- Fix bogus underflow (#760935)

- Correctly handle dns request where large numbers of A and AAA records are returned (#795498) - Fix nscd crash when group has many members (#788959)
2012-02-24 10:41:06 -07:00 · 2012-02-24 10:41:06 -07:00 · c0564b95e0
parent 0e190d479d
commit c0564b95e0
4 changed files with 179 additions and 1 deletions
--- a/glibc-rh760935.patch
+++ b/glibc-rh760935.patch
@ -0,0 +1,18 @@
+diff -rup a/sysdeps/ieee754/dbl-64/w_exp.c b/sysdeps/ieee754/dbl-64/w_exp.c
+--- a/sysdeps/ieee754/dbl-64/w_exp.c	2012-01-01 05:16:32.000000000 -0700
+++ b/sysdeps/ieee754/dbl-64/w_exp.c	2012-02-24 10:32:52.769230965 -0700
+@@ -32,12 +32,12 @@ __exp (double x)
+   if (__builtin_expect (x > o_threshold, 0))
+     {
+       if (_LIB_VERSION != _IEEE_)
+-	return __kernel_standard_f (x, x, 6);
+	return __kernel_standard (x, x, 6);
+     }
+   else if (__builtin_expect (x < u_threshold, 0))
+     {
+       if (_LIB_VERSION != _IEEE_)
+-	return __kernel_standard_f (x, x, 7);
+	return __kernel_standard (x, x, 7);
+     }
+ 
+   return __ieee754_exp (x);
--- a/glibc-rh788989.patch
+++ b/glibc-rh788989.patch
@ -0,0 +1,131 @@
+diff --git a/nis/nss_compat/compat-initgroups.c b/nis/nss_compat/compat-initgroups.c
+index a70d66d..ad6ab35 100644
+--- a/nis/nss_compat/compat-initgroups.c
+++ b/nis/nss_compat/compat-initgroups.c
+@@ -296,6 +296,8 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+       if (nss_initgroups_dyn (user, group, &mystart, &mysize, &mygroups,
+ 			      limit, errnop) == NSS_STATUS_SUCCESS)
+ 	{
+	  status = NSS_STATUS_NOTFOUND;
+
+ 	  /* If there is no blacklist we can trust the underlying
+ 	     initgroups implementation.  */
+ 	  if (ent->blacklist.current <= 1)
+@@ -308,6 +310,7 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ 		 overwrite the pointer with one to a bigger buffer.  */
+ 	      char *tmpbuf = buffer;
+ 	      size_t tmplen = buflen;
+	      bool use_malloc = false;
+ 
+ 	      for (int i = 0; i < mystart; i++)
+ 		{
+@@ -315,21 +318,36 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ 						   tmpbuf, tmplen, errnop))
+ 			 == NSS_STATUS_TRYAGAIN
+ 			 && *errnop == ERANGE)
+-		    if (tmpbuf == buffer)
+-		      {
+-			tmplen *= 2;
+-			tmpbuf = __alloca (tmplen);
+-		      }
+-		    else
+-		      tmpbuf = extend_alloca (tmpbuf, tmplen, 2 * tmplen);
+                    {
+                      if (__libc_use_alloca (tmplen * 2))
+                        {
+                          if (tmpbuf == buffer)
+                            {
+                              tmplen *= 2;
+                              tmpbuf = __alloca (tmplen);
+                            }
+                          else
+                            tmpbuf = extend_alloca (tmpbuf, tmplen, tmplen * 2);
+                        }
+                      else
+                        {
+                          tmplen *= 2;
+                          char *newbuf = realloc (use_malloc ? tmpbuf : NULL, tmplen);
+
+                          if (newbuf == NULL)
+                            {
+                              status = NSS_STATUS_TRYAGAIN;
+			      goto done;
+                            }
+                          use_malloc = true;
+                          tmpbuf = newbuf;
+                        }
+                    }
+ 
+ 		  if (__builtin_expect  (status != NSS_STATUS_NOTFOUND, 1))
+ 		    {
+ 		      if (__builtin_expect  (status != NSS_STATUS_SUCCESS, 0))
+-			{
+-			  free (mygroups);
+-			  return status;
+-			}
+		        goto done;
+ 
+ 		      if (!in_blacklist (grpbuf.gr_name,
+ 					 strlen (grpbuf.gr_name), ent)
+@@ -347,11 +365,17 @@ getgrent_next_nss (ent_t *ent, char *buffer, size_t buflen, const char *user,
+ 			}
+ 		    }
+ 		}
+
+	      status = NSS_STATUS_NOTFOUND;
+
+ done:
+	      if (use_malloc)
+	        free (tmpbuf);
+ 	    }
+ 
+ 	  free (mygroups);
+ 
+-	  return NSS_STATUS_NOTFOUND;
+	  return status;
+ 	}
+ 
+       free (mygroups);
+@@ -508,6 +532,7 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
+   char *tmpbuf;
+   enum nss_status status;
+   ent_t intern = { true, false, false, NULL, {NULL, 0, 0} };
+  bool use_malloc = false;
+ 
+   status = internal_setgrent (&intern);
+   if (status != NSS_STATUS_SUCCESS)
+@@ -521,13 +546,32 @@ _nss_compat_initgroups_dyn (const char *user, gid_t group, long int *start,
+ 					    user, group, start, size,
+ 					    groupsp, limit, errnop))
+ 	     == NSS_STATUS_TRYAGAIN && *errnop == ERANGE)
+-	tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
+        if (__libc_use_alloca (buflen * 2))
+          tmpbuf = extend_alloca (tmpbuf, buflen, 2 * buflen);
+        else
+          {
+            buflen *= 2;
+            char *newbuf = realloc (use_malloc ? tmpbuf : NULL, buflen);
+            if (newbuf == NULL)
+              {
+                status = NSS_STATUS_TRYAGAIN;
+                goto done;
+              }
+            use_malloc = true;
+            tmpbuf = newbuf;
+          }
+     }
+   while (status == NSS_STATUS_SUCCESS);
+ 
+  status = NSS_STATUS_SUCCESS;
+
+ done:
+  if (use_malloc)
+    free (tmpbuf);
+
+   internal_endgrent (&intern);
+ 
+-  return NSS_STATUS_SUCCESS;
+  return status;
+ }
+ 
+ 
--- a/glibc-rh795498.patch
+++ b/glibc-rh795498.patch
@ -0,0 +1,13 @@
+diff --git a/resolv/nss_dns/dns-host.c b/resolv/nss_dns/dns-host.c
+index 01369f6..44ad04d 100644
+--- a/resolv/nss_dns/dns-host.c
+++ b/resolv/nss_dns/dns-host.c
+@@ -1219,7 +1219,7 @@ gaih_getanswer (const querybuf *answer1, int anslen1, const querybuf *answer2,
+ 				  &first);
+   if ((status == NSS_STATUS_SUCCESS || status == NSS_STATUS_NOTFOUND
+        || (status == NSS_STATUS_TRYAGAIN
+-	   && (errno != ERANGE || *h_errnop != NO_RECOVERY)))
+	   && (*errnop != ERANGE || *h_errnop == NO_RECOVERY)))
+       && answer2 != NULL && anslen2 > 0)
+     {
+       enum nss_status status2 = gaih_getanswer_slice(answer2, anslen2, qname,
--- a/glibc.spec
+++ b/glibc.spec
@ -28,7 +28,7 @@
 Summary: The GNU libc libraries
 Name: glibc
 Version: %{glibcversion}
-Release: 23%{?dist}
+Release: 24%{?dist}
 # GPLv2+ is used in a bunch of programs, LGPLv2+ is used for libraries.
 # Things that are linked directly into dynamically linked programs
 # and shared libraries (e.g. crt files, lib*_nonshared.a) have an additional
@ -100,6 +100,13 @@ Patch32 : %{name}-rh739743.patch
 Patch33 : %{name}-rh789238.patch
 # Patch posted upstream, discussion ongoing, Paul E. seems to think it's OK
 Patch34 : %{name}-rh794797.patch
+# Posted upstream
+Patch35 : %{name}-rh788989.patch
+# Posted upstream
+Patch36 : %{name}-rh795498.patch
+# Posted upstream (bz 13705)
+Patch37 : %{name}-rh795498.patch
+


 Buildroot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@ -353,6 +360,9 @@ rm -rf %{glibcportsdir}
 %patch32 -p1
 %patch33 -p1
 %patch34 -p1
+%patch35 -p1
+%patch36 -p1
+%patch37 -p1

 # A lot of programs still misuse memcpy when they have to use
 # memmove. The memcpy implementation below is not tolerant at
@ -1205,6 +1215,12 @@ rm -f *.filelist*
 %endif

 %changelog
+* Fri Feb 24 2012 Jeff Law <law@redhat.com> - 2.15-24
+  - Fix bogus underflow (#760935)
+  - Correctly handle dns request where large numbers of A and AAA records
+    are returned (#795498)
+  - Fix nscd crash when group has many members (#788959)
+ 
 * Mon Feb 20 2012 Jeff Law <law@redhat.com> - 2.15-23
  - Avoid "nargs" integer overflow which could be used to bypass FORTIFY_SOURCE (#794797)