Hi Ernst, Thanks, for the update of CVE-2021-38604. Will send a path to the hardknott branch as well as master branch.
Regards, Vinay On Tue, Aug 17, 2021 at 12:10 PM Ernst Sjöstrand <[email protected]> wrote: > > There is now an additional fix on top of this: > > https://it.slashdot.org/story/21/08/16/2131221/linux-glibc-security-fix-created-a-nastier-linux-bug > > https://access.redhat.com/security/cve/cve-2021-38604 > > //E > > Den mån 2 aug. 2021 kl 06:14 skrev Vinay Kumar <[email protected]>: >> >> Hi Anuj, >> >> >> It seems wrong to me because the patch header/description is not >> >> correct here. It's no longer a backport of just >> >> 42d359350510506b87101cf77202fefcbfc790cb. >> >> Yes, I merged 2 commits first >> (42d359350510506b87101cf77202fefcbfc790cb and >> 217b6dc298156bdb0d6aea9ea93e7e394a5ff091) >> and then backported as a single patch, and I used only the patch >> header of 42d359350510506b87101cf77202fefcbfc790cb. >> >> >> I also just noticed that there's already a fix for this CVE in my >> >> branch. So I think I will take that: >> >> Ok, thanks. Will go with this once it gets merged to the "hardknott" branch. >> >> Regards, >> Vinay >> >> On Mon, Aug 2, 2021 at 8:09 AM Mittal, Anuj <[email protected]> wrote: >> > >> > On Sat, 2021-07-31 at 21:57 +0530, Vinay Kumar wrote: >> > > Hi Anuj, >> > > >> > > The patch is conjugate of both commits. >> > > https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb >> > > >> > > https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091 >> > > >> > > Also, the patch is committed to master branch >> > > http://git.yoctoproject.org/cgit/cgit.cgi/poky/commit/?id=55681d09d7f519a1c7f17d17b18ec59bccdc91ca >> > > >> > > Due you want me to resubmit for "hardknott" branch by splitting in to >> > > 2 patches ? >> > >> > It seems wrong to me because the patch header/description is not >> > correct here. It's no longer a backport of just >> > 42d359350510506b87101cf77202fefcbfc790cb. >> > >> > I also just noticed that there's already a fix for this CVE in my >> > branch. So I think I will take that: >> > >> > https://git.openembedded.org/openembedded-core-contrib/commit/?h=anujm/hardknott&id=ede353df06a07d35dc66d024e2c7bd1b250d9761 >> > >> > Thanks, >> > >> > Anuj >> > >> > > >> > > Regards, >> > > Vinay >> > > >> > > On Sat, Jul 31, 2021 at 11:52 AM Mittal, Anuj <[email protected]> >> > > wrote: >> > > > >> > > > On Tue, 2021-07-27 at 11:38 -0700, Vinay Kumar wrote: >> > > > > Source: https://sourceware.org/git/glibc.git >> > > > > Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=27896 >> > > > > >> > > > > Backported upstream commit 42d359350510506b87101cf77202fefcbfc790cb >> > > > > to >> > > > > glibc-2.33 source with dependent commit id >> > > > > 217b6dc298156bdb0d6aea9ea93e7e394a5ff091. >> > > > > >> > > > > Upstream-Status: Backport >> > > > > [ >> > > > > https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb >> > > > > ] >> > > > >> > > > It looks like you'd need to backport this one too: >> > > > >> > > > https://sourceware.org/git/?p=glibc.git;a=commit;h=217b6dc298156bdb0d6aea9ea93e7e394a5ff091 >> > > > >> > > > ? >> > > > >> > > > Thanks, >> > > > >> > > > Anuj >> > > > >> > > > > >> > > > > Signed-off-by: Vinay Kumar <[email protected]> >> > > > > --- >> > > > > .../glibc/glibc/CVE-2021-33574.patch | 61 >> > > > > +++++++++++++++++++ >> > > > > meta/recipes-core/glibc/glibc_2.33.bb | 1 + >> > > > > 2 files changed, 62 insertions(+) >> > > > > create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021- >> > > > > 33574.patch >> > > > > >> > > > > diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch >> > > > > b/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch >> > > > > new file mode 100644 >> > > > > index 0000000000..fd73b23c88 >> > > > > --- /dev/null >> > > > > +++ b/meta/recipes-core/glibc/glibc/CVE-2021-33574.patch >> > > > > @@ -0,0 +1,61 @@ >> > > > > +From 42d359350510506b87101cf77202fefcbfc790cb Mon Sep 17 00:00:00 >> > > > > 2001 >> > > > > +From: Andreas Schwab <[email protected]> >> > > > > +Date: Thu, 27 May 2021 12:49:47 +0200 >> > > > > +Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) >> > > > > + >> > > > > +Make a deep copy of the pthread attribute object to remove a >> > > > > potential >> > > > > +use-after-free issue. >> > > > > + >> > > > > +Upstream-Status: Backport >> > > > > [ >> > > > > https://sourceware.org/git/?p=glibc.git;a=commit;h=42d359350510506b87101cf77202fefcbfc790cb >> > > > > ] >> > > > > +CVE: CVE-2021-33574 >> > > > > +Signed-off-by: Vinay Kumar <[email protected]> >> > > > > +--- >> > > > > +diff --git a/sysdeps/unix/sysv/linux/mq_notify.c >> > > > > b/sysdeps/unix/sysv/linux/mq_notify.c >> > > > > +index cc575a0cdd8..6f46d29d1dc 100644 >> > > > > +--- a/sysdeps/unix/sysv/linux/mq_notify.c >> > > > > ++++ b/sysdeps/unix/sysv/linux/mq_notify.c >> > > > > +@@ -133,8 +133,11 @@ helper_thread (void *arg) >> > > > > + (void) __pthread_barrier_wait (¬ify_barrier); >> > > > > + } >> > > > > + else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) >> > > > > +- /* The only state we keep is the copy of the thread >> > > > > attributes. */ >> > > > > +- free (data.attr); >> > > > > ++ { >> > > > > ++ /* The only state we keep is the copy of the thread >> > > > > attributes. */ >> > > > > ++ pthread_attr_destroy (data.attr); >> > > > > ++ free (data.attr); >> > > > > ++ } >> > > > > + } >> > > > > + return NULL; >> > > > > + } >> > > > > +@@ -255,8 +258,14 @@ mq_notify (mqd_t mqdes, const struct sigevent >> > > > > *notification) >> > > > > + if (data.attr == NULL) >> > > > > + return -1; >> > > > > + >> > > > > +- memcpy (data.attr, notification->sigev_notify_attributes, >> > > > > +- sizeof (pthread_attr_t)); >> > > > > ++ int ret = __pthread_attr_copy (data.attr, >> > > > > ++ notification- >> > > > > > sigev_notify_attributes); >> > > > > ++ if (ret != 0) >> > > > > ++ { >> > > > > ++ free (data.attr); >> > > > > ++ __set_errno (ret); >> > > > > ++ return -1; >> > > > > ++ } >> > > > > + } >> > > > > + >> > > > > + /* Construct the new request. */ >> > > > > +@@ -269,8 +278,11 @@ mq_notify (mqd_t mqdes, const struct sigevent >> > > > > *notification) >> > > > > + int retval = INLINE_SYSCALL (mq_notify, 2, mqdes, &se); >> > > > > + >> > > > > + /* If it failed, free the allocated memory. */ >> > > > > +- if (__glibc_unlikely (retval != 0)) >> > > > > +- free (data.attr); >> > > > > ++ if (retval != 0 && data.attr != NULL) >> > > > > ++ { >> > > > > ++ pthread_attr_destroy (data.attr); >> > > > > ++ free (data.attr); >> > > > > ++ } >> > > > > + >> > > > > + return retval; >> > > > > + } >> > > > > diff --git a/meta/recipes-core/glibc/glibc_2.33.bb b/meta/recipes- >> > > > > core/glibc/glibc_2.33.bb >> > > > > index 925efe8cc6..e9f01a14c5 100644 >> > > > > --- a/meta/recipes-core/glibc/glibc_2.33.bb >> > > > > +++ b/meta/recipes-core/glibc/glibc_2.33.bb >> > > > > @@ -57,6 +57,7 @@ SRC_URI = >> > > > > "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ >> > > > > >> > > > > file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch >> > > > > \ >> > > > > >> > > > > file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \ >> > > > > file://mte-backports.patch \ >> > > > > + file://CVE-2021-33574.patch \ >> > > > > " >> > > > > S = "${WORKDIR}/git" >> > > > > B = "${WORKDIR}/build-${TARGET_SYS}" >> > > > >> > >> >> >>
-=-=-=-=-=-=-=-=-=-=-=- Links: You receive all messages sent to this group. View/Reply Online (#154885): https://lists.openembedded.org/g/openembedded-core/message/154885 Mute This Topic: https://lists.openembedded.org/mt/84488573/21656 Group Owner: [email protected] Unsubscribe: https://lists.openembedded.org/g/openembedded-core/unsub [[email protected]] -=-=-=-=-=-=-=-=-=-=-=-
