[Bug 1904419] Re: Upgrade glibc 2.32 by required upstream patches
Frank Heimes
1904419 at bugs.launchpad.net
Fri Dec 11 18:16:22 UTC 2020
Ok, just wanted to be sure - this will justify a glibc SRU.
(clicking the bug number earlier opened it as an LP bug, which is <known to be> wrong and is usually an indicator for me that it's an internal IBM BZ number - but I've found the glibc upstream BZs now
thx ...)
I've created a first SRU justification based on upstream info and added it to the bug description above.
And I've also marked this bug as 'regression' (added it as a tag), and such regressions are usually marked (in LP) as critical as well.
** Tags added: regression
** Changed in: ubuntu-z-systems
Importance: High => Critical
** Description changed:
+ SRU Justification:
+
+ [Impact]
+
+ * The glibc version 2.32 in groovy has some regressions with the
+ following impact:
+
+ * A regression that got introduced by commit
+ ffd178c651b827f24acead02284abbb12f3f723b can lead to a crash, because
+ __shmctl calls shmid_to_shmid64 on the input buffer even when cmd is
+ IPC_INFO. If SHM_INFO is immediately followed by unmapped memory,
+ shmid_to_shmid64 will read past its end into unmapped memory and will
+ crash.
+
+ * Starting with glibc-2.31.9000-687-g3283f71113 (glibc-2.32~83) IPC_INFO
+ and MSG_INFO commands of __msgctl and __msgctl64 return garbage because
+ a pointer to an internal buffer on the stack is passed to the kernel.
+ The buffer specified by the user remains unchanged after IPC_INFO and
+ MSG_INFO commands.
+
+ * semctl SEM_STAT_ANY fails to pass the buffer specified by the caller
+ to the kernel. The kernel receives garbage instead of union semun.buf
+ address specified by the caller.
+
+ [ Fix ]
+
+ * a49d7fd4f764e97ccaf922e433046590ae52fce9 "32-bit shmctl(IPC_INFO)
+ crashes when shminfo struct is at the end of a memory mapping"
+
+ * 20a00dbefca5695cccaa44846a482db8ccdd85ab "msgctl IPC_INFO and MSG_INFO
+ return garbage"
+
+ * 574500a108be1d2a6a0dc97a075c9e0a98371aba "semctl SEM_STAT_ANY fails to
+ pass the buffer specified by the caller to the kernel"
+
+ [ Test Case ]
+
+ Execute test script available upstream (1) here:
+ https://sourceware.org/bugzilla/show_bug.cgi?id=26636#c0
+
+ And run the test suite with the newly introduced test-cases that came
+ with the commits.
+
+ [ Where problems could occur ]
+
+ * glibc modifications are usually quite sensitive.
+
+ * Erroneous modifications (1) in the area of IPC and SHM (i.e. IPC_INFO
+ and MSG_INFO) and its control may lead to an even bigger impact - and
+ in the worst case the crashes go beyond the case where shminfo is
+ immediately followed by unmapped memory and could happen always (which
+ would break the system entirely).
+
+ * Returning (3) or passing over and pointing to wrong buffers (2), or in worst case to other unwanted areas, can cause virtually any unforeseen consequences.
+ Returning garbage is only one aspect, returning wrong data and even modifying it would be even worse.
+
+ [Other Info]
+
+ * All fixes are upstream accepted and are part of glibc 2.33.
+
+ __________
+
The current libc6-2.32-0ubuntu3 package lacks some of the upstream glibc
commits on the "release/2.32/master" branch (see
http://sourceware.org/git/?p=glibc.git;a=shortlog;h=refs/heads/release/2.32/master).
Does Ubuntu automatically pick the commits from this release branch?
Otherwise, please update to the latest commits on this branch, especially for:
- 2dfa659a66 resolv: Handle transaction ID collisions in parallel queries (bug 26600)
- 0b9460d22e sysvipc: Fix IPC_INFO and SHM_INFO handling [BZ #26636]
- c4aeedea59 sysvipc: Fix IPC_INFO and MSG_INFO handling [BZ #26639]
- 9b139b6b81 sysvipc: Fix SEM_STAT_ANY kernel argument pass [BZ #26637]
- ...
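As an added check (not code from this bug report, nor from glibc's own test suite), the C program below rebuilds the two buffer conditions described in the [Impact] section: a struct shminfo that ends exactly where a mapping ends with the next page unmapped, for shmctl(IPC_INFO), and a sentinel-filled struct msginfo for msgctl(IPC_INFO), to see whether the kernel's data actually reaches the caller's buffer. The 0xA5 fill pattern is constructed; the shmctl read-past-end only manifests as a fault on the affected 32-bit builds, and the SEM_STAT_ANY case is not covered here.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/ipc.h>
#include <sys/mman.h>
#include <sys/msg.h>
#include <sys/shm.h>
#include <unistd.h>

/* Place a struct shminfo so that it ends exactly where a mapping ends and the
   next page is unmapped (the layout from BZ #26636).  A glibc that runs
   shmid_to_shmid64 on this buffer for IPC_INFO reads past it and faults. */
static struct shminfo *shminfo_at_mapping_end(void)
{
    long page = sysconf(_SC_PAGESIZE);
    char *p = mmap(NULL, 2 * page, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED || munmap(p + page, page) != 0)
        return NULL;
    return (struct shminfo *)(p + page - sizeof(struct shminfo));
}

/* 0: IPC_INFO returned without faulting; -1: setup or the syscall failed. */
int check_shmctl_ipc_info(void)
{
    struct shminfo *info = shminfo_at_mapping_end();
    if (info == NULL)
        return -1;
    memset(info, 0, sizeof *info);
    return shmctl(0, IPC_INFO, (struct shmid_ds *)info) < 0 ? -1 : 0;
}

/* 0: kernel data landed in the caller's buffer; 1: buffer left untouched (the
   BZ #26639 regression, where glibc passed its own stack copy instead);
   -1: the syscall itself failed. */
int check_msgctl_ipc_info(void)
{
    struct msginfo info, sentinel;
    memset(&info, 0xA5, sizeof info);      /* constructed fill pattern */
    memset(&sentinel, 0xA5, sizeof sentinel);
    if (msgctl(0, IPC_INFO, (struct msqid_ds *)&info) < 0)
        return -1;
    return memcmp(&info, &sentinel, sizeof info) == 0 ? 1 : 0;
}

int main(void)
{
    printf("shmctl IPC_INFO: %d\nmsgctl IPC_INFO: %d\n",
           check_shmctl_ipc_info(), check_msgctl_ipc_info());
    return 0;
}
```

A result of 1 from the msgctl check, or a SIGSEGV during the shmctl check, indicates a libc still carrying the regressions; -1 only means the environment does not permit the IPC syscall.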
https://bugs.launchpad.net/bugs/1904419
Title:
Upgrade glibc 2.32 by required upstream patches
Status in Ubuntu on IBM z Systems:
Triaged
Status in glibc package in Ubuntu:
Fix Released
Status in glibc source package in Groovy:
New
Status in glibc source package in Hirsute:
Fix Released