Merge branch 'kernel-update' of ssh://git.ipfire.org/pub/git/ipfire-2.x into kernel...

[ipfire-2.x.git] / src / patches / glibc / glibc-rh767146.patch

diff --git a/src/patches/glibc/glibc-rh767146.patch b/src/patches/glibc/glibc-rh767146.patch
new file mode 100644 (file)
index 0000000..8252062
--- /dev/null
+++ b/src/patches/glibc/glibc-rh767146.patch
@@ -0,0 +1,21 @@
+diff -rup a/elf/dl-load.c b/elf/dl-load.c
+--- a/elf/dl-load.c    2012-02-03 10:59:58.917870716 -0700
++++ b/elf/dl-load.c    2012-02-03 11:01:01.796580644 -0700
+@@ -1130,6 +1130,16 @@ _dl_map_object_from_fd (const char *name
+               = N_("ELF load command address/offset not properly aligned");
+             goto call_lose;
+           }
++        if (__builtin_expect ((ph->p_offset + ph->p_filesz > st.st_size), 0))
++          {
++            /* If the segment requires zeroing of part of its last
++               page, we'll crash when accessing the unmapped page.
++               There's still a possibility of a race, if the shared
++               object is truncated between the fxstat above and the
++               memset below.  */
++            errstring = N_("ELF load command past end of file");
++            goto call_lose;
++          }
+ 
+         c = &loadcmds[nloadcmds++];
+         c->mapstart = ph->p_vaddr & ~(GLRO(dl_pagesize) - 1);
+Only in b/elf: dl-load.c.orig