backport patches from glibc upstream 2.38 branch

2023-10-07 11:28:41 +08:00 · 2023-10-07 11:28:41 +08:00 · 2c5a06e909
commit 2c5a06e909
parent b8e298e51c
5 changed files with 347 additions and 1 deletions
--- a/0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV.patch
+++ b/0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV.patch
@ -0,0 +1,98 @@
 From 5ee59ca371b99984232d7584fe2b1a758b4421d3 Mon Sep 17 00:00:00 2001
 From: Romain Geissler <romain.geissler@amadeus.com>
 Date: Mon, 25 Sep 2023 01:21:51 +0100
 Subject: [PATCH 1/4] Fix leak in getaddrinfo introduced by the fix for
 CVE-2023-4806 [BZ #30843]
 This patch fixes a very recently added leak in getaddrinfo.
 This was assigned CVE-2023-5156.
 Resolves: BZ #30884
 Related: BZ #30842
 Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit ec6b95c3303c700eb89eebeda2d7264cc184a796)
 ---
 nss/Makefile                    | 20 ++++++++++++++++++++
 nss/tst-nss-gai-hv2-canonname.c |  3 +++
 sysdeps/posix/getaddrinfo.c     |  4 +---
 3 files changed, 24 insertions(+), 3 deletions(-)
 diff --git a/nss/Makefile b/nss/Makefile
 index 8a5126ecf3..668ba34b18 100644
 --- a/nss/Makefile
 +++ b/nss/Makefile
@@ -149,6 +149,15 @@ endif
 extra-test-objs		+= nss_test1.os nss_test2.os nss_test_errno.os \
 			   nss_test_gai_hv2_canonname.os
 +ifeq ($(run-built-tests),yes)
 +ifneq (no,$(PERL))
 +tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out
 +endif
 +endif
 +
 +generated += mtrace-tst-nss-gai-hv2-canonname.out \
 +		tst-nss-gai-hv2-canonname.mtrace
 +
 include ../Rules
 ifeq (yes,$(have-selinux))
@@ -217,6 +226,17 @@ endif
 $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so
 $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so
 +tst-nss-gai-hv2-canonname-ENV = \
 +		MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \
 +		LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so
 +$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \
 +  $(objpfx)tst-nss-gai-hv2-canonname.out
 +	{ test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \
 +	|| ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \
 +	&& $(common-objpfx)malloc/mtrace \
 +	$(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \
 +	$(evaluate-test)
 +
 # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS
 # functions can load testing NSS modules via DT_RPATH.
 LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags
 diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c
 index d5f10c07d6..7db53cf09d 100644
 --- a/nss/tst-nss-gai-hv2-canonname.c
 +++ b/nss/tst-nss-gai-hv2-canonname.c
@@ -21,6 +21,7 @@
 #include <netdb.h>
 #include <stdlib.h>
 #include <string.h>
 +#include <mcheck.h>
 #include <support/check.h>
 #include <support/xstdio.h>
 #include "nss/tst-nss-gai-hv2-canonname.h"
@@ -41,6 +42,8 @@ static void do_prepare (int a, char **av)
 static int
 do_test (void)
 {
 +  mtrace ();
 +
   __nss_configure_lookup ("hosts", "test_gai_hv2_canonname");
   struct addrinfo hints = {};
 diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
 index b2236b105c..13082305d3 100644
 --- a/sysdeps/posix/getaddrinfo.c
 +++ b/sysdeps/posix/getaddrinfo.c
@@ -1196,9 +1196,7 @@ free_and_return:
   if (malloc_name)
     free ((char *) name);
   free (addrmem);
 -  if (res.free_at)
 -    free (res.at);
 -  free (res.canon);
 +  gaih_result_reset (&res);
   return result;
 }
 -- 
 2.33.0
--- a/0002-Document-CVE-2023-4806-and-CVE-2023-5156-in-NEWS.patch
+++ b/0002-Document-CVE-2023-4806-and-CVE-2023-5156-in-NEWS.patch
@ -0,0 +1,36 @@
 From f6445dc94da185b3d1ee283f0ca0a34c4e1986cc Mon Sep 17 00:00:00 2001
 From: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Date: Tue, 26 Sep 2023 07:38:07 -0400
 Subject: [PATCH 2/4] Document CVE-2023-4806 and CVE-2023-5156 in NEWS
 These are tracked in BZ #30884 and BZ #30843.
 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 (cherry picked from commit fd134feba35fa839018965733b34d28a09a075dd)
 ---
 NEWS | 9 +++++++++
 1 file changed, 9 insertions(+)
 diff --git a/NEWS b/NEWS
 index dfee278a9c..f1b1b0a3b4 100644
 --- a/NEWS
 +++ b/NEWS
@@ -15,6 +15,15 @@ Security related changes:
   2048 bytes, getaddrinfo may potentially disclose stack contents via
   the returned address data, or crash.
 +  CVE-2023-4806: When an NSS plugin only implements the
 +  _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use
 +  memory that was freed during buffer resizing, potentially causing a
 +  crash or read or write to arbitrary memory.
 +
 +  CVE-2023-5156: The fix for CVE-2023-4806 introduced a memory leak when
 +  an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
 +  AI_ALL and AI_V4MAPPED flags set.
 +
 The following bugs are resolved with this release:
   [30723] posix_memalign repeatedly scans long bin lists
 -- 
 2.33.0
--- a/0003-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
+++ b/0003-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
@ -0,0 +1,32 @@
 From 73e3fcd1a552783e66ff1f65c5f322e2f17a81d1 Mon Sep 17 00:00:00 2001
 From: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Date: Tue, 19 Sep 2023 13:25:40 -0400
 Subject: [PATCH 3/4] Propagate GLIBC_TUNABLES in setxid binaries
 GLIBC_TUNABLES scrubbing happens earlier than envvar scrubbing and some
 tunables are required to propagate past setxid boundary, like their
 env_alias.  Rely on tunable scrubbing to clean out GLIBC_TUNABLES like
 before, restoring behaviour in glibc 2.37 and earlier.
 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 (cherry picked from commit 0d5f9ea97f1b39f2a855756078771673a68497e1)
 ---
 sysdeps/generic/unsecvars.h | 1 -
 1 file changed, 1 deletion(-)
 diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
 index 81397fb90b..8278c50a84 100644
 --- a/sysdeps/generic/unsecvars.h
 +++ b/sysdeps/generic/unsecvars.h
@@ -4,7 +4,6 @@
 #define UNSECURE_ENVVARS \
   "GCONV_PATH\0"							      \
   "GETCONF_DIR\0"							      \
 -  "GLIBC_TUNABLES\0"							      \
   "HOSTALIASES\0"							      \
   "LD_AUDIT\0"								      \
   "LD_DEBUG\0"								      \
 -- 
 2.33.0
--- a/0004-tunables-Terminate-if-end-of-input-is-reached-CVE-20.patch
+++ b/0004-tunables-Terminate-if-end-of-input-is-reached-CVE-20.patch
@ -0,0 +1,173 @@
 From 750a45a783906a19591fb8ff6b7841470f1f5701 Mon Sep 17 00:00:00 2001
 From: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Date: Tue, 19 Sep 2023 18:39:32 -0400
 Subject: [PATCH 4/4] tunables: Terminate if end of input is reached
 (CVE-2023-4911)
 The string parsing routine may end up writing beyond bounds of tunestr
 if the input tunable string is malformed, of the form name=name=val.
 This gets processed twice, first as name=name=val and next as name=val,
 resulting in tunestr being name=name=val:name=val, thus overflowing
 tunestr.
 Terminate the parsing loop at the first instance itself so that tunestr
 does not overflow.
 This also fixes up tst-env-setuid-tunables to actually handle failures
 correct and add new tests to validate the fix for this CVE.
 Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
 Reviewed-by: Carlos O'Donell <carlos@redhat.com>
 (cherry picked from commit 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa)
 ---
 NEWS                          |  5 +++++
 elf/dl-tunables.c             | 17 +++++++++-------
 elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++--------
 3 files changed, 44 insertions(+), 15 deletions(-)
 diff --git a/NEWS b/NEWS
 index f1b1b0a3b4..bfcd46efa9 100644
 --- a/NEWS
 +++ b/NEWS
@@ -24,6 +24,11 @@ Security related changes:
   an application calls getaddrinfo for AF_INET6 with AI_CANONNAME,
   AI_ALL and AI_V4MAPPED flags set.
 +  CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
 +  environment of a setuid program and NAME is valid, it may result in a
 +  buffer overflow, which could be exploited to achieve escalated
 +  privileges.  This flaw was introduced in glibc 2.34.
 +
 The following bugs are resolved with this release:
   [30723] posix_memalign repeatedly scans long bin lists
 diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
 index 62b7332d95..cae67efa0a 100644
 --- a/elf/dl-tunables.c
 +++ b/elf/dl-tunables.c
@@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring)
       /* If we reach the end of the string before getting a valid name-value
 	 pair, bail out.  */
       if (p[len] == '\0')
 -	{
 -	  if (__libc_enable_secure)
 -	    tunestr[off] = '\0';
 -	  return;
 -	}
 +	break;
       /* We did not find a valid name-value pair before encountering the
 	 colon.  */
@@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring)
 	    }
 	}
 -      if (p[len] != '\0')
 -	p += len + 1;
 +      /* We reached the end while processing the tunable string.  */
 +      if (p[len] == '\0')
 +	break;
 +
 +      p += len + 1;
     }
 +
 +  /* Terminate tunestr before we leave.  */
 +  if (__libc_enable_secure)
 +    tunestr[off] = '\0';
 }
 /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when
 diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c
 index 7dfb0e073a..f0b92c97e7 100644
 --- a/elf/tst-env-setuid-tunables.c
 +++ b/elf/tst-env-setuid-tunables.c
@@ -50,6 +50,8 @@ const char *teststrings[] =
   "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
   "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096",
   "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
 +  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
 +  "glibc.malloc.check=2",
   "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2",
   "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096",
   ":glibc.malloc.garbage=2:glibc.malloc.check=1",
@@ -68,6 +70,8 @@ const char *resultstrings[] =
   "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096",
   "glibc.malloc.mmap_threshold=4096",
   "glibc.malloc.mmap_threshold=4096",
 +  "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096",
 +  "",
   "",
   "",
   "",
@@ -81,11 +85,18 @@ test_child (int off)
 {
   const char *val = getenv ("GLIBC_TUNABLES");
 +  printf ("    [%d] GLIBC_TUNABLES is %s\n", off, val);
 +  fflush (stdout);
   if (val != NULL && strcmp (val, resultstrings[off]) == 0)
     return 0;
   if (val != NULL)
 -    printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val);
 +    printf ("    [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n",
 +	    off, val, resultstrings[off]);
 +  else
 +    printf ("    [%d] GLIBC_TUNABLES environment variable absent\n", off);
 +
 +  fflush (stdout);
   return 1;
 }
@@ -106,21 +117,26 @@ do_test (int argc, char **argv)
       if (ret != 0)
 	exit (1);
 -      exit (EXIT_SUCCESS);
 +      /* Special return code to make sure that the child executed all the way
 +	 through.  */
 +      exit (42);
     }
   else
     {
 -      int ret = 0;
 -
       /* Spawn tests.  */
       for (int i = 0; i < array_length (teststrings); i++)
 	{
 	  char buf[INT_BUFSIZE_BOUND (int)];
 -	  printf ("Spawned test for %s (%d)\n", teststrings[i], i);
 +	  printf ("[%d] Spawned test for %s\n", i, teststrings[i]);
 	  snprintf (buf, sizeof (buf), "%d\n", i);
 +	  fflush (stdout);
 	  if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0)
 -	    exit (1);
 +	    {
 +	      printf ("    [%d] Failed to set GLIBC_TUNABLES: %m", i);
 +	      support_record_failure ();
 +	      continue;
 +	    }
 	  int status = support_capture_subprogram_self_sgid (buf);
@@ -128,9 +144,14 @@ do_test (int argc, char **argv)
 	  if (WEXITSTATUS (status) == EXIT_UNSUPPORTED)
 	    return EXIT_UNSUPPORTED;
 -	  ret |= status;
 +	  if (WEXITSTATUS (status) != 42)
 +	    {
 +	      printf ("    [%d] child failed with status %d\n", i,
 +		      WEXITSTATUS (status));
 +	      support_record_failure ();
 +	    }
 	}
 -      return ret;
 +      return 0;
     }
 }
 -- 
 2.33.0
--- a/glibc.spec
+++ b/glibc.spec
@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	10
+Release: 	11
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -110,6 +110,10 @@ Patch21: 0001-getaddrinfo-Fix-use-after-free-in-getcanonname-CVE-2.patch
 Patch22: 0002-iconv-restore-verbosity-with-unrecognized-encoding-n.patch
 Patch23: 0003-string-Fix-tester-build-with-fortify-enable-with-gcc.patch
 Patch24: 0004-manual-jobs.texi-Add-missing-item-EPERM-for-getpgid.patch
 Patch25: 0001-Fix-leak-in-getaddrinfo-introduced-by-the-fix-for-CV.patch
 Patch26: 0002-Document-CVE-2023-4806-and-CVE-2023-5156-in-NEWS.patch
 Patch27: 0003-Propagate-GLIBC_TUNABLES-in-setxid-binaries.patch
 Patch28: 0004-tunables-Terminate-if-end-of-input-is-reached-CVE-20.patch
 Patch9000: turn-default-value-of-x86_rep_stosb_threshold_form_2K_to_1M.patch
 Patch9001: locale-delete-no-hard-link-to-avoid-all_language-pac.patch 
@ -1323,6 +1327,9 @@ fi
 %endif
 %changelog
 * Sat Oct 7 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-11
 - backport patches from glibc upstream 2.38 branch
 * Sat Sep 16 2023 Qingqing Li <liqingqing3@huawei.com> - 2.38-10
 - backport patches from glibc upstream 2.38 branch
 - revert some customization modification