Version in base suite: 2.36-9+deb12u4 Base version: glibc_2.36-9+deb12u4 Target version: glibc_2.36-9+deb12u5 Base file: /srv/ftp-master.debian.org/ftp/pool/main/g/glibc/glibc_2.36-9+deb12u4.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/g/glibc/glibc_2.36-9+deb12u5.dsc changelog | 16 patches/any/local-CVE-2023-4911.patch | 60 - patches/any/local-CVE-2023-6246.patch | 174 ----- patches/any/local-CVE-2023-6779.patch | 99 --- patches/any/local-CVE-2023-6780.patch | 33 - patches/git-updates.diff | 1059 +++++++++++++--------------------- patches/series | 4 7 files changed, 422 insertions(+), 1023 deletions(-) diff -Nru glibc-2.36/debian/changelog glibc-2.36/debian/changelog --- glibc-2.36/debian/changelog 2024-01-23 20:57:06.000000000 +0000 +++ glibc-2.36/debian/changelog 2024-03-24 12:07:31.000000000 +0000 @@ -1,3 +1,19 @@ +glibc (2.36-9+deb12u5) bookworm; urgency=medium + + * debian/patches/git-updates.diff: update from upstream stable branch: + - any/local-CVE-2023-4911.patch: upstreamed. + - any/local-CVE-2023-6246.patch: upstreamed. + - any/local-CVE-2023-6779.patch: upstreamed. + - any/local-CVE-2023-6780.patch: upstreamed. + - Revert fix to always call destructors in reverse constructor order due + to unforeseen application compatibility issues. + - Fix a DTV corruption due to a reuse of a TLS module ID following dlclose + with unused TLS. + - Fix the DTV field load on x32. + - Fix the TCB field load on x32. + + -- Aurelien Jarno Sun, 24 Mar 2024 13:07:31 +0100 + glibc (2.36-9+deb12u4) bookworm-security; urgency=medium * debian/patches/any/local-CVE-2023-6246.patch: Fix a heap buffer overflow diff -Nru glibc-2.36/debian/patches/any/local-CVE-2023-4911.patch glibc-2.36/debian/patches/any/local-CVE-2023-4911.patch --- glibc-2.36/debian/patches/any/local-CVE-2023-4911.patch 2024-01-23 20:56:57.000000000 +0000 +++ glibc-2.36/debian/patches/any/local-CVE-2023-4911.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,60 +0,0 @@ -From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001 -From: Siddhesh Poyarekar -Date: Mon, 11 Sep 2023 18:53:15 -0400 -Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached - -The string parsing routine may end up writing beyond bounds of tunestr -if the input tunable string is malformed, of the form name=name=val. -This gets processed twice, first as name=name=val and next as name=val, -resulting in tunestr being name=name=val:name=val, thus overflowing -tunestr. - -Terminate the parsing loop at the first instance itself so that tunestr -does not overflow. ---- -Changes from v1: - -- Also null-terminate tunestr before exiting. - - elf/dl-tunables.c | 17 ++++++++++------- - 1 file changed, 10 insertions(+), 7 deletions(-) - -diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c -index 8e7ee9df10..76cf8b9da3 100644 ---- a/elf/dl-tunables.c -+++ b/elf/dl-tunables.c -@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) - /* If we reach the end of the string before getting a valid name-value - pair, bail out. */ - if (p[len] == '\0') -- { -- if (__libc_enable_secure) -- tunestr[off] = '\0'; -- return; -- } -+ break; - - /* We did not find a valid name-value pair before encountering the - colon. */ -@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) - } - } - -- if (p[len] != '\0') -- p += len + 1; -+ /* We reached the end while processing the tunable string. */ -+ if (p[len] == '\0') -+ break; -+ -+ p += len + 1; - } -+ -+ /* Terminate tunestr before we leave. */ -+ if (__libc_enable_secure) -+ tunestr[off] = '\0'; - } - #endif - --- -2.41.0 - diff -Nru glibc-2.36/debian/patches/any/local-CVE-2023-6246.patch glibc-2.36/debian/patches/any/local-CVE-2023-6246.patch --- glibc-2.36/debian/patches/any/local-CVE-2023-6246.patch 2024-01-23 20:56:57.000000000 +0000 +++ glibc-2.36/debian/patches/any/local-CVE-2023-6246.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,174 +0,0 @@ -syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6246) - -__vsyslog_internal did not handle a case where printing a SYSLOG_HEADER -containing a long program name failed to update the required buffer -size, leading to the allocation and overflow of a too-small buffer on -the heap. This commit fixes that. It also adds a new regression test -that uses glibc.malloc.check. - -Reviewed-by: Adhemerval Zanella ---- - misc/Makefile | 8 ++- - misc/syslog.c | 50 +++++++++++++------ - misc/tst-syslog-long-progname.c | 39 +++++++++++++++ - .../postclean.req | 0 - 4 files changed, 82 insertions(+), 15 deletions(-) - create mode 100644 misc/tst-syslog-long-progname.c - create mode 100644 misc/tst-syslog-long-progname.root/postclean.req - -diff --git a/misc/Makefile b/misc/Makefile -index 42899c2b6c..c273ec6974 100644 ---- a/misc/Makefile -+++ b/misc/Makefile -@@ -289,7 +289,10 @@ tests-special += $(objpfx)tst-error1-mem.out \ - $(objpfx)tst-allocate_once-mem.out - endif - --tests-container := tst-syslog -+tests-container := \ -+ tst-syslog \ -+ tst-syslog-long-progname \ -+ # tests-container - - CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables - CFLAGS-tsearch.c += $(uses-callbacks) -@@ -351,6 +354,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out - $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ - $(evaluate-test) - -+tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ -+ LD_PRELOAD=libc_malloc_debug.so.0 -+ - $(objpfx)tst-select: $(librt) - $(objpfx)tst-select-time64: $(librt) - $(objpfx)tst-pselect: $(librt) -diff --git a/misc/syslog.c b/misc/syslog.c -index 1b8cb722c5..814d224a1e 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -124,8 +124,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - { - /* Try to use a static buffer as an optimization. 
*/ - char bufs[1024]; -- char *buf = NULL; -- size_t bufsize = 0; -+ char *buf = bufs; -+ size_t bufsize; -+ - int msgoff; - int saved_errno = errno; - -@@ -177,29 +178,50 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ - "<%d>: %n", __pri, __msgoff - -- int l; -+ int l, vl; - if (has_ts) - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ -+ char *pos; -+ size_t len; -+ - if (0 <= l && l < sizeof bufs) - { -- va_list apc; -- va_copy (apc, ap); -+ /* At this point, there is still a chance that we can print the -+ remaining part of the log into bufs and use that. */ -+ pos = bufs + l; -+ len = sizeof (bufs) - l; -+ } -+ else -+ { -+ buf = NULL; -+ /* We already know that bufs is too small to use for this log message. -+ The next vsnprintf into bufs is used only to calculate the total -+ required buffer length. We will discard bufs contents and allocate -+ an appropriately sized buffer later instead. */ -+ pos = bufs; -+ len = sizeof (bufs); -+ } - -- /* Restore errno for %m format. */ -- __set_errno (saved_errno); -+ { -+ va_list apc; -+ va_copy (apc, ap); - -- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, -- mode_flags); -- if (0 <= vl && vl < sizeof bufs - l) -- buf = bufs; -- bufsize = l + vl; -+ /* Restore errno for %m format. 
*/ -+ __set_errno (saved_errno); - -- va_end (apc); -- } -+ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); -+ -+ if (!(0 <= vl && vl < len)) -+ buf = NULL; -+ -+ bufsize = l + vl; -+ va_end (apc); -+ } - - if (buf == NULL) - { -diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c -new file mode 100644 -index 0000000000..88f37a8a00 ---- /dev/null -+++ b/misc/tst-syslog-long-progname.c -@@ -0,0 +1,39 @@ -+/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246) -+ Copyright (C) 2023 Free Software Foundation, Inc. -+ This file is part of the GNU C Library. -+ -+ The GNU C Library is free software; you can redistribute it and/or -+ modify it under the terms of the GNU Lesser General Public -+ License as published by the Free Software Foundation; either -+ version 2.1 of the License, or (at your option) any later version. -+ -+ The GNU C Library is distributed in the hope that it will be useful, -+ but WITHOUT ANY WARRANTY; without even the implied warranty of -+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -+ Lesser General Public License for more details. -+ -+ You should have received a copy of the GNU Lesser General Public -+ License along with the GNU C Library; if not, see -+ . 
*/ -+ -+#include -+#include -+ -+extern char * __progname; -+ -+static int -+do_test (void) -+{ -+ char long_progname[2048]; -+ -+ memset (long_progname, 'X', sizeof (long_progname) - 1); -+ long_progname[sizeof (long_progname) - 1] = '\0'; -+ -+ __progname = long_progname; -+ -+ syslog (LOG_INFO, "Hello, World!"); -+ -+ return 0; -+} -+ -+#include -diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req -new file mode 100644 -index 0000000000..e69de29bb2 --- -2.43.0 - diff -Nru glibc-2.36/debian/patches/any/local-CVE-2023-6779.patch glibc-2.36/debian/patches/any/local-CVE-2023-6779.patch --- glibc-2.36/debian/patches/any/local-CVE-2023-6779.patch 2024-01-23 20:56:57.000000000 +0000 +++ glibc-2.36/debian/patches/any/local-CVE-2023-6779.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,99 +0,0 @@ -syslog: Fix heap buffer overflow in __vsyslog_internal (CVE-2023-6779) - -__vsyslog_internal used the return value of snprintf/vsnprintf to -calculate buffer sizes for memory allocation. If these functions (for -any reason) failed and returned -1, the resulting buffer would be too -small to hold output. This commit fixes that. - -All snprintf/vsnprintf calls are checked for negative return values and -the function silently returns upon encountering them. ---- - misc/syslog.c | 39 ++++++++++++++++++++++++++++----------- - 1 file changed, 28 insertions(+), 11 deletions(-) - -diff --git a/misc/syslog.c b/misc/syslog.c -index 814d224a1e..53440e47ad 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -185,11 +185,13 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - else - l = __snprintf (bufs, sizeof bufs, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ if (l < 0) -+ goto out; - - char *pos; - size_t len; - -- if (0 <= l && l < sizeof bufs) -+ if (l < sizeof bufs) - { - /* At this point, there is still a chance that we can print the - remaining part of the log into bufs and use that. */ -@@ -215,12 +217,15 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - __set_errno (saved_errno); - - vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); -+ va_end (apc); -+ -+ if (vl < 0) -+ goto out; - -- if (!(0 <= vl && vl < len)) -+ if (vl >= len) - buf = NULL; - - bufsize = l + vl; -- va_end (apc); - } - - if (buf == NULL) -@@ -231,25 +236,37 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - /* Tell the cancellation handler to free this buffer. 
*/ - clarg.buf = buf; - -+ int cl; - if (has_ts) -- __snprintf (buf, l + 1, -- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); - else -- __snprintf (buf, l + 1, -- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ cl = __snprintf (buf, l + 1, -+ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); -+ if (cl != l) -+ goto out; - - va_list apc; - va_copy (apc, ap); -- __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -- mode_flags); -+ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -+ mode_flags); - va_end (apc); -+ -+ if (cl != vl) -+ goto out; - } - else - { -+ int bl; - /* Nothing much to do but emit an error message. */ -- bufsize = __snprintf (bufs, sizeof bufs, -- "out of memory[%d]", __getpid ()); -+ bl = __snprintf (bufs, sizeof bufs, -+ "out of memory[%d]", __getpid ()); -+ if (bl < 0 || bl >= sizeof bufs) -+ goto out; -+ -+ bufsize = bl; - buf = bufs; -+ msgoff = 0; - } - } - --- -2.43.0 - diff -Nru glibc-2.36/debian/patches/any/local-CVE-2023-6780.patch glibc-2.36/debian/patches/any/local-CVE-2023-6780.patch --- glibc-2.36/debian/patches/any/local-CVE-2023-6780.patch 2024-01-23 20:56:57.000000000 +0000 +++ glibc-2.36/debian/patches/any/local-CVE-2023-6780.patch 1970-01-01 00:00:00.000000000 +0000 
@@ -1,33 +0,0 @@ -syslog: Fix integer overflow in __vsyslog_internal (CVE-2023-6780) - -__vsyslog_internal calculated a buffer size by adding two integers, but -did not first check if the addition would overflow. This commit fixes -that. ---- - misc/syslog.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/misc/syslog.c b/misc/syslog.c -index 53440e47ad..4af87f54fd 100644 ---- a/misc/syslog.c -+++ b/misc/syslog.c -@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94"; - #include - #include - #include -+#include - - static int LogType = SOCK_DGRAM; /* type of socket connection */ - static int LogFile = -1; /* fd for log */ -@@ -219,7 +220,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); - va_end (apc); - -- if (vl < 0) -+ if (vl < 0 || vl >= INT_MAX - l) - goto out; - - if (vl >= len) --- -2.43.0 - diff -Nru glibc-2.36/debian/patches/git-updates.diff glibc-2.36/debian/patches/git-updates.diff --- glibc-2.36/debian/patches/git-updates.diff 2024-01-23 20:56:57.000000000 +0000 +++ glibc-2.36/debian/patches/git-updates.diff 2024-03-24 12:07:24.000000000 +0000 @@ -68,10 +68,10 @@ else # -s verbose := diff --git a/NEWS b/NEWS -index f61e521fc8..ae55ffb53a 100644 +index f61e521fc8..0f0ebce3f0 100644 --- a/NEWS +++ b/NEWS -@@ -5,6 +5,85 @@ See the end for copying conditions. +@@ -5,6 +5,94 @@ See the end for copying conditions. Please send GNU C library bug reports via using `glibc' in the "product" field. 
@@ -106,6 +106,11 @@ + an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, + AI_ALL and AI_V4MAPPED flags set. + ++ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the ++ environment of a setuid program and NAME is valid, it may result in a ++ buffer overflow, which could be exploited to achieve escalated ++ privileges. This flaw was introduced in glibc 2.34. ++ +The following bugs are resolved with this release: + + [12154] Do not fail DNS resolution for CNAMEs which are not host names @@ -113,6 +118,7 @@ + [24816] Fix tst-nss-files-hosts-long on single-stack hosts + [27576] gmon: improve mcount overflow handling + [28846] CMSG_NXTHDR may trigger -Wstrict-overflow warning ++ [29039] Corrupt DTV after reuse of a TLS module ID following dlclose with unused TLS + [29444] gmon: Fix allocated buffer overflow (bug 29444) + [29864] libc: __libc_start_main() should obtain program headers + address (_dl_phdr) from the auxv, not the ELF header. @@ -149,10 +155,13 @@ + [30305] x86_64: Fix asm constraints in feraiseexcept + [30477] libc: [RISCV]: time64 does not work on riscv32 + [30515] _dl_find_object incorrectly returns 1 during early startup -+ [30785] Always call destructors in reverse constructor order ++ [30745] Slight bug in cache info codes for x86 + [30804] F_GETLK, F_SETLK, and F_SETLKW value change for powerpc64 with + -D_FILE_OFFSET_BITS=64 + [30842] Stack read overflow in getaddrinfo in no-aaaa mode (CVE-2023-4527) ++ [30843] potential use-after-free in getcanonname (CVE-2023-4806) ++ [31184] FAIL: elf/tst-tlsgap ++ [31185] Incorrect thread point access in _dl_tlsdesc_undefweak and _dl_tlsdesc_dynamic + Version 2.36 @@ -501,7 +510,7 @@ + DL_CALL_DT_FINI (map, ((void *) map->l_addr + fini->d_un.d_ptr)); +} diff --git a/elf/dl-close.c b/elf/dl-close.c -index bcd6e206e9..640bbd88c3 100644 +index bcd6e206e9..14deca2e2b 100644 --- a/elf/dl-close.c +++ b/elf/dl-close.c @@ -36,11 +36,6 @@ 
@@ -548,126 +557,10 @@ void _dl_close_worker (struct link_map *map, bool force) { -@@ -168,30 +138,31 @@ _dl_close_worker (struct link_map *map, bool force) - - bool any_tls = false; - const unsigned int nloaded = ns->_ns_nloaded; -- struct link_map *maps[nloaded]; - -- /* Run over the list and assign indexes to the link maps and enter -- them into the MAPS array. */ -+ /* Run over the list and assign indexes to the link maps. */ - int idx = 0; - for (struct link_map *l = ns->_ns_loaded; l != NULL; l = l->l_next) - { - l->l_map_used = 0; - l->l_map_done = 0; - l->l_idx = idx; -- maps[idx] = l; - ++idx; - } - assert (idx == nloaded); - -- /* Keep track of the lowest index link map we have covered already. */ -- int done_index = -1; -- while (++done_index < nloaded) -+ /* Keep marking link maps until no new link maps are found. */ -+ for (struct link_map *l = ns->_ns_loaded; l != NULL; ) - { -- struct link_map *l = maps[done_index]; -+ /* next is reset to earlier link maps for remarking. */ -+ struct link_map *next = l->l_next; -+ int next_idx = l->l_idx + 1; /* next->l_idx, but covers next == NULL. */ - - if (l->l_map_done) -- /* Already handled. */ -- continue; -+ { -+ /* Already handled. */ -+ l = next; -+ continue; -+ } - - /* Check whether this object is still used. */ - if (l->l_type == lt_loaded -@@ -201,7 +172,10 @@ _dl_close_worker (struct link_map *map, bool force) - acquire is sufficient and correct. */ - && atomic_load_acquire (&l->l_tls_dtor_count) == 0 - && !l->l_map_used) -- continue; -+ { -+ l = next; -+ continue; -+ } - - /* We need this object and we handle it now. */ - l->l_map_used = 1; -@@ -228,8 +202,11 @@ _dl_close_worker (struct link_map *map, bool force) - already processed it, then we need to go back - and process again from that point forward to - ensure we keep all of its dependencies also. 
*/ -- if ((*lp)->l_idx - 1 < done_index) -- done_index = (*lp)->l_idx - 1; -+ if ((*lp)->l_idx < next_idx) -+ { -+ next = *lp; -+ next_idx = next->l_idx; -+ } - } - } - -@@ -249,54 +226,65 @@ _dl_close_worker (struct link_map *map, bool force) - if (!jmap->l_map_used) - { - jmap->l_map_used = 1; -- if (jmap->l_idx - 1 < done_index) -- done_index = jmap->l_idx - 1; -+ if (jmap->l_idx < next_idx) -+ { -+ next = jmap; -+ next_idx = next->l_idx; -+ } - } - } - } -- } - -- /* Sort the entries. We can skip looking for the binary itself which is -- at the front of the search list for the main namespace. */ -- _dl_sort_maps (maps, nloaded, (nsid == LM_ID_BASE), true); -+ l = next; -+ } - -- /* Call all termination functions at once. */ -- bool unload_any = false; -- bool scope_mem_left = false; -- unsigned int unload_global = 0; -- unsigned int first_loaded = ~0; -- for (unsigned int i = 0; i < nloaded; ++i) -+ /* Call the destructors in reverse constructor order, and remove the -+ closed link maps from the list. */ -+ for (struct link_map **init_called_head = &_dl_init_called_list; -+ *init_called_head != NULL; ) - { -- struct link_map *imap = maps[i]; -- -- /* All elements must be in the same namespace. */ -- assert (imap->l_ns == nsid); -+ struct link_map *imap = *init_called_head; - -- if (!imap->l_map_used) -+ /* _dl_init_called_list is global, to produce a global odering. -+ Ignore the other namespaces (and link maps that are still used). */ -+ if (imap->l_ns != nsid || imap->l_map_used) -+ init_called_head = &imap->l_init_called_next; -+ else - { - assert (imap->l_type == lt_loaded && !imap->l_nodelete_active); - -- /* Call its termination function. Do not do it for -- half-cooked objects. Temporarily disable exception -- handling, so that errors are fatal. */ -- if (imap->l_init_called) +@@ -280,17 +250,7 @@ _dl_close_worker (struct link_map *map, bool force) + half-cooked objects. Temporarily disable exception + handling, so that errors are fatal. 
*/ + if (imap->l_init_called) - { - /* When debugging print a message first. */ - if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_IMPCALLS, 
@@ -679,88 +572,10 @@ - || imap->l_info[DT_FINI] != NULL) - _dl_catch_exception (NULL, call_destructors, imap); - } -+ /* _dl_init_called_list is updated at the same time as -+ l_init_called. */ -+ assert (imap->l_init_called); -+ -+ if (imap->l_info[DT_FINI_ARRAY] != NULL -+ || imap->l_info[DT_FINI] != NULL) + _dl_catch_exception (NULL, _dl_call_fini, imap); #ifdef SHARED /* Auditing checkpoint: we remove an object. */ - _dl_audit_objclose (imap); - #endif -+ /* Unlink this link map. */ -+ *init_called_head = imap->l_init_called_next; -+ } -+ } -+ - -+ bool unload_any = false; -+ bool scope_mem_left = false; -+ unsigned int unload_global = 0; -+ -+ /* For skipping un-unloadable link maps in the second loop. */ -+ struct link_map *first_loaded = ns->_ns_loaded; -+ -+ /* Iterate over the namespace to find objects to unload. Some -+ unloadable objects may not be on _dl_init_called_list due to -+ dlopen failure. */ -+ for (struct link_map *imap = first_loaded; imap != NULL; imap = imap->l_next) -+ { -+ if (!imap->l_map_used) -+ { - /* This object must not be used anymore. */ - imap->l_removed = 1; - -@@ -307,8 +295,8 @@ _dl_close_worker (struct link_map *map, bool force) - ++unload_global; - - /* Remember where the first dynamically loaded object is. */ -- if (i < first_loaded) -- first_loaded = i; -+ if (first_loaded == NULL) -+ first_loaded = imap; - } - /* Else imap->l_map_used. */ - else if (imap->l_type == lt_loaded) -@@ -444,8 +432,8 @@ _dl_close_worker (struct link_map *map, bool force) - imap->l_loader = NULL; - - /* Remember where the first dynamically loaded object is. */ -- if (i < first_loaded) -- first_loaded = i; -+ if (first_loaded == NULL) -+ first_loaded = imap; - } - } - -@@ -516,10 +504,11 @@ _dl_close_worker (struct link_map *map, bool force) - - /* Check each element of the search list to see if all references to - it are gone. 
*/ -- for (unsigned int i = first_loaded; i < nloaded; ++i) -+ for (struct link_map *imap = first_loaded; imap != NULL; ) - { -- struct link_map *imap = maps[i]; -- if (!imap->l_map_used) -+ if (imap->l_map_used) -+ imap = imap->l_next; -+ else - { - assert (imap->l_type == lt_loaded); - -@@ -730,7 +719,9 @@ _dl_close_worker (struct link_map *map, bool force) - if (imap == GL(dl_initfirst)) - GL(dl_initfirst) = NULL; - -+ struct link_map *next = imap->l_next; - free (imap); -+ imap = next; - } - } - diff --git a/elf/dl-find_object.c b/elf/dl-find_object.c index 4d5831b6f4..2e5b456c11 100644 --- a/elf/dl-find_object.c @@ -775,10 +590,10 @@ /* Object not found. */ diff --git a/elf/dl-fini.c b/elf/dl-fini.c -index 030b1fcbcd..50087a1bfc 100644 +index 030b1fcbcd..50ff94db16 100644 --- a/elf/dl-fini.c +++ b/elf/dl-fini.c -@@ -21,155 +21,71 @@ +@@ -21,11 +21,6 @@ #include #include 
@@ -790,122 +605,10 @@ void _dl_fini (void) { -- /* Lots of fun ahead. We have to call the destructors for all still -- loaded objects, in all namespaces. The problem is that the ELF -- specification now demands that dependencies between the modules -- are taken into account. I.e., the destructor for a module is -- called before the ones for any of its dependencies. -- -- To make things more complicated, we cannot simply use the reverse -- order of the constructors. Since the user might have loaded objects -- using `dlopen' there are possibly several other modules with its -- dependencies to be taken into account. Therefore we have to start -- determining the order of the modules once again from the beginning. */ -- -- /* We run the destructors of the main namespaces last. As for the -- other namespaces, we pick run the destructors in them in reverse -- order of the namespace ID. */ -+ /* Call destructors strictly in the reverse order of constructors. -+ This causes fewer surprises than some arbitrary reordering based -+ on new (relocation) dependencies. None of the objects are -+ unmapped, so applications can deal with this if their DSOs remain -+ in a consistent state after destructors have run. */ -+ -+ /* Protect against concurrent loads and unloads. */ -+ __rtld_lock_lock_recursive (GL(dl_load_lock)); -+ -+ /* Ignore objects which are opened during shutdown. */ -+ struct link_map *local_init_called_list = _dl_init_called_list; -+ -+ for (struct link_map *l = local_init_called_list; l != NULL; -+ l = l->l_init_called_next) -+ /* Bump l_direct_opencount of all objects so that they -+ are not dlclose()ed from underneath us. */ -+ ++l->l_direct_opencount; -+ -+ /* After this point, everything linked from local_init_called_list -+ cannot be unloaded because of the reference counter update. */ -+ __rtld_lock_unlock_recursive (GL(dl_load_lock)); -+ -+ /* Perform two passes: One for non-audit modules, one for audit -+ modules. 
This way, audit modules receive unload notifications -+ for non-audit objects, and the destructors for audit modules -+ still run. */ - #ifdef SHARED -- int do_audit = 0; -- again: -+ int last_pass = GLRO(dl_naudit) > 0; -+ Lmid_t last_ns = -1; -+ for (int do_audit = 0; do_audit <= last_pass; ++do_audit) - #endif -- for (Lmid_t ns = GL(dl_nns) - 1; ns >= 0; --ns) -- { -- /* Protect against concurrent loads and unloads. */ -- __rtld_lock_lock_recursive (GL(dl_load_lock)); -- -- unsigned int nloaded = GL(dl_ns)[ns]._ns_nloaded; -- /* No need to do anything for empty namespaces or those used for -- auditing DSOs. */ -- if (nloaded == 0 --#ifdef SHARED -- || GL(dl_ns)[ns]._ns_loaded->l_auditing != do_audit --#endif -- ) -- __rtld_lock_unlock_recursive (GL(dl_load_lock)); -- else -- { --#ifdef SHARED -- _dl_audit_activity_nsid (ns, LA_ACT_DELETE); --#endif -- -- /* Now we can allocate an array to hold all the pointers and -- copy the pointers in. */ -- struct link_map *maps[nloaded]; -- -- unsigned int i; -- struct link_map *l; -- assert (nloaded != 0 || GL(dl_ns)[ns]._ns_loaded == NULL); -- for (l = GL(dl_ns)[ns]._ns_loaded, i = 0; l != NULL; l = l->l_next) -- /* Do not handle ld.so in secondary namespaces. */ -- if (l == l->l_real) -- { -- assert (i < nloaded); -- -- maps[i] = l; -- l->l_idx = i; -- ++i; -- -- /* Bump l_direct_opencount of all objects so that they -- are not dlclose()ed from underneath us. */ -- ++l->l_direct_opencount; -- } -- assert (ns != LM_ID_BASE || i == nloaded); -- assert (ns == LM_ID_BASE || i == nloaded || i == nloaded - 1); -- unsigned int nmaps = i; -- -- /* Now we have to do the sorting. We can skip looking for the -- binary itself which is at the front of the search list for -- the main namespace. */ -- _dl_sort_maps (maps, nmaps, (ns == LM_ID_BASE), true); -- -- /* We do not rely on the linked list of loaded object anymore -- from this point on. We have our own list here (maps). 
The -- various members of this list cannot vanish since the open -- count is too high and will be decremented in this loop. So -- we release the lock so that some code which might be called -- from a destructor can directly or indirectly access the -- lock. */ -- __rtld_lock_unlock_recursive (GL(dl_load_lock)); -- -- /* 'maps' now contains the objects in the right order. Now -- call the destructors. We have to process this array from -- the front. */ -- for (i = 0; i < nmaps; ++i) -- { -- struct link_map *l = maps[i]; -- -- if (l->l_init_called) -- { +@@ -116,38 +111,7 @@ _dl_fini (void) + + if (l->l_init_called) + { - /* Make sure nothing happens if we are called twice. */ - l->l_init_called = 0; - 
@@ -938,54 +641,10 @@ - (l, l->l_addr + l->l_info[DT_FINI]->d_un.d_ptr); - } - -+ for (struct link_map *l = local_init_called_list; l != NULL; -+ l = l->l_init_called_next) -+ { - #ifdef SHARED -- /* Auditing checkpoint: another object closed. */ -- _dl_audit_objclose (l); -+ if (GL(dl_ns)[l->l_ns]._ns_loaded->l_auditing != do_audit) -+ continue; -+ -+ /* Avoid back-to-back calls of _dl_audit_activity_nsid for the -+ same namespace. */ -+ if (last_ns != l->l_ns) -+ { -+ if (last_ns >= 0) -+ _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT); -+ _dl_audit_activity_nsid (l->l_ns, LA_ACT_DELETE); -+ last_ns = l->l_ns; -+ } - #endif -- } - -- /* Correct the previous increment. */ -- --l->l_direct_opencount; -- } -+ /* There is no need to re-enable exceptions because _dl_fini -+ is not called from a context where exceptions are caught. */ -+ _dl_call_fini (l); - - #ifdef SHARED -- _dl_audit_activity_nsid (ns, LA_ACT_CONSISTENT); -+ /* Auditing checkpoint: another object closed. */ -+ _dl_audit_objclose (l); - #endif -- } -- } -+ } - ++ _dl_call_fini (l); #ifdef SHARED -- if (! do_audit && GLRO(dl_naudit) > 0) -- { -- do_audit = 1; -- goto again; -- } -+ if (last_ns >= 0) -+ _dl_audit_activity_nsid (last_ns, LA_ACT_CONSISTENT); - - if (__glibc_unlikely (GLRO(dl_debug_mask) & DL_DEBUG_STATISTICS)) - _dl_debug_printf ("\nruntime linker statistics:\n" + /* Auditing checkpoint: another object closed. */ + _dl_audit_objclose (l); diff --git a/elf/dl-hwcaps.c b/elf/dl-hwcaps.c index 6f161f6ad5..92eb53790e 100644 --- a/elf/dl-hwcaps.c @@ -1023,15 +682,10 @@ = malloc (*sz * sizeof (*result) + total); if (overall_result == NULL) diff --git a/elf/dl-init.c b/elf/dl-init.c -index deefeb099a..77b2edd838 100644 +index deefeb099a..fca8e3a05e 100644 --- a/elf/dl-init.c +++ b/elf/dl-init.c -@@ -21,14 +21,19 @@ - #include - #include - -+struct link_map *_dl_init_called_list; - +@@ -25,10 +25,14 @@ static void call_init (struct link_map *l, int argc, char **argv, char **env) { 
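Review bot: The reverted _dl_fini hunk drops the explanatory comment that preceded `_dl_call_fini (l);` (`/* There is no need to re-enable exceptions because _dl_fini is not called from a context where exceptions are caught. */`), so the new side calls it bare while dl-close.c in this same update invokes the same function through `_dl_catch_exception (NULL, _dl_call_fini, imap);`. Keeping that two-line comment on the new side would document why the two call sites differ rather than leaving a reader to infer it. The enclosing `if (l->l_init_called)` block and the namespace loop around it start outside this hunk.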
@@ -1048,70 +702,6 @@ if (l->l_init_called) /* This object is all done. */ -@@ -38,6 +43,21 @@ call_init (struct link_map *l, int argc, char **argv, char **env) - dependency. */ - l->l_init_called = 1; - -+ /* Help an already-running dlclose: The just-loaded object must not -+ be removed during the current pass. (No effect if no dlclose in -+ progress.) */ -+ l->l_map_used = 1; -+ -+ /* Record execution before starting any initializers. This way, if -+ the initializers themselves call dlopen, their ELF destructors -+ will eventually be run before this object is destructed, matching -+ that their ELF constructors have run before this object was -+ constructed. _dl_fini uses this list for audit callbacks, so -+ register objects on the list even if they do not have a -+ constructor. */ -+ l->l_init_called_next = _dl_init_called_list; -+ _dl_init_called_list = l; -+ - /* Check for object which constructors we do not run here. */ - if (__builtin_expect (l->l_name[0], 'a') == '\0' - && l->l_type == lt_executable) -diff --git a/elf/dl-load.c b/elf/dl-load.c -index 1ad0868dad..cb59c21ce7 100644 ---- a/elf/dl-load.c -+++ b/elf/dl-load.c -@@ -1263,7 +1263,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, - - /* Now process the load commands and map segments into memory. - This is responsible for filling in: -- l_map_start, l_map_end, l_addr, l_contiguous, l_text_end, l_phdr -+ l_map_start, l_map_end, l_addr, l_contiguous, l_phdr - */ - errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds, - maplength, has_holes, loader); -diff --git a/elf/dl-load.h b/elf/dl-load.h -index f98d264e90..ebf7d74cd0 100644 ---- a/elf/dl-load.h -+++ b/elf/dl-load.h -@@ -83,14 +83,11 @@ struct loadcmd - - /* This is a subroutine of _dl_map_segments. It should be called for each - load command, some time after L->l_addr has been set correctly. It is -- responsible for setting up the l_text_end and l_phdr fields. 
*/ -+ responsible for setting the l_phdr fields */ - static __always_inline void - _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, - const struct loadcmd *c) - { -- if (c->prot & PROT_EXEC) -- l->l_text_end = l->l_addr + c->mapend; -- - if (l->l_phdr == 0 - && c->mapoff <= header->e_phoff - && ((size_t) (c->mapend - c->mapstart + c->mapoff) -@@ -103,7 +100,7 @@ _dl_postprocess_loadcmd (struct link_map *l, const ElfW(Ehdr) *header, - - /* This is a subroutine of _dl_map_object_from_fd. It is responsible - for filling in several fields in *L: l_map_start, l_map_end, l_addr, -- l_contiguous, l_text_end, l_phdr. On successful return, all the -+ l_contiguous, l_phdr. On successful return, all the - segments are mapped (or copied, or whatever) from the file into their - final places in the address space, with the correct page permissions, - and any bss-like regions already zeroed. It returns a null pointer diff --git a/elf/dl-lookup.c b/elf/dl-lookup.c index 4c86dc694e..67fb2e31e2 100644 --- a/elf/dl-lookup.c 
@@ -1311,6 +901,54 @@ call_function_static_weak (_dl_find_object_init); +diff --git a/elf/dl-tls.c b/elf/dl-tls.c +index 093cdddb7e..bf0ff0d9e8 100644 +--- a/elf/dl-tls.c ++++ b/elf/dl-tls.c +@@ -160,6 +160,7 @@ _dl_assign_tls_modid (struct link_map *l) + { + /* Mark the entry as used, so any dependency see it. */ + atomic_store_relaxed (&runp->slotinfo[result - disp].map, l); ++ atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0); + break; + } + +diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c +index 8e7ee9df10..76cf8b9da3 100644 +--- a/elf/dl-tunables.c ++++ b/elf/dl-tunables.c +@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring) + /* If we reach the end of the string before getting a valid name-value + pair, bail out. */ + if (p[len] == '\0') +- { +- if (__libc_enable_secure) +- tunestr[off] = '\0'; +- return; +- } ++ break; + + /* We did not find a valid name-value pair before encountering the + colon. */ +@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring) + } + } + +- if (p[len] != '\0') +- p += len + 1; ++ /* We reached the end while processing the tunable string. */ ++ if (p[len] == '\0') ++ break; ++ ++ p += len + 1; + } ++ ++ /* Terminate tunestr before we leave. */ ++ if (__libc_enable_secure) ++ tunestr[off] = '\0'; + } + #endif + diff --git a/elf/dl-tunables.list b/elf/dl-tunables.list index e6a56b3070..9fa3b484cf 100644 --- a/elf/dl-tunables.list @@ -1334,34 +972,20 @@ + } } diff --git a/elf/dso-sort-tests-1.def b/elf/dso-sort-tests-1.def -index 5f7f18ef27..61dc54f8ae 100644 +index 5f7f18ef27..4bf9052db1 100644 --- a/elf/dso-sort-tests-1.def 
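Review bot: The new `atomic_store_relaxed (&runp->slotinfo[result - disp].gen, 0);` in _dl_assign_tls_modid is, per the changelog, the whole of the DTV-corruption fix for a module ID reused after dlclose, yet the only comment beside it still describes just the `.map` store on the line above. A reader of dl-tls.c cannot tell from the code why the generation has to be cleared when a slot is handed out again; I would extend the existing comment to `/* Mark the entry as used, so any dependency see it.  Reset the generation so a value apparently left behind by a module previously unloaded from this slot is not mistaken for current.  */`. The enclosing function starts and ends outside the hunk.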
+++ b/elf/dso-sort-tests-1.def -@@ -53,14 +53,14 @@ tst-dso-ordering10: {}->a->b->c;soname({})=c - output: b>a>{}b->c->d order). --# The older dynamic_sort=1 algorithm does not achieve this, while the DFS-based --# dynamic_sort=2 algorithm does, although it is still arguable whether going --# beyond spec to do this is the right thing to do. --# The below expected outputs are what the two algorithms currently produce --# respectively, for regression testing purposes. -+# relocation(dynamic) dependencies. For both sorting algorithms, the -+# destruction order is the reverse of the construction order, and -+# relocation dependencies are not taken into account. +@@ -64,3 +64,10 @@ output: b>a>{}b->c->d;d=>[ba];c=>a;b=>e=>a;c=>f=>b;d=>g=>c --output(glibc.rtld.dynamic_sort=1): {+a[d>c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[c>b>a>];+e[e>];+f[f>];+g[g>];+d[];%d(b(e(a()))a()g(c(a()f(b(e(a()))))));-d[];-g[];-f[];-e[];-a[a1;a->a2;a2->a;b->b1;c->a1;c=>a1 -+output: {+a[a2>a1>a>];+b[b1>b>];-b[];%c(a1());}a1>a>];+b[b1>b>];-b[];%c(a1());}a1>a>];+b[b1>b>];-b[];%c(a1());}l_map_end = 0; -- main_map->l_text_end = 0; - /* Perhaps the executable has no PT_LOAD header entries at all. */ - main_map->l_map_start = ~0; - /* And it was opened directly. */ -@@ -1216,8 +1214,6 @@ rtld_setup_main_map (struct link_map *main_map) - allocend = main_map->l_addr + ph->p_vaddr + ph->p_memsz; - if (main_map->l_map_end < allocend) - main_map->l_map_end = allocend; -- if ((ph->p_flags & PF_X) && allocend > main_map->l_text_end) -- main_map->l_text_end = allocend; - - /* The next expected address is the page following this load - segment. 
*/ -@@ -1277,8 +1273,6 @@ rtld_setup_main_map (struct link_map *main_map) - = (char *) main_map->l_tls_initimage + main_map->l_addr; - if (! main_map->l_map_end) - main_map->l_map_end = ~0; -- if (! main_map->l_text_end) -- main_map->l_text_end = ~0; - if (! GL(dl_rtld_map).l_libname && GL(dl_rtld_map).l_name) - { - /* We were invoked directly, so the program might not have a -@@ -2122,6 +2116,12 @@ dl_main (const ElfW(Phdr) *phdr, +@@ -2122,6 +2122,12 @@ dl_main (const ElfW(Phdr) *phdr, if (l->l_faked) /* The library was not found. */ _dl_printf ("\t%s => not found\n", l->l_libname->name); 
@@ -1444,127 +1034,6 @@ else _dl_printf ("\t%s => %s (0x%0*Zx)\n", DSO_FILENAME (l->l_libname->name), -diff --git a/elf/setup-vdso.h b/elf/setup-vdso.h -index c0807ea82b..415d5057c3 100644 ---- a/elf/setup-vdso.h -+++ b/elf/setup-vdso.h -@@ -51,9 +51,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), - l->l_addr = ph->p_vaddr; - if (ph->p_vaddr + ph->p_memsz >= l->l_map_end) - l->l_map_end = ph->p_vaddr + ph->p_memsz; -- if ((ph->p_flags & PF_X) -- && ph->p_vaddr + ph->p_memsz >= l->l_text_end) -- l->l_text_end = ph->p_vaddr + ph->p_memsz; - } - else - /* There must be no TLS segment. */ -@@ -62,7 +59,6 @@ setup_vdso (struct link_map *main_map __attribute__ ((unused)), - l->l_map_start = (ElfW(Addr)) GLRO(dl_sysinfo_dso); - l->l_addr = l->l_map_start - l->l_addr; - l->l_map_end += l->l_addr; -- l->l_text_end += l->l_addr; - l->l_ld = (void *) ((ElfW(Addr)) l->l_ld + l->l_addr); - elf_get_dynamic_info (l, false, false); - _dl_setup_hash (l); -diff --git a/elf/tst-audit23.c b/elf/tst-audit23.c -index 4904cf1340..f40760bd70 100644 ---- a/elf/tst-audit23.c -+++ b/elf/tst-audit23.c -@@ -98,6 +98,8 @@ do_test (int argc, char *argv[]) - char *lname; - uintptr_t laddr; - Lmid_t lmid; -+ uintptr_t cookie; -+ uintptr_t namespace; - bool closed; - } objs[max_objs] = { [0 ... max_objs-1] = { .closed = false } }; - size_t nobjs = 0; -@@ -117,6 +119,9 @@ do_test (int argc, char *argv[]) - size_t buffer_length = 0; - while (xgetline (&buffer, &buffer_length, out)) - { -+ *strchrnul (buffer, '\n') = '\0'; -+ printf ("info: subprocess output: %s\n", buffer); -+ - if (startswith (buffer, "la_activity: ")) - { - uintptr_t cookie; -@@ -125,29 +130,26 @@ do_test (int argc, char *argv[]) - &cookie); - TEST_COMPARE (r, 2); - -- /* The cookie identifies the object at the head of the link map, -- so we only add a new namespace if it changes from the previous -- one. This works since dlmopen is the last in the test body. 
*/ -- if (cookie != last_act_cookie && last_act_cookie != -1) -- TEST_COMPARE (last_act, LA_ACT_CONSISTENT); -- - if (this_act == LA_ACT_ADD && acts[nacts] != cookie) - { -+ /* The cookie identifies the object at the head of the -+ link map, so we only add a new namespace if it -+ changes from the previous one. This works since -+ dlmopen is the last in the test body. */ -+ if (cookie != last_act_cookie && last_act_cookie != -1) -+ TEST_COMPARE (last_act, LA_ACT_CONSISTENT); -+ - acts[nacts++] = cookie; - last_act_cookie = cookie; - } -- /* The LA_ACT_DELETE is called in the reverse order of LA_ACT_ADD -- at program termination (if the tests adds a dlclose or a library -- with extra dependencies this will need to be adapted). */ -+ /* LA_ACT_DELETE is called multiple times for each -+ namespace, depending on destruction order. */ - else if (this_act == LA_ACT_DELETE) -- { -- last_act_cookie = acts[--nacts]; -- TEST_COMPARE (acts[nacts], cookie); -- acts[nacts] = 0; -- } -+ last_act_cookie = cookie; - else if (this_act == LA_ACT_CONSISTENT) - { - TEST_COMPARE (cookie, last_act_cookie); -+ last_act_cookie = -1; - - /* LA_ACT_DELETE must always be followed by an la_objclose. */ - if (last_act == LA_ACT_DELETE) -@@ -179,6 +181,8 @@ do_test (int argc, char *argv[]) - objs[nobjs].lname = lname; - objs[nobjs].laddr = laddr; - objs[nobjs].lmid = lmid; -+ objs[nobjs].cookie = cookie; -+ objs[nobjs].namespace = last_act_cookie; - objs[nobjs].closed = false; - nobjs++; - -@@ -201,6 +205,12 @@ do_test (int argc, char *argv[]) - if (strcmp (lname, objs[i].lname) == 0 && lmid == objs[i].lmid) - { - TEST_COMPARE (objs[i].closed, false); -+ TEST_COMPARE (objs[i].cookie, cookie); -+ if (objs[i].namespace == -1) -+ /* No LA_ACT_ADD before the first la_objopen call. 
*/ -+ TEST_COMPARE (acts[0], last_act_cookie); -+ else -+ TEST_COMPARE (objs[i].namespace, last_act_cookie); - objs[i].closed = true; - break; - } -@@ -209,11 +219,7 @@ do_test (int argc, char *argv[]) - /* la_objclose should be called after la_activity(LA_ACT_DELETE) for - the closed object's namespace. */ - TEST_COMPARE (last_act, LA_ACT_DELETE); -- if (!seen_first_objclose) -- { -- TEST_COMPARE (last_act_cookie, cookie); -- seen_first_objclose = true; -- } -+ seen_first_objclose = true; - } - } - diff --git a/elf/tst-auditmod28.c b/elf/tst-auditmod28.c index db7ba95abe..9e0a122c38 100644 --- a/elf/tst-auditmod28.c 
@@ -1746,6 +1215,97 @@ +} + +#include +diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c +index 88182b7b25..5e9e4c5756 100644 +--- a/elf/tst-env-setuid-tunables.c ++++ b/elf/tst-env-setuid-tunables.c +@@ -52,6 +52,8 @@ const char *teststrings[] = + "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", + "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.check=2", + "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", + "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", + ":glibc.malloc.garbage=2:glibc.malloc.check=1", +@@ -70,6 +72,8 @@ const char *resultstrings[] = + "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=4096", ++ "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", ++ "", + "", + "", + "", +@@ -84,11 +88,18 @@ test_child (int off) + const char *val = getenv ("GLIBC_TUNABLES"); + + #if HAVE_TUNABLES ++ printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); ++ fflush (stdout); + if (val != NULL && strcmp (val, resultstrings[off]) == 0) + return 0; + + if (val != NULL) +- printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); ++ printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", ++ off, val, resultstrings[off]); ++ else ++ printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); ++ ++ fflush (stdout); + + return 1; + #else +@@ -117,21 +128,26 @@ do_test (int argc, char **argv) + if (ret != 0) + exit (1); + +- exit (EXIT_SUCCESS); ++ /* Special return code to make sure that the child executed all the way ++ through. */ ++ exit (42); + } + else + { +- int ret = 0; +- + /* Spawn tests. 
*/ + for (int i = 0; i < array_length (teststrings); i++) + { + char buf[INT_BUFSIZE_BOUND (int)]; + +- printf ("Spawned test for %s (%d)\n", teststrings[i], i); ++ printf ("[%d] Spawned test for %s\n", i, teststrings[i]); + snprintf (buf, sizeof (buf), "%d\n", i); ++ fflush (stdout); + if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) +- exit (1); ++ { ++ printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); ++ support_record_failure (); ++ continue; ++ } + + int status = support_capture_subprogram_self_sgid (buf); + +@@ -139,9 +155,14 @@ do_test (int argc, char **argv) + if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) + return EXIT_UNSUPPORTED; + +- ret |= status; ++ if (WEXITSTATUS (status) != 42) ++ { ++ printf (" [%d] child failed with status %d\n", i, ++ WEXITSTATUS (status)); ++ support_record_failure (); ++ } + } +- return ret; ++ return 0; + } + } + diff --git a/elf/tst-ldconfig-p.sh b/elf/tst-ldconfig-p.sh new file mode 100644 index 0000000000..ec937bf4ec @@ -2472,22 +2032,20 @@ @@ -0,0 +1 @@ +#include diff --git a/include/link.h b/include/link.h -index 0ac82d7c77..4eb8fe0d96 100644 +index 0ac82d7c77..87966e8397 100644 --- a/include/link.h +++ b/include/link.h -@@ -253,8 +253,10 @@ struct link_map - /* Start and finish of memory map for this object. l_map_start - need not be the same as l_addr. */ - ElfW(Addr) l_map_start, l_map_end; -- /* End of the executable part of the mapping. */ -- ElfW(Addr) l_text_end; -+ +@@ -278,6 +278,10 @@ struct link_map + /* List of object in order of the init and fini calls. */ + struct link_map **l_initfini; + + /* Linked list of objects in reverse ELF constructor execution + order. Head of list is stored in _dl_init_called_list. */ + struct link_map *l_init_called_next; - - /* Default array for 'l_scope'. */ - struct r_scope_elem *l_scope_mem[4]; ++ + /* List of the dependencies introduced through symbol binding. */ + struct link_map_reldeps + { 
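Review bot: The new failure diagnostic `printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i);` has no trailing newline, unlike every other message this test prints, so the next iteration's `[%d] Spawned test for ...` line is glued onto it in the log. Changing it to `printf (" [%d] Failed to set GLIBC_TUNABLES: %m\n", i);` fixes the output; since `support_record_failure ()` already marks the run as failed before the `continue`, nothing else is needed.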
diff --git a/include/resolv.h b/include/resolv.h index 3590b6f496..4dbbac3800 100644 --- a/include/resolv.h @@ -2801,6 +2359,32 @@ const unsigned char *cp; const unsigned char *usrc; +diff --git a/misc/Makefile b/misc/Makefile +index ba8232a0e9..66e9ded8f9 100644 +--- a/misc/Makefile ++++ b/misc/Makefile +@@ -115,7 +115,10 @@ tests-special += $(objpfx)tst-error1-mem.out \ + $(objpfx)tst-allocate_once-mem.out + endif + +-tests-container := tst-syslog ++tests-container := \ ++ tst-syslog \ ++ tst-syslog-long-progname \ ++ # tests-container + + CFLAGS-select.c += -fexceptions -fasynchronous-unwind-tables + CFLAGS-tsearch.c += $(uses-callbacks) +@@ -175,6 +178,9 @@ $(objpfx)tst-allocate_once-mem.out: $(objpfx)tst-allocate_once.out + $(common-objpfx)malloc/mtrace $(objpfx)tst-allocate_once.mtrace > $@; \ + $(evaluate-test) + ++tst-syslog-long-progname-ENV = GLIBC_TUNABLES=glibc.malloc.check=3 \ ++ LD_PRELOAD=libc_malloc_debug.so.0 ++ + $(objpfx)tst-select: $(librt) + $(objpfx)tst-select-time64: $(librt) + $(objpfx)tst-pselect: $(librt) diff --git a/misc/bits/syslog.h b/misc/bits/syslog.h index fd30dd3114..916d2b6f12 100644 --- a/misc/bits/syslog.h @@ -2890,10 +2474,30 @@ __END_DECLS diff --git a/misc/syslog.c b/misc/syslog.c -index 554089bfc4..f67d4b58a4 100644 +index 554089bfc4..9336036666 100644 --- a/misc/syslog.c 
+++ b/misc/syslog.c -@@ -167,7 +167,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, +@@ -41,6 +41,7 @@ static char sccsid[] = "@(#)syslog.c 8.4 (Berkeley) 3/18/94"; + #include + #include + #include ++#include + + static int LogType = SOCK_DGRAM; /* type of socket connection */ + static int LogFile = -1; /* fd for log */ +@@ -122,8 +123,9 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + { + /* Try to use a static buffer as an optimization. */ + char bufs[1024]; +- char *buf = NULL; +- size_t bufsize = 0; ++ char *buf = bufs; ++ size_t bufsize; ++ + int msgoff; + int saved_errno = errno; + +@@ -167,7 +169,7 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, _nl_C_locobj_ptr); #define SYSLOG_HEADER(__pri, __timestamp, __msgoff, pid) \ 
@@ -2902,19 +2506,74 @@ __pri, __timestamp, __msgoff, \ LogTag == NULL ? __progname : LogTag, \ "[" + (pid == 0), pid, "]" + (pid == 0) -@@ -193,28 +193,32 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, - int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, - mode_flags); - if (0 <= vl && vl < sizeof bufs - l) +@@ -175,53 +177,95 @@ __vsyslog_internal (int pri, const char *fmt, va_list ap, + #define SYSLOG_HEADER_WITHOUT_TS(__pri, __msgoff) \ + "<%d>: %n", __pri, __msgoff + +- int l; ++ int l, vl; + if (has_ts) + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); + else + l = __snprintf (bufs, sizeof bufs, + SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); +- if (0 <= l && l < sizeof bufs) ++ if (l < 0) ++ goto out; ++ ++ char *pos; ++ size_t len; ++ ++ if (l < sizeof bufs) + { +- va_list apc; +- va_copy (apc, ap); ++ /* At this point, there is still a chance that we can print the ++ remaining part of the log into bufs and use that. */ ++ pos = bufs + l; ++ len = sizeof (bufs) - l; ++ } ++ else ++ { ++ buf = NULL; ++ /* We already know that bufs is too small to use for this log message. ++ The next vsnprintf into bufs is used only to calculate the total ++ required buffer length. We will discard bufs contents and allocate ++ an appropriately sized buffer later instead. */ ++ pos = bufs; ++ len = sizeof (bufs); ++ } + +- /* Restore errno for %m format. */ +- __set_errno (saved_errno); ++ { ++ va_list apc; ++ va_copy (apc, ap); + +- int vl = __vsnprintf_internal (bufs + l, sizeof bufs - l, fmt, apc, +- mode_flags); +- if (0 <= vl && vl < sizeof bufs - l) - { - buf = bufs; - bufsize = l + vl; - } -+ buf = bufs; -+ bufsize = l + vl; ++ /* Restore errno for %m format. 
*/ ++ __set_errno (saved_errno); - va_end (apc); - } +- va_end (apc); +- } ++ vl = __vsnprintf_internal (pos, len, fmt, apc, mode_flags); ++ va_end (apc); ++ ++ if (vl < 0 || vl >= INT_MAX - l) ++ goto out; ++ ++ if (vl >= len) ++ buf = NULL; ++ ++ bufsize = l + vl; ++ } if (buf == NULL) { 
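Review bot: The guard `if (vl < 0 || vl >= INT_MAX - l) goto out;` carries no comment, and its second half is not obvious: `l` and `vl` are `int` (declared `int l, vl;` earlier in this hunk) while `bufsize` is `size_t` (previous hunk), so `bufsize = l + vl;` is evaluated in int arithmetic and the bound is what keeps that sum from overflowing. A one-line comment such as `/* l + vl below is computed in int; reject lengths that would overflow it.  */` would save the next reader the derivation. The comparisons `l < sizeof bufs` and `vl >= len` mix int and size_t and are safe only because each value has just been checked non-negative; a word on that would help too. The body of __vsyslog_internal continues outside this hunk.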
@@ -2925,23 +2584,94 @@ /* Tell the cancellation handler to free this buffer. */ clarg.buf = buf; ++ int cl; if (has_ts) - __snprintf (bufs, sizeof bufs, -+ __snprintf (buf, l + 1, - SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); +- SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER (pri, timestamp, &msgoff, pid)); else - __snprintf (bufs, sizeof bufs, -+ __snprintf (buf, l + 1, - SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); +- SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ cl = __snprintf (buf, l + 1, ++ SYSLOG_HEADER_WITHOUT_TS (pri, &msgoff)); ++ if (cl != l) ++ goto out; + + va_list apc; + va_copy (apc, ap); -+ __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, -+ mode_flags); ++ cl = __vsnprintf_internal (buf + l, bufsize - l + 1, fmt, apc, ++ mode_flags); + va_end (apc); ++ ++ if (cl != vl) ++ goto out; } else { ++ int bl; + /* Nothing much to do but emit an error message. */ +- bufsize = __snprintf (bufs, sizeof bufs, +- "out of memory[%d]", __getpid ()); ++ bl = __snprintf (bufs, sizeof bufs, ++ "out of memory[%d]", __getpid ()); ++ if (bl < 0 || bl >= sizeof bufs) ++ goto out; ++ ++ bufsize = bl; + buf = bufs; ++ msgoff = 0; + } + } + +diff --git a/misc/tst-syslog-long-progname.c b/misc/tst-syslog-long-progname.c +new file mode 100644 +index 0000000000..88f37a8a00 +--- /dev/null ++++ b/misc/tst-syslog-long-progname.c +@@ -0,0 +1,39 @@ ++/* Test heap buffer overflow in syslog with long __progname (CVE-2023-6246) ++ Copyright (C) 2023 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. 
++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#include ++#include ++ ++extern char * __progname; ++ ++static int ++do_test (void) ++{ ++ char long_progname[2048]; ++ ++ memset (long_progname, 'X', sizeof (long_progname) - 1); ++ long_progname[sizeof (long_progname) - 1] = '\0'; ++ ++ __progname = long_progname; ++ ++ syslog (LOG_INFO, "Hello, World!"); ++ ++ return 0; ++} ++ ++#include +diff --git a/misc/tst-syslog-long-progname.root/postclean.req b/misc/tst-syslog-long-progname.root/postclean.req +new file mode 100644 +index 0000000000..e69de29bb2 diff --git a/misc/tst-syslog.c b/misc/tst-syslog.c index e550d15796..3560b518a2 100644 --- a/misc/tst-syslog.c @@ -8067,7 +7797,7 @@ ldp q2, q3, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*1] ldp q4, q5, [x29, #OFFSET_RV + DL_OFFSET_RV_V0 + 32*2] diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h -index 050a3032de..ab8a7fbf84 100644 +index 050a3032de..c2627fced7 100644 --- a/sysdeps/generic/ldsodefs.h +++ b/sysdeps/generic/ldsodefs.h @@ -105,6 +105,9 @@ typedef struct link_map *lookup_t; 
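Review bot: `__progname = long_progname;` in the new tst-syslog-long-progname.c leaves the process-wide program name pointing at a 2048-byte automatic array once do_test returns; anything that formats `__progname` afterwards (for instance error reporting in the test driver, which runs outside this hunk) would read a dead stack frame. Declaring the buffer `static char long_progname[2048];` keeps the pointer valid for the life of the process at no cost to the test. The rest of the test can stay as written.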
@@ -8080,15 +7810,7 @@
 /* On some architectures a pointer to a function is not just a pointer to the actual code of the function but rather an architecture specific descriptor. */
-@@ -1044,13 +1047,24 @@ extern int _dl_check_map_versions (struct link_map *map, int verbose,
- extern void _dl_init (struct link_map *main_map, int argc, char **argv,
- char **env) attribute_hidden;
- 
-+/* List of ELF objects in reverse order of their constructor
-+ invocation. */
-+extern struct link_map *_dl_init_called_list attribute_hidden;
-+
- /* Call the finalizer functions of all shared objects whose
+@@ -1048,9 +1051,16 @@ extern void _dl_init (struct link_map *main_map, int argc, char **argv,
 initializer functions have completed. */
 extern void _dl_fini (void) attribute_hidden;
@@ -10745,6 +10467,37 @@
 #define MOVBE_X86_ISA_LEVEL 3 /* ISA level >= 2 guaranteed includes. */
+diff --git a/sysdeps/x86_64/dl-tlsdesc.S b/sysdeps/x86_64/dl-tlsdesc.S
+index 0db2cb4152..7619e743e1 100644
+--- a/sysdeps/x86_64/dl-tlsdesc.S
++++ b/sysdeps/x86_64/dl-tlsdesc.S
+@@ -61,7 +61,7 @@ _dl_tlsdesc_return:
+ _dl_tlsdesc_undefweak:
+ _CET_ENDBR
+ movq 8(%rax), %rax
+- subq %fs:0, %rax
++ sub %fs:0, %RAX_LP
+ ret
+ cfi_endproc
+ .size _dl_tlsdesc_undefweak, .-_dl_tlsdesc_undefweak
+@@ -102,7 +102,7 @@ _dl_tlsdesc_dynamic:
+ /* Preserve call-clobbered registers that we modify.
+ We need two scratch regs anyway. */
+ movq %rsi, -16(%rsp)
+- movq %fs:DTV_OFFSET, %rsi
++ mov %fs:DTV_OFFSET, %RSI_LP
+ movq %rdi, -8(%rsp)
+ movq TLSDESC_ARG(%rax), %rdi
+ movq (%rsi), %rax
+@@ -116,7 +116,7 @@ _dl_tlsdesc_dynamic:
+ addq TLSDESC_MODOFF(%rdi), %rax
+ .Lret:
+ movq -16(%rsp), %rsi
+- subq %fs:0, %rax
++ sub %fs:0, %RAX_LP
+ movq -8(%rsp), %rdi
+ ret
+ .Lslow:
 diff --git a/sysdeps/x86_64/fpu/fraiseexcpt.c b/sysdeps/x86_64/fpu/fraiseexcpt.c
 index 864f4777a2..23446ff4ac 100644
--- a/sysdeps/x86_64/fpu/fraiseexcpt.c
diff -Nru glibc-2.36/debian/patches/series glibc-2.36/debian/patches/series
--- glibc-2.36/debian/patches/series 2024-01-23 20:56:57.000000000 +0000
+++ glibc-2.36/debian/patches/series 2024-03-24 12:07:24.000000000 +0000
@@ -119,8 +119,4 @@
 any/local-cross.patch
 any/git-floatn-gcc-13-support.diff
 any/local-disable-tst-bz29951.diff
-any/local-CVE-2023-4911.patch
-any/local-CVE-2023-6246.patch
-any/local-CVE-2023-6779.patch
-any/local-CVE-2023-6780.patch
 any/local-qsort-memory-corruption.patch
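Review bot: The three operand-width changes in dl-tlsdesc.S (`sub %fs:0, %RAX_LP` twice and `mov %fs:DTV_OFFSET, %RSI_LP`) sit between `movq` instructions that remain 64-bit, and nothing in the file says why these particular loads must follow the pointer width. The changelog identifies this as the x32 TCB and DTV load fix, so I would add a comment at the first occurrence, e.g. `/* %fs:0 (TCB self pointer) and %fs:DTV_OFFSET are pointer-sized: 32-bit on x32, 64-bit otherwise.  */`, so a later cleanup does not "normalise" them back to `subq`/`movq`. Each enclosing routine extends beyond its inner hunk.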