Commit | Line | Data |
---|---|---|
b9a4368a MT |
1 | From 4b6be914bd3920500a67ef6ca1aa7d1c37e5e859 Mon Sep 17 00:00:00 2001 |
2 | From: Andreas Schwab <schwab@linux-m68k.org> | |
3 | Date: Thu, 27 May 2021 12:49:47 +0200 | |
4 | Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) | |
5 | ||
6 | Make a deep copy of the pthread attribute object to remove a potential | |
7 | use-after-free issue. | |
8 | ||
9 | (cherry picked from commit 42d359350510506b87101cf77202fefcbfc790cb) | |
10 | --- | |
11 | NEWS | 6 ++++++ | |
12 | sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- | |
13 | 2 files changed, 16 insertions(+), 5 deletions(-) | |
14 | ||
15 | diff --git a/NEWS b/NEWS | |
16 | index 0c33a80af9..b9e570b4a4 100644 | |
17 | --- a/NEWS | |
18 | +++ b/NEWS | |
19 | @@ -13,6 +13,12 @@ Major new features: | |
20 | a dump of information related to IFUNC resolver operation and | |
21 | glibc-hwcaps subdirectory selection. | |
22 | ||
23 | +Security related changes: | |
24 | + | |
25 | + CVE-2021-33574: The mq_notify function has a potential use-after-free | |
26 | + issue when using a notification type of SIGEV_THREAD and a thread | |
27 | + attribute with a non-default affinity mask. | |
28 | + | |
29 | The following bugs are resolved with this release: | |
30 | ||
31 | [15271] dlfcn function failure after dlmopen terminates process | |
32 | diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c | |
33 | index cc575a0cdd..f7ddfe5a6c 100644 | |
34 | --- a/sysdeps/unix/sysv/linux/mq_notify.c | |
35 | +++ b/sysdeps/unix/sysv/linux/mq_notify.c | |
36 | @@ -133,8 +133,11 @@ helper_thread (void *arg) | |
37 | (void) __pthread_barrier_wait (¬ify_barrier); | |
38 | } | |
39 | else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) | |
40 | - /* The only state we keep is the copy of the thread attributes. */ | |
41 | - free (data.attr); | |
42 | + { | |
43 | + /* The only state we keep is the copy of the thread attributes. */ | |
44 | + pthread_attr_destroy (data.attr); | |
45 | + free (data.attr); | |
46 | + } | |
47 | } | |
48 | return NULL; | |
49 | } | |
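Review bot: `pthread_attr_destroy (data.attr)` in the NOTIFY_REMOVED branch is not null-safe the way the `free (data.attr)` it now precedes is, so the branch needs a null check. The second mq_notify hunk shows the allocation and copy inside a block that closes right after the copy, which suggests data.attr stays NULL when the caller passes no sigev_notify_attributes; if that is the case, this branch and the `retval != 0` path in the last hunk would both dereference a null pointer. Guard the pair here with `if (data.attr != NULL)` and change the mq_notify failure check to `if (__glibc_unlikely (retval != 0 && data.attr != NULL))`. helper_thread's body starts outside the hunk, so the initial value of data.attr should be confirmed there.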
50 | @@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | |
51 | if (data.attr == NULL) | |
52 | return -1; | |
53 | ||
54 | - memcpy (data.attr, notification->sigev_notify_attributes, | |
55 | - sizeof (pthread_attr_t)); | |
56 | + __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); | |
57 | } | |
58 | ||
59 | /* Construct the new request. */ | |
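Review bot: The return value of `__pthread_attr_copy` is discarded, so a failed deep copy goes unnoticed. Since the copy has to duplicate the affinity mask, it can presumably fail on allocation; data.attr would then be a malloc'd but not properly initialised pthread_attr_t that is still sent with the request and later passed to pthread_attr_destroy. Check the result and, on failure, free the buffer, set errno from the returned code and return -1 before the request is constructed. mq_notify's body starts and ends outside this hunk.

```c
      /* … unchanged: malloc of data.attr and its NULL check … */

      int ret = __pthread_attr_copy (data.attr,
                                     notification->sigev_notify_attributes);
      if (ret != 0)
        {
          /* Copy failed: nothing was initialised, so only free the buffer.  */
          free (data.attr);
          __set_errno (ret);
          return -1;
        }
```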
60 | @@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) | |
61 | ||
62 | /* If it failed, free the allocated memory. */ | |
63 | if (__glibc_unlikely (retval != 0)) | |
64 | - free (data.attr); | |
65 | + { | |
66 | + pthread_attr_destroy (data.attr); | |
67 | + free (data.attr); | |
68 | + } | |
69 | ||
70 | return retval; | |
71 | } | |
72 | -- | |
73 | 2.20.1 | |
74 |