fix bug 26100: correct locking and cancellation cleanup in syslog functions

see also https://sourceware.org/bugzilla/show_bug.cgi?id=26100
2020-09-12 16:21:04 +08:00 · 2020-09-12 16:21:04 +08:00 · dc31089322
commit dc31089322
parent a4cceb2590
2 changed files with 126 additions and 1 deletions
--- a/backport-Correct-locking-and-cancellation-cleanup-in-syslog-functions.patch
+++ b/backport-Correct-locking-and-cancellation-cleanup-in-syslog-functions.patch
@ -0,0 +1,120 @@
+From c4e4b2e149705559d28b16a9b47ba2f6142d6a6c Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Tue, 23 Jun 2020 12:55:49 +0200
+Subject: [PATCH] Correct locking and cancellation cleanup in syslog functions
+ (bug 26100)
+
+Properly serialize the access to the global state shared between the
+syslog functions, to avoid races in multithreaded processes.  Protect a
+local allocation in the __vsyslog_internal function from leaking during
+cancellation.
+---
+ misc/syslog.c | 44 ++++++++++++++++++++++++++++----------------
+ 1 file changed, 28 insertions(+), 16 deletions(-)
+
+diff --git a/misc/syslog.c b/misc/syslog.c
+index fd6537edf6..2cc63ef287 100644
+--- a/misc/syslog.c
+++ b/misc/syslog.c
+@@ -91,14 +91,20 @@ struct cleanup_arg
+ static void
+ cancel_handler (void *ptr)
+ {
+-#ifndef NO_SIGPIPE
+   /* Restore the old signal handler.  */
+   struct cleanup_arg *clarg = (struct cleanup_arg *) ptr;
+ 
+-  if (clarg != NULL && clarg->oldaction != NULL)
+-    __sigaction (SIGPIPE, clarg->oldaction, NULL);
+  if (clarg != NULL)
+    {
+#ifndef NO_SIGPIPE
+      if (clarg->oldaction != NULL)
+	__sigaction (SIGPIPE, clarg->oldaction, NULL);
+ #endif
+ 
+      /* Free the memstream buffer,  */
+      free (clarg->buf);
+    }
+
+   /* Free the lock.  */
+   __libc_lock_unlock (syslog_lock);
+ }
+@@ -169,9 +175,17 @@ __vsyslog_internal(int pri, const char *fmt, va_list ap,
+ 		pri &= LOG_PRIMASK|LOG_FACMASK;
+ 	}
+ 
+	/* Prepare for multiple users.  We have to take care: most
+	   syscalls we are using are cancellation points.  */
+	struct cleanup_arg clarg;
+	clarg.buf = NULL;
+	clarg.oldaction = NULL;
+	__libc_cleanup_push (cancel_handler, &clarg);
+	__libc_lock_lock (syslog_lock);
+
+ 	/* Check priority against setlogmask values. */
+ 	if ((LOG_MASK (LOG_PRI (pri)) & LogMask) == 0)
+-		return;
+		goto out;
+ 
+ 	/* Set default facility if none specified. */
+ 	if ((pri & LOG_FACMASK) == 0)
+@@ -235,6 +249,9 @@ __vsyslog_internal(int pri, const char *fmt, va_list ap,
+ 	    /* Close the memory stream; this will finalize the data
+ 	       into a malloc'd buffer in BUF.  */
+ 	    fclose (f);
+
+	    /* Tell the cancellation handler to free this buffer.  */
+	    clarg.buf = buf;
+ 	  }
+ 
+ 	/* Output to stderr if requested. */
+@@ -252,22 +269,10 @@ __vsyslog_internal(int pri, const char *fmt, va_list ap,
+ 		    v->iov_len = 1;
+ 		  }
+ 
+-		__libc_cleanup_push (free, buf == failbuf ? NULL : buf);
+-
+ 		/* writev is a cancellation point.  */
+ 		(void)__writev(STDERR_FILENO, iov, v - iov + 1);
+-
+-		__libc_cleanup_pop (0);
+ 	}
+ 
+-	/* Prepare for multiple users.  We have to take care: open and
+-	   write are cancellation points.  */
+-	struct cleanup_arg clarg;
+-	clarg.buf = buf;
+-	clarg.oldaction = NULL;
+-	__libc_cleanup_push (cancel_handler, &clarg);
+-	__libc_lock_lock (syslog_lock);
+-
+ #ifndef NO_SIGPIPE
+ 	/* Prepare for a broken connection.  */
+  	memset (&action, 0, sizeof (action));
+@@ -320,6 +325,7 @@ __vsyslog_internal(int pri, const char *fmt, va_list ap,
+ 		__sigaction (SIGPIPE, &oldaction, (struct sigaction *) NULL);
+ #endif
+ 
+ out:
+ 	/* End of critical section.  */
+ 	__libc_cleanup_pop (0);
+ 	__libc_lock_unlock (syslog_lock);
+@@ -430,8 +436,14 @@ setlogmask (int pmask)
+ {
+ 	int omask;
+ 
+	/* Protect against multiple users.  */
+	__libc_lock_lock (syslog_lock);
+
+ 	omask = LogMask;
+ 	if (pmask != 0)
+ 		LogMask = pmask;
+
+	__libc_lock_unlock (syslog_lock);
+
+ 	return (omask);
+ }
+-- 
+2.23.0
+
--- a/glibc.spec
+++ b/glibc.spec
@ -59,7 +59,7 @@
 ##############################################################################
 Name: 	 	glibc
 Version: 	2.28
-Release: 	43
+Release: 	44
 Summary: 	The GNU libc libraries
 License:	%{all_license}
 URL: 		http://www.gnu.org/software/glibc/
@ -90,6 +90,7 @@ Patch13: Fix-double-free-in-__printf_fp_l-bug-26214.patch
 Patch14: Fix-memory-leak-in-__printf_fp_l-bug-26215.patch
 Patch15: Fix-CVE-2020-6096-001.patch
 Patch16: Fix-CVE-2020-6096-002.patch
+Patch17: backport-Correct-locking-and-cancellation-cleanup-in-syslog-functions.patch

 Provides: ldconfig rtld(GNU_HASH) bundled(gnulib)

@ -1085,6 +1086,10 @@ fi
 %doc hesiod/README.hesiod

 %changelog
+* Tue Sep 12 2020 liqingqing_1229<liqingqing3@huawei.com> - 2.28-44
+- fix bug 26100: correct locking and cancellation cleanup in syslog functions. 
+- origin bugzilla link is https://sourceware.org/bugzilla/show_bug.cgi?id=26100
+
 * Mon Jul 20 2020 liqingqing<liqingqing3@huawei.com> - 2.28-43
 - fix CVE-2020-6096
 - fix bugzilla 26137, 26214, 26215