx)rpcgen: $(addprefix $(objpfx),$(rpcgen-objs)) + +diff --git a/sunrpc/clnt_udp.c b/sunrpc/clnt_udp.c +index 4d9acb1e6a..1de25cb771 100644 +--- a/sunrpc/clnt_udp.c ++++ b/sunrpc/clnt_udp.c +@@ -421,9 +421,9 @@ send_again: + cmsg = CMSG_NXTHDR (&msg, cmsg)) + if (cmsg->cmsg_level == SOL_IP && cmsg->cmsg_type == IP_RECVERR) + { +- free (cbuf); + e = (struct sock_extended_err *) CMSG_DATA(cmsg); + cu->cu_error.re_errno = e->ee_errno; ++ free (cbuf); + return (cu->cu_error.re_status = RPC_CANTRECV); + } + free (cbuf); +diff --git a/sunrpc/tst-udp-error.c b/sunrpc/tst-udp-error.c +new file mode 100644 +index 0000000000..1efc02f5c6 +--- /dev/null ++++ b/sunrpc/tst-udp-error.c +@@ -0,0 +1,62 @@ ++/* Check for use-after-free in clntudp_call (bug 21115). ++ Copyright (C) 2017 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ <http://www.gnu.org/licenses/>. */ ++ ++#include <netinet/in.h> ++#include <rpc/clnt.h> ++#include <rpc/svc.h> ++#include <support/check.h> ++#include <support/namespace.h> ++#include <support/xsocket.h> ++#include <unistd.h> ++ ++static int ++do_test (void) ++{ ++ support_become_root (); ++ support_enter_network_namespace (); ++ ++ /* Obtain a likely-unused port number. */ ++ struct sockaddr_in sin = ++ { ++ .sin_family = AF_INET, ++ .sin_addr.s_addr = htonl (INADDR_LOOPBACK), ++ }; ++ { ++ int fd = xsocket (AF_INET, SOCK_DGRAM | SOCK_CLOEXEC, 0); ++ xbind (fd, (struct sockaddr *) &sin, sizeof (sin)); ++ socklen_t sinlen = sizeof (sin); ++ xgetsockname (fd, (struct sockaddr *) &sin, &sinlen); ++ /* Close the socket, so that we will receive an error below. */ ++ close (fd); ++ } ++ ++ int sock = RPC_ANYSOCK; ++ CLIENT *clnt = clntudp_create ++ (&sin, 1, 2, (struct timeval) { 1, 0 }, &sock); ++ TEST_VERIFY_EXIT (clnt != NULL); ++ TEST_VERIFY (clnt_call (clnt, 3, ++ (xdrproc_t) xdr_void, NULL, ++ (xdrproc_t) xdr_void, NULL, ++ ((struct timeval) { 3, 0 })) ++ == RPC_CANTRECV); ++ clnt_destroy (clnt); ++ ++ return 0; ++} ++ ++#include <support/test-driver.c> diff --git a/support/Makefile b/support/Makefile new file mode 100644 index 0000000000..20b0343ade @@ -15125,7 +15243,7 @@ index 8332ade9fb..cdd2dea32a 100644 jae SYSCALL_ERROR_LABEL /* Branch forward if it failed. */ diff --git a/sysdeps/x86/cpu-features.c b/sysdeps/x86/cpu-features.c -index 9ce4b495a5..d1ee922290 100644 +index 9ce4b495a5..508ad2ae7b 100644 --- a/sysdeps/x86/cpu-features.c +++ b/sysdeps/x86/cpu-features.c 
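Review bot: The new sunrpc/tst-udp-error.c only verifies that clnt_call returns RPC_CANTRECV, but in the clnt_udp.c hunk that status is assigned independently of `e->ee_errno`, so the test would presumably also pass with the pre-fix ordering unless it runs under a heap checker (valgrind, ASan, or a perturbing allocator). Consider also asserting the propagated errno after the call, e.g. `struct rpc_err err; clnt_geterr (clnt, &err); TEST_VERIFY (err.re_errno == ECONNREFUSED);` (the expected value is inferred for a closed loopback UDP port and needs confirming, and it requires `<errno.h>`), or state the dependence on a memory checker in the file's header comment. In clntudp_call, a short comment such as `/* e points into cbuf; copy ee_errno out before freeing it. */` above the moved `free (cbuf);` would guard against the ordering being reverted; that function's body starts and ends outside the hunk.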
@@ -133,8 +133,6 @@ init_cpu_features (struct cpu_features *cpu_features) @@ -15137,7 +15255,7 @@ index 9ce4b495a5..d1ee922290 100644 case 0x5c: case 0x5f: -@@ -205,6 +203,30 @@ init_cpu_features (struct cpu_features *cpu_features) +@@ -205,6 +203,33 @@ init_cpu_features (struct cpu_features *cpu_features) if (CPU_FEATURES_ARCH_P (cpu_features, AVX2_Usable)) cpu_features->feature[index_arch_AVX_Fast_Unaligned_Load] |= bit_arch_AVX_Fast_Unaligned_Load; @@ -15153,10 +15271,13 @@ index 9ce4b495a5..d1ee922290 100644 + |= bit_arch_Prefer_No_AVX512; + + /* To avoid SSE transition penalty, use _dl_runtime_resolve_slow. -+ If XGETBV suports ECX == 1, use _dl_runtime_resolve_opt. */ ++ If XGETBV suports ECX == 1, use _dl_runtime_resolve_opt. ++ Use _dl_runtime_resolve_opt only with AVX512F since it is ++ slower than _dl_runtime_resolve_slow with AVX. */ + cpu_features->feature[index_arch_Use_dl_runtime_resolve_slow] + |= bit_arch_Use_dl_runtime_resolve_slow; -+ if (cpu_features->max_cpuid >= 0xd) ++ if (CPU_FEATURES_ARCH_P (cpu_features, AVX512F_Usable) ++ && cpu_features->max_cpuid >= 0xd) + { + unsigned int eax; + -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-glibc/glibc.git