mirrors/poky
1
0
Fork 0
mirror of https://git.yoctoproject.org/poky synced 2026-05-30 12:29:55 +00:00
Code Issues Projects Releases Wiki Activity

glibc: stable 2.35 branch updates

Browse Source 
Below commits on glibc-2.35 stable branch are updated.
cbceb903c4 (HEAD -> release/2.35/master, origin/release/2.35/master) io: Fix F_GETLK, F_SETLK, and F_SETLKW for powerpc64
0967fb5861 io: Fix record locking contants on 32 bit arch with 64 bit default time_t
739de21d30 Document BZ #20975 fix
2b9906f9a0 __check_pf: Add a cancellation cleanup handler
7035f2174f gmon: Revert addition of tunables to preserve GLIBC_PRIVATE ABI
e698e8bd8e gmon: fix memory corruption issues
9f81b8fa65 gmon: improve mcount overflow handling
f2820e478c gmon: Fix allocated buffer overflow
413af1eb02 posix: Fix system blocks SIGCHLD erroneously

CVE-2023-0687.patch is dropped

(From OE-Core rev: afce7649180950b0a168771c2f95e7839382b02c)

Signed-off-by: Deepthi Hemraj <Deepthi.Hemraj@windriver.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
This commit is contained in:
Deepthi Hemraj
2023-06-12 15:14:15 +05:30
committed by Steve Sakoman
parent c4c9531c9b
commit 1e8fd09f78
3 changed files with 1 additions and 84 deletions
Download Patch File Download Diff File Expand all files Collapse all files
meta/recipes-core/glibc/glibc-version.inc
+1 -1
View File
@@ -1,6 +1,6 @@
SRCBRANCH ?= "release/2.35/master" SRCBRANCH ?= "release/2.35/master"
PV = "2.35" PV = "2.35"
SRCREV_glibc ?= "1c7f51c75ae300fe52ccb636e71b8e28cb20824c" SRCREV_glibc ?= "cbceb903c4d770acc7e4ba5641036516830ed69b"
SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87" SRCREV_localedef ?= "794da69788cbf9bf57b59a852f9f11307663fa87"
GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git" GLIBC_GIT_URI ?= "git://sourceware.org/git/glibc.git"
meta/recipes-core/glibc/glibc/CVE-2023-0687.patch
-82
View File
@@ -1,82 +0,0 @@
From 952aff5c00ad7c6b83c3f310f2643939538827f8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=D0=9B=D0=B5=D0=BE=D0=BD=D0=B8=D0=B4=20=D0=AE=D1=80=D1=8C?=
=?UTF-8?q?=D0=B5=D0=B2=20=28Leonid=20Yuriev=29?= <leo@yuriev.ru>
Date: Sat, 4 Feb 2023 14:41:38 +0300
Subject: [PATCH] gmon: Fix allocated buffer overflow (bug 29444)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
The `__monstartup()` allocates a buffer used to store all the data
accumulated by the monitor.
The size of this buffer depends on the size of the internal structures
used and the address range for which the monitor is activated, as well
as on the maximum density of call instructions and/or callable functions
that could be potentially on a segment of executable code.
In particular a hash table of arcs is placed at the end of this buffer.
The size of this hash table is calculated in bytes as
p->fromssize = p->textsize / HASHFRACTION;
but actually should be
p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
This results in writing beyond the end of the allocated buffer when an
added arc corresponds to a call near from the end of the monitored
address range, since `_mcount()` check the incoming caller address for
monitored range but not the intermediate result hash-like index that
uses to write into the table.
It should be noted that when the results are output to `gmon.out`, the
table is read to the last element calculated from the allocated size in
bytes, so the arcs stored outside the buffer boundary did not fall into
`gprof` for analysis. Thus this "feature" help me to found this bug
during working with https://sourceware.org/bugzilla/show_bug.cgi?id=29438
Just in case, I will explicitly note that the problem breaks the
`make test t=gmon/tst-gmon-dso` added for Bug 29438.
There, the arc of the `f3()` call disappears from the output, since in
the DSO case, the call to `f3` is located close to the end of the
monitored range.
Signed-off-by: Леонид Юрьев (Leonid Yuriev) <leo@yuriev.ru>
Another minor error seems a related typo in the calculation of
`kcountsize`, but since kcounts are smaller than froms, this is
actually to align the p->froms data.
Co-authored-by: DJ Delorie <dj@redhat.com>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=801af9fafd4689337ebf27260aa115335a0cb2bc]
CVE: CVE-2023-0687
Signed-off-by: Shubham Kulkarni <skulkarni@mvista.com>
---
gmon/gmon.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/gmon/gmon.c b/gmon/gmon.c
index dee6480..bf76358 100644
--- a/gmon/gmon.c
+++ b/gmon/gmon.c
@@ -132,6 +132,8 @@ __monstartup (u_long lowpc, u_long highpc)
p->lowpc = ROUNDDOWN(lowpc, HISTFRACTION * sizeof(HISTCOUNTER));
p->highpc = ROUNDUP(highpc, HISTFRACTION * sizeof(HISTCOUNTER));
p->textsize = p->highpc - p->lowpc;
+ /* This looks like a typo, but it's here to align the p->froms
+ section. */
p->kcountsize = ROUNDUP(p->textsize / HISTFRACTION, sizeof(*p->froms));
p->hashfraction = HASHFRACTION;
p->log_hashfraction = -1;
@@ -142,7 +144,7 @@ __monstartup (u_long lowpc, u_long highpc)
instead of integer division. Precompute shift amount. */
p->log_hashfraction = ffs(p->hashfraction * sizeof(*p->froms)) - 1;
}
- p->fromssize = p->textsize / HASHFRACTION;
+ p->fromssize = ROUNDUP(p->textsize / HASHFRACTION, sizeof(*p->froms));
p->tolimit = p->textsize * ARCDENSITY / 100;
if (p->tolimit < MINARCS)
p->tolimit = MINARCS;
--
2.7.4
meta/recipes-core/glibc/glibc_2.35.bb
-1
View File
@@ -50,7 +50,6 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \ file://0024-fix-create-thread-failed-in-unprivileged-process-BZ-.patch \
\ \
file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \ file://0001-Revert-Linux-Implement-a-useful-version-of-_startup_.patch \
file://CVE-2023-0687.patch \
" "
S = "${WORKDIR}/git" S = "${WORKDIR}/git"
B = "${WORKDIR}/build-${TARGET_SYS}" B = "${WORKDIR}/build-${TARGET_SYS}"