Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package glibc for openSUSE:Factory checked in at 2023-09-29 21:12:19 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/glibc (Old) and /work/SRC/openSUSE:Factory/.glibc.new.28202 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "glibc" Fri Sep 29 21:12:19 2023 rev:279 rq:1114023 version:2.38 Changes: -------- --- /work/SRC/openSUSE:Factory/glibc/glibc.changes 2023-08-30 10:22:03.991538598 +0200 +++ /work/SRC/openSUSE:Factory/.glibc.new.28202/glibc.changes 2023-09-29 21:12:20.735089707 +0200 @@ -0,0 +1,48 @@ +------------------------------------------------------------------- +Wed Sep 27 14:08:48 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- fstat-implementation.patch: io: Do not implement fstat with fstatat + +------------------------------------------------------------------- +Mon Sep 25 07:58:08 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- getaddrinfo-memory-leak.patch: Fix leak in getaddrinfo introduced by the + fix for CVE-2023-4806 (CVE-2023-5156, bsc#1215714, BZ #30884) + +------------------------------------------------------------------- +Mon Sep 18 08:48:59 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- getcanonname-use-after-free.patch: getaddrinfo: Fix use after free in + getcanonname (CVE-2023-4806, bsc#1215281, BZ #30843) +- Do not build any cross packages in SLES + +------------------------------------------------------------------- +Wed Sep 13 12:25:56 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- no-aaaa-read-overflow.patch: Stack read overflow with large TCP + responses in no-aaaa mode (CVE-2023-4527, bsc#1215280, BZ #30842) + +------------------------------------------------------------------- +Tue Sep 12 12:52:55 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- Add systemd to passwd, group and shadow lookups (jsc#PED-5188) + +------------------------------------------------------------------- +Mon Sep 11 09:20:07 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- ppc64-flock-fob64.patch: io: Fix record locking contants for powerpc64 + with __USE_FILE_OFFSET64 (BZ #30804) +- libio-io-vtables.patch: libio: Fix oversized __io_vtables +- call-init-proxy-objects.patch: elf: Do not run constructors for proxy + objects +- dtors-reverse-ctor-order.patch: elf: Always call destructors in reverse + constructor order (BZ #30785) + +------------------------------------------------------------------- +Tue Sep 5 11:13:13 UTC 2023 - Andreas Schwab <schwab@suse.de> + +- intl-c-utf-8-like-c-locale.patch: intl: Treat C.UTF-8 locale like C + locale (BZ #16621) +- glibc-disable-gettext-for-c-utf8.patch: Removed + +------------------------------------------------------------------- Old: ---- glibc-disable-gettext-for-c-utf8.patch New: ---- call-init-proxy-objects.patch dtors-reverse-ctor-order.patch fstat-implementation.patch getaddrinfo-memory-leak.patch getcanonname-use-after-free.patch intl-c-utf-8-like-c-locale.patch libio-io-vtables.patch no-aaaa-read-overflow.patch ppc64-flock-fob64.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ glibc.spec ++++++ --- /var/tmp/diff_new_pack.58pn1S/_old 2023-09-29 21:12:25.207251062 +0200 +++ /var/tmp/diff_new_pack.58pn1S/_new 2023-09-29 21:12:25.211251206 +0200 @@ -96,6 +96,9 @@ %define build_cross 1 %undefine _build_create_debug ExcludeArch: %{cross_arch} +%if 0%{?suse_version} < 1600 +ExclusiveArch: do_not_build +%endif %endif %define host_arch %{?cross_cpu}%{!?cross_cpu:%{_target_cpu}} @@ -287,8 +290,6 @@ Patch102: glibc-2.4.90-no_NO.diff # PATCH-FIX-OPENSUSE -- Renames for China Patch103: glibc-2.4-china.diff -# PATCH-FIX-OPENSUSE -- Disable gettext for C.UTF-8 locale -Patch104: glibc-disable-gettext-for-c-utf8.patch ### Network related patches # PATCH-FIX-OPENSUSE Warn about usage of mdns in resolv.conv @@ -307,6 +308,24 @@ Patch1002: cache-intel-shared.patch # PATCH-FIX-UPSTREAM malloc: Enable merging of remainders in memalign, remove bin scanning from memalign (BZ #30723) Patch1003: posix-memalign-fragmentation.patch +# PATCH-FIX-UPSTREAM intl: Treat C.UTF-8 locale like C locale (BZ #16621) +Patch1004: intl-c-utf-8-like-c-locale.patch +# PATCH-FIX-UPSTREAM io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64 (BZ #30804) +Patch1005: ppc64-flock-fob64.patch +# PATCH-FIX-UPSTREAM libio: Fix oversized __io_vtables +Patch1006: libio-io-vtables.patch +# PATCH-FIX-UPSTREAM elf: Do not run constructors for proxy objects +Patch1007: call-init-proxy-objects.patch +# PATCH-FIX-UPSTREAM elf: Always call destructors in reverse constructor order (BZ #30785) +Patch1008: dtors-reverse-ctor-order.patch +# PATCH-FIX-UPSTREAM Stack read overflow with large TCP responses in no-aaaa mode (CVE-2023-4527, BZ #30842) +Patch1009: no-aaaa-read-overflow.patch +# PATCH-FIX-UPSTREAM getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806, BZ #30843) +Patch1010: getcanonname-use-after-free.patch +# PATCH-FIX-UPSTREAM Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 (CVE-2023-5156, BZ #30884) +Patch1011: getaddrinfo-memory-leak.patch +# PATCH-FIX-UPSTREAM io: Do not implement fstat with fstatat +Patch1012: fstat-implementation.patch ### # Patches awaiting upstream approval @@ -524,7 +543,6 @@ %patch100 -p1 %patch102 -p1 %patch103 -p1 -%patch104 -p1 %patch304 -p1 %patch306 -p1 @@ -534,6 +552,15 @@ %patch1001 -p1 %patch1002 -p1 %patch1003 -p1 +%patch1004 -p1 +%patch1005 -p1 +%patch1006 -p1 +%patch1007 -p1 +%patch1008 -p1 +%patch1009 -p1 +%patch1010 -p1 +%patch1011 -p1 +%patch1012 -p1 %endif %patch2000 -p1 ++++++ call-init-proxy-objects.patch ++++++ From 7ae211a01b085d0bde54bd13b887ce8f9d57c2b4 Mon Sep 17 00:00:00 2001 From: Florian Weimer <fweimer@redhat.com> Date: Tue, 22 Aug 2023 13:56:25 +0200 Subject: [PATCH] elf: Do not run constructors for proxy objects Otherwise, the ld.so constructor runs for each audit namespace and each dlmopen namespace. (cherry picked from commit f6c8204fd7fabf0cf4162eaf10ccf23258e4d10e) --- elf/dl-init.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/elf/dl-init.c b/elf/dl-init.c index 5b0732590f..ba4d2fdc85 100644 --- a/elf/dl-init.c +++ b/elf/dl-init.c @@ -25,10 +25,14 @@ static void call_init (struct link_map *l, int argc, char **argv, char **env) { + /* Do not run constructors for proxy objects. */ + if (l != l->l_real) + return; + /* If the object has not been relocated, this is a bug. The function pointers are invalid in this case. (Executables do not - need relocation, and neither do proxy objects.) */ - assert (l->l_real->l_relocated || l->l_real->l_type == lt_executable); + need relocation.) */ + assert (l->l_relocated || l->l_type == lt_executable); if (l->l_init_called) /* This object is all done. */ -- 2.42.0 ++++++ dtors-reverse-ctor-order.patch ++++++ ++++ 835 lines (skipped) ++++++ fstat-implementation.patch ++++++ From 551101e8240b7514fc646d1722f8b79c90362b8f Mon Sep 17 00:00:00 2001 From: Adhemerval Zanella <adhemerval.zanella@linaro.org> Date: Mon, 11 Sep 2023 10:25:48 -0300 Subject: [PATCH] io: Do not implement fstat with fstatat AT_EMPTY_PATH is a requirement to implement fstat over fstatat, however it does not prevent the kernel to read the path argument. It is not an issue, but on x86-64 with SMAP-capable CPUs the kernel is forced to perform expensive user memory access. After that regular lookup is performed which adds even more overhead. Instead, issue the fstat syscall directly on LFS fstat implementation (32 bit architectures will still continue to use statx, which is required to have 64 bit time_t support). it should be even a small performance gain on non x86_64, since there is no need to handle the path argument. Checked on x86_64-linux-gnu. --- sysdeps/unix/sysv/linux/fstat64.c | 37 +++++++++++++++++++++++-- sysdeps/unix/sysv/linux/fstatat64.c | 12 ++------ sysdeps/unix/sysv/linux/internal-stat.h | 31 +++++++++++++++++++++ 3 files changed, 68 insertions(+), 12 deletions(-) create mode 100644 sysdeps/unix/sysv/linux/internal-stat.h diff --git a/sysdeps/unix/sysv/linux/fstat64.c b/sysdeps/unix/sysv/linux/fstat64.c index 124384e57f..a291f0825b 100644 --- a/sysdeps/unix/sysv/linux/fstat64.c +++ b/sysdeps/unix/sysv/linux/fstat64.c @@ -19,20 +19,53 @@ #define __fstat __redirect___fstat #define fstat __redirect_fstat #include <sys/stat.h> +#undef __fstat +#undef fstat #include <fcntl.h> -#include <kernel_stat.h> -#include <stat_t64_cp.h> +#include <internal-stat.h> #include <errno.h> int __fstat64_time64 (int fd, struct __stat64_t64 *buf) { +#if !FSTATAT_USE_STATX +# if XSTAT_IS_XSTAT64 +# ifdef __NR_fstat + /* 64-bit kABI, e.g. aarch64, ia64, powerpc64*, s390x, riscv64, and + x86_64. */ + return INLINE_SYSCALL_CALL (fstat, fd, buf); +# elif defined __NR_fstat64 +# if STAT64_IS_KERNEL_STAT64 + /* 64-bit kABI outlier, e.g. alpha */ + return INLINE_SYSCALL_CALL (fstat64, fd, buf); +# else + /* 64-bit kABI outlier, e.g. sparc64. */ + struct kernel_stat64 kst64; + int r = INLINE_SYSCALL_CALL (fstat64, fd, &kst64); + if (r == 0) + __cp_stat64_kstat64 (buf, &kst64); + return r; +# endif /* STAT64_IS_KERNEL_STAT64 */ +# endif +# else /* XSTAT_IS_XSTAT64 */ + /* 64-bit kabi outlier, e.g. mips64 and mips64-n32. */ + struct kernel_stat kst; + int r = INLINE_SYSCALL_CALL (fstat, fd, &kst); + if (r == 0) + __cp_kstat_stat64_t64 (&kst, buf); + return r; +# endif +#else /* !FSTATAT_USE_STATX */ + /* All kABIs with non-LFS support and with old 32-bit time_t support + e.g. arm, csky, i386, hppa, m68k, microblaze, nios2, sh, powerpc32, + and sparc32. */ if (fd < 0) { __set_errno (EBADF); return -1; } return __fstatat64_time64 (fd, "", buf, AT_EMPTY_PATH); +#endif } #if __TIMESIZE != 64 hidden_def (__fstat64_time64) diff --git a/sysdeps/unix/sysv/linux/fstatat64.c b/sysdeps/unix/sysv/linux/fstatat64.c index 3509d3ca6d..127c6ff601 100644 --- a/sysdeps/unix/sysv/linux/fstatat64.c +++ b/sysdeps/unix/sysv/linux/fstatat64.c @@ -21,12 +21,10 @@ #include <sys/stat.h> #include <fcntl.h> #include <string.h> -#include <kernel_stat.h> #include <sysdep.h> #include <time.h> -#include <kstat_cp.h> -#include <stat_t64_cp.h> #include <sys/sysmacros.h> +#include <internal-stat.h> #if __TIMESIZE == 64 \ && (__WORDSIZE == 32 \ @@ -40,11 +38,7 @@ _Static_assert (sizeof (__blkcnt_t) == sizeof (__blkcnt64_t), "__blkcnt_t and __blkcnt64_t must match"); #endif -#if (__WORDSIZE == 32 \ - && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ - || defined STAT_HAS_TIME32 \ - || (!defined __NR_newfstatat && !defined __NR_fstatat64) -# define FSTATAT_USE_STATX 1 +#if FSTATAT_USE_STATX static inline int fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, @@ -79,8 +73,6 @@ fstatat64_time64_statx (int fd, const char *file, struct __stat64_t64 *buf, return r; } -#else -# define FSTATAT_USE_STATX 0 #endif /* Only statx supports 64-bit timestamps for 32-bit architectures with diff --git a/sysdeps/unix/sysv/linux/internal-stat.h b/sysdeps/unix/sysv/linux/internal-stat.h new file mode 100644 index 0000000000..e3b0569853 --- /dev/null +++ b/sysdeps/unix/sysv/linux/internal-stat.h @@ -0,0 +1,31 @@ +/* Internal stat definitions. + Copyright (C) 2023 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <sysdep.h> +#include <stat_t64_cp.h> +#include <kernel_stat.h> +#include <kstat_cp.h> + +#if (__WORDSIZE == 32 \ + && (!defined __SYSCALL_WORDSIZE || __SYSCALL_WORDSIZE == 32)) \ + || defined STAT_HAS_TIME32 \ + || (!defined __NR_newfstatat && !defined __NR_fstatat64) +# define FSTATAT_USE_STATX 1 +#else +# define FSTATAT_USE_STATX 0 +#endif -- 2.42.0 ++++++ getaddrinfo-memory-leak.patch ++++++ From ec6b95c3303c700eb89eebeda2d7264cc184a796 Mon Sep 17 00:00:00 2001 From: Romain Geissler <romain.geissler@amadeus.com> Date: Mon, 25 Sep 2023 01:21:51 +0100 Subject: [PATCH] Fix leak in getaddrinfo introduced by the fix for CVE-2023-4806 [BZ #30843] This patch fixes a very recently added leak in getaddrinfo. Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org> --- nss/Makefile | 20 ++++++++++++++++++++ nss/tst-nss-gai-hv2-canonname.c | 3 +++ sysdeps/posix/getaddrinfo.c | 4 +--- 3 files changed, 24 insertions(+), 3 deletions(-) diff --git a/nss/Makefile b/nss/Makefile index 8a5126ecf3..668ba34b18 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -149,6 +149,15 @@ endif extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ nss_test_gai_hv2_canonname.os +ifeq ($(run-built-tests),yes) +ifneq (no,$(PERL)) +tests-special += $(objpfx)mtrace-tst-nss-gai-hv2-canonname.out +endif +endif + +generated += mtrace-tst-nss-gai-hv2-canonname.out \ + tst-nss-gai-hv2-canonname.mtrace + include ../Rules ifeq (yes,$(have-selinux)) @@ -217,6 +226,17 @@ endif $(objpfx)tst-nss-files-alias-leak.out: $(objpfx)/libnss_files.so $(objpfx)tst-nss-files-alias-truncated.out: $(objpfx)/libnss_files.so +tst-nss-gai-hv2-canonname-ENV = \ + MALLOC_TRACE=$(objpfx)tst-nss-gai-hv2-canonname.mtrace \ + LD_PRELOAD=$(common-objpfx)/malloc/libc_malloc_debug.so +$(objpfx)mtrace-tst-nss-gai-hv2-canonname.out: \ + $(objpfx)tst-nss-gai-hv2-canonname.out + { test -r $(objpfx)tst-nss-gai-hv2-canonname.mtrace \ + || ( echo "tst-nss-gai-hv2-canonname.mtrace does not exist"; exit 77; ) \ + && $(common-objpfx)malloc/mtrace \ + $(objpfx)tst-nss-gai-hv2-canonname.mtrace; } > $@; \ + $(evaluate-test) + # Disable DT_RUNPATH on NSS tests so that the glibc internal NSS # functions can load testing NSS modules via DT_RPATH. LDFLAGS-tst-nss-test1 = -Wl,--disable-new-dtags diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c index d5f10c07d6..7db53cf09d 100644 --- a/nss/tst-nss-gai-hv2-canonname.c +++ b/nss/tst-nss-gai-hv2-canonname.c @@ -21,6 +21,7 @@ #include <netdb.h> #include <stdlib.h> #include <string.h> +#include <mcheck.h> #include <support/check.h> #include <support/xstdio.h> #include "nss/tst-nss-gai-hv2-canonname.h" @@ -41,6 +42,8 @@ static void do_prepare (int a, char **av) static int do_test (void) { + mtrace (); + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); struct addrinfo hints = {}; diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 47f421fddf..531124958d 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -1196,9 +1196,7 @@ free_and_return: if (malloc_name) free ((char *) name); free (addrmem); - if (res.free_at) - free (res.at); - free (res.canon); + gaih_result_reset (&res); return result; } -- 2.42.0 ++++++ getcanonname-use-after-free.patch ++++++ From 00ae4f10b504bc4564e9f22f00907093f1ab9338 Mon Sep 17 00:00:00 2001 From: Siddhesh Poyarekar <siddhesh@sourceware.org> Date: Fri, 15 Sep 2023 13:51:12 -0400 Subject: [PATCH] getaddrinfo: Fix use after free in getcanonname (CVE-2023-4806) When an NSS plugin only implements the _gethostbyname2_r and _getcanonname_r callbacks, getaddrinfo could use memory that was freed during tmpbuf resizing, through h_name in a previous query response. The backing store for res->at->name when doing a query with gethostbyname3_r or gethostbyname2_r is tmpbuf, which is reallocated in gethosts during the query. For AF_INET6 lookup with AI_ALL | AI_V4MAPPED, gethosts gets called twice, once for a v6 lookup and second for a v4 lookup. In this case, if the first call reallocates tmpbuf enough number of times, resulting in a malloc, th->h_name (that res->at->name refers to) ends up on a heap allocated storage in tmpbuf. Now if the second call to gethosts also causes the plugin callback to return NSS_STATUS_TRYAGAIN, tmpbuf will get freed, resulting in a UAF reference in res->at->name. This then gets dereferenced in the getcanonname_r plugin call, resulting in the use after free. Fix this by copying h_name over and freeing it at the end. This resolves BZ #30843, which is assigned CVE-2023-4806. Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org> (cherry picked from commit 973fe93a5675c42798b2161c6f29c01b0e243994) --- nss/Makefile | 15 ++++- nss/nss_test_gai_hv2_canonname.c | 56 +++++++++++++++++ nss/tst-nss-gai-hv2-canonname.c | 63 +++++++++++++++++++ nss/tst-nss-gai-hv2-canonname.h | 1 + .../postclean.req | 0 .../tst-nss-gai-hv2-canonname.script | 2 + sysdeps/posix/getaddrinfo.c | 25 +++++--- 7 files changed, 152 insertions(+), 10 deletions(-) create mode 100644 nss/nss_test_gai_hv2_canonname.c create mode 100644 nss/tst-nss-gai-hv2-canonname.c create mode 100644 nss/tst-nss-gai-hv2-canonname.h create mode 100644 nss/tst-nss-gai-hv2-canonname.root/postclean.req create mode 100644 nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script diff --git a/nss/Makefile b/nss/Makefile index 06fcdc450f..8a5126ecf3 100644 --- a/nss/Makefile +++ b/nss/Makefile @@ -82,6 +82,7 @@ tests-container := \ tst-nss-test3 \ tst-reload1 \ tst-reload2 \ + tst-nss-gai-hv2-canonname \ # tests-container # Tests which need libdl @@ -145,7 +146,8 @@ libnss_compat-inhibit-o = $(filter-out .os,$(object-suffixes)) ifeq ($(build-static-nss),yes) tests-static += tst-nss-static endif -extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os +extra-test-objs += nss_test1.os nss_test2.os nss_test_errno.os \ + nss_test_gai_hv2_canonname.os include ../Rules @@ -180,12 +182,16 @@ rtld-tests-LDFLAGS += -Wl,--dynamic-list=nss_test.ver libof-nss_test1 = extramodules libof-nss_test2 = extramodules libof-nss_test_errno = extramodules +libof-nss_test_gai_hv2_canonname = extramodules $(objpfx)/libnss_test1.so: $(objpfx)nss_test1.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test2.so: $(objpfx)nss_test2.os $(link-libc-deps) $(build-module) $(objpfx)/libnss_test_errno.so: $(objpfx)nss_test_errno.os $(link-libc-deps) $(build-module) +$(objpfx)/libnss_test_gai_hv2_canonname.so: \ + $(objpfx)nss_test_gai_hv2_canonname.os $(link-libc-deps) + $(build-module) $(objpfx)nss_test2.os : nss_test1.c # Use the nss_files suffix for these objects as well. $(objpfx)/libnss_test1.so$(libnss_files.so-version): $(objpfx)/libnss_test1.so @@ -195,10 +201,14 @@ $(objpfx)/libnss_test2.so$(libnss_files.so-version): $(objpfx)/libnss_test2.so $(objpfx)/libnss_test_errno.so$(libnss_files.so-version): \ $(objpfx)/libnss_test_errno.so $(make-link) +$(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version): \ + $(objpfx)/libnss_test_gai_hv2_canonname.so + $(make-link) $(patsubst %,$(objpfx)%.out,$(tests) $(tests-container)) : \ $(objpfx)/libnss_test1.so$(libnss_files.so-version) \ $(objpfx)/libnss_test2.so$(libnss_files.so-version) \ - $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) + $(objpfx)/libnss_test_errno.so$(libnss_files.so-version) \ + $(objpfx)/libnss_test_gai_hv2_canonname.so$(libnss_files.so-version) ifeq (yes,$(have-thread-library)) $(objpfx)tst-cancel-getpwuid_r: $(shared-thread-library) @@ -215,3 +225,4 @@ LDFLAGS-tst-nss-test3 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test4 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test5 = -Wl,--disable-new-dtags LDFLAGS-tst-nss-test_errno = -Wl,--disable-new-dtags +LDFLAGS-tst-nss-test_gai_hv2_canonname = -Wl,--disable-new-dtags diff --git a/nss/nss_test_gai_hv2_canonname.c b/nss/nss_test_gai_hv2_canonname.c new file mode 100644 index 0000000000..4439c83c9f --- /dev/null +++ b/nss/nss_test_gai_hv2_canonname.c @@ -0,0 +1,56 @@ +/* NSS service provider that only provides gethostbyname2_r. + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <nss.h> +#include <stdlib.h> +#include <string.h> +#include "nss/tst-nss-gai-hv2-canonname.h" + +/* Catch misnamed and functions. */ +#pragma GCC diagnostic error "-Wmissing-prototypes" +NSS_DECLARE_MODULE_FUNCTIONS (test_gai_hv2_canonname) + +extern enum nss_status _nss_files_gethostbyname2_r (const char *, int, + struct hostent *, char *, + size_t, int *, int *); + +enum nss_status +_nss_test_gai_hv2_canonname_gethostbyname2_r (const char *name, int af, + struct hostent *result, + char *buffer, size_t buflen, + int *errnop, int *herrnop) +{ + return _nss_files_gethostbyname2_r (name, af, result, buffer, buflen, errnop, + herrnop); +} + +enum nss_status +_nss_test_gai_hv2_canonname_getcanonname_r (const char *name, char *buffer, + size_t buflen, char **result, + int *errnop, int *h_errnop) +{ + /* We expect QUERYNAME, which is a small enough string that it shouldn't fail + the test. */ + if (memcmp (QUERYNAME, name, sizeof (QUERYNAME)) + || buflen < sizeof (QUERYNAME)) + abort (); + + strncpy (buffer, name, buflen); + *result = buffer; + return NSS_STATUS_SUCCESS; +} diff --git a/nss/tst-nss-gai-hv2-canonname.c b/nss/tst-nss-gai-hv2-canonname.c new file mode 100644 index 0000000000..d5f10c07d6 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.c @@ -0,0 +1,63 @@ +/* Test NSS query path for plugins that only implement gethostbyname2 + (#30843). + Copyright The GNU Toolchain Authors. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <nss.h> +#include <netdb.h> +#include <stdlib.h> +#include <string.h> +#include <support/check.h> +#include <support/xstdio.h> +#include "nss/tst-nss-gai-hv2-canonname.h" + +#define PREPARE do_prepare + +static void do_prepare (int a, char **av) +{ + FILE *hosts = xfopen ("/etc/hosts", "w"); + for (unsigned i = 2; i < 255; i++) + { + fprintf (hosts, "ff01::ff02:ff03:%u:2\ttest.example.com\n", i); + fprintf (hosts, "192.168.0.%u\ttest.example.com\n", i); + } + xfclose (hosts); +} + +static int +do_test (void) +{ + __nss_configure_lookup ("hosts", "test_gai_hv2_canonname"); + + struct addrinfo hints = {}; + struct addrinfo *result = NULL; + + hints.ai_family = AF_INET6; + hints.ai_flags = AI_ALL | AI_V4MAPPED | AI_CANONNAME; + + int ret = getaddrinfo (QUERYNAME, NULL, &hints, &result); + + if (ret != 0) + FAIL_EXIT1 ("getaddrinfo failed: %s\n", gai_strerror (ret)); + + TEST_COMPARE_STRING (result->ai_canonname, QUERYNAME); + + freeaddrinfo(result); + return 0; +} + +#include <support/test-driver.c> diff --git a/nss/tst-nss-gai-hv2-canonname.h b/nss/tst-nss-gai-hv2-canonname.h new file mode 100644 index 0000000000..14f2a9cb08 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.h @@ -0,0 +1 @@ +#define QUERYNAME "test.example.com" diff --git a/nss/tst-nss-gai-hv2-canonname.root/postclean.req b/nss/tst-nss-gai-hv2-canonname.root/postclean.req new file mode 100644 index 0000000000..e69de29bb2 diff --git a/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script new file mode 100644 index 0000000000..31848b4a28 --- /dev/null +++ b/nss/tst-nss-gai-hv2-canonname.root/tst-nss-gai-hv2-canonname.script @@ -0,0 +1,2 @@ +cp $B/nss/libnss_test_gai_hv2_canonname.so $L/libnss_test_gai_hv2_canonname.so.2 +su diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c index 0356b622be..b2236b105c 100644 --- a/sysdeps/posix/getaddrinfo.c +++ b/sysdeps/posix/getaddrinfo.c @@ -120,6 +120,7 @@ struct gaih_result { struct gaih_addrtuple *at; char *canon; + char *h_name; bool free_at; bool got_ipv6; }; @@ -165,6 +166,7 @@ gaih_result_reset (struct gaih_result *res) if (res->free_at) free (res->at); free (res->canon); + free (res->h_name); memset (res, 0, sizeof (*res)); } @@ -203,9 +205,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp, return 0; } -/* Convert struct hostent to a list of struct gaih_addrtuple objects. h_name - is not copied, and the struct hostent object must not be deallocated - prematurely. The new addresses are appended to the tuple array in RES. */ +/* Convert struct hostent to a list of struct gaih_addrtuple objects. The new + addresses are appended to the tuple array in RES. */ static bool convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, struct hostent *h, struct gaih_result *res) @@ -238,6 +239,15 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, res->at = array; res->free_at = true; + /* Duplicate h_name because it may get reclaimed when the underlying storage + is freed. */ + if (res->h_name == NULL) + { + res->h_name = __strdup (h->h_name); + if (res->h_name == NULL) + return false; + } + /* Update the next pointers on reallocation. */ for (size_t i = 0; i < old; i++) array[i].next = array + i + 1; @@ -262,7 +272,6 @@ convert_hostent_to_gaih_addrtuple (const struct addrinfo *req, int family, } array[i].next = array + i + 1; } - array[0].name = h->h_name; array[count - 1].next = NULL; return true; @@ -324,15 +333,15 @@ gethosts (nss_gethostbyname3_r fct, int family, const char *name, memory allocation failure. The returned string is allocated on the heap; the caller has to free it. */ static char * -getcanonname (nss_action_list nip, struct gaih_addrtuple *at, const char *name) +getcanonname (nss_action_list nip, const char *hname, const char *name) { nss_getcanonname_r *cfct = __nss_lookup_function (nip, "getcanonname_r"); char *s = (char *) name; if (cfct != NULL) { char buf[256]; - if (DL_CALL_FCT (cfct, (at->name ?: name, buf, sizeof (buf), - &s, &errno, &h_errno)) != NSS_STATUS_SUCCESS) + if (DL_CALL_FCT (cfct, (hname ?: name, buf, sizeof (buf), &s, &errno, + &h_errno)) != NSS_STATUS_SUCCESS) /* If the canonical name cannot be determined, use the passed string. */ s = (char *) name; @@ -771,7 +780,7 @@ get_nss_addresses (const char *name, const struct addrinfo *req, if ((req->ai_flags & AI_CANONNAME) != 0 && res->canon == NULL) { - char *canonbuf = getcanonname (nip, res->at, name); + char *canonbuf = getcanonname (nip, res->h_name, name); if (canonbuf == NULL) { __resolv_context_put (res_ctx); -- 2.42.0 ++++++ intl-c-utf-8-like-c-locale.patch ++++++ From 2897b231a6b71ee17d47d3d63f1112b2641a476c Mon Sep 17 00:00:00 2001 From: Bruno Haible <bruno@clisp.org> Date: Mon, 4 Sep 2023 15:31:36 +0200 Subject: [PATCH] intl: Treat C.UTF-8 locale like C locale (BZ# 16621) The wiki page https://sourceware.org/glibc/wiki/Proposals/C.UTF-8 says that "Setting LC_ALL=C.UTF-8 will ignore LANGUAGE just like it does with LC_ALL=C." This patch implements it. * intl/dcigettext.c (guess_category_value): Treat C.<encoding> locale like the C locale. Reviewed-by: Florian Weimer <fweimer@redhat.com> --- intl/dcigettext.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/intl/dcigettext.c b/intl/dcigettext.c index 7886ac9545..27063886d2 100644 --- a/intl/dcigettext.c +++ b/intl/dcigettext.c @@ -1560,8 +1560,12 @@ guess_category_value (int category, const char *categoryname) 2. The precise output of some programs in the "C" locale is specified by POSIX and should not depend on environment variables like "LANGUAGE" or system-dependent information. We allow such programs - to use gettext(). */ - if (strcmp (locale, "C") == 0) + to use gettext(). + Ignore LANGUAGE and its system-dependent analogon also if the locale is + set to "C.UTF-8" or, more generally, to "C.<encoding>", because that's + the by-design behaviour for glibc, see + <https://sourceware.org/glibc/wiki/Proposals/C.UTF-8>. */ + if (locale[0] == 'C' && (locale[1] == '\0' || locale[1] == '.')) return locale; /* The highest priority value is the value of the 'LANGUAGE' environment -- 2.42.0 ++++++ libio-io-vtables.patch ++++++ From 92201f16cbcfd9eafe314ef6654be2ea7ba25675 Mon Sep 17 00:00:00 2001 From: Adam Jackson <ajax@redhat.com> Date: Fri, 8 Sep 2023 15:55:19 -0400 Subject: [PATCH] libio: Fix oversized __io_vtables IO_VTABLES_LEN is the size of the struct array in bytes, not the number of __IO_jump_t's in the array. Drops just under 384kb from .rodata on LP64 machines. Fixes: 3020f72618e ("libio: Remove the usage of __libc_IO_vtables") Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Florian Weimer <fweimer@redhat.com> Tested-by: Florian Weimer <fweimer@redhat.com> (cherry picked from commit 8cb69e054386f980f9ff4d93b157861d72b2019e) --- libio/vtables.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/libio/vtables.c b/libio/vtables.c index 1d8ad612e9..34f7e15f1c 100644 --- a/libio/vtables.c +++ b/libio/vtables.c @@ -20,6 +20,7 @@ #include <libioP.h> #include <stdio.h> #include <ldsodefs.h> +#include <array_length.h> #include <pointer_guard.h> #include <libio-macros.h> @@ -88,7 +89,7 @@ # pragma weak __wprintf_buffer_as_file_xsputn #endif -const struct _IO_jump_t __io_vtables[IO_VTABLES_LEN] attribute_relro = +const struct _IO_jump_t __io_vtables[] attribute_relro = { /* _IO_str_jumps */ [IO_STR_JUMPS] = @@ -485,6 +486,8 @@ const struct _IO_jump_t __io_vtables[IO_VTABLES_LEN] attribute_relro = }, #endif }; +_Static_assert (array_length (__io_vtables) == IO_VTABLES_NUM, + "initializer count"); #ifdef SHARED -- 2.42.0 ++++++ no-aaaa-read-overflow.patch ++++++ From bd77dd7e73e3530203be1c52c8a29d08270cb25d Mon Sep 17 00:00:00 2001 From: Florian Weimer <fweimer@redhat.com> Date: Wed, 13 Sep 2023 14:10:56 +0200 Subject: [PATCH] CVE-2023-4527: Stack read overflow with large TCP responses in no-aaaa mode Without passing alt_dns_packet_buffer, __res_context_search can only store 2048 bytes (what fits into dns_packet_buffer). However, the function returns the total packet size, and the subsequent DNS parsing code in _nss_dns_gethostbyname4_r reads beyond the end of the stack-allocated buffer. Fixes commit f282cdbe7f436c75864e5640a4 ("resolv: Implement no-aaaa stub resolver option") and bug 30842. --- NEWS | 6 +- resolv/Makefile | 2 + resolv/nss_dns/dns-host.c | 2 +- resolv/tst-resolv-noaaaa-vc.c | 129 ++++++++++++++++++++++++++++++++++ 4 files changed, 137 insertions(+), 2 deletions(-) create mode 100644 resolv/tst-resolv-noaaaa-vc.c diff --git a/resolv/Makefile b/resolv/Makefile index 054b1fa36c..2f99eb3862 100644 --- a/resolv/Makefile +++ b/resolv/Makefile @@ -102,6 +102,7 @@ tests += \ tst-resolv-invalid-cname \ tst-resolv-network \ tst-resolv-noaaaa \ + tst-resolv-noaaaa-vc \ tst-resolv-nondecimal \ tst-resolv-res_init-multi \ tst-resolv-search \ @@ -293,6 +294,7 @@ $(objpfx)tst-resolv-res_init-thread: $(objpfx)libresolv.so \ $(objpfx)tst-resolv-invalid-cname: $(objpfx)libresolv.so \ $(shared-thread-library) $(objpfx)tst-resolv-noaaaa: $(objpfx)libresolv.so $(shared-thread-library) +$(objpfx)tst-resolv-noaaaa-vc: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-nondecimal: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-qtypes: $(objpfx)libresolv.so $(shared-thread-library) $(objpfx)tst-resolv-rotate: $(objpfx)libresolv.so $(shared-thread-library) diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c index c8b77bbc35..119dc9f00f 100644 --- a/resolv/nss_dns/dns-host.c +++ b/resolv/nss_dns/dns-host.c @@ -427,7 +427,7 @@ _nss_dns_gethostbyname4_r (const char *name, struct gaih_addrtuple **pat, { n = __res_context_search (ctx, name, C_IN, T_A, dns_packet_buffer, sizeof (dns_packet_buffer), - NULL, NULL, NULL, NULL, NULL); + &alt_dns_packet_buffer, NULL, NULL, NULL, NULL); if (n >= 0) status = gaih_getanswer_noaaaa (alt_dns_packet_buffer, n, &abuf, pat, errnop, herrnop, ttlp); diff --git a/resolv/tst-resolv-noaaaa-vc.c b/resolv/tst-resolv-noaaaa-vc.c new file mode 100644 index 0000000000..9f5aebd99f --- /dev/null +++ b/resolv/tst-resolv-noaaaa-vc.c @@ -0,0 +1,129 @@ +/* Test the RES_NOAAAA resolver option with a large response. + Copyright (C) 2022-2023 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <https://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <netdb.h> +#include <resolv.h> +#include <stdbool.h> +#include <stdlib.h> +#include <support/check.h> +#include <support/check_nss.h> +#include <support/resolv_test.h> +#include <support/support.h> +#include <support/xmemstream.h> + +/* Used to keep track of the number of queries. */ +static volatile unsigned int queries; + +/* If true, add a large TXT record at the start of the answer section. */ +static volatile bool stuff_txt; + +static void +response (const struct resolv_response_context *ctx, + struct resolv_response_builder *b, + const char *qname, uint16_t qclass, uint16_t qtype) +{ + /* If not using TCP, just force its use. */ + if (!ctx->tcp) + { + struct resolv_response_flags flags = {.tc = true}; + resolv_response_init (b, flags); + resolv_response_add_question (b, qname, qclass, qtype); + return; + } + + /* The test needs to send four queries, the first three are used to + grow the NSS buffer via the ERANGE handshake. */ + ++queries; + TEST_VERIFY (queries <= 4); + + /* AAAA queries are supposed to be disabled. */ + TEST_COMPARE (qtype, T_A); + TEST_COMPARE (qclass, C_IN); + TEST_COMPARE_STRING (qname, "example.com"); + + struct resolv_response_flags flags = {}; + resolv_response_init (b, flags); + resolv_response_add_question (b, qname, qclass, qtype); + + resolv_response_section (b, ns_s_an); + + if (stuff_txt) + { + resolv_response_open_record (b, qname, qclass, T_TXT, 60); + int zero = 0; + for (int i = 0; i <= 15000; ++i) + resolv_response_add_data (b, &zero, sizeof (zero)); + resolv_response_close_record (b); + } + + for (int i = 0; i < 200; ++i) + { + resolv_response_open_record (b, qname, qclass, qtype, 60); + char ipv4[4] = {192, 0, 2, i + 1}; + resolv_response_add_data (b, &ipv4, sizeof (ipv4)); + resolv_response_close_record (b); + } +} + +static int +do_test (void) +{ + struct resolv_test *obj = resolv_test_start + ((struct resolv_redirect_config) + { + .response_callback = response + }); + + _res.options |= RES_NOAAAA; + + for (int do_stuff_txt = 0; do_stuff_txt < 2; ++do_stuff_txt) + { + queries = 0; + stuff_txt = do_stuff_txt; + + struct addrinfo *ai = NULL; + int ret; + ret = getaddrinfo ("example.com", "80", + &(struct addrinfo) + { + .ai_family = AF_UNSPEC, + .ai_socktype = SOCK_STREAM, + }, &ai); + + char *expected_result; + { + struct xmemstream mem; + xopen_memstream (&mem); + for (int i = 0; i < 200; ++i) + fprintf (mem.out, "address: STREAM/TCP 192.0.2.%d 80\n", i + 1); + xfclose_memstream (&mem); + expected_result = mem.buffer; + } + + check_addrinfo ("example.com", ai, ret, expected_result); + + free (expected_result); + freeaddrinfo (ai); + } + + resolv_test_end (obj); + return 0; +} + +#include <support/test-driver.c> -- 2.42.0 ++++++ nsswitch.conf ++++++ --- /var/tmp/diff_new_pack.58pn1S/_old 2023-09-29 21:12:25.495261453 +0200 +++ /var/tmp/diff_new_pack.58pn1S/_new 2023-09-29 21:12:25.499261597 +0200 @@ -52,9 +52,9 @@ # shadow: db files # group: db files -passwd: compat -group: compat -shadow: compat +passwd: compat systemd +group: compat systemd +shadow: compat systemd # Allow initgroups to default to the setting for group. # initgroups: compat ++++++ ppc64-flock-fob64.patch ++++++ From 434bf72a94de68f0cc7fbf3c44bf38c1911b70cb Mon Sep 17 00:00:00 2001 From: Aurelien Jarno <aurelien@aurel32.net> Date: Mon, 28 Aug 2023 23:30:37 +0200 Subject: [PATCH] io: Fix record locking contants for powerpc64 with __USE_FILE_OFFSET64 Commit 5f828ff824e3b7cd1 ("io: Fix F_GETLK, F_SETLK, and F_SETLKW for powerpc64") fixed an issue with the value of the lock constants on powerpc64 when not using __USE_FILE_OFFSET64, but it ended-up also changing the value when using __USE_FILE_OFFSET64 causing an API change. Fix that by also checking that define, restoring the pre 4d0fe291aed3a476a commit values: Default values: - F_GETLK: 5 - F_SETLK: 6 - F_SETLKW: 7 With -D_FILE_OFFSET_BITS=64: - F_GETLK: 12 - F_SETLK: 13 - F_SETLKW: 14 At the same time, it has been noticed that there was no test for io lock with __USE_FILE_OFFSET64, so just add one. Tested on x86_64-linux-gnu, i686-linux-gnu and powerpc64le-unknown-linux-gnu. Resolves: BZ #30804. Co-authored-by: Adhemerval Zanella <adhemerval.zanella@linaro.org> Signed-off-by: Aurelien Jarno <aurelien@aurel32.net> --- io/Makefile | 1 + io/tst-fcntl-lock-lfs.c | 2 ++ sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h | 2 +- 3 files changed, 4 insertions(+), 1 deletion(-) create mode 100644 io/tst-fcntl-lock-lfs.c diff --git a/io/Makefile b/io/Makefile index 6ccc0e8691..8a3c83a3bb 100644 --- a/io/Makefile +++ b/io/Makefile @@ -192,6 +192,7 @@ tests := \ tst-fchownat \ tst-fcntl \ tst-fcntl-lock \ + tst-fcntl-lock-lfs \ tst-fstatat \ tst-fts \ tst-fts-lfs \ diff --git a/io/tst-fcntl-lock-lfs.c b/io/tst-fcntl-lock-lfs.c new file mode 100644 index 0000000000..f2a909fb02 --- /dev/null +++ b/io/tst-fcntl-lock-lfs.c @@ -0,0 +1,2 @@ +#define _FILE_OFFSET_BITS 64 +#include <io/tst-fcntl-lock.c> diff --git a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h index f7615a447e..d8a291a331 100644 --- a/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h +++ b/sysdeps/unix/sysv/linux/powerpc/bits/fcntl.h @@ -33,7 +33,7 @@ # define __O_LARGEFILE 0200000 #endif -#if __WORDSIZE == 64 +#if __WORDSIZE == 64 && !defined __USE_FILE_OFFSET64 # define F_GETLK 5 # define F_SETLK 6 # define F_SETLKW 7 -- 2.42.0