From: "Steve Sakoman" <steve@sakoman.com>
To: openembedded-core@lists.openembedded.org
Subject: [OE-core][dunfell 02/36] glibc: Security fix for CVE-2021-38604
Date: Sat, 28 Aug 2021 08:10:50 -1000 [thread overview]
Message-ID: <f65b5b7c88092cdba0239939fead20992eb2ff48.1630174149.git.steve@sakoman.com> (raw)
In-Reply-To: <cover.1630174149.git.steve@sakoman.com>
From: Armin Kuster <akuster@mvista.com>
Source: glibc.org
MR: 112635
Type: Security Fix
Disposition: Backport from https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8
ChangeID: 53b105da48e604f6763bb04b7114f41bfb620d2f
Description:
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
---
.../glibc/glibc/CVE-2021-38604.patch | 41 +++++++++++++++++++
meta/recipes-core/glibc/glibc_2.31.bb | 1 +
2 files changed, 42 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
new file mode 100644
index 0000000000..36fd4a61b2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2021-38604.patch
@@ -0,0 +1,41 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel. Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL). This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory. But
+__pthread_attr_destroy assumes pointer is not NULL.
+
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault. This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+
+Upstream-Status: Backport
+CVE: CVE-2021-38604
+Signed-off-by: Armin Kuser <akuster@mvista.com>
+
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+Index: git/sysdeps/unix/sysv/linux/mq_notify.c
+===================================================================
+--- git.orig/sysdeps/unix/sysv/linux/mq_notify.c
++++ git/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -134,7 +134,7 @@ helper_thread (void *arg)
+ to wait until it is done with it. */
+ (void) __pthread_barrier_wait (¬ify_barrier);
+ }
+- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
++ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+ {
+ /* The only state we keep is the copy of the thread attributes. */
+ pthread_attr_destroy (data.attr);
diff --git a/meta/recipes-core/glibc/glibc_2.31.bb b/meta/recipes-core/glibc/glibc_2.31.bb
index 2e950dfeda..3a3586f1b9 100644
--- a/meta/recipes-core/glibc/glibc_2.31.bb
+++ b/meta/recipes-core/glibc/glibc_2.31.bb
@@ -69,6 +69,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://CVE-2020-29573.patch \
file://CVE-2021-33574_1.patch \
file://CVE-2021-33574_2.patch \
+ file://CVE-2021-38604.patch \
"
S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}"
--
2.25.1
next prev parent reply other threads:[~2021-08-28 18:12 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-28 18:10 [OE-core][dunfell 00/36] Patch review Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 01/36] glibc: Security fix CVE-2021-33574 Steve Sakoman
2021-08-28 18:10 ` Steve Sakoman [this message]
2021-08-28 18:10 ` [OE-core][dunfell 03/36] gnupg: upgrade 2.2.20 -> 2.2.21 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 04/36] gnupg: update 2.2.21 -> 2.2.22 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 05/36] gnupg: uprev 2.2.22 -> 2.2.23 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 06/36] gnupg: update 2.2.23 -> 2.2.26 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 07/36] gnupg: upgrade 2.2.26 -> 2.2.27 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 08/36] qemu: Security fix CVE-2020-25085 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 09/36] qemu: Security fix CVE-2020-25624 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 10/36] Qemu: Security fix for CVE-2020-25625/2021-3409/2020-17380 Steve Sakoman
2021-08-28 18:10 ` [OE-core][dunfell 11/36] qemu: Security fix for CVE-2020-29443 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 12/36] qemu: Security fix CVE-2021-20221 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 13/36] qemu: fix CVE-2021-20181 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 14/36] qemu: fix CVE-2021-3416 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 15/36] qemu: fix CVE-2021-20257 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 16/36] qemu: Security fix CVE-2021-3544 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 17/36] qemu: Security fixes CVE-2021-3545/6 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 18/36] qemu: fix CVE-2021-3527 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 19/36] qemu: fix CVE-2021-3582 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 20/36] qemu: fix CVE-2021-3607 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 21/36] qemu: fix CVE-2021-3608 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 22/36] rpm: Add fix for CVE-2021-20266 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 23/36] binutils: Security fix for CVE-2021-3549 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 24/36] binutils: Security fix for CVE-2020-16593 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 25/36] openssl: update from 1.1.1k to 1.1.1l Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 26/36] Use the label provided when formating a dos partition Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 27/36] lzo: add CVE_PRODUCT Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 28/36] utils: Reduce the number of calls to the "dirname" command Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 29/36] tcf-agent: fetching over git:// no longer works Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 30/36] mklibs-native: drop deprecated cpp17 exceptions Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 31/36] image_types: Restore pre-btrfs-tools 4.14.1 mkfs.btrfs shrink behavior Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 32/36] linux-yocto/5.4: update to v5.4.142 Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 33/36] qemurunner.py: print output from runqemu/qemu-system in stop() Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 34/36] qemurunner.py: handle getOutput() having nothing to read Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 35/36] parselogs.py: ignore intermittent CD/DVDROM identification failure Steve Sakoman
2021-08-28 18:11 ` [OE-core][dunfell 36/36] selftest: disable virgl headless test Steve Sakoman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=f65b5b7c88092cdba0239939fead20992eb2ff48.1630174149.git.steve@sakoman.com \
--to=steve@sakoman.com \
--cc=openembedded-core@lists.openembedded.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox