fix double free error in tac, build su with pie again

2010-09-07 10:02:54 +02:00 · 2010-09-07 10:02:54 +02:00 · 626aa7bd2c
parent 24132a00a8
commit 626aa7bd2c
3 changed files with 89 additions and 3 deletions
--- a/coreutils-8.4-su-pie.patch
+++ b/coreutils-8.4-su-pie.patch
@ -0,0 +1,11 @@
+diff -urNp coreutils-8.4-orig/src/Makefile.am coreutils-8.4/src/Makefile.am
+--- coreutils-8.4-orig/src/Makefile.am	2010-09-03 17:34:43.399747649 +0200
+++ coreutils-8.4/src/Makefile.am	2010-09-03 17:36:13.005765125 +0200
+@@ -367,6 +367,7 @@ factor_LDADD += $(LIB_GMP)
+ 
+ # for crypt
+ su_LDADD += $(LIB_CRYPT) @LIB_PAM@
+su_LDFLAGS = -pie
+ 
+ # for various ACL functions
+ copy_LDADD += $(LIB_ACL)
--- a/coreutils-8.5-tac-doublefree.patch
+++ b/coreutils-8.5-tac-doublefree.patch
@ -0,0 +1,66 @@
+From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering@redhat.com>
+Date: Sat, 28 Aug 2010 17:45:29 +0200
+Subject: [PATCH] tac: avoid double free
+
+* src/tac.c (main): Reading a line longer than 16KiB would cause
+tac to realloc its primary buffer.  Then, just before exit, tac
+would mistakenly free the original (now free'd) buffer.
+This bug was introduced by commit be6c13e7, "maint: always free a
+buffer, to avoid even semblance of a leak".
+* tests/misc/tac (double-free): New test, to exercise this.
+Reported by Salvo Tomaselli in <http://bugs.debian.org/594666>.
+---
+ src/tac.c      |    6 ++++--
+ tests/misc/tac |    6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/tac.c b/src/tac.c
+index cec9736..859e006 100644
+--- a/src/tac.c
+++ b/src/tac.c
+@@ -633,7 +633,6 @@ main (int argc, char **argv)
+   if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size))
+     xalloc_die ();
+   G_buffer = xmalloc (G_buffer_size);
+-  void *buf = G_buffer;
+   if (sentinel_length)
+     {
+       strcpy (G_buffer, separator);
+@@ -666,6 +665,9 @@ main (int argc, char **argv)
+       error (0, errno, "-");
+       ok = false;
+     }
+-  free (buf);
+
+  size_t offset = sentinel_length ? sentinel_length : 1;
+  free (G_buffer - offset);
+
+   exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+diff --git a/tests/misc/tac b/tests/misc/tac
+index 7631049..4130c00 100755
+--- a/tests/misc/tac
+++ b/tests/misc/tac
+@@ -24,6 +24,9 @@ my $prog = 'tac';
+
+ my $bad_dir = 'no/such/dir';
+
+# This must be longer than 16KiB to trigger the double free in coreutils-8.5.
+my $long_line = 'o' x (16 * 1024 + 1);
+
+ my @Tests =
+ (
+   ['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}],
+@@ -67,6 +70,9 @@ my @Tests =
+    {ERR_SUBST => "s,`$bad_dir': .*,...,"},
+    {ERR => "$prog: cannot create temporary file in ...\n"},
+    {EXIT => 1}],
+
+  # coreutils-8.5's tac would double-free its primary buffer.
+  ['double-free', {IN=>$long_line}, {OUT=>$long_line}],
+ );
+
+ @Tests = triple_test \@Tests;
+--
+1.7.2.2.510.g7180a
--- a/coreutils.spec
+++ b/coreutils.spec
@ -1,7 +1,7 @@
 Summary: A set of basic GNU tools commonly used in shell scripts
 Name:    coreutils
 Version: 8.5
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: GPLv3+
 Group:   System Environment/Base
 Url:     http://www.gnu.org/software/coreutils/
@ -18,6 +18,8 @@ Source202:  coreutils-su-l.pamd
 Source203:  coreutils-runuser-l.pamd

 # From upstream
+#fix double free error in tac (reported in debian bug #594666)
+Patch1: coreutils-8.5-tac-doublefree.patch

 # Our patches
 #general patch to workaround koji build system issues
@ -62,6 +64,8 @@ Patch912: coreutils-overflow.patch
 Patch915: coreutils-split-pam.patch
 #prevent koji build failure with wrong getfacl exit code
 Patch916: coreutils-getfacl-exit-code.patch
+#compile su with pie flag
+Patch917: coreutils-8.4-su-pie.patch

 #SELINUX Patch - implements Redhat changes
 #(upstream did some SELinux implementation unlike with RedHat patch)
@ -121,6 +125,7 @@ Libraries for coreutils package.
 %setup -q

 # From upstream
+%patch1 -p1 -b .doublefree

 # Our patches
 %patch100 -p1 -b .configure
@ -146,6 +151,7 @@ Libraries for coreutils package.
 %patch912 -p1 -b .overflow
 %patch915 -p1 -b .splitl
 %patch916 -p1 -b .getfacl-exit-code
+%patch917 -p1 -b .pie

 #SELinux
 %patch950 -p1 -b .selinux
@ -176,8 +182,7 @@ automake --copy --add-missing
 touch man/*.x

 make all %{?_smp_mflags} \
-         %{?!nopam:CPPFLAGS="-DUSE_PAM"} \
-         su_LDFLAGS="-pie %{?!nopam:-lpam -lpam_misc}"
+         %{?!nopam:CPPFLAGS="-DUSE_PAM"}

 # XXX docs should say /var/run/[uw]tmp not /etc/[uw]tmp
 sed -i -e 's,/etc/utmp,/var/run/utmp,g;s,/etc/wtmp,/var/run/wtmp,g' doc/coreutils.texi
@ -339,6 +344,10 @@ fi
 %{_libdir}/coreutils

 %changelog
+* Tue Sep 07 2010 Ondrej Vasik <ovasik@redhat.com> - 8.5-5
+- compile su with pie again (#630017)
+- fix double free abort in tac (#628213)
+
 * Thu Jul 22 2010 Ondrej Vasik <ovasik@redhat.com> - 8.5-4
 - Add .ear, .war, .sar , for Java jar-like archives to
  dircolors (#616497)