fix CVE-2019-1010023

(cherry picked from commit 0e80112809f744dee46b79cb37b4e8b28f546962)

fix-CVE-2019-1010023.patch

@@ -0,0 +1,66 @@
+From fe1ffef2eec9c6634a1e9af951eb68f0f5614470 Mon Sep 17 00:00:00 2001
+From: xujing <xujing99@huawei.com>
+Date: Thu, 2 Dec 2021 11:41:46 +0800
+Subject: [PATCH] glibc: fix CVE-2019-1010023
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+| PT_LOAD
+|
+| […] Loadable segment entries in the program header table appear in
+| ascending order, sorted on the p_vaddr member.
+
+http://www.sco.com/developers/gabi/latest/ch5.pheader.html
+
+Some check needed to fix vulnerability in load commands mapping reported by
+
+https://sourceware.org/bugzilla/show_bug.cgi?id=22851
+
+Signed-off-by: lvying <lvying6@huawei.com>
+Signed-off-by: xujing <xujing99@huawei.com>
+---
+ elf/dl-map-segments.h | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/elf/dl-map-segments.h b/elf/dl-map-segments.h
+index 084076a2..a41ae73b 100644
+--- a/elf/dl-map-segments.h
++++ b/elf/dl-map-segments.h
+@@ -33,6 +33,7 @@ _dl_map_segments (struct link_map *l, int fd,
+                   struct link_map *loader)
+ {
+   const struct loadcmd *c = loadcmds;
++  ElfW(Addr) l_map_end_aligned;
+ 
+   if (__glibc_likely (type == ET_DYN))
+     {
+@@ -61,6 +62,8 @@ _dl_map_segments (struct link_map *l, int fd,
+         return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT;
+ 
+       l->l_map_end = l->l_map_start + maplength;
++      l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1)
++                          & ~(GLRO(dl_pagesize) - 1));
+       l->l_addr = l->l_map_start - c->mapstart;
+ 
+       if (has_holes)
+@@ -85,10 +88,16 @@ _dl_map_segments (struct link_map *l, int fd,
+   /* Remember which part of the address space this object uses.  */
+   l->l_map_start = c->mapstart + l->l_addr;
+   l->l_map_end = l->l_map_start + maplength;
++  l_map_end_aligned = ((l->l_map_end + GLRO(dl_pagesize) - 1)
++                      & ~(GLRO(dl_pagesize) - 1));
+   l->l_contiguous = !has_holes;
+ 
+   while (c < &loadcmds[nloadcmds])
+     {
++      if ((l->l_addr + c->mapend) > l_map_end_aligned ||
++          (l->l_addr + c->mapstart) < l->l_map_start)
++          return DL_MAP_SEGMENTS_ERROR_MAP_SEGMENT;
++
+       if (c->mapend > c->mapstart
+           /* Map the segment contents from the file.  */
+           && (__mmap ((void *) (l->l_addr + c->mapstart),
+-- 
+2.23.0
+

glibc.spec

@@ -67,7 +67,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.38
-Release: 	52
+Release: 	53
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@@ -310,6 +310,8 @@ Patch9034: 0001-x86-Set-preferred-CPU-features-on-the-KH-40000-and-K.patch
 Patch9035: 0002-x86_64-Optimize-large-size-copy-in-memmove-ssse3.patch
 Patch9036: 0003-x86-Set-default-non_temporal_threshold-for-Zhaoxin-p.patch
 
+Patch9037: fix-CVE-2019-1010023.patch
+
 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)
 
 BuildRequires: audit-libs-devel >= 1.1.3, sed >= 3.95, libcap-devel, gettext
@@ -1486,6 +1488,9 @@ fi
 %endif
 
 %changelog
+* Thu Feb 06 2025 shixuantong <shixuantong1@huawei.com> - 2.38-53
+- fix CVE-2019-1010023
+
 * Sun Jan 26 2025 Qingqing Li <liqingqing3@huawei.com> - 2.38-52
 - stdlib: Test using setenv with updated environ [BZ #32588]
 - Fix underallocation of abort_msg_s struct (CVE-2025-0395)