Re: [OE-core] [PATCH] glibc: Fix CVE-2021-33574

Mon, 16 Aug 2021 23:41:04 -0700 

There is now an additional fix on top of this:

https://it.slashdot.org/story/21/08/16/2131221/linux-glibc-security-fix-created-a-nastier-linux-bug

https://access.redhat.com/security/cve/cve-2021-38604

//E

Den mån 2 aug. 2021 kl 06:14 skrev Vinay Kumar <[email protected]>:

> Hi Anuj,
>
> >> It seems wrong to me because the patch header/description is not
> >> correct here. It's no longer a backport of just
> >> 42d359350510506b87101cf77202fefcbfc790cb.
>
> Yes, I merged 2 commits first
> (42d359350510506b87101cf77202fefcbfc790cb and
> 217b6dc298156bdb0d6aea9ea93e7e394a5ff091)
> and then backported as a single patch, and I used only the patch
> header of 42d359350510506b87101cf77202fefcbfc790cb.
>
> >> I also just noticed that there's already a fix for this CVE in my
> >> branch. So I think I will take that:
>
> Ok, thanks. Will go with this once it gets merged to the "hardknott"
> branch.
>
> Regards,
> Vinay
>
> On Mon, Aug 2, 2021 at 8:09 AM Mittal, Anuj <[email protected]> wrote:
> >
> > On Sat, 2021-07-31 at 21:57 +0530, Vinay Kumar wrote:
> > > Hi Anuj,
> > >
> > > The patch is conjugate of both commits.
> > >
> https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
> > >
> > >
> https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
> > >
> > > Also, the patch is committed to master branch
> > >
> http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=55681d09d7f519a1c7f17d17b18ec59bccdc91ca
> > >
> > > Due you want me to resubmit for "hardknott" branch by splitting in to
> > > 2 patches ?
> >
> > It seems wrong to me because the patch header/description is not
> > correct here. It's no longer a backport of just
> > 42d359350510506b87101cf77202fefcbfc790cb.
> >
> > I also just noticed that there's already a fix for this CVE in my
> > branch. So I think I will take that:
> >
> >
> https://git.openembedded.org/openembedded-core-contrib/commit/?h=anujm/hardknott&id=ede353df06a07d35dc66d024e2c7bd1b250d9761
> >
> > Thanks,
> >
> > Anuj
> >
> > >
> > > Regards,
> > > Vinay
> > >
> > > On Sat, Jul 31, 2021 at 11:52 AM Mittal, Anuj <[email protected]>
> > > wrote:
> > > >
> > > > On Tue, 2021-07-27 at 11:38 -0700, Vinay Kumar wrote:
> > > > > Source: https://sourceware.org/git/glibc.git
> > > > > Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=27896
> > > > >
> > > > > Backported upstream commit 42d359350510506b87101cf77202fefcbfc790cb
> > > > > to
> > > > > glibc-2.33 source with dependent commit id
> > > > > 217b6dc298156bdb0d6aea9ea93e7e394a5ff091.
> > > > >
> > > > > Upstream-Status: Backport
> > > > > [
> > > > >
> https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
> > > > > ]
> > > >
> > > > It looks like you'd need to backport this one too:
> > > >
> > > >
> https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091
> > > >
> > > > ?
> > > >
> > > > Thanks,
> > > >
> > > > Anuj
> > > >
> > > > >
> > > > > Signed-off-by: Vinay Kumar <[email protected]>
> > > > > ---
> > > > >  .../glibc/glibc/CVE-2021-33574.patch          | 61
> > > > > +++++++++++++++++++
> > > > >  meta/recipes-core/glibc/glibc_2.33.bb         |  1 +
> > > > >  2 files changed, 62 insertions(+)
> > > > >  create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-
> > > > > 33574.patch
> > > > >
> > > > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch
> > > > > b/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch
> > > > > new file mode 100644
> > > > > index 0000000000..fd73b23c88
> > > > > --- /dev/null
> > > > > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch
> > > > > @@ -0,0 +1,61 @@
> > > > > +From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00
> > > > > 2001
> > > > > +From: Andreas Schwab <[email protected]>
> > > > > +Date: Thu, 27 May 2021 12:49:47 +0200
> > > > > +Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
> > > > > +
> > > > > +Make a deep copy of the pthread attribute object to remove a
> > > > > potential
> > > > > +use-after-free issue.
> > > > > +
> > > > > +Upstream-Status: Backport
> > > > > [
> > > > >
> https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb
> > > > > ]
> > > > > +CVE: CVE-2021-33574
> > > > > +Signed-off-by: Vinay Kumar <[email protected]>
> > > > > +---
> > > > > +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c
> > > > > b/sysdeps/unix/sysv/linux/mq_notify.c
> > > > > +index cc575a0cdd8..6f46d29d1dc 100644
> > > > > +--- a/sysdeps/unix/sysv/linux/mq_notify.c
> > > > > ++++ b/sysdeps/unix/sysv/linux/mq_notify.c
> > > > > +@@ -133,8 +133,11 @@ helper_thread (void *arg)
> > > > > +           (void) __pthread_barrier_wait (&notify_barrier);
> > > > > +       }
> > > > > +       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
> > > > > +-      /* The only state we keep is the copy of the thread
> > > > > attributes.  */
> > > > > +-      free (data.attr);
> > > > > ++      {
> > > > > ++        /* The only state we keep is the copy of the thread
> > > > > attributes.  */
> > > > > ++        pthread_attr_destroy (data.attr);
> > > > > ++        free (data.attr);
> > > > > ++      }
> > > > > +     }
> > > > > +   return NULL;
> > > > > + }
> > > > > +@@ -255,8 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent
> > > > > *notification)
> > > > > +       if (data.attr == NULL)
> > > > > +       return -1;
> > > > > +
> > > > > +-      memcpy (data.attr, notification->sigev_notify_attributes,
> > > > > +-            sizeof (pthread_attr_t));
> > > > > ++      int ret = __pthread_attr_copy (data.attr,
> > > > > ++                                   notification-
> > > > > > sigev_notify_attributes);
> > > > > ++      if (ret != 0)
> > > > > ++      {
> > > > > ++        free (data.attr);
> > > > > ++        __set_errno (ret);
> > > > > ++        return -1;
> > > > > ++      }
> > > > > +     }
> > > > > +
> > > > > +   /* Construct the new request.  */
> > > > > +@@ -269,8 +278,11 @@ mq_notify (mqd_t mqdes, const struct sigevent
> > > > > *notification)
> > > > > +   int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se);
> > > > > +
> > > > > +   /* If it failed, free the allocated memory.  */
> > > > > +-  if (__glibc_unlikely (retval != 0))
> > > > > +-    free (data.attr);
> > > > > ++  if (retval != 0 && data.attr != NULL)
> > > > > ++    {
> > > > > ++      pthread_attr_destroy (data.attr);
> > > > > ++      free (data.attr);
> > > > > ++    }
> > > > > +
> > > > > +   return retval;
> > > > > + }
> > > > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes-
> > > > > core/glibc/glibc_2.33.bb
> > > > > index 925efe8cc6..e9f01a14c5 100644
> > > > > --- a/meta/recipes-core/glibc/glibc_2.33.bb
> > > > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb
> > > > > @@ -57,6 +57,7 @@ SRC_URI =
> > > > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
> > > > >
> > > > >
> file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch
> > > > >  \
> > > > >
> > > > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
> > > > >             file://mte-backports.patch \
> > > > > +           file://CVE-2021-33574.patch \
> > > > >             "
> > > > >  S = "${WORKDIR}/git"
> > > > >  B = "${WORKDIR}/build-${TARGET_SYS}"
> > > >
> >
>
> 
>
>

-=-=-=-=-=-=-=-=-=-=-=-
Links: You receive all messages sent to this group.
View/Reply Online (#154867): 
https://lists.openembedded.org/g/openembedded-core/message/154867
Mute This Topic: https://lists.openembedded.org/mt/84488573/21656
Group Owner: [email protected]
Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub 
[[email protected]]
-=-=-=-=-=-=-=-=-=-=-=-

Reply via email to