
From: "Mike Frysinger (vapier)" <vapier@g.o>
To: gentoo-commits@l.g.o
Subject: [gentoo-commits] gentoo commit in src/patchsets/glibc/2.24: 00_all_0039-Bug-11941-ld.so-Improper-assert-map-l_init_called-in.patch 00_all_0040-localedata-bs_BA-fix-yesexpr-noexpr-BZ-20974.patch 00_all_0041-powerpc-Fix-write-after-destroy-in-lock-elision-BZ-2.patch 00_all_0042-Drop-GLIBC_TUNABLES-in-setxid-processes.patch 00_all_0043-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch README.history
Date: Thu, 09 Feb 2017 11:38:27
Message-Id: 20170209113819.022C43E5A@oystercatcher.gentoo.org
1 vapier 17/02/09 11:38:18
2
3 Modified: README.history
4 Added:
5 00_all_0039-Bug-11941-ld.so-Improper-assert-map-l_init_called-in.patch
6 00_all_0040-localedata-bs_BA-fix-yesexpr-noexpr-BZ-20974.patch
7 00_all_0041-powerpc-Fix-write-after-destroy-in-lock-elision-BZ-2.patch
8 00_all_0042-Drop-GLIBC_TUNABLES-in-setxid-processes.patch
9 00_all_0043-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
10 Log:
11 more upstream fixes
12
13 Revision Changes Path
14 1.4 src/patchsets/glibc/2.24/README.history
15
19
20 Index: README.history
21 ===================================================================
22 RCS file: /var/cvsroot/gentoo/src/patchsets/glibc/2.24/README.history,v
23 retrieving revision 1.3
24 retrieving revision 1.4
25 diff -u -r1.3 -r1.4
26 --- README.history 8 Dec 2016 19:28:42 -0000 1.3
27 +++ README.history 9 Feb 2017 11:38:18 -0000 1.4
28 @@ -1,3 +1,10 @@
29 +4 09 Feb 2017
30 + + 00_all_0039-Bug-11941-ld.so-Improper-assert-map-l_init_called-in.patch
31 + + 00_all_0040-localedata-bs_BA-fix-yesexpr-noexpr-BZ-20974.patch
32 + + 00_all_0041-powerpc-Fix-write-after-destroy-in-lock-elision-BZ-2.patch
33 + + 00_all_0042-Drop-GLIBC_TUNABLES-in-setxid-processes.patch
34 + + 00_all_0043-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
35 +
36 3 08 Dec 2016
37 + 00_all_0030-Fix-writes-past-the-allocated-array-bounds-in-execvp.patch
38 + 00_all_0031-MIPS-Add-.insn-to-ensure-a-text-label-is-defined-as-.patch
39
40
41
42 1.1 src/patchsets/glibc/2.24/00_all_0039-Bug-11941-ld.so-Improper-assert-map-l_init_called-in.patch
43
46
47 Index: 00_all_0039-Bug-11941-ld.so-Improper-assert-map-l_init_called-in.patch
48 ===================================================================
49 From 88849c6b0ff4cb1c7840a7071bc9f6fa3c984d3e Mon Sep 17 00:00:00 2001
50 From: Carlos O'Donell <carlos@××××××.com>
51 Date: Fri, 23 Dec 2016 13:30:22 -0500
52 Subject: [PATCH] Bug 11941: ld.so: Improper assert map->l_init_called in
53 dlclose
54
55 There is at least one use case where during exit a library destructor
56 might call dlclose() on a valid handle and have it fail with an
57 assertion. We must allow this case, it is a valid handle, and dlclose()
58 should not fail with an assert. In the future we might be able to return
59 an error that the dlclose() could not be completed because the opened
60 library has already been unloaded and destructors have run as part of
61 exit processing.
62
63 For more details see:
64 https://www.sourceware.org/ml/libc-alpha/2016-12/msg00859.html
65
66 (cherry picked from commit 57707b7fcc38855869321f8c7827bfe21d729f37)
67 (cherry picked from commit e9e69e468039fcd57276f783a16aa771a8e4214e)
68 ---
69 elf/Makefile | 15 ++++++-
70 elf/dl-close.c | 30 ++++++++++---
71 elf/tst-nodelete-dlclose-dso.c | 90 +++++++++++++++++++++++++++++++++++++++
72 elf/tst-nodelete-dlclose-plugin.c | 40 +++++++++++++++++
73 elf/tst-nodelete-dlclose.c | 36 ++++++++++++++++
74 5 files changed, 203 insertions(+), 8 deletions(-)
75 create mode 100644 elf/tst-nodelete-dlclose-dso.c
76 create mode 100644 elf/tst-nodelete-dlclose-plugin.c
77 create mode 100644 elf/tst-nodelete-dlclose.c
78
79 diff --git a/elf/Makefile b/elf/Makefile
80 index 68c5d82a7094..d51e2c631b6b 100644
81 --- a/elf/Makefile
82 +++ b/elf/Makefile
83 @@ -149,7 +149,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \
84 tst-nodelete) \
85 tst-initorder tst-initorder2 tst-relsort1 tst-null-argv \
86 tst-ptrguard1 tst-tlsalign tst-tlsalign-extern tst-nodelete-opened \
87 - tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error
88 + tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error \
89 + tst-nodelete-dlclose
90 # reldep9
91 ifeq ($(build-hardcoded-path-in-tests),yes)
92 tests += tst-dlopen-aout
93 @@ -223,7 +224,8 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
94 tst-array5dep tst-null-argv-lib \
95 tst-tlsalign-lib tst-nodelete-opened-lib tst-nodelete2mod \
96 tst-audit11mod1 tst-audit11mod2 tst-auditmod11 \
97 - tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12
98 + tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12 \
99 + tst-nodelete-dlclose-dso tst-nodelete-dlclose-plugin
100 ifeq (yes,$(have-mtls-dialect-gnu2))
101 tests += tst-gnu2-tls1
102 modules-names += tst-gnu2-tls1mod
103 @@ -1267,3 +1269,12 @@ $(objpfx)tst-ldconfig-X.out : tst-ldconfig-X.sh $(objpfx)ldconfig
104 $(evaluate-test)
105
106 $(objpfx)tst-dlsym-error: $(libdl)
107 +
108 +# The application depends on the DSO, and the DSO loads the plugin.
109 +# The plugin also depends on the DSO. This creates the circular
110 +# dependency via dlopen that we're testing to make sure works.
111 +$(objpfx)tst-nodelete-dlclose-dso.so: $(libdl)
112 +$(objpfx)tst-nodelete-dlclose-plugin.so: $(objpfx)tst-nodelete-dlclose-dso.so
113 +$(objpfx)tst-nodelete-dlclose: $(objpfx)tst-nodelete-dlclose-dso.so
114 +$(objpfx)tst-nodelete-dlclose.out: $(objpfx)tst-nodelete-dlclose-dso.so \
115 + $(objpfx)tst-nodelete-dlclose-plugin.so
116 diff --git a/elf/dl-close.c b/elf/dl-close.c
117 index 687d7de874c5..9f93ab762882 100644
118 --- a/elf/dl-close.c
119 +++ b/elf/dl-close.c
120 @@ -805,19 +805,37 @@ _dl_close (void *_map)
121 {
122 struct link_map *map = _map;
123
124 - /* First see whether we can remove the object at all. */
125 + /* We must take the lock to examine the contents of map and avoid
126 + concurrent dlopens. */
127 + __rtld_lock_lock_recursive (GL(dl_load_lock));
128 +
129 + /* At this point we are guaranteed nobody else is touching the list of
130 + loaded maps, but a concurrent dlclose might have freed our map
131 + before we took the lock. There is no way to detect this (see below)
132 + so we proceed assuming this isn't the case. First see whether we
133 + can remove the object at all. */
134 if (__glibc_unlikely (map->l_flags_1 & DF_1_NODELETE))
135 {
136 - assert (map->l_init_called);
137 /* Nope. Do nothing. */
138 + __rtld_lock_unlock_recursive (GL(dl_load_lock));
139 return;
140 }
141
142 + /* At present this is an unreliable check except in the case where the
143 + caller has recursively called dlclose and we are sure the link map
144 + has not been freed. In a non-recursive dlclose the map itself
145 + might have been freed and this access is potentially a data race
146 + with whatever other use this memory might have now, or worse we
147 + might silently corrupt memory if it looks enough like a link map.
148 + POSIX has language in dlclose that appears to guarantee that this
149 + should be a detectable case and given that dlclose should be threadsafe
150 + we need this to be a reliable detection.
151 + This is bug 20990. */
152 if (__builtin_expect (map->l_direct_opencount, 1) == 0)
153 - GLRO(dl_signal_error) (0, map->l_name, NULL, N_("shared object not open"));
154 -
155 - /* Acquire the lock. */
156 - __rtld_lock_lock_recursive (GL(dl_load_lock));
157 + {
158 + __rtld_lock_unlock_recursive (GL(dl_load_lock));
159 + _dl_signal_error (0, map->l_name, NULL, N_("shared object not open"));
160 + }
161
162 _dl_close_worker (map, false);
163
164 diff --git a/elf/tst-nodelete-dlclose-dso.c b/elf/tst-nodelete-dlclose-dso.c
165 new file mode 100644
166 index 000000000000..dd930f99cce3
167 --- /dev/null
168 +++ b/elf/tst-nodelete-dlclose-dso.c
169 @@ -0,0 +1,90 @@
170 +/* Bug 11941: Improper assert map->l_init_called in dlclose.
171 + Copyright (C) 2016 Free Software Foundation, Inc.
172 + This file is part of the GNU C Library.
173 +
174 + The GNU C Library is free software; you can redistribute it and/or
175 + modify it under the terms of the GNU Lesser General Public
176 + License as published by the Free Software Foundation; either
177 + version 2.1 of the License, or (at your option) any later version.
178 +
179 + The GNU C Library is distributed in the hope that it will be useful,
180 + but WITHOUT ANY WARRANTY; without even the implied warranty of
181 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
182 + Lesser General Public License for more details.
183 +
184 + You should have received a copy of the GNU Lesser General Public
185 + License along with the GNU C Library; if not, see
186 + <http://www.gnu.org/licenses/>. */
187 +
188 +/* This is the primary DSO that is loaded by the appliation. This DSO
189 + then loads a plugin with RTLD_NODELETE. This plugin depends on this
190 + DSO. This dependency chain means that at application shutdown the
191 + plugin will be destructed first. Thus by the time this DSO is
192 + destructed we will be calling dlclose on an object that has already
193 + been destructed. It is allowed to call dlclose in this way and
194 + should not assert. */
195 +#include <stdio.h>
196 +#include <stdlib.h>
197 +#include <dlfcn.h>
198 +
199 +/* Plugin to load. */
200 +static void *plugin_lib = NULL;
201 +/* Plugin function. */
202 +static void (*plugin_func) (void);
203 +#define LIB_PLUGIN "tst-nodelete-dlclose-plugin.so"
204 +
205 +/* This function is never called but the plugin references it.
206 + We do this to avoid any future --as-needed from removing the
207 + plugin's DT_NEEDED on this DSO (required for the test). */
208 +void
209 +primary_reference (void)
210 +{
211 + printf ("INFO: Called primary_reference function.\n");
212 +}
213 +
214 +void
215 +primary (void)
216 +{
217 + char *error;
218 +
219 + plugin_lib = dlopen (LIB_PLUGIN, RTLD_NOW | RTLD_LOCAL | RTLD_NODELETE);
220 + if (plugin_lib == NULL)
221 + {
222 + printf ("ERROR: Unable to load plugin library.\n");
223 + exit (EXIT_FAILURE);
224 + }
225 + dlerror ();
226 +
227 + plugin_func = (void (*) (void)) dlsym (plugin_lib, "plugin_func");
228 + error = dlerror ();
229 + if (error != NULL)
230 + {
231 + printf ("ERROR: Unable to find symbol with error \"%s\".",
232 + error);
233 + exit (EXIT_FAILURE);
234 + }
235 +
236 + return;
237 +}
238 +
239 +__attribute__ ((destructor))
240 +static void
241 +primary_dtor (void)
242 +{
243 + int ret;
244 +
245 + printf ("INFO: Calling primary destructor.\n");
246 +
247 + /* The destructor runs in the test driver also, which
248 + hasn't called primary, in that case do nothing. */
249 + if (plugin_lib == NULL)
250 + return;
251 +
252 + ret = dlclose (plugin_lib);
253 + if (ret != 0)
254 + {
255 + printf ("ERROR: Calling dlclose failed with \"%s\"\n",
256 + dlerror ());
257 + exit (EXIT_FAILURE);
258 + }
259 +}
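Review bot: In `primary`, the dlopen failure branch discards the reason for the failure: `printf ("ERROR: Unable to load plugin library.\n");` should be `printf ("ERROR: Unable to load plugin library: %s\n", dlerror ());` so a failing run shows why the plugin did not load, as the dlsym and dlclose branches already do. The trailing `return;` at the end of `primary` is redundant in a void function. The file comment reads "appliation" for "application"; the same typo is in the header comment of elf/tst-nodelete-dlclose-plugin.c.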
260 diff --git a/elf/tst-nodelete-dlclose-plugin.c b/elf/tst-nodelete-dlclose-plugin.c
261 new file mode 100644
262 index 000000000000..8b295c1718fc
263 --- /dev/null
264 +++ b/elf/tst-nodelete-dlclose-plugin.c
265 @@ -0,0 +1,40 @@
266 +/* Bug 11941: Improper assert map->l_init_called in dlclose.
267 + Copyright (C) 2016 Free Software Foundation, Inc.
268 + This file is part of the GNU C Library.
269 +
270 + The GNU C Library is free software; you can redistribute it and/or
271 + modify it under the terms of the GNU Lesser General Public
272 + License as published by the Free Software Foundation; either
273 + version 2.1 of the License, or (at your option) any later version.
274 +
275 + The GNU C Library is distributed in the hope that it will be useful,
276 + but WITHOUT ANY WARRANTY; without even the implied warranty of
277 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
278 + Lesser General Public License for more details.
279 +
280 + You should have received a copy of the GNU Lesser General Public
281 + License along with the GNU C Library; if not, see
282 + <http://www.gnu.org/licenses/>. */
283 +
284 +/* This DSO simulates a plugin with a dependency on the
285 + primary DSO loaded by the appliation. */
286 +#include <stdio.h>
287 +
288 +extern void primary_reference (void);
289 +
290 +void
291 +plugin_func (void)
292 +{
293 + printf ("INFO: Calling plugin function.\n");
294 + /* Need a reference to the DSO to ensure that a potential --as-needed
295 + doesn't remove the DT_NEEDED entry which we rely upon to ensure
296 + destruction ordering. */
297 + primary_reference ();
298 +}
299 +
300 +__attribute__ ((destructor))
301 +static void
302 +plugin_dtor (void)
303 +{
304 + printf ("INFO: Calling plugin destructor.\n");
305 +}
306 diff --git a/elf/tst-nodelete-dlclose.c b/elf/tst-nodelete-dlclose.c
307 new file mode 100644
308 index 000000000000..b3d07e184980
309 --- /dev/null
310 +++ b/elf/tst-nodelete-dlclose.c
311 @@ -0,0 +1,36 @@
312 +/* Bug 11941: Improper assert map->l_init_called in dlclose.
313 + Copyright (C) 2016 Free Software Foundation, Inc.
314 + This file is part of the GNU C Library.
315 +
316 + The GNU C Library is free software; you can redistribute it and/or
317 + modify it under the terms of the GNU Lesser General Public
318 + License as published by the Free Software Foundation; either
319 + version 2.1 of the License, or (at your option) any later version.
320 +
321 + The GNU C Library is distributed in the hope that it will be useful,
322 + but WITHOUT ANY WARRANTY; without even the implied warranty of
323 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
324 + Lesser General Public License for more details.
325 +
326 + You should have received a copy of the GNU Lesser General Public
327 + License along with the GNU C Library; if not, see
328 + <http://www.gnu.org/licenses/>. */
329 +
330 +/* This simulates an application using the primary DSO which loads the
331 + plugin DSO. */
332 +#include <stdio.h>
333 +#include <stdlib.h>
334 +
335 +extern void primary (void);
336 +
337 +static int
338 +do_test (void)
339 +{
340 + printf ("INFO: Starting application.\n");
341 + primary ();
342 + printf ("INFO: Exiting application.\n");
343 + return 0;
344 +}
345 +
346 +#define TEST_FUNCTION do_test ()
347 +#include "../test-skeleton.c"
348 --
349 2.11.0
350
351
352
353
354 1.1 src/patchsets/glibc/2.24/00_all_0040-localedata-bs_BA-fix-yesexpr-noexpr-BZ-20974.patch
355
358
359 Index: 00_all_0040-localedata-bs_BA-fix-yesexpr-noexpr-BZ-20974.patch
360 ===================================================================
361 From 5a855ded1c38d27e016aeff54cfd283d337237a9 Mon Sep 17 00:00:00 2001
362 From: Mike Frysinger <vapier@g.o>
363 Date: Thu, 15 Dec 2016 18:34:05 -0500
364 Subject: [PATCH] localedata: bs_BA: fix yesexpr/noexpr [BZ #20974]
365
366 Both regexes end with a "*." which means the previous match can be
367 omitted, and then the . allows them to match any input at all.
368
369 This means tools like coreutils' `rm -i` will always delete things
370 when prompted because the yesexpr regex matches all inputs (even
371 the negative ones).
372
373 (cherry picked from commit a035eb6928bc63fb798dcc1421529f933122d74f)
374 (cherry picked from commit 7e4405c50fc374d5e80141554c7887a52d1f9118)
375 ---
376 localedata/locales/bs_BA | 4 ++--
377 1 file changed, 2 insertions(+), 2 deletions(-)
378
379 diff --git a/localedata/locales/bs_BA b/localedata/locales/bs_BA
380 index a47f87eb373d..68c2f9471a09 100644
381 --- a/localedata/locales/bs_BA
382 +++ b/localedata/locales/bs_BA
383 @@ -148,8 +148,8 @@ copy "en_DK"
384 END LC_CTYPE
385
386 LC_MESSAGES
387 -yesexpr "<U005E><U005B><U002B><U0031><U0064><U0044><U0079><U0059><U005D><U002A><U002E>"
388 -noexpr "<U005E><U005B><U002D><U0030><U006E><U004E><U005D><U002A><U002E>"
389 +yesexpr "<U005E><U005B><U002B><U0031><U0064><U0044><U0079><U0059><U005D>"
390 +noexpr "<U005E><U005B><U002D><U0030><U006E><U004E><U005D>"
391 yesstr "<U0064><U0061>"
392 nostr "<U006E><U0065>"
393 END LC_MESSAGES
394 --
395 2.11.0
396
397
398
399
400 1.1 src/patchsets/glibc/2.24/00_all_0041-powerpc-Fix-write-after-destroy-in-lock-elision-BZ-2.patch
401
404
405 Index: 00_all_0041-powerpc-Fix-write-after-destroy-in-lock-elision-BZ-2.patch
406 ===================================================================
407 From 4adce1bf311f30d584a97a25d34a2e77fa9a0bab Mon Sep 17 00:00:00 2001
408 From: Tulio Magno Quites Machado Filho <tuliom@××××××××××××××.com>
409 Date: Mon, 23 Jan 2017 14:39:47 -0200
410 Subject: [PATCH] powerpc: Fix write-after-destroy in lock elision [BZ #20822]
411
412 The update of *adapt_count after the release of the lock causes a race
413 condition when thread A unlocks, thread B continues and destroys the
414 mutex, and thread A writes to *adapt_count.
415
416 (cherry picked from commit e9a96ea1aca4ebaa7c86e8b83b766f118d689d0f)
417 (with changes from commit eb1321f291515dae75c83a40c39e775fdd38e97a)
418
419 (cherry picked from commit 2762a7145bba9681b30ed5d4aed0c5d1df4329c8)
420 ---
421 sysdeps/unix/sysv/linux/powerpc/elision-lock.c | 10 +++++++---
422 sysdeps/unix/sysv/linux/powerpc/elision-trylock.c | 7 ++++---
423 sysdeps/unix/sysv/linux/powerpc/elision-unlock.c | 15 +++++++++------
424 3 files changed, 20 insertions(+), 12 deletions(-)
425
426 diff --git a/sysdeps/unix/sysv/linux/powerpc/elision-lock.c b/sysdeps/unix/sysv/linux/powerpc/elision-lock.c
427 index dd1e4c3b17a3..7dd3d835b6ab 100644
428 --- a/sysdeps/unix/sysv/linux/powerpc/elision-lock.c
429 +++ b/sysdeps/unix/sysv/linux/powerpc/elision-lock.c
430 @@ -45,7 +45,9 @@
431 int
432 __lll_lock_elision (int *lock, short *adapt_count, EXTRAARG int pshared)
433 {
434 - if (*adapt_count > 0)
435 + /* adapt_count is accessed concurrently but is just a hint. Thus,
436 + use atomic accesses but relaxed MO is sufficient. */
437 + if (atomic_load_relaxed (adapt_count) > 0)
438 {
439 goto use_lock;
440 }
441 @@ -67,7 +69,8 @@ __lll_lock_elision (int *lock, short *adapt_count, EXTRAARG int pshared)
442 if (_TEXASRU_FAILURE_PERSISTENT (__builtin_get_texasru ()))
443 {
444 if (aconf.skip_lock_internal_abort > 0)
445 - *adapt_count = aconf.skip_lock_internal_abort;
446 + atomic_store_relaxed (adapt_count,
447 + aconf.skip_lock_internal_abort);
448 goto use_lock;
449 }
450 }
451 @@ -75,7 +78,8 @@ __lll_lock_elision (int *lock, short *adapt_count, EXTRAARG int pshared)
452
453 /* Fall back to locks for a bit if retries have been exhausted */
454 if (aconf.try_tbegin > 0 && aconf.skip_lock_out_of_tbegin_retries > 0)
455 - *adapt_count = aconf.skip_lock_out_of_tbegin_retries;
456 + atomic_store_relaxed (adapt_count,
457 + aconf.skip_lock_out_of_tbegin_retries);
458
459 use_lock:
460 return LLL_LOCK ((*lock), pshared);
461 diff --git a/sysdeps/unix/sysv/linux/powerpc/elision-trylock.c b/sysdeps/unix/sysv/linux/powerpc/elision-trylock.c
462 index 0807a6a4323b..606185670dc3 100644
463 --- a/sysdeps/unix/sysv/linux/powerpc/elision-trylock.c
464 +++ b/sysdeps/unix/sysv/linux/powerpc/elision-trylock.c
465 @@ -34,7 +34,7 @@ __lll_trylock_elision (int *futex, short *adapt_count)
466 __libc_tabort (_ABORT_NESTED_TRYLOCK);
467
468 /* Only try a transaction if it's worth it. */
469 - if (*adapt_count > 0)
470 + if (atomic_load_relaxed (adapt_count) > 0)
471 {
472 goto use_lock;
473 }
474 @@ -49,7 +49,7 @@ __lll_trylock_elision (int *futex, short *adapt_count)
475 __libc_tend (0);
476
477 if (aconf.skip_lock_busy > 0)
478 - *adapt_count = aconf.skip_lock_busy;
479 + atomic_store_relaxed (adapt_count, aconf.skip_lock_busy);
480 }
481 else
482 {
483 @@ -59,7 +59,8 @@ __lll_trylock_elision (int *futex, short *adapt_count)
484 result in another failure. Use normal locking now and
485 for the next couple of calls. */
486 if (aconf.skip_trylock_internal_abort > 0)
487 - *adapt_count = aconf.skip_trylock_internal_abort;
488 + atomic_store_relaxed (adapt_count,
489 + aconf.skip_trylock_internal_abort);
490 }
491 }
492
493 diff --git a/sysdeps/unix/sysv/linux/powerpc/elision-unlock.c b/sysdeps/unix/sysv/linux/powerpc/elision-unlock.c
494 index 43c5a67df2a4..51d7018e4c0a 100644
495 --- a/sysdeps/unix/sysv/linux/powerpc/elision-unlock.c
496 +++ b/sysdeps/unix/sysv/linux/powerpc/elision-unlock.c
497 @@ -28,13 +28,16 @@ __lll_unlock_elision (int *lock, short *adapt_count, int pshared)
498 __libc_tend (0);
499 else
500 {
501 - lll_unlock ((*lock), pshared);
502 + /* Update adapt_count in the critical section to prevent a
503 + write-after-destroy error as mentioned in BZ 20822. The
504 + following update of adapt_count has to be contained within
505 + the critical region of the fall-back lock in order to not violate
506 + the mutex destruction requirements. */
507 + short __tmp = atomic_load_relaxed (adapt_count);
508 + if (__tmp > 0)
509 + atomic_store_relaxed (adapt_count, __tmp - 1);
510
511 - /* Update the adapt count AFTER completing the critical section.
512 - Doing this here prevents unneeded stalling when entering
513 - a critical section. Saving about 8% runtime on P8. */
514 - if (*adapt_count > 0)
515 - (*adapt_count)--;
516 + lll_unlock ((*lock), pshared);
517 }
518 return 0;
519 }
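Review bot: The new `atomic_load_relaxed`/`atomic_store_relaxed` pair on `adapt_count` is not an atomic read-modify-write, so a relaxed store from the lock or trylock paths (which in this series run before `LLL_LOCK`, outside the fall-back critical section) can land between the load and the store and be overwritten; the added comment explains the ordering against `lll_unlock` but not this. Since the counter is only a heuristic that is acceptable, and it is worth saying so next to the store: `/* Not an atomic decrement: a concurrent relaxed store from the lock paths may be lost, which is tolerable because adapt_count is only a hint. */`. `__lll_unlock_elision` begins outside the hunk.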
520 --
521 2.11.0
522
523
524
525
526 1.1 src/patchsets/glibc/2.24/00_all_0042-Drop-GLIBC_TUNABLES-in-setxid-processes.patch
527
530
531 Index: 00_all_0042-Drop-GLIBC_TUNABLES-in-setxid-processes.patch
532 ===================================================================
533 From a0c7c4ebeea470eb00dcd1c8200a902a00b5470b Mon Sep 17 00:00:00 2001
534 From: Siddhesh Poyarekar <siddhesh@××××××××××.org>
535 Date: Thu, 2 Feb 2017 16:15:45 +0530
536 Subject: [PATCH] Drop GLIBC_TUNABLES in setxid processes
537
538 Drop the GLIBC_TUNABLES environment variable from the environment of
539 setxid processes to avoid passing it on to non-setxid children. This
540 prevents potentially insecure tunables in the GLIBC_TUNABLES envvar
541 from crossing over into a child that may use a libc that has tunables
542 support.
543
544 * sysdeps/generic/unsecvars.h: Add GLIBC_TUNABLES.
545
546 (cherry picked from commit 537a06fbdeb9a6c2184c745c15ef3346681f5eeb)
547 ---
548 sysdeps/generic/unsecvars.h | 1 +
549 1 file changed, 1 insertion(+)
550
551 diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
552 index d5b8119c9cb5..3e56538b51c4 100644
553 --- a/sysdeps/generic/unsecvars.h
554 +++ b/sysdeps/generic/unsecvars.h
555 @@ -4,6 +4,7 @@
556 #define UNSECURE_ENVVARS \
557 "GCONV_PATH\0" \
558 "GETCONF_DIR\0" \
559 + "GLIBC_TUNABLES\0" \
560 "HOSTALIASES\0" \
561 "LD_AUDIT\0" \
562 "LD_DEBUG\0" \
563 --
564 2.11.0
565
566
567
568
569 1.1 src/patchsets/glibc/2.24/00_all_0043-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
570
573
574 Index: 00_all_0043-CVE-2015-5180-resolv-Fix-crash-with-internal-QTYPE-B.patch
575 ===================================================================
576 From 20f534e0abd81149c71cef082c8c058bb9d953af Mon Sep 17 00:00:00 2001
577 From: Florian Weimer <fweimer@××××××.com>
578 Date: Sat, 31 Dec 2016 20:22:09 +0100
579 Subject: [PATCH] CVE-2015-5180: resolv: Fix crash with internal QTYPE [BZ
580 #18784]
581
582 Also rename T_UNSPEC because an upcoming public header file
583 update will use that name.
584
585 (cherry picked from commit fc82b0a2dfe7dbd35671c10510a8da1043d746a5)
586 (cherry picked from commit b3b37f1a5559a7620e31c8053ed1b44f798f2b6d)
587 ---
588 include/arpa/nameser_compat.h | 6 +-
589 resolv/Makefile | 5 ++
590 resolv/nss_dns/dns-host.c | 2 +-
591 resolv/res_mkquery.c | 4 +
592 resolv/res_query.c | 6 +-
593 resolv/tst-resolv-qtypes.c | 185 ++++++++++++++++++++++++++++++++++++++++++
594 6 files changed, 201 insertions(+), 7 deletions(-)
595 create mode 100644 resolv/tst-resolv-qtypes.c
596
597 diff --git a/include/arpa/nameser_compat.h b/include/arpa/nameser_compat.h
598 index 2e735ede4c0e..7c0deed9aed4 100644
599 --- a/include/arpa/nameser_compat.h
600 +++ b/include/arpa/nameser_compat.h
601 @@ -1,8 +1,8 @@
602 #ifndef _ARPA_NAMESER_COMPAT_
603 #include <resolv/arpa/nameser_compat.h>
604
605 -/* Picksome unused number to represent lookups of IPv4 and IPv6 (i.e.,
606 - T_A and T_AAAA). */
607 -#define T_UNSPEC 62321
608 +/* The number is outside the 16-bit RR type range and is used
609 + internally by the implementation. */
610 +#define T_QUERY_A_AND_AAAA 439963904
611
612 #endif
613 diff --git a/resolv/Makefile b/resolv/Makefile
614 index 8be41d3ae141..a4c86b976257 100644
615 --- a/resolv/Makefile
616 +++ b/resolv/Makefile
617 @@ -40,6 +40,9 @@ ifeq ($(have-thread-library),yes)
618 extra-libs += libanl
619 routines += gai_sigqueue
620 tests += tst-res_hconf_reorder
621 +
622 +# This test sends millions of packets and is rather slow.
623 +xtests += tst-resolv-qtypes
624 endif
625 extra-libs-others = $(extra-libs)
626 libresolv-routines := gethnamaddr res_comp res_debug \
627 @@ -117,3 +120,5 @@ tst-leaks2-ENV = MALLOC_TRACE=$(objpfx)tst-leaks2.mtrace
628 $(objpfx)mtrace-tst-leaks2.out: $(objpfx)tst-leaks2.out
629 $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks2.mtrace > $@; \
630 $(evaluate-test)
631 +
632 +$(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library)
633 diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
634 index 5f9e35701b2a..d16fa4b8edf6 100644
635 --- a/resolv/nss_dns/dns-host.c
636 +++ b/resolv/nss_dns/dns-host.c
637 @@ -323,7 +323,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat,
638
639 int olderr = errno;
640 enum nss_status status;
641 - int n = __libc_res_nsearch (&_res, name, C_IN, T_UNSPEC,
642 + int n = __libc_res_nsearch (&_res, name, C_IN, T_QUERY_A_AND_AAAA,
643 host_buffer.buf->buf, 2048, &host_buffer.ptr,
644 &ans2p, &nans2p, &resplen2, &ans2p_malloced);
645 if (n >= 0)
646 diff --git a/resolv/res_mkquery.c b/resolv/res_mkquery.c
647 index 12f9730199f8..d80b5318e5e0 100644
648 --- a/resolv/res_mkquery.c
649 +++ b/resolv/res_mkquery.c
650 @@ -103,6 +103,10 @@ res_nmkquery(res_state statp,
651 int n;
652 u_char *dnptrs[20], **dpp, **lastdnptr;
653
654 + if (class < 0 || class > 65535
655 + || type < 0 || type > 65535)
656 + return -1;
657 +
658 #ifdef DEBUG
659 if (statp->options & RES_DEBUG)
660 printf(";; res_nmkquery(%s, %s, %s, %s)\n",
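Review bot: The new range check `if (class < 0 || class > 65535 || type < 0 || type > 65535) return -1;` appears to be the guard that stops an out-of-range value, such as the internal `T_QUERY_A_AND_AAAA` sentinel, from being truncated into the 16-bit QCLASS/QTYPE wire fields, yet it carries no comment and sits before the `RES_DEBUG` trace, so a rejected query leaves no trace even with debugging enabled. I would add above it: `/* Reject values that do not fit the 16-bit QCLASS/QTYPE wire fields; internal sentinels such as T_QUERY_A_AND_AAAA must be split by the caller (BZ #18784). */`. The same cross-reference belongs on the `T_QUERY_A_AND_AAAA` definition in include/arpa/nameser_compat.h, whose new comment only says the number is outside the RR type range. `res_nmkquery` begins and ends outside the hunk.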
661 diff --git a/resolv/res_query.c b/resolv/res_query.c
662 index 944d1a90f57e..07dc6f658386 100644
663 --- a/resolv/res_query.c
664 +++ b/resolv/res_query.c
665 @@ -122,7 +122,7 @@ __libc_res_nquery(res_state statp,
666 int n, use_malloc = 0;
667 u_int oflags = statp->_flags;
668
669 - size_t bufsize = (type == T_UNSPEC ? 2 : 1) * QUERYSIZE;
670 + size_t bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * QUERYSIZE;
671 u_char *buf = alloca (bufsize);
672 u_char *query1 = buf;
673 int nquery1 = -1;
674 @@ -137,7 +137,7 @@ __libc_res_nquery(res_state statp,
675 printf(";; res_query(%s, %d, %d)\n", name, class, type);
676 #endif
677
678 - if (type == T_UNSPEC)
679 + if (type == T_QUERY_A_AND_AAAA)
680 {
681 n = res_nmkquery(statp, QUERY, name, class, T_A, NULL, 0, NULL,
682 query1, bufsize);
683 @@ -190,7 +190,7 @@ __libc_res_nquery(res_state statp,
684 if (__builtin_expect (n <= 0, 0) && !use_malloc) {
685 /* Retry just in case res_nmkquery failed because of too
686 short buffer. Shouldn't happen. */
687 - bufsize = (type == T_UNSPEC ? 2 : 1) * MAXPACKET;
688 + bufsize = (type == T_QUERY_A_AND_AAAA ? 2 : 1) * MAXPACKET;
689 buf = malloc (bufsize);
690 if (buf != NULL) {
691 query1 = buf;
692 diff --git a/resolv/tst-resolv-qtypes.c b/resolv/tst-resolv-qtypes.c
693 new file mode 100644
694 index 000000000000..b3e60c693bf2
695 --- /dev/null
696 +++ b/resolv/tst-resolv-qtypes.c
697 @@ -0,0 +1,185 @@
698 +/* Exercise low-level query functions with different QTYPEs.
699 + Copyright (C) 2016 Free Software Foundation, Inc.
700 + This file is part of the GNU C Library.
701 +
702 + The GNU C Library is free software; you can redistribute it and/or
703 + modify it under the terms of the GNU Lesser General Public
704 + License as published by the Free Software Foundation; either
705 + version 2.1 of the License, or (at your option) any later version.
706 +
707 + The GNU C Library is distributed in the hope that it will be useful,
708 + but WITHOUT ANY WARRANTY; without even the implied warranty of
709 + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
710 + Lesser General Public License for more details.
711 +
712 + You should have received a copy of the GNU Lesser General Public
713 + License along with the GNU C Library; if not, see
714 + <http://www.gnu.org/licenses/>. */
715 +
716 +#include <resolv.h>
717 +#include <string.h>
718 +#include <support/check.h>
719 +#include <support/check_nss.h>
720 +#include <support/resolv_test.h>
721 +#include <support/support.h>
722 +#include <support/test-driver.h>
723 +#include <support/xmemstream.h>
724 +
725 +/* If ture, the response function will send the actual response packet
726 + over TCP instead of UDP. */
727 +static volatile bool force_tcp;
728 +
729 +/* Send back a fake resource record matching the QTYPE. */
730 +static void
731 +response (const struct resolv_response_context *ctx,
732 + struct resolv_response_builder *b,
733 + const char *qname, uint16_t qclass, uint16_t qtype)
734 +{
735 + if (force_tcp && ctx->tcp)
736 + {
737 + resolv_response_init (b, (struct resolv_response_flags) { .tc = 1 });
738 + resolv_response_add_question (b, qname, qclass, qtype);
739 + return;
740 + }
741 +
742 + resolv_response_init (b, (struct resolv_response_flags) { });
743 + resolv_response_add_question (b, qname, qclass, qtype);
744 + resolv_response_section (b, ns_s_an);
745 + resolv_response_open_record (b, qname, qclass, qtype, 0);
746 + resolv_response_add_data (b, &qtype, sizeof (qtype));
747 + resolv_response_close_record (b);
748 +}
749 +
750 +static const const char *domain = "www.example.com";
751 +
752 +static int
753 +wrap_res_query (int type, unsigned char *answer, int answer_length)
754 +{
755 + return res_query (domain, C_IN, type, answer, answer_length);
756 +}
757 +
758 +static int
759 +wrap_res_search (int type, unsigned char *answer, int answer_length)
760 +{
761 + return res_query (domain, C_IN, type, answer, answer_length);
762 +}
763 +
764 +static int
765 +wrap_res_querydomain (int type, unsigned char *answer, int answer_length)
766 +{
767 + return res_querydomain ("www", "example.com", C_IN, type,
768 + answer, answer_length);
769 +}
770 +
771 +static int
772 +wrap_res_send (int type, unsigned char *answer, int answer_length)
773 +{
774 + unsigned char buf[512];
775 + int ret = res_mkquery (QUERY, domain, C_IN, type,
776 + (const unsigned char *) "", 0, NULL,
777 + buf, sizeof (buf));
778 + if (type < 0 || type >= 65536)
779 + {
780 + /* res_mkquery fails for out-of-range record types. */
781 + TEST_VERIFY_EXIT (ret == -1);
782 + return -1;
783 + }
784 + TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
785 + return res_send (buf, ret, answer, answer_length);
786 +}
787 +
788 +static int
789 +wrap_res_nquery (int type, unsigned char *answer, int answer_length)
790 +{
791 + return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
792 +}
793 +
794 +static int
795 +wrap_res_nsearch (int type, unsigned char *answer, int answer_length)
796 +{
797 + return res_nquery (&_res, domain, C_IN, type, answer, answer_length);
798 +}
799 +
800 +static int
801 +wrap_res_nquerydomain (int type, unsigned char *answer, int answer_length)
802 +{
803 + return res_nquerydomain (&_res, "www", "example.com", C_IN, type,
804 + answer, answer_length);
805 +}
806 +
807 +static int
808 +wrap_res_nsend (int type, unsigned char *answer, int answer_length)
809 +{
810 + unsigned char buf[512];
811 + int ret = res_nmkquery (&_res, QUERY, domain, C_IN, type,
812 + (const unsigned char *) "", 0, NULL,
813 + buf, sizeof (buf));
814 + if (type < 0 || type >= 65536)
815 + {
816 + /* res_mkquery fails for out-of-range record types. */
817 + TEST_VERIFY_EXIT (ret == -1);
818 + return -1;
819 + }
820 + TEST_VERIFY_EXIT (ret > 12); /* DNS header length. */
821 + return res_nsend (&_res, buf, ret, answer, answer_length);
822 +}
823 +
824 +static void
825 +test_function (const char *fname,
826 + int (*func) (int type,
827 + unsigned char *answer, int answer_length))
828 +{
829 + unsigned char buf[512];
830 + for (int tcp = 0; tcp < 2; ++tcp)
831 + {
832 + force_tcp = tcp;
833 + for (unsigned int type = 1; type <= 65535; ++type)
834 + {
835 + if (test_verbose)
836 + printf ("info: sending QTYPE %d with %s (tcp=%d)\n",
837 + type, fname, tcp);
838 + int ret = func (type, buf, sizeof (buf));
839 + if (ret != 47)
840 + FAIL_EXIT1 ("%s tcp=%d qtype=%d return value %d",
841 + fname,tcp, type, ret);
842 + /* One question, one answer record. */
843 + TEST_VERIFY (memcmp (buf + 4, "\0\1\0\1\0\0\0\0", 8) == 0);
844 + /* Question section. */
845 + static const char qname[] = "\3www\7example\3com";
846 + size_t qname_length = sizeof (qname);
847 + TEST_VERIFY (memcmp (buf + 12, qname, qname_length) == 0);
848 + /* RDATA part of answer. */
849 + uint16_t type16 = type;
850 + TEST_VERIFY (memcmp (buf + ret - 2, &type16, sizeof (type16)) == 0);
851 + }
852 + }
853 +
854 + TEST_VERIFY (func (-1, buf, sizeof (buf) == -1));
855 + TEST_VERIFY (func (65536, buf, sizeof (buf) == -1));
856 +}
857 +
858 +static int
859 +do_test (void)
860 +{
861 + struct resolv_redirect_config config =
862 + {
863 + .response_callback = response,
864 + };
865 + struct resolv_test *obj = resolv_test_start (config);
866 +
867 + test_function ("res_query", &wrap_res_query);
868 + test_function ("res_search", &wrap_res_search);
869 + test_function ("res_querydomain", &wrap_res_querydomain);
870 + test_function ("res_send", &wrap_res_send);
871 +
872 + test_function ("res_nquery", &wrap_res_nquery);
873 + test_function ("res_nsearch", &wrap_res_nsearch);
874 + test_function ("res_nquerydomain", &wrap_res_nquerydomain);
875 + test_function ("res_nsend", &wrap_res_nsend);
876 +
877 + resolv_test_end (obj);
878 + return 0;
879 +}
880 +
881 +#define TIMEOUT 300
882 +#include <support/test-driver.c>
883 --
884 2.11.0