glibc: Fix CVE-2021-38604

Source: https://sourceware.org/git/glibc.git Tracking -- https://sourceware.org/bugzilla/show_bug.cgi?id=28213 Backported upstream commits b805aebd42364fe696e417808a700fdb9800c9e8 and 4cc79c217744743077bf7a0ec5e0a4318f1e6641 to glibc-2.34 source. Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8] Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641] (From OE-Core rev: 014c6b0a1188d5dfb32790246491973ea91017d8) Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Vinay Kumar <vinay.m.engg@gmail.com> 2021-08-18 08:31:41 -0700
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2021-08-20 08:53:03 +0100
commit: 901b82a4c8b343b378293956420ad5a4943b6be7 (patch)
tree: e850352e21142970b129939961f2be39cb1ad5b5
parent: ec1894938b127c1d8472b805b34d1776748df290 (diff)
download: poky-901b82a4c8b343b378293956420ad5a4943b6be7.tar.gz
3 files changed, 195 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
new file mode 100644
index 0000000000..1e94049004
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
@@ -0,0 +1,43 @@
+From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Mon, 9 Aug 2021 20:17:34 +0530
+Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
+Helper thread frees copied attribute on NOTIFY_REMOVED message
+received from the OS kernel.  Unfortunately, it fails to check whether
+copied attribute actually exists (data.attr != NULL).  This worked
+earlier because free() checks passed pointer before actually
+attempting to release corresponding memory.  But
+__pthread_attr_destroy assumes pointer is not NULL.
+So passing NULL pointer to __pthread_attr_destroy will result in
+segmentation fault.  This scenario is possible if
+notification->sigev_notify_attributes == NULL (which means default
+thread attributes should be used).
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8]
+CVE: CVE-2021-38604
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ sysdeps/unix/sysv/linux/mq_notify.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
+index 9799dcdaa4..eccae2e4c6 100644
+--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
+@@ -131,7 +131,7 @@ helper_thread (void *arg)
+               to wait until it is done with it.  */
+            (void) __pthread_barrier_wait (&notify_barrier);
+        }
+-      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
+      else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
+        {
+          /* The only state we keep is the copy of the thread attributes.  */
+          __pthread_attr_destroy (data.attr);
+-- 
+2.31.1
diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
new file mode 100644
index 0000000000..9f71fecddb
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
@@ -0,0 +1,150 @@
+From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001
+From: Nikita Popov <npv1310@gmail.com>
+Date: Thu, 12 Aug 2021 16:09:50 +0530
+Subject: [PATCH] librt: add test (bug 28213)
+This test implements following logic:
+1) Create POSIX message queue.
+   Register a notification with mq_notify (using NULL attributes).
+   Then immediately unregister the notification with mq_notify.
+   Helper thread in a vulnerable version of glibc
+   should cause NULL pointer dereference after these steps.
+2) Once again, register the same notification.
+   Try to send a dummy message.
+   Test is considered successfulif the dummy message
+   is successfully received by the callback function.
+Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641]
+CVE: CVE-2021-38604
+Signed-off-by: Nikita Popov <npv1310@gmail.com>
+Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
+---
+ rt/Makefile      |   1 +
+ rt/tst-bz28213.c | 101 +++++++++++++++++++++++++++++++++++++++++++++++
+ 2 files changed, 102 insertions(+)
+ create mode 100644 rt/tst-bz28213.c
+diff --git a/rt/Makefile b/rt/Makefile
+index 113cea03a5..910e775995 100644
+--- a/rt/Makefile
+++ b/rt/Makefile
+@@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \
+         tst-aio7 tst-aio8 tst-aio9 tst-aio10 \
+         tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \
+         tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \
+        tst-bz28213 \
+         tst-timer3 tst-timer4 tst-timer5 \
+         tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \
+         tst-shm-cancel \
+diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c
+new file mode 100644
+index 0000000000..0c096b5a0a
+--- /dev/null
+++ b/rt/tst-bz28213.c
+@@ -0,0 +1,101 @@
+/* Bug 28213: test for NULL pointer dereference in mq_notify.
+   Copyright (C) The GNU Toolchain Authors.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <mqueue.h>
+#include <signal.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/check.h>
+
+static mqd_t m = -1;
+static const char msg[] = "hello";
+
+static void
+check_bz28213_cb (union sigval sv)
+{
+  char buf[sizeof (msg)];
+
+  (void) sv;
+
+  TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL)
+                   == sizeof (buf));
+  TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0);
+
+  exit (0);
+}
+
+static void
+check_bz28213 (void)
+{
+  struct sigevent sev;
+
+  memset (&sev, '\0', sizeof (sev));
+  sev.sigev_notify = SIGEV_THREAD;
+  sev.sigev_notify_function = check_bz28213_cb;
+
+  /* Step 1: Register & unregister notifier.
+     Helper thread should receive NOTIFY_REMOVED notification.
+     In a vulnerable version of glibc, NULL pointer dereference follows. */
+  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
+  TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0);
+
+  /* Step 2: Once again, register notification.
+     Try to send one message.
+     Test is considered successful, if the callback does exit (0). */
+  TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
+  TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0);
+
+  /* Wait... */
+  pause ();
+}
+
+static int
+do_test (void)
+{
+  static const char m_name[] = "/bz28213_queue";
+  struct mq_attr m_attr;
+
+  memset (&m_attr, '\0', sizeof (m_attr));
+  m_attr.mq_maxmsg = 1;
+  m_attr.mq_msgsize = sizeof (msg);
+
+  m = mq_open (m_name,
+               O_RDWR | O_CREAT | O_EXCL,
+               0600,
+               &m_attr);
+
+  if (m < 0)
+    {
+      if (errno == ENOSYS)
+        FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n");
+      FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n");
+    }
+
+  TEST_VERIFY_EXIT (mq_unlink (m_name) == 0);
+
+  check_bz28213 ();
+
+  return 0;
+}
+
+#include <support/test-driver.c>
+-- 
+2.31.1
diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb
index 66494c5c23..eafc0216ff 100644
--- a/meta/recipes-core/glibc/glibc_2.34.bb
+++ b/meta/recipes-core/glibc/glibc_2.34.bb
@@ -55,6 +55,8 @@ SRC_URI =  "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
           file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
           file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
+           file://0001-CVE-2021-38604.patch \
+           file://0002-CVE-2021-38604.patch \
           "
 S = "${WORKDIR}/git"
 B = "${WORKDIR}/build-${TARGET_SYS}"
author	Vinay Kumar <vinay.m.engg@gmail.com>	2021-08-18 08:31:41 -0700
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2021-08-20 08:53:03 +0100
commit	901b82a4c8b343b378293956420ad5a4943b6be7 (patch)
tree	e850352e21142970b129939961f2be39cb1ad5b5
parent	ec1894938b127c1d8472b805b34d1776748df290 (diff)
download	poky-901b82a4c8b343b378293956420ad5a4943b6be7.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch new file mode 100644 index 0000000000..1e94049004 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0001-CVE-2021-38604.patch
@@ -0,0 +1,43 @@
		1	From b805aebd42364fe696e417808a700fdb9800c9e8 Mon Sep 17 00:00:00 2001
		2	From: Nikita Popov <npv1310@gmail.com>
		3	Date: Mon, 9 Aug 2021 20:17:34 +0530
		4	Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213)
		5
		6	Helper thread frees copied attribute on NOTIFY_REMOVED message
		7	received from the OS kernel. Unfortunately, it fails to check whether
		8	copied attribute actually exists (data.attr != NULL). This worked
		9	earlier because free() checks passed pointer before actually
		10	attempting to release corresponding memory. But
		11	__pthread_attr_destroy assumes pointer is not NULL.
		12
		13	So passing NULL pointer to __pthread_attr_destroy will result in
		14	segmentation fault. This scenario is possible if
		15	notification->sigev_notify_attributes == NULL (which means default
		16	thread attributes should be used).
		17
		18	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=b805aebd42364fe696e417808a700fdb9800c9e8]
		19	CVE: CVE-2021-38604
		20
		21	Signed-off-by: Nikita Popov <npv1310@gmail.com>
		22	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		23	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
		24	---
		25	sysdeps/unix/sysv/linux/mq_notify.c \| 2 +-
		26	1 file changed, 1 insertion(+), 1 deletion(-)
		27
		28	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
		29	index 9799dcdaa4..eccae2e4c6 100644
		30	--- a/sysdeps/unix/sysv/linux/mq_notify.c
		31	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
		32	@@ -131,7 +131,7 @@ helper_thread (void *arg)
		33	to wait until it is done with it. */
		34	(void) __pthread_barrier_wait (&notify_barrier);
		35	}
		36	- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
		37	+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL)
		38	{
		39	/* The only state we keep is the copy of the thread attributes. */
		40	__pthread_attr_destroy (data.attr);
		41	--
		42	2.31.1
		43


diff --git a/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch new file mode 100644 index 0000000000..9f71fecddb --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0002-CVE-2021-38604.patch
@@ -0,0 +1,150 @@
		1	From 4cc79c217744743077bf7a0ec5e0a4318f1e6641 Mon Sep 17 00:00:00 2001
		2	From: Nikita Popov <npv1310@gmail.com>
		3	Date: Thu, 12 Aug 2021 16:09:50 +0530
		4	Subject: [PATCH] librt: add test (bug 28213)
		5
		6	This test implements following logic:
		7	1) Create POSIX message queue.
		8	Register a notification with mq_notify (using NULL attributes).
		9	Then immediately unregister the notification with mq_notify.
		10	Helper thread in a vulnerable version of glibc
		11	should cause NULL pointer dereference after these steps.
		12	2) Once again, register the same notification.
		13	Try to send a dummy message.
		14	Test is considered successfulif the dummy message
		15	is successfully received by the callback function.
		16
		17	Upstream-Status: Backport [https://sourceware.org/git/?p=glibc.git;a=commit;h=4cc79c217744743077bf7a0ec5e0a4318f1e6641]
		18	CVE: CVE-2021-38604
		19
		20	Signed-off-by: Nikita Popov <npv1310@gmail.com>
		21	Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
		22	Signed-off-by: Vinay Kumar <vinay.m.engg@gmail.com>
		23	---
		24	rt/Makefile \| 1 +
		25	rt/tst-bz28213.c \| 101 +++++++++++++++++++++++++++++++++++++++++++++++
		26	2 files changed, 102 insertions(+)
		27	create mode 100644 rt/tst-bz28213.c
		28
		29	diff --git a/rt/Makefile b/rt/Makefile
		30	index 113cea03a5..910e775995 100644
		31	--- a/rt/Makefile
		32	+++ b/rt/Makefile
		33	@@ -74,6 +74,7 @@ tests := tst-shm tst-timer tst-timer2 \
		34	tst-aio7 tst-aio8 tst-aio9 tst-aio10 \
		35	tst-mqueue1 tst-mqueue2 tst-mqueue3 tst-mqueue4 \
		36	tst-mqueue5 tst-mqueue6 tst-mqueue7 tst-mqueue8 tst-mqueue9 \
		37	+ tst-bz28213 \
		38	tst-timer3 tst-timer4 tst-timer5 \
		39	tst-cpuclock2 tst-cputimer1 tst-cputimer2 tst-cputimer3 \
		40	tst-shm-cancel \
		41	diff --git a/rt/tst-bz28213.c b/rt/tst-bz28213.c
		42	new file mode 100644
		43	index 0000000000..0c096b5a0a
		44	--- /dev/null
		45	+++ b/rt/tst-bz28213.c
		46	@@ -0,0 +1,101 @@
		47	+/* Bug 28213: test for NULL pointer dereference in mq_notify.
		48	+ Copyright (C) The GNU Toolchain Authors.
		49	+ This file is part of the GNU C Library.
		50	+
		51	+ The GNU C Library is free software; you can redistribute it and/or
		52	+ modify it under the terms of the GNU Lesser General Public
		53	+ License as published by the Free Software Foundation; either
		54	+ version 2.1 of the License, or (at your option) any later version.
		55	+
		56	+ The GNU C Library is distributed in the hope that it will be useful,
		57	+ but WITHOUT ANY WARRANTY; without even the implied warranty of
		58	+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		59	+ Lesser General Public License for more details.
		60	+
		61	+ You should have received a copy of the GNU Lesser General Public
		62	+ License along with the GNU C Library; if not, see
		63	+ <https://www.gnu.org/licenses/>. */
		64	+
		65	+#include <errno.h>
		66	+#include <sys/types.h>
		67	+#include <sys/stat.h>
		68	+#include <fcntl.h>
		69	+#include <unistd.h>
		70	+#include <mqueue.h>
		71	+#include <signal.h>
		72	+#include <stdlib.h>
		73	+#include <string.h>
		74	+#include <support/check.h>
		75	+
		76	+static mqd_t m = -1;
		77	+static const char msg[] = "hello";
		78	+
		79	+static void
		80	+check_bz28213_cb (union sigval sv)
		81	+{
		82	+ char buf[sizeof (msg)];
		83	+
		84	+ (void) sv;
		85	+
		86	+ TEST_VERIFY_EXIT ((size_t) mq_receive (m, buf, sizeof (buf), NULL)
		87	+ == sizeof (buf));
		88	+ TEST_VERIFY_EXIT (memcmp (buf, msg, sizeof (buf)) == 0);
		89	+
		90	+ exit (0);
		91	+}
		92	+
		93	+static void
		94	+check_bz28213 (void)
		95	+{
		96	+ struct sigevent sev;
		97	+
		98	+ memset (&sev, '\0', sizeof (sev));
		99	+ sev.sigev_notify = SIGEV_THREAD;
		100	+ sev.sigev_notify_function = check_bz28213_cb;
		101	+
		102	+ /* Step 1: Register & unregister notifier.
		103	+ Helper thread should receive NOTIFY_REMOVED notification.
		104	+ In a vulnerable version of glibc, NULL pointer dereference follows. */
		105	+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
		106	+ TEST_VERIFY_EXIT (mq_notify (m, NULL) == 0);
		107	+
		108	+ /* Step 2: Once again, register notification.
		109	+ Try to send one message.
		110	+ Test is considered successful, if the callback does exit (0). */
		111	+ TEST_VERIFY_EXIT (mq_notify (m, &sev) == 0);
		112	+ TEST_VERIFY_EXIT (mq_send (m, msg, sizeof (msg), 1) == 0);
		113	+
		114	+ /* Wait... */
		115	+ pause ();
		116	+}
		117	+
		118	+static int
		119	+do_test (void)
		120	+{
		121	+ static const char m_name[] = "/bz28213_queue";
		122	+ struct mq_attr m_attr;
		123	+
		124	+ memset (&m_attr, '\0', sizeof (m_attr));
		125	+ m_attr.mq_maxmsg = 1;
		126	+ m_attr.mq_msgsize = sizeof (msg);
		127	+
		128	+ m = mq_open (m_name,
		129	+ O_RDWR \| O_CREAT \| O_EXCL,
		130	+ 0600,
		131	+ &m_attr);
		132	+
		133	+ if (m < 0)
		134	+ {
		135	+ if (errno == ENOSYS)
		136	+ FAIL_UNSUPPORTED ("POSIX message queues are not implemented\n");
		137	+ FAIL_EXIT1 ("Failed to create POSIX message queue: %m\n");
		138	+ }
		139	+
		140	+ TEST_VERIFY_EXIT (mq_unlink (m_name) == 0);
		141	+
		142	+ check_bz28213 ();
		143	+
		144	+ return 0;
		145	+}
		146	+
		147	+#include <support/test-driver.c>
		148	--
		149	2.31.1
		150


diff --git a/meta/recipes-core/glibc/glibc_2.34.bb b/meta/recipes-core/glibc/glibc_2.34.bb index 66494c5c23..eafc0216ff 100644 --- a/meta/recipes-core/glibc/glibc_2.34.bb +++ b/meta/recipes-core/glibc/glibc_2.34.bb
@@ -55,6 +55,8 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
55	file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \	55	file://0028-readlib-Add-OECORE_KNOWN_INTERPRETER_NAMES-to-known-.patch \
56	file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \	56	file://0029-wordsize.h-Unify-the-header-between-arm-and-aarch64.patch \
57	file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \	57	file://0030-powerpc-Do-not-ask-compiler-for-finding-arch.patch \
		58	file://0001-CVE-2021-38604.patch \
		59	file://0002-CVE-2021-38604.patch \
58	"	60	"
59	S = "${WORKDIR}/git"	61	S = "${WORKDIR}/git"
60	B = "${WORKDIR}/build-${TARGET_SYS}"	62	B = "${WORKDIR}/build-${TARGET_SYS}"