From 0b0d35d9e2e3d5f6d7a62a61262d0df9c650bb56 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 20 2020 11:28:04 +0000
Subject: import glibc-2.17-316.el7
---
diff --git a/SOURCES/glibc-rh1235112.patch b/SOURCES/glibc-rh1235112.patch
new file mode 100644
index 0000000..e7049af
--- /dev/null
+++ b/SOURCES/glibc-rh1235112.patch
@@ -0,0 +1,60 @@
+commit a58ad3f801960fa0dc0bb1106eb0d99f7ebd77b1
+Author: Roland McGrath
+Date: Thu Jun 13 15:09:29 2013 -0700
+
+ Fix raciness in waitid test.
+
+diff --git a/posix/tst-waitid.c b/posix/tst-waitid.c
+index f8a302ea3153a853..d63ad65fbefc64ad 100644
+--- a/posix/tst-waitid.c
++++ b/posix/tst-waitid.c
+@@ -145,7 +145,7 @@ do_test (int argc, char *argv[])
+ /* Give the child a chance to stop. */
+ sleep (3);
+
+- CHECK_SIGCHLD ("stopped", CLD_STOPPED, SIGSTOP);
++ CHECK_SIGCHLD ("stopped (before waitid)", CLD_STOPPED, SIGSTOP);
+
+ /* Now try a wait that should not succeed. */
+ siginfo_t info;
+@@ -227,7 +227,7 @@ do_test (int argc, char *argv[])
+ expecting_sigchld = 0;
+ }
+ else
+- CHECK_SIGCHLD ("continued", CLD_CONTINUED, SIGCONT);
++ CHECK_SIGCHLD ("continued (before waitid)", CLD_CONTINUED, SIGCONT);
+
+ info.si_signo = 0; /* A successful call sets it to SIGCHLD. */
+ info.si_pid = -1;
+@@ -336,6 +336,13 @@ do_test (int argc, char *argv[])
+ printf ("kill (%d, SIGSTOP): %m\n", pid);
+ RETURN (EXIT_FAILURE);
+ }
++
++ /* Give the child a chance to stop. The waitpid call below will block
++ until it has stopped, but if we are real quick and enter the waitpid
++ system call before the SIGCHLD has been generated, then it will be
++ discarded and never delivered. */
++ sleep (3);
++
+ pid_t wpid = waitpid (pid, &fail, WUNTRACED);
+ if (wpid < 0)
+ {
+@@ -354,7 +361,7 @@ do_test (int argc, char *argv[])
+ printf ("waitpid WUNTRACED on stopped: status %x\n", fail);
+ RETURN (EXIT_FAILURE);
+ }
+- CHECK_SIGCHLD ("stopped", CLD_STOPPED, SIGSTOP);
++ CHECK_SIGCHLD ("stopped (after waitpid)", CLD_STOPPED, SIGSTOP);
+
+ expecting_sigchld = 1;
+ if (kill (pid, SIGCONT) != 0)
+@@ -372,7 +379,7 @@ do_test (int argc, char *argv[])
+ expecting_sigchld = 0;
+ }
+ else
+- CHECK_SIGCHLD ("continued", CLD_CONTINUED, SIGCONT);
++ CHECK_SIGCHLD ("continued (before waitpid)", CLD_CONTINUED, SIGCONT);
+
+ wpid = waitpid (pid, &fail, WCONTINUED);
+ if (wpid < 0)
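Review bot: The `sleep (3);` added before `waitpid (pid, &fail, WUNTRACED)` only narrows the race it describes; on a heavily loaded build host the child may still not have stopped when the sleep returns, and by the new comment's own account the SIGCHLD is then lost and the following `CHECK_SIGCHLD ("stopped (after waitpid)", ...)` fails spuriously. The comment should say that the fix is timing-based, for example by ending it with `This is a heuristic delay, not a synchronization point; a slow machine can still lose the signal.` The same assumption applies to the pre-existing `sleep (3);` shown as context in the first hunk. do_test starts and ends outside these hunks.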
diff --git a/SOURCES/glibc-rh1406732-6.patch b/SOURCES/glibc-rh1406732-6.patch
new file mode 100644
index 0000000..e6a9369
--- /dev/null
+++ b/SOURCES/glibc-rh1406732-6.patch
@@ -0,0 +1,43 @@
+This is a downstream only patch for RHEL 7.
+
+See bug 1790475 for the history behind --disable-bind-now for ppc64.
+In summary: COPY relocations and BIND_NOW are incompatible on ppc64.
+The solution is to globally disable BIND_NOW hardening on ppc64 with
+--disable-bind-now and then use a downstream-only patch to partially
+enable BIND_NOW hardening for ppc64 to the level of hardening that
+works given the toolchain.
+
+diff --git a/sysdeps/powerpc/Makefile b/sysdeps/powerpc/Makefile
+index b11edd77bd2c22d4..47a9e7bcf66a8531 100644
+--- a/sysdeps/powerpc/Makefile
++++ b/sysdeps/powerpc/Makefile
+@@ -1,3 +1,29 @@
++################################################################################
++# Only enabled if we are not building for ppc64le.
++ifeq (,$(filter %le,$(config-machine)))
++# Enable bind-now behaviour by default for POWER. This is a downstream specific
++# change that is required due to a toolchain limitation in handling COPY
++# relocations and BIND_NOW (see rhbz#1790475).
++LDCFLAGS-c.so += -Wl,-z,now
++# Likewise. Take care that this is carefully selected to turn BIND_NOW back on
++# for ld.so without turning it back on for libpthread.so which has the
++# problematic OPD that generates a COPY relocation. Enable these only for the
++# elf subdir which is also used to build libc.so.6. This avoids enabling
++# BIND_NOW for libpthread.
++ifeq ($(subdir),elf)
++z-now-no = -Wl,-z,now
++LDFLAGS-lib.so += -Wl,-z,now
++link-extra-flags += -Wl,-z,now
++endif
++# Likewise. Take care that this is carefully selected to turn BIND_NOW
++# back on for iconv modules to ensure the data-only DSOs have consistently the
++# correct expected flags for DSOs (even if they don't really need them).
++ifeq ($(subdir),iconvdata)
++LDFLAGS.so += -Wl,-z,now
++endif
++endif
++################################################################################
++
+ ifeq ($(subdir),string)
+ CFLAGS-memcmp.c += -Wno-uninitialized
+ endif
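Review bot: `z-now-no = -Wl,-z,now` inside the `ifeq ($(subdir),elf)` block has no comment of its own, and the name reads as the opposite of what it now expands to. It presumably overrides the expansion chosen when the build is configured with --disable-bind-now, which deserves a line such as `# Redefine the bindnow=no expansion so ld.so is still linked with -z now.` The surrounding comments say libpthread.so is deliberately left without BIND_NOW, so on big-endian ppc64 that DSO stays lazily bound. The comment should state this reduced hardening level explicitly, and the package build should check the produced objects (for example with `readelf -d`) so the set of DSOs without BIND_NOW cannot grow unnoticed.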
diff --git a/SOURCES/glibc-rh1728915-1.patch b/SOURCES/glibc-rh1728915-1.patch
new file mode 100644
index 0000000..691af18
--- /dev/null
+++ b/SOURCES/glibc-rh1728915-1.patch
@@ -0,0 +1,147 @@ +commit 08b7e9988272113ca5640cf5e115ea51449fb392 +Author: Ian Kent +Date: Mon Sep 2 13:26:14 2019 +0200 + + Use autofs "ignore" mount hint in getmntent_r/getmntent + + Historically autofs mounts were not included in mount table + listings. This is the case in other SysV autofs implementations + and was also the case with Linux autofs. + + But now that /etc/mtab is a symlink to the proc filesystem + mount table the autofs mount entries appear in the mount table + on Linux. + + Prior to the symlinking of /etc/mtab mount table it was + sufficient to call mount(2) and simply not update /etc/mtab + to exclude autofs mounts from mount listings. + + Also, with the symlinking of /etc/mtab we have seen a shift in + usage toward using the proc mount tables directly. + + But the autofs mount entries need to be retained when coming + from the proc file system for applications that need them + (largely autofs file system users themselves) so filtering out + these entries within the kernel itself can't be done. So it + needs be done in user space. + + There are three reasons to omit the autofs mount entries. + + One is that certain types of auto-mounts have an autofs mount + for every entry in their autofs mount map and these maps can + be quite large. This leads to mount table listings containing + a lot of unnecessary entries. + + Also, this change in behaviour between autofs implementations + can cause problems for applications that use getmntent(3) in + other OS implementations as well as Linux. + + Lastly, there's very little that user space can do with autofs + mount entries since this must be left to the autofs mount owner, + typically the automount daemon. But it can also lead to attempts + to access automount managed paths resulting mounts being triggered + when they aren't needed or mounts staying mounted for much longer + thay they need be. 
While the point of this change ins't to help + with these problems (and it can be quite a problem) it may be + a welcome side effect. + + So the Linux autofs file system has been modified to accept a + pseudo mount option of "ignore" (as is used in other OS + implementations) so that user space can use this as a hint to + skip autofs entries on reading the mount table. + + The Linux autofs automount daemon used getmntent(3) itself and + has been modified to use the proc file system directly so that + it can "ignore" mount option. + + The use of this mount option is opt-in and a configuration + option has been added which defaults to not use this option + so if there are applications that need these entries, other + than autofs itself, they can be retained. Also, since this + filtering is based on an added mount option earlier versions + of Linux autofs iand other autofs file system users will not + use the option and so won't be affected by the change. + +diff -rup a/misc/mntent_r.c b/misc/mntent_r.c +--- a/misc/mntent_r.c 2012-12-24 22:02:13.000000000 -0500 ++++ b/misc/mntent_r.c 2020-01-20 15:55:23.417838854 -0500 +@@ -18,6 +18,7 @@ + + #include + #include ++#include + #include + #include + #include +@@ -112,26 +113,18 @@ decode_name (char *buf) + return buf; + } + +- +-/* Read one mount table entry from STREAM. Returns a pointer to storage +- reused on the next call, or null for EOF or error (use feof/ferror to +- check). 
*/ +-struct mntent * +-__getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) ++static bool ++get_mnt_entry (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) + { + char *cp; + char *head; + +- flockfile (stream); + do + { + char *end_ptr; + + if (fgets_unlocked (buffer, bufsiz, stream) == NULL) +- { +- funlockfile (stream); +- return NULL; +- } ++ return false; + + end_ptr = strchr (buffer, '\n'); + if (end_ptr != NULL) /* chop newline */ +@@ -173,9 +166,40 @@ __getmntent_r (FILE *stream, struct mnte + case 2: + break; + } ++ ++ return true; ++} ++ ++/* Read one mount table entry from STREAM. Returns a pointer to storage ++ reused on the next call, or null for EOF or error (use feof/ferror to ++ check). */ ++struct mntent * ++__getmntent_r (FILE *stream, struct mntent *mp, char *buffer, int bufsiz) ++{ ++ struct mntent *result; ++ ++ flockfile (stream); ++ while (true) ++ if (get_mnt_entry (stream, mp, buffer, bufsiz)) ++ { ++ /* If the file system is autofs look for a mount option hint ++ ("ignore") to skip the entry. */ ++ if (strcmp (mp->mnt_type, "autofs") == 0 && __hasmntopt (mp, "ignore")) ++ memset (mp, 0, sizeof (*mp)); ++ else ++ { ++ result = mp; ++ break; ++ } ++ } ++ else ++ { ++ result = NULL; ++ break; ++ } + funlockfile (stream); + +- return mp; ++ return result; + } + libc_hidden_def (__getmntent_r) + weak_alias (__getmntent_r, getmntent_r) diff --git a/SOURCES/glibc-rh1728915-2.patch b/SOURCES/glibc-rh1728915-2.patch new file mode 100644 index 0000000..679c3c0 --- /dev/null +++ b/SOURCES/glibc-rh1728915-2.patch 
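Review bot: The comment restored above `__getmntent_r` still describes only "Read one mount table entry", while the new loop silently skips every entry whose type is `autofs` and whose options contain `ignore`. Programs that enumerate mounts through getmntent or getmntent_r for auditing, monitoring or path checks stop seeing those mount points without any indication, so the function comment should say so, for example `Entries of type "autofs" that carry the "ignore" mount option are skipped.` As a point of style, the `while (true)` body is an unbraced if/else with two `break` exits; bracing the loop body would make the exits easier to audit. `get_mnt_entry` starts in the previous hunk and its middle is not shown here.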
@@ -0,0 +1,164 @@ +commit 9a1e7257a4292d3aea45c8317df3956f4331d8ce +Author: Florian Weimer +Date: Mon Sep 2 12:40:38 2019 +0200 + + Add misc/tst-mntent-autofs, testing autofs "ignore" filtering + +diff -rupN a/misc/Makefile b/misc/Makefile +--- a/misc/Makefile 2020-01-20 15:48:16.472243494 -0500 ++++ b/misc/Makefile 2020-01-20 16:03:01.291550472 -0500 +@@ -76,7 +76,8 @@ install-lib := libbsd-compat.a libg.a + gpl2lgpl := error.c error.h + + tests := tst-dirname tst-tsearch tst-fdset tst-efgcvt tst-mntent tst-hsearch \ +- tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240 ++ tst-error1 tst-pselect tst-insremque tst-mntent2 bug-hsearch1 bug18240 \ ++ tst-mntent-autofs + ifeq ($(run-built-tests),yes) + tests: $(objpfx)tst-error1-mem + endif +diff -rupN a/misc/tst-mntent-autofs.c b/misc/tst-mntent-autofs.c +--- a/misc/tst-mntent-autofs.c 1969-12-31 19:00:00.000000000 -0500 ++++ b/misc/tst-mntent-autofs.c 2020-01-20 16:01:37.233483270 -0500 +@@ -0,0 +1,141 @@ ++/* Test autofs "ignore" filtering for getment_r. ++ Copyright (C) 2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . 
*/ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++struct test_case ++{ ++ const char *line; ++ struct ++ { ++ /* Like struct mntent, but with const pointers. */ ++ const char *mnt_fsname; ++ const char *mnt_dir; ++ const char *mnt_type; ++ const char *mnt_opts; ++ int mnt_freq; ++ int mnt_passno; ++ } expected; ++}; ++ ++static struct test_case test_cases[] = ++ { ++ { "/etc/auto.direct /mnt/auto/1 autofs defaults 0 0", ++ { "/etc/auto.direct", "/mnt/auto/1", "autofs", "defaults", 0, 0 } }, ++ ++ /* These entries are filtered out. */ ++ { "/etc/auto.2 /mnt/auto/2 autofs ignore 0 0", { NULL, } }, ++ { "/etc/auto.3 /mnt/auto/3 autofs ignore,other 1 2", { NULL, } }, ++ { "/etc/auto.4 /mnt/auto/4 autofs other,ignore 3 4", { NULL, } }, ++ { "/etc/auto.5 /mnt/auto/5 autofs opt1,ignore,opt2 5 6", { NULL, } }, ++ ++ /* Dummy entry to make the desynchronization more obvious. */ ++ { "/dev/sda1 / xfs defaults 0 0", ++ { "/dev/sda1", "/", "xfs", "defaults", 0, 0 } }, ++ ++ /* These are not filtered because the file system is not autofs. */ ++ { "/etc/auto.direct /mnt/auto/6 autofs1 ignore 0 0", ++ { "/etc/auto.direct", "/mnt/auto/6", "autofs1", "ignore", 0, 0 } }, ++ { "/etc/auto.direct /mnt/auto/7 autofs1 ignore,other 0 0", ++ { "/etc/auto.direct", "/mnt/auto/7", "autofs1", "ignore,other", 0, 0 } }, ++ { "/etc/auto.direct /mnt/auto/8 autofs1 other,ignore 0 0", ++ { "/etc/auto.direct", "/mnt/auto/8", "autofs1", "other,ignore", 0, 0 } }, ++ { "/etc/auto.direct /mnt/auto/9 autofs1 opt1,ignore,opt2 0 0", ++ { "/etc/auto.direct", "/mnt/auto/9", "autofs1", "opt1,ignore,opt2", } }, ++ ++ /* These are not filtered because the string "ignore" is not an ++ option name. 
*/ ++ { "/etc/auto.direct /mnt/auto/10 autofs noignore 1 2", ++ { "/etc/auto.direct", "/mnt/auto/10", "autofs", "noignore", 1, 2 } }, ++ { "/etc/auto.direct /mnt/auto/11 autofs noignore,other 0 0", ++ { "/etc/auto.direct", "/mnt/auto/11", "autofs", "noignore,other", } }, ++ { "/etc/auto.direct /mnt/auto/12 autofs other,noignore 0 0", ++ { "/etc/auto.direct", "/mnt/auto/12", "autofs", "other,noignore", } }, ++ { "/etc/auto.direct /mnt/auto/13 autofs errors=ignore 0 0", ++ { "/etc/auto.direct", "/mnt/auto/13", "autofs", "errors=ignore", } }, ++ { "/etc/auto.direct /mnt/auto/14 autofs errors=ignore,other 0 0", ++ { "/etc/auto.direct", "/mnt/auto/14", "autofs", ++ "errors=ignore,other", } }, ++ { "/etc/auto.direct /mnt/auto/15 autofs other,errors=ignore 0 0", ++ { "/etc/auto.direct", "/mnt/auto/15", "autofs", ++ "other,errors=ignore", } }, ++ ++ /* These are not filtered because the string is escaped. '\151' ++ is 'i', but it is not actually decoded by the parser. */ ++ { "/etc/auto.\\151gnore /mnt/auto/16 autofs \\151gnore 0 0", ++ { "/etc/auto.\\151gnore", "/mnt/auto/16", "autofs", ++ "\\151gnore", } }, ++ }; ++ ++static int ++do_test (void) ++{ ++ char *path; ++ xclose (create_temp_file ("tst-mntent-autofs-", &path)); ++ ++ /* Write the test file. */ ++ FILE *fp = xfopen (path, "w"); ++ for (size_t i = 0; i < array_length (test_cases); ++i) ++ fprintf (fp, "%s\n", test_cases[i].line); ++ xfclose (fp); ++ ++ /* Open the test file again, this time for parsing. 
*/ ++ fp = setmntent (path, "r"); ++ TEST_VERIFY_EXIT (fp != NULL); ++ char buffer[512]; ++ struct mntent me; ++ ++ for (size_t i = 0; i < array_length (test_cases); ++i) ++ { ++ if (test_cases[i].expected.mnt_type == NULL) ++ continue; ++ ++ memset (buffer, 0xcc, sizeof (buffer)); ++ memset (&me, 0xcc, sizeof (me)); ++ struct mntent *pme = getmntent_r (fp, &me, buffer, sizeof (buffer)); ++ TEST_VERIFY_EXIT (pme != NULL); ++ TEST_VERIFY (pme == &me); ++ TEST_COMPARE_STRING (test_cases[i].expected.mnt_fsname, me.mnt_fsname); ++ TEST_COMPARE_STRING (test_cases[i].expected.mnt_dir, me.mnt_dir); ++ TEST_COMPARE_STRING (test_cases[i].expected.mnt_type, me.mnt_type); ++ TEST_COMPARE_STRING (test_cases[i].expected.mnt_opts, me.mnt_opts); ++ TEST_COMPARE (test_cases[i].expected.mnt_freq, me.mnt_freq); ++ TEST_COMPARE (test_cases[i].expected.mnt_passno, me.mnt_passno); ++ } ++ ++ TEST_VERIFY (getmntent_r (fp, &me, buffer, sizeof (buffer)) == NULL); ++ ++ TEST_COMPARE (feof (fp), 1); ++ TEST_COMPARE (ferror (fp), 0); ++ errno = 0; ++ TEST_COMPARE (endmntent (fp), 1); ++ TEST_COMPARE (errno, 0); ++ free (path); ++ return 0; ++} ++ ++#include diff --git a/SOURCES/glibc-rh1740039-1.patch b/SOURCES/glibc-rh1740039-1.patch new file mode 100644 index 0000000..cc439f6 --- /dev/null +++ b/SOURCES/glibc-rh1740039-1.patch 
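Review bot: `test_cases` has no entry where `ignore` itself carries a value (a constructed example would be an options field of `ignore=x`), although `errors=ignore` and `noignore` are covered. hasmntopt presumably accepts an option name followed by `=`, so such an autofs entry would be filtered; a case should pin whichever behaviour is intended. The file's first comment says `getment_r` where `getmntent_r` is meant. Several expected initialisers (the `/mnt/auto/9` entry and those after it) omit `mnt_freq` and `mnt_passno` and rely on zero-initialisation; writing `0, 0` as the earlier entries do would keep the table uniform.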
@@ -0,0 +1,160 @@ +Partial backport of: + +commit a42faf59d6d9f82e5293a9ebcc26d9c9e562b12b +Author: Paul Pluzhnikov +Date: Mon Mar 24 10:58:26 2014 -0700 + + Fix BZ #16634. + + An application that erroneously tries to repeatedly dlopen("a.out", ...) + may hit assertion failure: + + Inconsistency detected by ld.so: dl-tls.c: 474: _dl_allocate_tls_init: + Assertion `listp != ((void *)0)' failed! + + dlopen() actually fails with "./a.out: cannot dynamically load executable", + but it does so after incrementing dl_tls_max_dtv_idx. + + Once we run out of TLS_SLOTINFO_SURPLUS (62), we exit with above assertion + failure. + + 2014-03-24 Paul Pluzhnikov + + [BZ #16634] + + * elf/dl-load.c (open_verify): Add mode parameter. + Error early when ET_EXEC and mode does not have __RTLD_OPENEXEC. + (open_path): Change from boolean 'secure' to complete flag 'mode' + (_dl_map_object): Adjust. + * elf/Makefile (tests): Add tst-dlopen-aout. + * elf/tst-dlopen-aout.c: New test. + +Only the change to elf/dl-load.c is included here. The upstream test +does not work because it depends on --enable-hardcoded-path-in-tests +(which is not available in this tree, despite being documented in the +manual). + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index 6a0005da502c8f37..0ba0712aa5201fa0 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1686,7 +1686,7 @@ print_search_path (struct r_search_path_elem **list, + user might want to know about this. */ + static int + open_verify (const char *name, struct filebuf *fbp, struct link_map *loader, +- int whatcode, bool *found_other_class, bool free_name) ++ int whatcode, int mode, bool *found_other_class, bool free_name) + { + /* This is the expected ELF header. 
*/ + #define ELF32_CLASS ELFCLASS32 +@@ -1863,6 +1863,17 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader, + errstring = N_("only ET_DYN and ET_EXEC can be loaded"); + goto call_lose; + } ++ else if (__glibc_unlikely (ehdr->e_type == ET_EXEC ++ && (mode & __RTLD_OPENEXEC) == 0)) ++ { ++ /* BZ #16634. It is an error to dlopen ET_EXEC (unless ++ __RTLD_OPENEXEC is explicitly set). We return error here ++ so that code in _dl_map_object_from_fd does not try to set ++ l_tls_modid for this module. */ ++ ++ errstring = N_("cannot dynamically load executable"); ++ goto call_lose; ++ } + else if (__builtin_expect (ehdr->e_phentsize, sizeof (ElfW(Phdr))) + != sizeof (ElfW(Phdr))) + { +@@ -1964,7 +1975,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader, + if MAY_FREE_DIRS is true. */ + + static int +-open_path (const char *name, size_t namelen, int secure, ++open_path (const char *name, size_t namelen, int mode, + struct r_search_path_struct *sps, char **realname, + struct filebuf *fbp, struct link_map *loader, int whatcode, + bool *found_other_class) +@@ -2016,8 +2027,8 @@ open_path (const char *name, size_t namelen, int secure, + if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_LIBS, 0)) + _dl_debug_printf (" trying file=%s\n", buf); + +- fd = open_verify (buf, fbp, loader, whatcode, found_other_class, +- false); ++ fd = open_verify (buf, fbp, loader, whatcode, mode, ++ found_other_class, false); + if (this_dir->status[cnt] == unknown) + { + if (fd != -1) +@@ -2046,7 +2057,7 @@ open_path (const char *name, size_t namelen, int secure, + /* Remember whether we found any existing directory. 
*/ + here_any |= this_dir->status[cnt] != nonexisting; + +- if (fd != -1 && __builtin_expect (secure, 0) ++ if (fd != -1 && __builtin_expect (mode & __RTLD_SECURE, 0) + && INTUSE(__libc_enable_secure)) + { + /* This is an extra security effort to make sure nobody can +@@ -2236,7 +2247,7 @@ _dl_map_object (struct link_map *loader, const char *name, + for (l = loader; l; l = l->l_loader) + if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH")) + { +- fd = open_path (name, namelen, mode & __RTLD_SECURE, ++ fd = open_path (name, namelen, mode, + &l->l_rpath_dirs, + &realname, &fb, loader, LA_SER_RUNPATH, + &found_other_class); +@@ -2252,7 +2263,7 @@ _dl_map_object (struct link_map *loader, const char *name, + && main_map != NULL && main_map->l_type != lt_loaded + && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH, + "RPATH")) +- fd = open_path (name, namelen, mode & __RTLD_SECURE, ++ fd = open_path (name, namelen, mode, + &main_map->l_rpath_dirs, + &realname, &fb, loader ?: main_map, LA_SER_RUNPATH, + &found_other_class); +@@ -2260,7 +2271,7 @@ _dl_map_object (struct link_map *loader, const char *name, + + /* Try the LD_LIBRARY_PATH environment variable. 
*/ + if (fd == -1 && env_path_list.dirs != (void *) -1) +- fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list, ++ fd = open_path (name, namelen, mode, &env_path_list, + &realname, &fb, + loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded, + LA_SER_LIBPATH, &found_other_class); +@@ -2269,7 +2280,7 @@ _dl_map_object (struct link_map *loader, const char *name, + if (fd == -1 && loader != NULL + && cache_rpath (loader, &loader->l_runpath_dirs, + DT_RUNPATH, "RUNPATH")) +- fd = open_path (name, namelen, mode & __RTLD_SECURE, ++ fd = open_path (name, namelen, mode, + &loader->l_runpath_dirs, &realname, &fb, loader, + LA_SER_RUNPATH, &found_other_class); + +@@ -2326,7 +2337,8 @@ _dl_map_object (struct link_map *loader, const char *name, + { + fd = open_verify (cached, + &fb, loader ?: GL(dl_ns)[nsid]._ns_loaded, +- LA_SER_CONFIG, &found_other_class, false); ++ LA_SER_CONFIG, mode, &found_other_class, ++ false); + if (__builtin_expect (fd != -1, 1)) + realname = cached; + else +@@ -2341,7 +2353,7 @@ _dl_map_object (struct link_map *loader, const char *name, + && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL + || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1)) + && rtld_search_dirs.dirs != (void *) -1) +- fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs, ++ fd = open_path (name, namelen, mode, &rtld_search_dirs, + &realname, &fb, l, LA_SER_DEFAULT, &found_other_class); + + /* Add another newline when we are tracing the library loading. */ +@@ -2359,7 +2371,7 @@ _dl_map_object (struct link_map *loader, const char *name, + else + { + fd = open_verify (realname, &fb, +- loader ?: GL(dl_ns)[nsid]._ns_loaded, 0, ++ loader ?: GL(dl_ns)[nsid]._ns_loaded, 0, mode, + &found_other_class, true); + if (__builtin_expect (fd, 0) == -1) + free (realname); diff --git a/SOURCES/glibc-rh1740039-2.patch b/SOURCES/glibc-rh1740039-2.patch new file mode 100644 index 0000000..7102aa2 --- /dev/null +++ b/SOURCES/glibc-rh1740039-2.patch 
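Review bot: The third parameter of `open_path` stays an `int` while its meaning changes from the boolean `secure` to the complete `mode` flag word. A call site that still passes `mode & __RTLD_SECURE` therefore compiles without a diagnostic and drops `__RTLD_OPENEXEC` before it reaches the new ET_EXEC check in `open_verify`. Every call visible in these hunks is updated, but the comments above `open_path` and `open_verify` lie outside the hunks and should be checked for the old wording. The parameter deserves a line such as `MODE is the full dlopen mode word; __RTLD_SECURE and __RTLD_OPENEXEC are tested from it.` The note already in the new branch, that it returns before `_dl_map_object_from_fd` can set `l_tls_modid`, is the load-bearing ordering and is worth repeating in the function comment.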
@@ -0,0 +1,174 @@ +Partial backport of: + +commit 7d3db434f910c23591f748a6d0ac3548af1048bb +Author: Florian Weimer +Date: Thu Oct 17 08:51:21 2019 +0200 + + Rename and split elf/tst-dlopen-aout collection of tests + + From the beginning, elf/tst-dlopen-aout has exercised two different + bugs: (a) failure to report errors for a dlopen of the executable + itself in some cases (bug 24900) and (b) incorrect rollback of the + TLS modid allocation in case of a dlopen failure (bug 16634). + + This commit replaces the test with elf/tst-dlopen-self for (a) and + elf/tst-dlopen-tlsmodid for (b). The latter tests use the + elf/tst-dlopen-self binaries (or iconv) with dlopen, so they are + no longer self-dlopen tests. + + Tested on x86_64-linux-gnu and i686-linux-gnu, with a toolchain that + does not default to PIE. + +Only the non-PIE, non-container test elf/tst-dlopen-tlsmodid is +included. The reason is that the self-dlopen fixes and the PIE TLS +modid fix have not been backported, and that container testing support +is missing downstream. The test binary is adjusted to tst-tls10 +because tst-dlopen-self does not exist in the backport. 
+ +diff --git a/elf/Makefile b/elf/Makefile +index cfd039fc9dfb0be7..c22008b54afc91f5 100644 +--- a/elf/Makefile ++++ b/elf/Makefile +@@ -153,7 +153,7 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \ + tst-stackguard1 tst-addr1 tst-thrlock \ + tst-unique1 tst-unique2 tst-unique3 tst-unique4 \ + tst-initorder tst-initorder2 tst-relsort1 tst-ptrguard1 \ +- tst-big-note ++ tst-big-note tst-dlopen-tlsmodid + # reldep9 + test-srcs = tst-pathopt + selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null) +@@ -1101,6 +1101,9 @@ $(objpfx)tst-addr1: $(libdl) + + $(objpfx)tst-thrlock: $(libdl) $(shared-thread-library) + ++$(objpfx)tst-dlopen-tlsmodid: $(libdl) $(shared-thread-library) ++$(objpfx)tst-dlopen-tlsmodid.out: $(objpfx)tst-tls10 ++ + CFLAGS-ifuncmain1pic.c += $(pic-ccflag) + CFLAGS-ifuncmain1picstatic.c += $(pic-ccflag) + CFLAGS-ifuncmain1staticpic.c += $(pic-ccflag) +diff --git a/elf/tst-dlopen-tlsmodid.c b/elf/tst-dlopen-tlsmodid.c +new file mode 100644 +index 0000000000000000..c5b1c39369aa610c +--- /dev/null ++++ b/elf/tst-dlopen-tlsmodid.c +@@ -0,0 +1,25 @@ ++/* Test case for BZ #16634. Non-PIE version. ++ ++ Verify that incorrectly dlopen()ing an executable without ++ __RTLD_OPENEXEC does not cause assertion in ld.so, and that it ++ actually results in an error. ++ ++ Copyright (C) 2014-2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. 
++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++#define TST_DLOPEN_TLSMODID_PATH "tst-tls10" ++#include "tst-dlopen-tlsmodid.h" +diff --git a/elf/tst-dlopen-tlsmodid.h b/elf/tst-dlopen-tlsmodid.h +new file mode 100644 +index 0000000000000000..c747cb14911c72fa +--- /dev/null ++++ b/elf/tst-dlopen-tlsmodid.h +@@ -0,0 +1,87 @@ ++/* Common code for tst-dlopen-tlsmodid, tst-dlopen-tlsmodid-pie, ++ tst-dlopen-tlsmodid-container. ++ ++ Verify that incorrectly dlopen()ing an executable without ++ __RTLD_OPENEXEC does not cause assertion in ld.so, and that it ++ actually results in an error. ++ ++ Copyright (C) 2014-2019 Free Software Foundation, Inc. ++ This file is part of the GNU C Library. ++ ++ The GNU C Library is free software; you can redistribute it and/or ++ modify it under the terms of the GNU Lesser General Public ++ License as published by the Free Software Foundation; either ++ version 2.1 of the License, or (at your option) any later version. ++ ++ The GNU C Library is distributed in the hope that it will be useful, ++ but WITHOUT ANY WARRANTY; without even the implied warranty of ++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU ++ Lesser General Public License for more details. ++ ++ You should have received a copy of the GNU Lesser General Public ++ License along with the GNU C Library; if not, see ++ . */ ++ ++/* Before including this file, the macro TST_DLOPEN_TLSMODID_PATH must ++ be defined, to specify the path used for the open operation. */ ++ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++__thread int x; ++ ++void * ++fn (void *p) ++{ ++ return p; ++} ++ ++/* Call dlopen and check that fails with an error message indicating ++ an attempt to open an ET_EXEC or PIE object. 
*/ ++static void ++check_dlopen_failure (void) ++{ ++ void *handle = dlopen (TST_DLOPEN_TLSMODID_PATH, RTLD_LAZY); ++ if (handle != NULL) ++ FAIL_EXIT1 ("dlopen succeeded unexpectedly: %s", TST_DLOPEN_TLSMODID_PATH); ++ ++ const char *message = dlerror (); ++ TEST_VERIFY_EXIT (message != NULL); ++ if ((strstr (message, ++ "cannot dynamically load position-independent executable") ++ == NULL) ++ && strstr (message, "cannot dynamically load executable") == NULL) ++ FAIL_EXIT1 ("invalid dlopen error message: \"%s\"", message); ++} ++ ++static int ++do_test (int argc, char *argv[]) ++{ ++ int j; ++ ++ for (j = 0; j < 100; ++j) ++ { ++ pthread_t thr; ++ ++ check_dlopen_failure (); ++ ++ /* We create threads to force TLS allocation, which triggers ++ the original bug i.e. running out of surplus slotinfo entries ++ for TLS. */ ++ thr = xpthread_create (NULL, fn, NULL); ++ xpthread_join (thr); ++ } ++ ++ check_dlopen_failure (); ++ ++ return 0; ++} ++ ++#define TEST_FUNCTION_ARGV do_test ++#include diff --git a/SOURCES/glibc-rh1747465-1.patch b/SOURCES/glibc-rh1747465-1.patch new file mode 100644 index 0000000..d8d5245 --- /dev/null +++ b/SOURCES/glibc-rh1747465-1.patch 
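Review bot: The loop bound `100` in `do_test` is unexplained, and the test only exercises the bug because that bound exceeds the TLS_SLOTINFO_SURPLUS value of 62 quoted in the description of the companion dl-load.c patch. A comment such as `/* More iterations than TLS_SLOTINFO_SURPLUS (62): one leaked modid per failed dlopen would exhaust the surplus. */` would keep the test meaningful if that constant changes. `__thread int x;` and `fn` also have external linkage and no comment. If `x` exists only to give the test binary a TLS segment (presumably), a one-line note saying so would help, and `fn` could be `static`.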
@@ -0,0 +1,43 @@
+commit 477e739b324349df854209117047779ac3142130
+Author: Joseph Myers
+Date: Fri Mar 15 18:18:40 2019 +0000
+
+ Update syscall-names.list for Linux 5.0.
+
+ This patch updates sysdeps/unix/sysv/linux/syscall-names.list for
+ Linux 5.0. Based on testing with build-many-glibcs.py, the only new
+ entry needed is for old_getpagesize (a newly added __NR_* name for an
+ old syscall on ia64). (Because 5.0 changes how syscall tables are
+ handled in the kernel, checking diffs wasn't a useful way of looking
+ for new syscalls in 5.0 as most of the syscall tables were moved to
+ the new representation without actually adding any syscalls to them.)
+
+ Tested with build-many-glibcs.py.
+
+ * sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
+ version to 5.0.
+ (old_getpagesize): New syscall.
+
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index b650dc07cc..0227e52a5f 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -22,8 +22,8 @@
+ # names are only used if the installed kernel headers also provide
+ # them.
+
+-# The list of system calls is current as of Linux 4.20.
+-kernel 4.20
++# The list of system calls is current as of Linux 5.0.
++kernel 5.0
+
+ FAST_atomic_update
+ FAST_cmpxchg
+@@ -261,6 +261,7 @@ nfsservctl
+ ni_syscall
+ nice
+ old_adjtimex
++old_getpagesize
+ oldfstat
+ oldlstat
+ oldolduname
diff --git a/SOURCES/glibc-rh1747465-2.patch b/SOURCES/glibc-rh1747465-2.patch
new file mode 100644
index 0000000..a336060
--- /dev/null
+++ b/SOURCES/glibc-rh1747465-2.patch
@@ -0,0 +1,181 @@ +commit 7621676f7a5130c030f7fff1cab72dbf2993b837 +Author: Joseph Myers +Date: Tue May 7 23:57:26 2019 +0000 + + Update syscall-names.list for Linux 5.1. + + This patch updates syscall-names.list for Linux 5.1 (which has many + new syscalls, mainly but not entirely ones for 64-bit time). + + Tested with build-many-glibcs.py (before the revert of the move to + Linux 5.1 there; verified there were no tst-syscall-list failures). + + * sysdeps/unix/sysv/linux/syscall-names.list: Update kernel + version to 5.1. + (clock_adjtime64) New syscall. + (clock_getres_time64) Likewise. + (clock_gettime64) Likewise. + (clock_nanosleep_time64) Likewise. + (clock_settime64) Likewise. + (futex_time64) Likewise. + (io_pgetevents_time64) Likewise. + (io_uring_enter) Likewise. + (io_uring_register) Likewise. + (io_uring_setup) Likewise. + (mq_timedreceive_time64) Likewise. + (mq_timedsend_time64) Likewise. + (pidfd_send_signal) Likewise. + (ppoll_time64) Likewise. + (pselect6_time64) Likewise. + (recvmmsg_time64) Likewise. + (rt_sigtimedwait_time64) Likewise. + (sched_rr_get_interval_time64) Likewise. + (semtimedop_time64) Likewise. + (timer_gettime64) Likewise. + (timer_settime64) Likewise. + (timerfd_gettime64) Likewise. + (timerfd_settime64) Likewise. + (utimensat_time64) Likewise. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 0227e52a5f..2d0354b8b3 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -22,8 +22,8 @@ + # names are only used if the installed kernel headers also provide + # them. + +-# The list of system calls is current as of Linux 5.0. +-kernel 5.0 ++# The list of system calls is current as of Linux 5.1. 
++kernel 5.1 + + FAST_atomic_update + FAST_cmpxchg +@@ -63,10 +63,15 @@ chown + chown32 + chroot + clock_adjtime ++clock_adjtime64 + clock_getres ++clock_getres_time64 + clock_gettime ++clock_gettime64 + clock_nanosleep ++clock_nanosleep_time64 + clock_settime ++clock_settime64 + clone + clone2 + close +@@ -128,6 +133,7 @@ ftime + ftruncate + ftruncate64 + futex ++futex_time64 + futimesat + get_kernel_syms + get_mempolicy +@@ -187,8 +193,12 @@ io_cancel + io_destroy + io_getevents + io_pgetevents ++io_pgetevents_time64 + io_setup + io_submit ++io_uring_enter ++io_uring_register ++io_uring_setup + ioctl + ioperm + iopl +@@ -242,7 +252,9 @@ mq_getsetattr + mq_notify + mq_open + mq_timedreceive ++mq_timedreceive_time64 + mq_timedsend ++mq_timedsend_time64 + mq_unlink + mremap + msgctl +@@ -389,6 +401,7 @@ perf_event_open + perfctr + perfmonctl + personality ++pidfd_send_signal + pipe + pipe2 + pivot_root +@@ -397,6 +410,7 @@ pkey_free + pkey_mprotect + poll + ppoll ++ppoll_time64 + prctl + pread64 + preadv +@@ -407,6 +421,7 @@ process_vm_writev + prof + profil + pselect6 ++pselect6_time64 + ptrace + putpmsg + pwrite64 +@@ -424,6 +439,7 @@ reboot + recv + recvfrom + recvmmsg ++recvmmsg_time64 + recvmsg + remap_file_pages + removexattr +@@ -442,6 +458,7 @@ rt_sigqueueinfo + rt_sigreturn + rt_sigsuspend + rt_sigtimedwait ++rt_sigtimedwait_time64 + rt_tgsigqueueinfo + rtas + s390_guarded_storage +@@ -457,6 +474,7 @@ sched_getattr + sched_getparam + sched_getscheduler + sched_rr_get_interval ++sched_rr_get_interval_time64 + sched_set_affinity + sched_setaffinity + sched_setattr +@@ -470,6 +488,7 @@ semctl + semget + semop + semtimedop ++semtimedop_time64 + send + sendfile + sendfile64 +@@ -567,11 +586,15 @@ timer_create + timer_delete + timer_getoverrun + timer_gettime ++timer_gettime64 + timer_settime ++timer_settime64 + timerfd + timerfd_create + timerfd_gettime ++timerfd_gettime64 + timerfd_settime ++timerfd_settime64 + times + tkill + truncate +@@ -591,6 +614,7 @@ 
userfaultfd + ustat + utime + utimensat ++utimensat_time64 + utimes + utrap_install + vfork diff --git a/SOURCES/glibc-rh1747465-3.patch b/SOURCES/glibc-rh1747465-3.patch new file mode 100644 index 0000000..5488fe1 --- /dev/null +++ b/SOURCES/glibc-rh1747465-3.patch @@ -0,0 +1,58 @@ +commit 0bb8f8c791862a4ff38a584af23bbb5bf3f90acd +Author: Florian Weimer +Date: Fri May 31 13:52:16 2019 +0200 + + Linux: Add oddly-named arm syscalls to syscall-names.list + + on arm defines the following macros: + + #define __ARM_NR_breakpoint (__ARM_NR_BASE+1) + #define __ARM_NR_cacheflush (__ARM_NR_BASE+2) + #define __ARM_NR_usr26 (__ARM_NR_BASE+3) + #define __ARM_NR_usr32 (__ARM_NR_BASE+4) + #define __ARM_NR_set_tls (__ARM_NR_BASE+5) + #define __ARM_NR_get_tls (__ARM_NR_BASE+6) + + These do not follow the regular __NR_* naming convention and + have so far been ignored by the syscall-names.list consistency + checks. This commit adds these names to the file, preparing + for the availability of these names in the regular __NR_* + namespace. + +diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list +index 2d0354b8b3..ae8adabb70 100644 +--- a/sysdeps/unix/sysv/linux/syscall-names.list ++++ b/sysdeps/unix/sysv/linux/syscall-names.list +@@ -52,6 +52,7 @@ bdflush + bind + bpf + break ++breakpoint + brk + cachectl + cacheflush +@@ -139,6 +140,7 @@ get_kernel_syms + get_mempolicy + get_robust_list + get_thread_area ++get_tls + getcpu + getcwd + getdents +@@ -499,6 +501,7 @@ set_mempolicy + set_robust_list + set_thread_area + set_tid_address ++set_tls + setdomainname + setfsgid + setfsgid32 +@@ -611,6 +614,8 @@ unlinkat + unshare + uselib + userfaultfd ++usr26 ++usr32 + ustat + utime + utimensat diff --git a/SOURCES/glibc-rh1747465-4.patch b/SOURCES/glibc-rh1747465-4.patch new file mode 100644 index 0000000..53988c6 --- /dev/null +++ b/SOURCES/glibc-rh1747465-4.patch 
@@ -0,0 +1,30 @@
+commit a63b96fbddbf97feaa068a9efed3b5623a1a1e78
+Author: Vincent Chen
+Date: Wed Jun 26 17:30:11 2019 +0800
+
+ Linux: Add nds32 specific syscalls to syscall-names.list
+
+ The nds32 creates two specific syscalls, udftrap and fp_udfiex_crtl, in
+ kernel v5.0 and v5.2, respectively. Add these two syscalls to
+ syscall-names.list.
+
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index ae8adabb70..95aa3ec7a5 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -121,6 +121,7 @@ finit_module
+ flistxattr
+ flock
+ fork
++fp_udfiex_crtl
+ free_hugepages
+ fremovexattr
+ fsetxattr
+@@ -603,6 +604,7 @@ tkill
+ truncate
+ truncate64
+ tuxcall
++udftrap
+ ugetrlimit
+ ulimit
+ umask
diff --git a/SOURCES/glibc-rh1747465-5.patch b/SOURCES/glibc-rh1747465-5.patch
new file mode 100644
index 0000000..5f29118
--- /dev/null
+++ b/SOURCES/glibc-rh1747465-5.patch
@@ -0,0 +1,52 @@
+commit 1f7097d09ce628878107ed30341cfc1eb3649a81
+Author: Florian Weimer
+Date: Fri Jul 19 08:53:04 2019 +0200
+
+ Linux: Update syscall-names.list to Linux 5.2
+
+ This adds the system call names fsconfig, fsmount, fsopen, fspick,
+ move_mount, open_tree.
+
+ Tested with build-many-glibcs.py.
+
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index 95aa3ec7a5..21bf37c627 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -23,7 +23,7 @@
+ # them.
+
+ # The list of system calls is current as of Linux 5.1.
+-kernel 5.1
++kernel 5.2
+
+ FAST_atomic_update
+ FAST_cmpxchg
+@@ -124,7 +124,11 @@ fork
+ fp_udfiex_crtl
+ free_hugepages
+ fremovexattr
++fsconfig
+ fsetxattr
++fsmount
++fsopen
++fspick
+ fstat
+ fstat64
+ fstatat64
+@@ -248,6 +252,7 @@ mmap
+ mmap2
+ modify_ldt
+ mount
++move_mount
+ move_pages
+ mprotect
+ mpx
+@@ -285,6 +290,7 @@ oldumount
+ olduname
+ open
+ open_by_handle_at
++open_tree
+ openat
+ osf_adjtime
+ osf_afs_syscall
diff --git a/SOURCES/glibc-rh1747465-6.patch b/SOURCES/glibc-rh1747465-6.patch
new file mode 100644
index 0000000..9322a53
--- /dev/null
+++ b/SOURCES/glibc-rh1747465-6.patch
@@ -0,0 +1,24 @@
+commit 9c37bde5a2067e5b4dc878bac0291d6b207b8add
+Author: Joseph Myers
+Date: Fri Aug 2 15:08:02 2019 +0000
+
+ Update kernel version in comment in syscall-names.list.
+
+ This patch updates the Linux kernel version in a comment in
+ syscall-names.list to agree with the following "kernel" line.
+
+ * sysdeps/unix/sysv/linux/syscall-names.list: Update comment.
+
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index 21bf37c627..9dcdd293d3 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -22,7 +22,7 @@
+ # names are only used if the installed kernel headers also provide
+ # them.
+
+-# The list of system calls is current as of Linux 5.1.
++# The list of system calls is current as of Linux 5.2.
+ kernel 5.2
+
+ FAST_atomic_update
diff --git a/SOURCES/glibc-rh1747465-7.patch b/SOURCES/glibc-rh1747465-7.patch
new file mode 100644
index 0000000..1728729
--- /dev/null
+++ b/SOURCES/glibc-rh1747465-7.patch
@@ -0,0 +1,47 @@
+commit 0f02b6cfc44af73d4d4363c46b3cbb18b8ff9171
+Author: Joseph Myers
+Date: Wed Sep 18 22:57:46 2019 +0000
+
+ Update syscall-names.list for Linux 5.3.
+
+ This patch updates syscall-names.list for Linux 5.3, adding two new
+ syscalls.
+
+ Tested with build-many-glibcs.py.
+
+ * sysdeps/unix/sysv/linux/syscall-names.list: Update kernel
+ version to 5.3.
+ (clone3): New syscall.
+ (pidfd_open): Likewise.
+
+diff --git a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+index e2382d3414..b55ffbc2a0 100644
+--- a/sysdeps/unix/sysv/linux/syscall-names.list
++++ b/sysdeps/unix/sysv/linux/syscall-names.list
+@@ -22,8 +22,8 @@
+ # names are only used if the installed kernel headers also provide
+ # them.
+
+-# The list of system calls is current as of Linux 5.2.
+-kernel 5.2
++# The list of system calls is current as of Linux 5.3.
++kernel 5.3
+
+ FAST_atomic_update
+ FAST_cmpxchg
+@@ -75,6 +75,7 @@ clock_settime
+ clock_settime64
+ clone
+ clone2
++clone3
+ close
+ cmpxchg_badaddr
+ connect
+@@ -410,6 +411,7 @@ perf_event_open
+ perfctr
+ perfmonctl
+ personality
++pidfd_open
+ pidfd_send_signal
+ pipe
+ pipe2
diff --git a/SOURCES/glibc-rh1747465-8.patch b/SOURCES/glibc-rh1747465-8.patch
new file mode 100644
index 0000000..4d5acb7
--- /dev/null
+++ b/SOURCES/glibc-rh1747465-8.patch
@@ -0,0 +1,50 @@
+commit a331150af65477fc3fa72ab341eed5e0b2daf7f3
+Author: Joseph Myers
+Date: Thu Nov 28 20:32:09 2019 +0000
+
+ Update syscall-names.list for Linux 5.4.
+
+ This patch updates syscall-names.list for Linux 5.4. There are no new
+ syscalls, so this is just a matter of updating the version number
+ listed in the file.
+
+ Tested with build-many-glibcs.py.
+
+Reworked for (rhbz#1747465)
+ Also update copyright info to match upstream.
+ Correct some typos in the comments to match upstream.
+
+diff -Nrup a/sysdeps/unix/sysv/linux/syscall-names.list b/sysdeps/unix/sysv/linux/syscall-names.list
+--- a/sysdeps/unix/sysv/linux/syscall-names.list 2020-01-24 12:27:15.212564061 -0500
++++ b/sysdeps/unix/sysv/linux/syscall-names.list 2020-01-24 14:42:30.175256876 -0500
+@@ -1,5 +1,5 @@
+ # List of all known Linux system calls.
+-# Copyright (C) 2017-2018 Free Software Foundation, Inc.
++# Copyright (C) 2017-2020 Free Software Foundation, Inc.
+ # This file is part of the GNU C Library.
+ #
+ # The GNU C Library is free software; you can redistribute it and/or
+@@ -14,16 +14,15 @@
+ #
+ # You should have received a copy of the GNU Lesser General Public
+ # License along with the GNU C Library; if not, see
+-# .
++# .
+
+-# This file contains the list of system call names names. It has to
+-# remain in alphabetica order. Lines which start with # are treated
+-# as comments. This file can list all potential system calls. The
+-# names are only used if the installed kernel headers also provide
+-# them.
++# This file contains the list of system call names. It has to remain in
++# alphabetical order. Lines which start with # are treated as comments.
++# This file can list all potential system calls. The names are only
++# used if the installed kernel headers also provide them.
+
+-# The list of system calls is current as of Linux 5.3.
+-kernel 5.3
++# The list of system calls is current as of Linux 5.4.
++kernel 5.4
+
+ FAST_atomic_update
+ FAST_cmpxchg
diff --git a/SOURCES/glibc-rh1763325.patch b/SOURCES/glibc-rh1763325.patch
new file mode 100644
index 0000000..1a60824
--- /dev/null
+++ b/SOURCES/glibc-rh1763325.patch
@@ -0,0 +1,123 @@ +commit 2c820533c61fed175390bc6058afbbe42d2edc37 +Author: Florian Weimer +Date: Thu Aug 18 11:15:42 2016 +0200 + + argp: Do not override GCC keywords with macros [BZ #16907] + + glibc provides fallback definitions already. It is not necessary to + suppress warnings for unknown attributes because GCC does this + automatically for system headers. + + This commit does not sync with gnulib because gnulib has started to use + _GL_* macros in the header file, which are arguably in the gnulib + implementation space and not suitable for an installed glibc header + file. + +diff --git a/argp/argp-fmtstream.h b/argp/argp-fmtstream.h +index 61c45bf86b6bf8d5..b8e4e2406ff2784e 100644 +--- a/argp/argp-fmtstream.h ++++ b/argp/argp-fmtstream.h +@@ -29,21 +29,6 @@ + #include + #include + +-#ifndef __attribute__ +-/* This feature is available in gcc versions 2.5 and later. */ +-# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) || \ +- defined __STRICT_ANSI__ +-# define __attribute__(Spec) /* empty */ +-# endif +-/* The __-protected variants of `format' and `printf' attributes +- are accepted by gcc versions 2.6.4 (effectively 2.7) and later. */ +-# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 7) || \ +- defined __STRICT_ANSI__ +-# define __format__ format +-# define __printf__ printf +-# endif +-#endif +- + #if defined (__GNU_LIBRARY__) && defined (HAVE_LINEWRAP_H) + /* line_wrap_stream is available, so use that. */ + #define ARGP_FMTSTREAM_USE_LINEWRAP +@@ -111,6 +96,8 @@ struct argp_fmtstream + + typedef struct argp_fmtstream *argp_fmtstream_t; + ++__BEGIN_DECLS ++ + /* Return an argp_fmtstream that outputs to STREAM, and which prefixes lines + written on it with LMARGIN spaces and limits them to RMARGIN columns + total. 
If WMARGIN >= 0, words that extend past RMARGIN are wrapped by +@@ -297,6 +284,8 @@ __argp_fmtstream_point (argp_fmtstream_t __fs) + + #endif /* __OPTIMIZE__ */ + ++__END_DECLS ++ + #endif /* ARGP_FMTSTREAM_USE_LINEWRAP */ + + #endif /* argp-fmtstream.h */ +diff --git a/argp/argp.h b/argp/argp.h +index 37544fe44a102574..61b792909530aaac 100644 +--- a/argp/argp.h ++++ b/argp/argp.h +@@ -29,48 +29,12 @@ + #define __need_error_t + #include + +-#ifndef __THROW +-# define __THROW +-#endif +-#ifndef __NTH +-# define __NTH(fct) fct __THROW +-#endif +- +-#ifndef __attribute__ +-/* This feature is available in gcc versions 2.5 and later. */ +-# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5) || \ +- defined __STRICT_ANSI__ +-# define __attribute__(Spec) /* empty */ +-# endif +-/* The __-protected variants of `format' and `printf' attributes +- are accepted by gcc versions 2.6.4 (effectively 2.7) and later. */ +-# if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 7) || \ +- defined __STRICT_ANSI__ +-# define __format__ format +-# define __printf__ printf +-# endif +-#endif +- +-/* GCC 2.95 and later have "__restrict"; C99 compilers have +- "restrict", and "configure" may have defined "restrict". */ +-#ifndef __restrict +-# if ! (2 < __GNUC__ || (2 == __GNUC__ && 95 <= __GNUC_MINOR__)) +-# if defined restrict || 199901L <= __STDC_VERSION__ +-# define __restrict restrict +-# else +-# define __restrict +-# endif +-# endif +-#endif +- + #ifndef __error_t_defined + typedef int error_t; + # define __error_t_defined + #endif + +-#ifdef __cplusplus +-extern "C" { +-#endif ++__BEGIN_DECLS + + /* A description of a particular option. A pointer to an array of + these is passed in the OPTIONS field of an argp structure. Each option +@@ -591,8 +555,6 @@ __NTH (__option_is_end (const struct argp_option *__opt)) + # endif + #endif /* Use extern inlines. */ + +-#ifdef __cplusplus +-} +-#endif ++__END_DECLS + + #endif /* argp.h */ 
diff --git a/SOURCES/glibc-rh1772307.patch b/SOURCES/glibc-rh1772307.patch
new file mode 100644
index 0000000..1ccc6dd
--- /dev/null
+++ b/SOURCES/glibc-rh1772307.patch
@@ -0,0 +1,41 @@
+From 27d3ce1467990f89126e228559dec8f84b96c60e Mon Sep 17 00:00:00 2001
+From: "H.J. Lu"
+Date: Fri, 1 Apr 2016 15:08:48 -0700
+Subject: [PATCH] Remove Fast_Copy_Backward from Intel Core processors
+
+Intel Core i3, i5 and i7 processors have fast unaligned copy and
+copy backward is ignored. Remove Fast_Copy_Backward from Intel Core
+processors to avoid confusion.
+
+ * sysdeps/x86/cpu-features.c (init_cpu_features): Don't set
+ bit_arch_Fast_Copy_Backward for Intel Core proessors.
+---
+ ChangeLog | 5 +++++
+ sysdeps/x86/cpu-features.c | 6 +-----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+diff -rup a/sysdeps/x86/cpu-features.c b/sysdeps/x86/cpu-features.c
+--- a/sysdeps/x86/cpu-features.c 2020-01-21 16:44:28.637555853 -0500
++++ b/sysdeps/x86/cpu-features.c 2020-01-21 16:46:51.208756416 -0500
+@@ -116,11 +116,8 @@ init_cpu_features (struct cpu_features *
+ case 0x2c:
+ case 0x2e:
+ case 0x2f:
+- /* Rep string instructions, copy backward, unaligned loads
++ /* Rep string instructions, unaligned load, unaligned copy,
+ and pminub are fast on Intel Core i3, i5 and i7. */
+-#if index_Fast_Rep_String != index_Fast_Copy_Backward
+-# error index_Fast_Rep_String != index_Fast_Copy_Backward
+-#endif
+ #if index_Fast_Rep_String != index_Fast_Unaligned_Load
+ # error index_Fast_Rep_String != index_Fast_Unaligned_Load
+ #endif
+@@ -129,7 +126,6 @@ init_cpu_features (struct cpu_features *
+ #endif
+ cpu_features->feature[index_Fast_Rep_String]
+ |= (bit_Fast_Rep_String
+- | bit_Fast_Copy_Backward
+ | bit_Fast_Unaligned_Load
+ | bit_Prefer_PMINUB_for_stringop);
+ break;
+
diff --git a/SOURCES/glibc-rh1775599.patch b/SOURCES/glibc-rh1775599.patch
new file mode 100644
index 0000000..31992d5
--- /dev/null
+++ b/SOURCES/glibc-rh1775599.patch
@@ -0,0 +1,24 @@
+commit d5dfad4326fc683c813df1e37bbf5cf920591c8e
+Author: Marcin Koƛcielnicki
+Date: Thu Nov 21 00:20:15 2019 +0100
+
+ rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
+
+ The problem was introduced in glibc 2.23, in commit
+ b9eb92ab05204df772eb4929eccd018637c9f3e9
+ ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
+
+diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+index 1531437359c0ec06..82495780a06d8a05 100644
+--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+@@ -31,7 +31,8 @@
+ environment variable, LD_PREFER_MAP_32BIT_EXEC. */
+ #define EXTRA_LD_ENVVARS \
+ case 21: \
+- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
++ if (!__libc_enable_secure \
++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
+ GLRO(dl_x86_cpu_features).feature[index_Prefer_MAP_32BIT_EXEC] \
+ |= bit_Prefer_MAP_32BIT_EXEC; \
+ break;
diff --git a/SOURCES/glibc-rh1775816.patch b/SOURCES/glibc-rh1775816.patch
new file mode 100644
index 0000000..960b67b
--- /dev/null
+++ b/SOURCES/glibc-rh1775816.patch
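Review bot: The added `!__libc_enable_secure` test in the `case 21:` arm of `EXTRA_LD_ENVVARS` makes the loader itself ignore LD_PREFER_MAP_32BIT_EXEC in a secure-mode process, but nothing visible in this hunk removes the variable from the environment, so a child started by that process would presumably still inherit it. If the tree keeps a list of unsecure variables that the loader unsets, it is worth checking whether this one belongs there too; that file is outside the hunk, so this is a question rather than a finding. The macro also carries no word on why the guard exists, and a comment above the `#define` such as `/* Ignored when __libc_enable_secure is set: the caller's environment must not choose where a privileged program's executable pages are mapped. */` would keep the check from being dropped in a later cleanup. The comment block that precedes `#define EXTRA_LD_ENVVARS` starts outside the hunk.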
@@ -0,0 +1,32 @@
+commit cb61630ed712d033f54295f776967532d3f4b46a
+Author: Florian Weimer
+Date: Fri Nov 22 22:10:42 2019 +0100
+
+ libio: Disable vtable validation for pre-2.1 interposed handles [BZ #25203]
+
+ Commit c402355dfa7807b8e0adb27c009135a7e2b9f1b0 ("libio: Disable
+ vtable validation in case of interposition [BZ #23313]") only covered
+ the interposable glibc 2.1 handles, in libio/stdfiles.c. The
+ parallel code in libio/oldstdfiles.c needs similar detection logic.
+
+ Fixes (again) commit db3476aff19b75c4fdefbe65fcd5f0a90588ba51
+ ("libio: Implement vtable verification [BZ #20191]").
+
+ Change-Id: Ief6f9f17e91d1f7263421c56a7dc018f4f595c21
+
+diff --git a/libio/oldstdfiles.c b/libio/oldstdfiles.c
+index 870cb0536c52024f..54d3e354fcbf257e 100644
+--- a/libio/oldstdfiles.c
++++ b/libio/oldstdfiles.c
+@@ -87,6 +87,11 @@ _IO_check_libio (void)
+ stdout->_vtable_offset = stderr->_vtable_offset =
+ ((int) sizeof (struct _IO_FILE)
+ - (int) sizeof (struct _IO_FILE_complete));
++
++ if (_IO_stdin_.vtable != &_IO_old_file_jumps
++ || _IO_stdout_.vtable != &_IO_old_file_jumps
++ || _IO_stderr_.vtable != &_IO_old_file_jumps)
++ IO_set_accept_foreign_vtables (&_IO_vtable_check);
+ }
+ }
+
diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
index 2e16b1e..6c23956 100644
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@@ -1,6 +1,6 @@
 %define glibcsrcdir glibc-2.17-c758a686
 %define glibcversion 2.17
-%define glibcrelease 306%{?dist}
+%define glibcrelease 316%{?dist}
 ##############################################################################
 # We support the following options:
 # --with/--without,
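Review bot: The new `if` block in `_IO_check_libio` calls `IO_set_accept_foreign_vtables (&_IO_vtable_check)` without a comment, although by the commit message its effect is to disable libio vtable validation, a hardening check, whenever any of the three pre-2.1 handles carries a vtable other than `_IO_old_file_jumps`. I would state that above the condition, e.g. `/* An interposed pre-2.1 handle has a foreign vtable; accept foreign vtables instead of failing validation, as stdfiles.c does for the 2.1 handles. */`. The setting appears to apply to the whole process rather than only to the interposed handle, which is worth saying in the same comment if that is the case. The function starts outside the hunk, so the condition guarding this branch is not visible here.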
@@ -1615,6 +1615,24 @@ Patch2831: glibc-rh1065574-5.patch Patch2832: glibc-rh1065574-6.patch Patch2833: glibc-rh1065574-7.patch Patch2834: glibc-rh1484832.patch +Patch2835: glibc-rh1740039-1.patch +Patch2836: glibc-rh1740039-2.patch +Patch2837: glibc-rh1775599.patch +Patch2838: glibc-rh1235112.patch +Patch2839: glibc-rh1728915-1.patch +Patch2840: glibc-rh1728915-2.patch +Patch2841: glibc-rh1772307.patch +Patch2842: glibc-rh1747465-1.patch +Patch2843: glibc-rh1747465-2.patch +Patch2844: glibc-rh1747465-3.patch +Patch2845: glibc-rh1747465-4.patch +Patch2846: glibc-rh1747465-5.patch +Patch2847: glibc-rh1747465-6.patch +Patch2848: glibc-rh1747465-7.patch +Patch2849: glibc-rh1747465-8.patch +Patch2850: glibc-rh1775816.patch +Patch2851: glibc-rh1763325.patch +Patch2852: glibc-rh1406732-6.patch ############################################################################## # End of glibc patches. @@ -1823,12 +1841,6 @@ which is highly discouraged. Summary: Header files for development using standard C libraries. Group: Development/Libraries Provides: %{name}-headers(%{_target_cpu}) -%ifarch x86_64 -# If both -m32 and -m64 is to be supported on AMD64, x86_64 glibc-headers -# have to be installed, not i586 ones. -Obsoletes: %{name}-headers(i586) -Obsoletes: %{name}-headers(i686) -%endif Requires(pre): kernel-headers Requires: kernel-headers >= 2.2.1, %{name} = %{version}-%{release} BuildRequires: kernel-headers >= 2.6.22 @@ -1906,10 +1918,6 @@ Group: Development/Debug AutoReqProv: no %ifarch %{debuginfocommonarches} Requires: glibc-debuginfo-common = %{version}-%{release} -%else -%ifarch %{ix86} %{sparc} -Obsoletes: glibc-debuginfo-common -%endif %endif %description debuginfo 
@@ -2970,6 +2978,24 @@ package or when debugging this package. %patch2832 -p1 %patch2833 -p1 %patch2834 -p1 +%patch2835 -p1 +%patch2836 -p1 +%patch2837 -p1 +%patch2838 -p1 +%patch2839 -p1 +%patch2840 -p1 +%patch2841 -p1 +%patch2842 -p1 +%patch2843 -p1 +%patch2844 -p1 +%patch2845 -p1 +%patch2846 -p1 +%patch2847 -p1 +%patch2848 -p1 +%patch2849 -p1 +%patch2850 -p1 +%patch2851 -p1 +%patch2852 -p1 ############################################################################## # %%prep - Additional prep required... @@ -3135,10 +3161,23 @@ build_CFLAGS="$BuildFlags -g -O3 $*" # Some configure checks can spuriously fail for some architectures if # unwind info is present configure_CFLAGS="$build_CFLAGS -fno-asynchronous-unwind-tables" + +# See bug 1790475 for the history behind --disable-bind-now for ppc64. +# In summary: COPY relocations and BIND_NOW are incompatible on ppc64. +# The solution is to globally disable BIND_NOW hardening on ppc64 with +# --disable-bind-now and then use a downstream-only patch +# (glibc-rh1406732-6.patch) to partially enable BIND_NOW hardening for +# ppc64 to the level of hardening that works given the toolchain. + ../configure CC="$GCC" CXX="$GXX" CFLAGS="$configure_CFLAGS" \ --prefix=%{_prefix} \ --enable-add-ons=nptl$AddOns \ - --with-headers=%{_prefix}/include $EnableKernel --enable-bind-now \ + --with-headers=%{_prefix}/include $EnableKernel \ +%ifarch ppc64 + --disable-bind-now \ +%else + --enable-bind-now \ +%endif --build=%{target} \ %ifarch %{multiarcharches} --enable-multi-arch \ 
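Review bot: The comment added above `../configure` points to bug 1790475, while the 2.17-316 changelog entry for the same change cites #1793853; if these are two trackers for one issue, naming both in the comment (`# See bugs 1790475 and 1793853 ...`) would save the next maintainer a search. The `%ifarch ppc64` branch swaps `--enable-bind-now` for `--disable-bind-now` and leaves the remaining hardening to glibc-rh1406732-6.patch, which is not shown in this part of the page, so nothing here confirms which binaries still get BIND_NOW on ppc64. A step in the build or test stage that inspects the dynamic section of the installed libraries on ppc64 would make the build fail visibly if the downstream patch stops having the intended effect.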
@@ -4144,6 +4183,38 @@ rm -f *.filelist* %endif %changelog +* Thu Jan 30 2020 Carlos O'Donell - 2.17-316 +- Adjust security hardening changes for 64-bit POWER BE due to + toolchain limitations (#1793853) + +* Wed Jan 29 2020 Florian Weimer - 2.17-315 +- argp: Do not override GCC keywords with macros (#1763325) + +* Wed Jan 29 2020 Florian Weimer - 2.17-314 +- Disable libio vtable validation for interposed pre-2.1 stdio handles (#1775816) + +* Tue Jan 28 2020 Florian Weimer - 2.17-313 +- Remove problematic Obsoletes: (#1795573) + +* Fri Jan 24 2020 Patsy Griffin - 2.17-312 +- Update syscall-names.list to current version 5.4. (#1747465) + +* Tue Jan 21 2020 DJ Delorie - 2.17-311 +- Improve bcopy performance on Intel Haswell (#1772307) + +* Tue Jan 21 2020 DJ Delorie - 2.17-310 +- Filter "ignore" autofs mount entries in getmntent (#1728915) + +* Tue Jan 21 2020 Arjun Shankar - 2.17-309 +- Fix race condition in tst-waitid (#1235112) + +* Tue Jan 21 2020 Arjun Shankar - 2.17-308 +- CVE-2019-19126: rtld: Check __libc_enable_secure before honoring + LD_PREFER_MAP_32BIT_EXEC (#1775599) + +* Tue Oct 22 2019 Florian Weimer - 2.17-307 +- Fix assert after attempting to dlopen main programs (#1740039) + * Fri Aug 2 2019 Carlos O'Donell - 2.17-306 - Fix dlopen crash when LD_LIBRARY_PATH is set (#1484832)