diff options
author | Patrick J Volkerding <volkerdi@slackware.com> | 2024-02-02 22:12:45 +0000 |
---|---|---|
committer | Eric Hameleers <alien@slackware.com> | 2024-02-02 23:36:24 +0100 |
commit | da45f62f68edec9ba958379a15bcb219af0df933 (patch) | |
tree | 50008e9582435f9a091ec6273a9460227c12e12b /source/l | |
parent | 67afc7b997a6e95d273566113b8a95df302aa24b (diff) | |
download | current-da45f62f68edec9ba958379a15bcb219af0df933.tar.gz current-da45f62f68edec9ba958379a15bcb219af0df933.tar.xz |
Fri Feb 2 22:12:45 UTC 202420240202221245
A test mass rebuild here didn't find any new failure-to-build-from-source, so
we'll go ahead and upgrade to the new glibc. Enjoy! :-)
a/aaa_glibc-solibs-2.39-x86_64-1.txz: Upgraded.
kde/calligra-3.2.1-x86_64-36.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/cantor-23.08.4-x86_64-2.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/kfilemetadata-5.114.0-x86_64-3.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/kile-2.9.93-x86_64-30.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/kitinerary-23.08.4-x86_64-2.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/krita-5.2.2-x86_64-3.txz: Rebuilt.
Recompiled against poppler-24.02.0.
kde/okular-23.08.4-x86_64-2.txz: Rebuilt.
Recompiled against poppler-24.02.0.
l/SDL2-2.30.0-x86_64-1.txz: Upgraded.
l/glibc-2.39-x86_64-1.txz: Upgraded.
This fixes a few __vsyslog_internal related overflows that could result in
an application crash or local privilege escalation.
The issues affected glibc 2.36 and newer.
For more information, see:
https://www.cve.org/CVERecord?id=CVE-2023-6246
https://www.cve.org/CVERecord?id=CVE-2023-6779
https://www.cve.org/CVERecord?id=CVE-2023-6780
(* Security fix *)
l/glibc-i18n-2.39-x86_64-1.txz: Upgraded.
l/glibc-profile-2.39-x86_64-1.txz: Upgraded.
l/pipewire-1.0.3-x86_64-1.txz: Upgraded.
l/poppler-24.02.0-x86_64-1.txz: Upgraded.
Shared library .so-version bump.
n/ipset-7.20-x86_64-1.txz: Upgraded.
Diffstat (limited to '')
-rw-r--r-- | source/l/SDL2/SDL2.url | 2 | ||||
-rwxr-xr-x | source/l/glibc/glibc.SlackBuild | 12 | ||||
-rw-r--r-- | source/l/glibc/patches/glibc-2.38-upstream_fixes-1.patch | 695 | ||||
-rw-r--r-- | source/l/glibc/patches/glibc.CVE-2023-4911.patch | 173 |
4 files changed, 7 insertions, 875 deletions
diff --git a/source/l/SDL2/SDL2.url b/source/l/SDL2/SDL2.url index fa4e62c75..7185a61c7 100644 --- a/source/l/SDL2/SDL2.url +++ b/source/l/SDL2/SDL2.url @@ -1,2 +1,2 @@ https://github.com/libsdl-org/SDL -https://github.com/libsdl-org/SDL/releases/download/release-2.28.5/SDL2-2.28.5.tar.gz +https://github.com/libsdl-org/SDL/releases/download/release-2.30.0/SDL2-2.30.0.tar.gz diff --git a/source/l/glibc/glibc.SlackBuild b/source/l/glibc/glibc.SlackBuild index ebc6de463..e16558257 100755 --- a/source/l/glibc/glibc.SlackBuild +++ b/source/l/glibc/glibc.SlackBuild @@ -1,6 +1,6 @@ #!/bin/bash -# Copyright 2006, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023 Patrick J. Volkerding, Sebeka, MN, USA +# Copyright 2006, 2008, 2009, 2010, 2011, 2012, 2013, 2014, 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022, 2023, 2024 Patrick J. Volkerding, Sebeka, MN, USA # All rights reserved. # # Redistribution and use of this script, with or without modification, is @@ -25,7 +25,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=glibc VERSION=${VERSION:-$(echo glibc-*.tar.xz | rev | cut -f 3- -d . | cut -f 1 -d - | rev)} CHECKOUT=${CHECKOUT:-""} -BUILD=${BUILD:-3} +BUILD=${BUILD:-1} # I was considering disabling NSCD, but MoZes talked me out of it. :) #DISABLE_NSCD=" --disable-nscd " @@ -194,10 +194,10 @@ mkdir -p $PKG/var/run/nscd # Begin extract/compile: cd $TMP rm -rf glibc-$CVSVER -tar xvf $CWD/glibc-$CVSVER.tar.xz \ - || tar xvf $CWD/glibc-$CVSVER.tar.lz \ - || tar xvf $CWD/glibc-$CVSVER.tar.bz2 \ - || tar xvf $CWD/glibc-$CVSVER.tar.gz +echo "Extracting $CWD/glibc-$CVSVER.tar.?z..." +tar xf $CWD/glibc-$CVSVER.tar.xz \ + || tar xf $CWD/glibc-$CVSVER.tar.lz \ + || tar xf $CWD/glibc-$CVSVER.tar.gz cd glibc-$CVSVER # Apply patches; exit if any fail. diff --git a/source/l/glibc/patches/glibc-2.38-upstream_fixes-1.patch b/source/l/glibc/patches/glibc-2.38-upstream_fixes-1.patch deleted file mode 100644 index e111d8aba..000000000 --- a/source/l/glibc/patches/glibc-2.38-upstream_fixes-1.patch +++ /dev/null @@ -1,695 +0,0 @@ -Submitted By: Xi Ruoyao <xry111 at xry111.site> -Date: 2023-09-13 -Initial Package Version: 2.38 -Upstream Status: Under review -Origin: Upstream & Self - - 1/5: https://sourceware.org/git/?p=glibc.git;a=patch;h=542b11058525 - - 2/5: https://sourceware.org/pipermail/libc-alpha/2023-August/150857.html - - 3/5: Trivial unused code removal - - 4/5: https://sourceware.org/pipermail/libc-alpha/2023-September/151522.html - - 5/5: https://sourceware.org/pipermail/libc-alpha/2023-September/151548.html -Description: Fixes a regression causing posix_memalign() - very slow in certain conditions to avoid - breaking ffmpeg-based applications; - fixes two security vulnerabilities, - CVE-2023-4527 and CVE-2023-4806. - -From fc01478d06658ace8d57e5328c1e717275acfe84 Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fweimer@redhat.com> -Date: Fri, 11 Aug 2023 11:18:17 +0200 -Subject: [PATCH 1/3] malloc: Enable merging of remainders in memalign (bug - 30723) - -Previously, calling _int_free from _int_memalign could put remainders -into the tcache or into fastbins, where they are invisible to the -low-level allocator. This results in missed merge opportunities -because once these freed chunks become available to the low-level -allocator, further memalign allocations (even of the same size are) -likely obstructing merges. - -Furthermore, during forwards merging in _int_memalign, do not -completely give up when the remainder is too small to serve as a -chunk on its own. We can still give it back if it can be merged -with the following unused chunk. This makes it more likely that -memalign calls in a loop achieve a compact memory layout, -independently of initial heap layout. - -Drop some useless (unsigned long) casts along the way, and tweak -the style to more closely match GNU on changed lines. - -Reviewed-by: DJ Delorie <dj@redhat.com> -(cherry picked from commit 542b1105852568c3ebc712225ae78b8c8ba31a78) ---- - malloc/malloc.c | 197 +++++++++++++++++++++++++++++------------------- - 1 file changed, 121 insertions(+), 76 deletions(-) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index e2f1a615a4..948f9759af 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -1086,6 +1086,11 @@ typedef struct malloc_chunk* mchunkptr; - - static void* _int_malloc(mstate, size_t); - static void _int_free(mstate, mchunkptr, int); -+static void _int_free_merge_chunk (mstate, mchunkptr, INTERNAL_SIZE_T); -+static INTERNAL_SIZE_T _int_free_create_chunk (mstate, -+ mchunkptr, INTERNAL_SIZE_T, -+ mchunkptr, INTERNAL_SIZE_T); -+static void _int_free_maybe_consolidate (mstate, INTERNAL_SIZE_T); - static void* _int_realloc(mstate, mchunkptr, INTERNAL_SIZE_T, - INTERNAL_SIZE_T); - static void* _int_memalign(mstate, size_t, size_t); -@@ -4637,31 +4642,52 @@ _int_free (mstate av, mchunkptr p, int have_lock) - if (!have_lock) - __libc_lock_lock (av->mutex); - -- nextchunk = chunk_at_offset(p, size); -- -- /* Lightweight tests: check whether the block is already the -- top block. */ -- if (__glibc_unlikely (p == av->top)) -- malloc_printerr ("double free or corruption (top)"); -- /* Or whether the next chunk is beyond the boundaries of the arena. */ -- if (__builtin_expect (contiguous (av) -- && (char *) nextchunk -- >= ((char *) av->top + chunksize(av->top)), 0)) -- malloc_printerr ("double free or corruption (out)"); -- /* Or whether the block is actually not marked used. */ -- if (__glibc_unlikely (!prev_inuse(nextchunk))) -- malloc_printerr ("double free or corruption (!prev)"); -- -- nextsize = chunksize(nextchunk); -- if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0) -- || __builtin_expect (nextsize >= av->system_mem, 0)) -- malloc_printerr ("free(): invalid next size (normal)"); -+ _int_free_merge_chunk (av, p, size); - -- free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ); -+ if (!have_lock) -+ __libc_lock_unlock (av->mutex); -+ } -+ /* -+ If the chunk was allocated via mmap, release via munmap(). -+ */ -+ -+ else { -+ munmap_chunk (p); -+ } -+} -+ -+/* Try to merge chunk P of SIZE bytes with its neighbors. Put the -+ resulting chunk on the appropriate bin list. P must not be on a -+ bin list yet, and it can be in use. */ -+static void -+_int_free_merge_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size) -+{ -+ mchunkptr nextchunk = chunk_at_offset(p, size); -+ -+ /* Lightweight tests: check whether the block is already the -+ top block. */ -+ if (__glibc_unlikely (p == av->top)) -+ malloc_printerr ("double free or corruption (top)"); -+ /* Or whether the next chunk is beyond the boundaries of the arena. */ -+ if (__builtin_expect (contiguous (av) -+ && (char *) nextchunk -+ >= ((char *) av->top + chunksize(av->top)), 0)) -+ malloc_printerr ("double free or corruption (out)"); -+ /* Or whether the block is actually not marked used. */ -+ if (__glibc_unlikely (!prev_inuse(nextchunk))) -+ malloc_printerr ("double free or corruption (!prev)"); -+ -+ INTERNAL_SIZE_T nextsize = chunksize(nextchunk); -+ if (__builtin_expect (chunksize_nomask (nextchunk) <= CHUNK_HDR_SZ, 0) -+ || __builtin_expect (nextsize >= av->system_mem, 0)) -+ malloc_printerr ("free(): invalid next size (normal)"); -+ -+ free_perturb (chunk2mem(p), size - CHUNK_HDR_SZ); - -- /* consolidate backward */ -- if (!prev_inuse(p)) { -- prevsize = prev_size (p); -+ /* Consolidate backward. */ -+ if (!prev_inuse(p)) -+ { -+ INTERNAL_SIZE_T prevsize = prev_size (p); - size += prevsize; - p = chunk_at_offset(p, -((long) prevsize)); - if (__glibc_unlikely (chunksize(p) != prevsize)) -@@ -4669,9 +4695,25 @@ _int_free (mstate av, mchunkptr p, int have_lock) - unlink_chunk (av, p); - } - -- if (nextchunk != av->top) { -+ /* Write the chunk header, maybe after merging with the following chunk. */ -+ size = _int_free_create_chunk (av, p, size, nextchunk, nextsize); -+ _int_free_maybe_consolidate (av, size); -+} -+ -+/* Create a chunk at P of SIZE bytes, with SIZE potentially increased -+ to cover the immediately following chunk NEXTCHUNK of NEXTSIZE -+ bytes (if NEXTCHUNK is unused). The chunk at P is not actually -+ read and does not have to be initialized. After creation, it is -+ placed on the appropriate bin list. The function returns the size -+ of the new chunk. */ -+static INTERNAL_SIZE_T -+_int_free_create_chunk (mstate av, mchunkptr p, INTERNAL_SIZE_T size, -+ mchunkptr nextchunk, INTERNAL_SIZE_T nextsize) -+{ -+ if (nextchunk != av->top) -+ { - /* get and clear inuse bit */ -- nextinuse = inuse_bit_at_offset(nextchunk, nextsize); -+ bool nextinuse = inuse_bit_at_offset (nextchunk, nextsize); - - /* consolidate forward */ - if (!nextinuse) { -@@ -4686,8 +4728,8 @@ _int_free (mstate av, mchunkptr p, int have_lock) - been given one chance to be used in malloc. - */ - -- bck = unsorted_chunks(av); -- fwd = bck->fd; -+ mchunkptr bck = unsorted_chunks (av); -+ mchunkptr fwd = bck->fd; - if (__glibc_unlikely (fwd->bk != bck)) - malloc_printerr ("free(): corrupted unsorted chunks"); - p->fd = fwd; -@@ -4706,61 +4748,52 @@ _int_free (mstate av, mchunkptr p, int have_lock) - check_free_chunk(av, p); - } - -- /* -- If the chunk borders the current high end of memory, -- consolidate into top -- */ -- -- else { -+ else -+ { -+ /* If the chunk borders the current high end of memory, -+ consolidate into top. */ - size += nextsize; - set_head(p, size | PREV_INUSE); - av->top = p; - check_chunk(av, p); - } - -- /* -- If freeing a large space, consolidate possibly-surrounding -- chunks. Then, if the total unused topmost memory exceeds trim -- threshold, ask malloc_trim to reduce top. -- -- Unless max_fast is 0, we don't know if there are fastbins -- bordering top, so we cannot tell for sure whether threshold -- has been reached unless fastbins are consolidated. But we -- don't want to consolidate on each free. As a compromise, -- consolidation is performed if FASTBIN_CONSOLIDATION_THRESHOLD -- is reached. -- */ -+ return size; -+} - -- if ((unsigned long)(size) >= FASTBIN_CONSOLIDATION_THRESHOLD) { -+/* If freeing a large space, consolidate possibly-surrounding -+ chunks. Then, if the total unused topmost memory exceeds trim -+ threshold, ask malloc_trim to reduce top. */ -+static void -+_int_free_maybe_consolidate (mstate av, INTERNAL_SIZE_T size) -+{ -+ /* Unless max_fast is 0, we don't know if there are fastbins -+ bordering top, so we cannot tell for sure whether threshold has -+ been reached unless fastbins are consolidated. But we don't want -+ to consolidate on each free. As a compromise, consolidation is -+ performed if FASTBIN_CONSOLIDATION_THRESHOLD is reached. */ -+ if (size >= FASTBIN_CONSOLIDATION_THRESHOLD) -+ { - if (atomic_load_relaxed (&av->have_fastchunks)) - malloc_consolidate(av); - -- if (av == &main_arena) { -+ if (av == &main_arena) -+ { - #ifndef MORECORE_CANNOT_TRIM -- if ((unsigned long)(chunksize(av->top)) >= -- (unsigned long)(mp_.trim_threshold)) -- systrim(mp_.top_pad, av); -+ if (chunksize (av->top) >= mp_.trim_threshold) -+ systrim (mp_.top_pad, av); - #endif -- } else { -- /* Always try heap_trim(), even if the top chunk is not -- large, because the corresponding heap might go away. */ -- heap_info *heap = heap_for_ptr(top(av)); -+ } -+ else -+ { -+ /* Always try heap_trim, even if the top chunk is not large, -+ because the corresponding heap might go away. */ -+ heap_info *heap = heap_for_ptr (top (av)); - -- assert(heap->ar_ptr == av); -- heap_trim(heap, mp_.top_pad); -- } -+ assert (heap->ar_ptr == av); -+ heap_trim (heap, mp_.top_pad); -+ } - } -- -- if (!have_lock) -- __libc_lock_unlock (av->mutex); -- } -- /* -- If the chunk was allocated via mmap, release via munmap(). -- */ -- -- else { -- munmap_chunk (p); -- } - } - - /* -@@ -5221,7 +5254,7 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - (av != &main_arena ? NON_MAIN_ARENA : 0)); - set_inuse_bit_at_offset (newp, newsize); - set_head_size (p, leadsize | (av != &main_arena ? NON_MAIN_ARENA : 0)); -- _int_free (av, p, 1); -+ _int_free_merge_chunk (av, p, leadsize); - p = newp; - - assert (newsize >= nb && -@@ -5232,15 +5265,27 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - if (!chunk_is_mmapped (p)) - { - size = chunksize (p); -- if ((unsigned long) (size) > (unsigned long) (nb + MINSIZE)) -+ mchunkptr nextchunk = chunk_at_offset(p, size); -+ INTERNAL_SIZE_T nextsize = chunksize(nextchunk); -+ if (size > nb) - { - remainder_size = size - nb; -- remainder = chunk_at_offset (p, nb); -- set_head (remainder, remainder_size | PREV_INUSE | -- (av != &main_arena ? NON_MAIN_ARENA : 0)); -- set_head_size (p, nb); -- _int_free (av, remainder, 1); -- } -+ if (remainder_size >= MINSIZE -+ || nextchunk == av->top -+ || !inuse_bit_at_offset (nextchunk, nextsize)) -+ { -+ /* We can only give back the tail if it is larger than -+ MINSIZE, or if the following chunk is unused (top -+ chunk or unused in-heap chunk). Otherwise we would -+ create a chunk that is smaller than MINSIZE. */ -+ remainder = chunk_at_offset (p, nb); -+ set_head_size (p, nb); -+ remainder_size = _int_free_create_chunk (av, remainder, -+ remainder_size, -+ nextchunk, nextsize); -+ _int_free_maybe_consolidate (av, remainder_size); -+ } -+ } - } - - check_inuse_chunk (av, p); --- -2.41.0 - -From b37e836b7cc2dba672e1de1cc7e076ba1c712614 Mon Sep 17 00:00:00 2001 -From: Florian Weimer <fweimer@redhat.com> -Date: Fri, 11 Aug 2023 17:48:13 +0200 -Subject: [PATCH 2/3] malloc: Remove bin scanning from memalign (bug 30723) - -On the test workload (mpv --cache=yes with VP9 video decoding), the -bin scanning has a very poor success rate (less than 2%). The tcache -scanning has about 50% success rate, so keep that. - -Update comments in malloc/tst-memalign-2 to indicate the purpose -of the tests. Even with the scanning removed, the additional -merging opportunities since commit 542b1105852568c3ebc712225ae78b -("malloc: Enable merging of remainders in memalign (bug 30723)") -are sufficient to pass the existing large bins test. - -Link: https://sourceware.org/pipermail/libc-alpha/2023-August/150857.html ---- - malloc/malloc.c | 127 ++-------------------------------------- - malloc/tst-memalign-2.c | 7 ++- - 2 files changed, 10 insertions(+), 124 deletions(-) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index 948f9759af..9c2cab7a59 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -5082,7 +5082,6 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - mchunkptr remainder; /* spare room at end to split off */ - unsigned long remainder_size; /* its size */ - INTERNAL_SIZE_T size; -- mchunkptr victim; - - nb = checked_request2size (bytes); - if (nb == 0) -@@ -5101,129 +5100,13 @@ _int_memalign (mstate av, size_t alignment, size_t bytes) - we don't find anything in those bins, the common malloc code will - scan starting at 2x. */ - -- /* This will be set if we found a candidate chunk. */ -- victim = NULL; -+ /* Call malloc with worst case padding to hit alignment. */ -+ m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); - -- /* Fast bins are singly-linked, hard to remove a chunk from the middle -- and unlikely to meet our alignment requirements. We have not done -- any experimentation with searching for aligned fastbins. */ -+ if (m == 0) -+ return 0; /* propagate failure */ - -- if (av != NULL) -- { -- int first_bin_index; -- int first_largebin_index; -- int last_bin_index; -- -- if (in_smallbin_range (nb)) -- first_bin_index = smallbin_index (nb); -- else -- first_bin_index = largebin_index (nb); -- -- if (in_smallbin_range (nb * 2)) -- last_bin_index = smallbin_index (nb * 2); -- else -- last_bin_index = largebin_index (nb * 2); -- -- first_largebin_index = largebin_index (MIN_LARGE_SIZE); -- -- int victim_index; /* its bin index */ -- -- for (victim_index = first_bin_index; -- victim_index < last_bin_index; -- victim_index ++) -- { -- victim = NULL; -- -- if (victim_index < first_largebin_index) -- { -- /* Check small bins. Small bin chunks are doubly-linked despite -- being the same size. */ -- -- mchunkptr fwd; /* misc temp for linking */ -- mchunkptr bck; /* misc temp for linking */ -- -- bck = bin_at (av, victim_index); -- fwd = bck->fd; -- while (fwd != bck) -- { -- if (chunk_ok_for_memalign (fwd, alignment, nb) > 0) -- { -- victim = fwd; -- -- /* Unlink it */ -- victim->fd->bk = victim->bk; -- victim->bk->fd = victim->fd; -- break; -- } -- -- fwd = fwd->fd; -- } -- } -- else -- { -- /* Check large bins. */ -- mchunkptr fwd; /* misc temp for linking */ -- mchunkptr bck; /* misc temp for linking */ -- mchunkptr best = NULL; -- size_t best_size = 0; -- -- bck = bin_at (av, victim_index); -- fwd = bck->fd; -- -- while (fwd != bck) -- { -- int extra; -- -- if (chunksize (fwd) < nb) -- break; -- extra = chunk_ok_for_memalign (fwd, alignment, nb); -- if (extra > 0 -- && (extra <= best_size || best == NULL)) -- { -- best = fwd; -- best_size = extra; -- } -- -- fwd = fwd->fd; -- } -- victim = best; -- -- if (victim != NULL) -- { -- unlink_chunk (av, victim); -- break; -- } -- } -- -- if (victim != NULL) -- break; -- } -- } -- -- /* Strategy: find a spot within that chunk that meets the alignment -- request, and then possibly free the leading and trailing space. -- This strategy is incredibly costly and can lead to external -- fragmentation if header and footer chunks are unused. */ -- -- if (victim != NULL) -- { -- p = victim; -- m = chunk2mem (p); -- set_inuse (p); -- if (av != &main_arena) -- set_non_main_arena (p); -- } -- else -- { -- /* Call malloc with worst case padding to hit alignment. */ -- -- m = (char *) (_int_malloc (av, nb + alignment + MINSIZE)); -- -- if (m == 0) -- return 0; /* propagate failure */ -- -- p = mem2chunk (m); -- } -+ p = mem2chunk (m); - - if ((((unsigned long) (m)) % alignment) != 0) /* misaligned */ - { -diff --git a/malloc/tst-memalign-2.c b/malloc/tst-memalign-2.c -index f229283dbf..ecd6fa249e 100644 ---- a/malloc/tst-memalign-2.c -+++ b/malloc/tst-memalign-2.c -@@ -86,7 +86,8 @@ do_test (void) - TEST_VERIFY (tcache_allocs[i].ptr1 == tcache_allocs[i].ptr2); - } - -- /* Test for non-head tcache hits. */ -+ /* Test for non-head tcache hits. This exercises the memalign -+ scanning code to find matching allocations. */ - for (i = 0; i < array_length (ptr); ++ i) - { - if (i == 4) -@@ -113,7 +114,9 @@ do_test (void) - free (p); - TEST_VERIFY (count > 0); - -- /* Large bins test. */ -+ /* Large bins test. This verifies that the over-allocated parts -+ that memalign releases for future allocations can be reused by -+ memalign itself at least in some cases. */ - - for (i = 0; i < LN; ++ i) - { --- -2.41.0 - -From 26973f7b09c33e67f6bcbc79371796c8dd334528 Mon Sep 17 00:00:00 2001 -From: Xi Ruoyao <xry111@xry111.site> -Date: Mon, 14 Aug 2023 11:05:18 +0800 -Subject: [PATCH 3/3] malloc: Remove unused functions and variables - -Remove unused chunk_ok_for_memalign function and unused local variables -in _int_free. - -Signed-off-by: Xi Ruoyao <xry111@xry111.site> ---- - malloc/malloc.c | 42 ------------------------------------------ - 1 file changed, 42 deletions(-) - -diff --git a/malloc/malloc.c b/malloc/malloc.c -index 9c2cab7a59..d0bbbf3710 100644 ---- a/malloc/malloc.c -+++ b/malloc/malloc.c -@@ -4488,12 +4488,6 @@ _int_free (mstate av, mchunkptr p, int have_lock) - { - INTERNAL_SIZE_T size; /* its size */ - mfastbinptr *fb; /* associated fastbin */ -- mchunkptr nextchunk; /* next contiguous chunk */ -- INTERNAL_SIZE_T nextsize; /* its size */ -- int nextinuse; /* true if nextchunk is used */ -- INTERNAL_SIZE_T prevsize; /* size of previous contiguous chunk */ -- mchunkptr bck; /* misc temp for linking */ -- mchunkptr fwd; /* misc temp for linking */ - - size = chunksize (p); - -@@ -5032,42 +5026,6 @@ _int_realloc (mstate av, mchunkptr oldp, INTERNAL_SIZE_T oldsize, - ------------------------------ memalign ------------------------------ - */ - --/* Returns 0 if the chunk is not and does not contain the requested -- aligned sub-chunk, else returns the amount of "waste" from -- trimming. NB is the *chunk* byte size, not the user byte -- size. */ --static size_t --chunk_ok_for_memalign (mchunkptr p, size_t alignment, size_t nb) --{ -- void *m = chunk2mem (p); -- INTERNAL_SIZE_T size = chunksize (p); -- void *aligned_m = m; -- -- if (__glibc_unlikely (misaligned_chunk (p))) -- malloc_printerr ("_int_memalign(): unaligned chunk detected"); -- -- aligned_m = PTR_ALIGN_UP (m, alignment); -- -- INTERNAL_SIZE_T front_extra = (intptr_t) aligned_m - (intptr_t) m; -- -- /* We can't trim off the front as it's too small. */ -- if (front_extra > 0 && front_extra < MINSIZE) -- return 0; -- -- /* If it's a perfect fit, it's an exception to the return value rule -- (we would return zero waste, which looks like "not usable"), so -- handle it here by returning a small non-zero value instead. */ -- if (size == nb && front_extra == 0) -- return 1; -- -- /* If the block we need fits in the chunk, calculate total waste. */ -- if (size > nb + front_extra) -- return size - nb; -- -- /* Can't use this chunk. */ -- return 0; --} -- - /* BYTES is user requested bytes, not requested chunksize bytes. */ - static void * - _int_memalign (mstate av, size_t alignment, size_t bytes) --- -2.41.0 - -diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c -index c8b77bbc35..119dc9f00f 100644 ---- a/resolv/nss_dns/dns-host.c -+++ b/resolv/nss_dns/dns-host.c -@@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, - { - n = __res_context_search (ctx, name, C_IN, T_A, - dns_packet_buffer, sizeof (dns_packet_buffer), -- NULL, NULL, NULL, NULL, NULL); -+ &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); - if (n >= 0) - status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, - &abuf, pat, errnop, herrnop, ttlp); - -diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c -index 6ae6744fe4..eb5ba59dac 100644 ---- a/sysdeps/posix/getaddrinfo.c -+++ b/sysdeps/posix/getaddrinfo.c -@@ -120,6 +120,7 @@ struct gaih_result - { - struct gaih_addrtuple *at; - char *canon; -+ char *hname; - bool free_at; - bool got_ipv6; - }; -@@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) - if (res->free_at) - free (res->at); - free (res->canon); -+ free (res->hname); - memset (res, 0, sizeof (*res)); - } - -@@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, - return 0; - } - --/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name -- is not copied, and the struct hostent object must not be deallocated -- prematurely. The new addresses are appended to the tuple array in RES. */ -+/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new -+ addresses are appended to the tuple array in RES. */ - static bool - convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - struct hostent *h, struct gaih_result *res) -@@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - res->at = array; - res->free_at = true; - -+ /* Duplicate h_name because it may get reclaimed when the underlying storage -+ is freed. */ -+ if (res->hname == NULL) -+ { -+ res->hname = __strdup (h->h_name); -+ if (res->hname == NULL) -+ return false; -+ } -+ - /* Update the next pointers on reallocation. */ - for (size_t i = 0; i < old; i++) - array[i].next = array + i + 1; -@@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, - } - array[i].next = array + i + 1; - } -- array[0].name = h->h_name; - array[count - 1].next = NULL; - - return true; -@@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, - memory allocation failure. The returned string is allocated on the - heap; the caller has to free it. */ - static char * --getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) -+getcanonname (nss_action_list nip, const char *hname, const char *name) - { - nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); - char *s = (char *) name; - if (cfct != NULL) - { - char buf[256]; -- if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), -- &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) -+ if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, -+ &h_errno)) != NSS_STATUS_SUCCESS) - /* If the canonical name cannot be determined, use the passed - string. */ - s = (char *) name; -@@ -740,6 +749,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, - } - no_inet6_data = no_data; - inet6_status = status; -+ - } - if (req->ai_family == AF_INET - || req->ai_family == AF_UNSPEC -@@ -771,7 +781,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, - if ((req->ai_flags & AI_CANONNAME) != 0 - && res->canon == NULL) - { -- char *canonbuf = getcanonname (nip, res->at, name); -+ char *canonbuf = getcanonname (nip, res->hname, name); - if (canonbuf == NULL) - { - __resolv_context_put (res_ctx); diff --git a/source/l/glibc/patches/glibc.CVE-2023-4911.patch b/source/l/glibc/patches/glibc.CVE-2023-4911.patch deleted file mode 100644 index a790a8305..000000000 --- a/source/l/glibc/patches/glibc.CVE-2023-4911.patch +++ /dev/null @@ -1,173 +0,0 @@ -From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar <siddhesh@sourceware.org> -Date: Tue, 19 Sep 2023 18:39:32 -0400 -Subject: [PATCH] tunables: Terminate if end of input is reached - (CVE-2023-4911) - -The string parsing routine may end up writing beyond bounds of tunestr -if the input tunable string is malformed, of the form name=name=val. -This gets processed twice, first as name=name=val and next as name=val, -resulting in tunestr being name=name=val:name=val, thus overflowing -tunestr. - -Terminate the parsing loop at the first instance itself so that tunestr -does not overflow. - -This also fixes up tst-env-setuid-tunables to actually handle failures -correct and add new tests to validate the fix for this CVE. - -Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> -Reviewed-by: Carlos O'Donell <carlos@redhat.com> ---- - NEWS | 5 +++++ - elf/dl-tunables.c | 17 +++++++++------- - elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++-------- - 3 files changed, 44 insertions(+), 15 deletions(-) - -diff --git a/NEWS b/NEWS -index a94650da64..cc4b81f0ac 100644 ---- a/NEWS -+++ b/NEWS -@@ -64,6 +64,11 @@ Security related changes: - an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, - AI_ALL and AI_V4MAPPED flags set. - -+ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the -+ environment of a setuid program and NAME is valid, it may result in a -+ buffer overflow, which could be exploited to achieve escalated -+ privileges. This flaw was introduced in glibc 2.34. -+ - The following bugs are resolved with this release: - - [The release manager will add the list generated by -diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c -index 62b7332d95..cae67efa0a 100644 ---- a/elf/dl-tunables.c -+++ b/elf/dl-tunables.c -@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring) - /* If we reach the end of the string before getting a valid name-value - pair, bail out. */ - if (p[len] == '\0') -- { -- if (__libc_enable_secure) -- tunestr[off] = '\0'; -- return; -- } -+ break; - - /* We did not find a valid name-value pair before encountering the - colon. */ -@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring) - } - } - -- if (p[len] != '\0') -- p += len + 1; -+ /* We reached the end while processing the tunable string. */ -+ if (p[len] == '\0') -+ break; -+ -+ p += len + 1; - } -+ -+ /* Terminate tunestr before we leave. */ -+ if (__libc_enable_secure) -+ tunestr[off] = '\0'; - } - - /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when -diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c -index 7dfb0e073a..f0b92c97e7 100644 ---- a/elf/tst-env-setuid-tunables.c -+++ b/elf/tst-env-setuid-tunables.c -@@ -50,6 +50,8 @@ const char *teststrings[] = - "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", - "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", - "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.check=2", - "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", - "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", - ":glibc.malloc.garbage=2:glibc.malloc.check=1", -@@ -68,6 +70,8 @@ const char *resultstrings[] = - "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", - "glibc.malloc.mmap_threshold=4096", -+ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", -+ "", - "", - "", - "", -@@ -81,11 +85,18 @@ test_child (int off) - { - const char *val = getenv ("GLIBC_TUNABLES"); - -+ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); -+ fflush (stdout); - if (val != NULL && strcmp (val, resultstrings[off]) == 0) - return 0; - - if (val != NULL) -- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); -+ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", -+ off, val, resultstrings[off]); -+ else -+ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); -+ -+ fflush (stdout); - - return 1; - } -@@ -106,21 +117,26 @@ do_test (int argc, char **argv) - if (ret != 0) - exit (1); - -- exit (EXIT_SUCCESS); -+ /* Special return code to make sure that the child executed all the way -+ through. */ -+ exit (42); - } - else - { -- int ret = 0; -- - /* Spawn tests. */ - for (int i = 0; i < array_length (teststrings); i++) - { - char buf[INT_BUFSIZE_BOUND (int)]; - -- printf ("Spawned test for %s (%d)\n", teststrings[i], i); -+ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); - snprintf (buf, sizeof (buf), "%d\n", i); -+ fflush (stdout); - if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) -- exit (1); -+ { -+ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); -+ support_record_failure (); -+ continue; -+ } - - int status = support_capture_subprogram_self_sgid (buf); - -@@ -128,9 +144,14 @@ do_test (int argc, char **argv) - if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) - return EXIT_UNSUPPORTED; - -- ret |= status; -+ if (WEXITSTATUS (status) != 42) -+ { -+ printf (" [%d] child failed with status %d\n", i, -+ WEXITSTATUS (status)); -+ support_record_failure (); -+ } - } -- return ret; -+ return 0; - } - } - --- -2.39.3 - - |