[ipfire-2.x.git] / src / patches / glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch

From 4b6be914bd3920500a67ef6ca1aa7d1c37e5e859 Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@linux-m68k.org>
Date: Thu, 27 May 2021 12:49:47 +0200
Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)

Make a deep copy of the pthread attribute object to remove a potential
use-after-free issue.

(cherry picked from commit 42d359350510506b87101cf77202fefcbfc790cb)
---
 NEWS                                |  6 ++++++
 sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++-----
 2 files changed, 16 insertions(+), 5 deletions(-)

diff --git a/NEWS b/NEWS
index 0c33a80af9..b9e570b4a4 100644
--- a/NEWS
+++ b/NEWS
@@ -13,6 +13,12 @@ Major new features:
   a dump of information related to IFUNC resolver operation and
   glibc-hwcaps subdirectory selection.
 
+Security related changes:
+
+  CVE-2021-33574: The mq_notify function has a potential use-after-free
+  issue when using a notification type of SIGEV_THREAD and a thread
+  attribute with a non-default affinity mask.
+
 The following bugs are resolved with this release:
 
   [15271] dlfcn function failure after dlmopen terminates process
diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
index cc575a0cdd..f7ddfe5a6c 100644
--- a/sysdeps/unix/sysv/linux/mq_notify.c
+++ b/sysdeps/unix/sysv/linux/mq_notify.c
@@ -133,8 +133,11 @@ helper_thread (void *arg)
 	    (void) __pthread_barrier_wait (&notify_barrier);
 	}
       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
-	/* The only state we keep is the copy of the thread attributes.  */
-	free (data.attr);
+	{
+	  /* The only state we keep is the copy of the thread attributes.  */
+	  pthread_attr_destroy (data.attr);
+	  free (data.attr);
+	}
     }
   return NULL;
 }
@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
       if (data.attr == NULL)
 	return -1;
 
-      memcpy (data.attr, notification->sigev_notify_attributes,
-	      sizeof (pthread_attr_t));
+      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
     }
 
   /* Construct the new request.  */
@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
 
   /* If it failed, free the allocated memory.  */
   if (__glibc_unlikely (retval != 0))
-    free (data.attr);
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
 
   return retval;
 }
-- 
2.20.1
Commit	Line	Data
b9a4368a MT	1	From 4b6be914bd3920500a67ef6ca1aa7d1c37e5e859 Mon Sep 17 00:00:00 2001
	2	From: Andreas Schwab <schwab@linux-m68k.org>
	3	Date: Thu, 27 May 2021 12:49:47 +0200
	4	Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896)
	5
	6	Make a deep copy of the pthread attribute object to remove a potential
	7	use-after-free issue.
	8
	9	(cherry picked from commit 42d359350510506b87101cf77202fefcbfc790cb)
	10	---
	11	NEWS \| 6 ++++++
	12	sysdeps/unix/sysv/linux/mq_notify.c \| 15 ++++++++++-----
	13	2 files changed, 16 insertions(+), 5 deletions(-)
	14
	15	diff --git a/NEWS b/NEWS
	16	index 0c33a80af9..b9e570b4a4 100644
	17	--- a/NEWS
	18	+++ b/NEWS
	19	@@ -13,6 +13,12 @@ Major new features:
	20	a dump of information related to IFUNC resolver operation and
	21	glibc-hwcaps subdirectory selection.
	22
	23	+Security related changes:
	24	+
	25	+ CVE-2021-33574: The mq_notify function has a potential use-after-free
	26	+ issue when using a notification type of SIGEV_THREAD and a thread
	27	+ attribute with a non-default affinity mask.
	28	+
	29	The following bugs are resolved with this release:
	30
	31	[15271] dlfcn function failure after dlmopen terminates process
	32	diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c
	33	index cc575a0cdd..f7ddfe5a6c 100644
	34	--- a/sysdeps/unix/sysv/linux/mq_notify.c
	35	+++ b/sysdeps/unix/sysv/linux/mq_notify.c
	36	@@ -133,8 +133,11 @@ helper_thread (void *arg)
	37	(void) __pthread_barrier_wait (&notify_barrier);
	38	}
	39	else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
	40	- /* The only state we keep is the copy of the thread attributes. */
	41	- free (data.attr);
	42	+ {
	43	+ /* The only state we keep is the copy of the thread attributes. */
	44	+ pthread_attr_destroy (data.attr);
	45	+ free (data.attr);
	46	+ }
	47	}
	48	return NULL;
	49	}
	50	@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
	51	if (data.attr == NULL)
	52	return -1;
	53
	54	- memcpy (data.attr, notification->sigev_notify_attributes,
	55	- sizeof (pthread_attr_t));
	56	+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
	57	}
	58
	59	/* Construct the new request. */
	60	@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
	61
	62	/* If it failed, free the allocated memory. */
	63	if (__glibc_unlikely (retval != 0))
	64	- free (data.attr);
65	+ {
66	+ pthread_attr_destroy (data.attr);
67	+ free (data.attr);
68	+ }
69
70	return retval;
71	}
72	--
73	2.20.1
74