glibc:hjl/pr22715/2.24

Last commit made on 2018-01-17
Get this branch:
git clone -b hjl/pr22715/2.24 https://git.launchpad.net/glibc

Branch information

Name:
hjl/pr22715/2.24
Repository:
lp:glibc

Recent commits

1c9a233... by H.J. Lu on 2018-01-16

x86-64: Properly align La_x86_64_retval to VEC_SIZE [BZ #22715]

_dl_runtime_profile calls _dl_call_pltexit, passing a pointer to
La_x86_64_retval which is allocated on the stack. The lrv_vector0
field in La_x86_64_retval must be aligned to the size of the vector register.
When allocating stack space for La_x86_64_retval, we need to make sure
that the address of La_x86_64_retval + RV_VECTOR0_OFFSET is aligned to
VEC_SIZE. This patch checks the alignment of the lrv_vector0 field
and pads the stack space if needed.

Tested with x32 and x86-64 on SSE4, AVX and AVX512 machines. It fixed

FAIL: elf/tst-audit10
FAIL: elf/tst-audit4
FAIL: elf/tst-audit5
FAIL: elf/tst-audit6
FAIL: elf/tst-audit7

on x32 AVX512 machine.

(cherry picked from commit 207a72e2988c6d6343f50fe0128eb4fc4edfdd15)

 [BZ #22715]
 * sysdeps/x86_64/dl-trampoline.h (_dl_runtime_profile): Properly
 align La_x86_64_retval to VEC_SIZE.

f24c345... by Aurelien Jarno on 2017-12-30

elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH token and interprets empty tokens as the current directory
("./"). In practice the check for an empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary cannot be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for a NULL pointer or empty string
returned by expand_dynamic_string_token.

The above changes highlighted a bug in decompose_rpath: an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by a -1 pointer in decompose_rpath and other functions.

Changelog:
 [BZ #22625]
 * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
 string token expansion. Check for NULL pointer or empty string possibly
 returned by expand_dynamic_string_token.
 (decompose_rpath): Check for empty path after dynamic string
 token expansion.
(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

2484754... by Dmitry V. Levin on 2017-12-17

elf: do not substitute dst in $LD_LIBRARY_PATH twice [BZ #22627]

Starting with commit
glibc-2.18.90-470-g2a939a7e6d81f109d49306bc2e10b4ac9ceed8f9 that
introduced substitution of dynamic string tokens in fillin_rpath,
_dl_init_paths invokes _dl_dst_substitute for $LD_LIBRARY_PATH twice:
the first time it's called directly, the second time the result
is passed on to fillin_rpath which calls expand_dynamic_string_token
which in turn calls _dl_dst_substitute, leading to the following
behaviour:

$ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' &&
  echo 'int main(){}' |gcc -xc - &&
  strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3

Fix this by removing the direct _dl_dst_substitute invocation.

* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
code and invocation.

(cherry picked from commit bb195224acc14724e9fc2dbaa8d0b20b72ace79b)
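The two search-path bugs above (BZ #22625, the empty-token check running after $ORIGIN expansion, and BZ #22627, $ORIGIN being substituted twice for LD_LIBRARY_PATH) share the same moving part, so here is one added illustration of both. It is not glibc code and not part of this branch: dst_substitute(), fillin_rpath() and ld_library_path_dirs() are hypothetical, much simplified stand-ins for _dl_dst_substitute, fillin_rpath and _dl_init_paths, only the $ORIGIN token is modelled, and the boolean flags that switch between the pre-fix and fixed orderings are an assumption made for the demonstration.

```c
#define _GNU_SOURCE            /* strdup */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand the first "$ORIGIN" in TOK (hypothetical stand-in for
   _dl_dst_substitute). As in the real expansion it yields "" when the
   process is secure (AT_SECURE / __libc_enable_secure) or the binary's
   directory is unknown (/proc not mounted). Returns a malloc'd string. */
static char *dst_substitute(const char *tok, const char *origin, bool secure)
{
    const char *hit = strstr(tok, "$ORIGIN");
    if (hit == NULL)
        return strdup(tok);
    const char *repl = (secure || origin == NULL) ? "" : origin;
    size_t prefix = (size_t)(hit - tok);
    const char *rest = hit + strlen("$ORIGIN");
    char *out = malloc(prefix + strlen(repl) + strlen(rest) + 1);
    memcpy(out, tok, prefix);
    strcpy(out + prefix, repl);
    strcat(out, rest);
    return out;
}

/* Model of fillin_rpath: split RPATH on ':' and return the resulting search
   directories joined with ';' (static buffer). An empty token means the
   current directory ("./"). With CHECK_AFTER_EXPANSION the empty-token test
   runs after $ORIGIN expansion (the pre-fix order), so an expansion that
   yields "" silently becomes "./"; the fixed order tests the raw token
   first and drops empty expansions instead of falling back to cwd. */
static const char *fillin_rpath(const char *rpath, const char *origin,
                                bool secure, bool check_after_expansion)
{
    static char dirs[512];
    dirs[0] = '\0';
    const char *p = rpath;
    for (;;) {
        const char *sep = strchr(p, ':');
        size_t len = sep ? (size_t)(sep - p) : strlen(p);
        char tok[128];
        if (len >= sizeof tok)
            len = sizeof tok - 1;
        memcpy(tok, p, len);
        tok[len] = '\0';

        char *dir;
        if (check_after_expansion) {
            dir = dst_substitute(tok, origin, secure);
            if (dir[0] == '\0') {        /* bug: "" from expansion becomes "./" */
                free(dir);
                dir = strdup("./");
            }
        } else if (tok[0] == '\0') {
            dir = strdup("./");          /* genuinely empty token */
        } else {
            dir = dst_substitute(tok, origin, secure);
            if (dir[0] == '\0') {        /* fix: skip it, never use cwd */
                free(dir);
                dir = NULL;
            }
        }
        if (dir != NULL) {
            if (dirs[0] != '\0')
                strcat(dirs, ";");
            strncat(dirs, dir, sizeof dirs - strlen(dirs) - 1);
            free(dir);
        }
        if (sep == NULL)
            break;
        p = sep + 1;
    }
    return dirs;
}

/* Model of _dl_init_paths handling LD_LIBRARY_PATH (BZ #22627): pre-fix it
   ran dst_substitute itself and then passed the result to fillin_rpath,
   which expands again; the fix drops that first call. */
static const char *ld_library_path_dirs(const char *llp, const char *origin,
                                        bool substitute_twice)
{
    char *pre = substitute_twice ? dst_substitute(llp, origin, false)
                                 : strdup(llp);
    const char *dirs = fillin_rpath(pre, origin, false, false);
    free(pre);
    return dirs;
}

int main(void)
{
    /* BZ #22625: secure process, so $ORIGIN expands to "" */
    puts(fillin_rpath("$ORIGIN:/usr/lib", "/opt/app", true, true));   /* ./;/usr/lib */
    puts(fillin_rpath("$ORIGIN:/usr/lib", "/opt/app", true, false));  /* /usr/lib */
    /* BZ #22627: binary lives in a directory literally named "$ORIGIN" */
    puts(ld_library_path_dirs("$ORIGIN", "/tmp/$ORIGIN", true));      /* /tmp//tmp/$ORIGIN */
    puts(ld_library_path_dirs("$ORIGIN", "/tmp/$ORIGIN", false));     /* /tmp/$ORIGIN */
    return 0;
}
```

The first pair of calls is the security-relevant one: with the pre-fix ordering a setuid (AT_SECURE) binary whose RPATH names $ORIGIN ends up searching "./", that is, whatever directory the caller ran it from, whereas the fixed ordering drops the expanded-empty component entirely. The second pair reproduces the strace output in the commit message, where the directory "/tmp/$ORIGIN" is substituted into itself a second time.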

c5b38f2... by Florian Weimer on 2017-12-14

elf: Count components of the expanded path in _dl_init_path [BZ #22607]

(cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)

28aa533... by Florian Weimer on 2017-12-14

elf: Compute correct array size in _dl_init_paths [BZ #22606]

(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)

a4fc3a0... by Florian Weimer on 2017-11-02

<array_length.h>: New array_length and array_end macros

(cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)

d81254d... by Aurelien Jarno on 2017-12-01

Update NEWS to add CVE-2017-15804 entry

(cherry picked from commit 15e84c63c05e0652047ba5e738c54d79d62ba74b)

bddc572... by Florian Weimer on 2017-11-02

posix/tst-glob-tilde.c: Add test for bug 22332

(cherry picked from commit 2fac6a6cd50c22ac28c97d0864306594807ade3e)

94825c8... by Paul Eggert on 2017-10-22

glob: Fix buffer overflow during GLOB_TILDE unescaping [BZ #22332]

(cherry picked from commit a159b53fa059947cc2548e3b0d5bdcf7b9630ba8)

1e53b88... by Florian Weimer on 2017-10-22

Update NEWS and ChangeLog for CVE-2017-15671

(cherry picked from commit 914c9994d27b80bc3b71c483e801a4f04e269ba6)