[coreutils/f14/master] fix double free error in tac, build su with pie again
Ondrej Vasik
ovasik at fedoraproject.org
Tue Sep 7 08:02:54 UTC 2010
commit 626aa7bd2c1cf857f3a1309b9d214bfd272a3e66
Author: Ondřej Vašík <ovasik at redhat.com>
Date: Tue Sep 7 10:02:54 2010 +0200
fix double free error in tac, build su with pie again
coreutils-8.4-su-pie.patch | 11 ++++++
coreutils-8.5-tac-doublefree.patch | 66 ++++++++++++++++++++++++++++++++++++
coreutils.spec | 15 ++++++--
3 files changed, 89 insertions(+), 3 deletions(-)
---
diff --git a/coreutils-8.4-su-pie.patch b/coreutils-8.4-su-pie.patch
new file mode 100644
index 0000000..75db725
--- /dev/null
+++ b/coreutils-8.4-su-pie.patch
@@ -0,0 +1,11 @@
+diff -urNp coreutils-8.4-orig/src/Makefile.am coreutils-8.4/src/Makefile.am
+--- coreutils-8.4-orig/src/Makefile.am 2010-09-03 17:34:43.399747649 +0200
++++ coreutils-8.4/src/Makefile.am 2010-09-03 17:36:13.005765125 +0200
+@@ -367,6 +367,7 @@ factor_LDADD += $(LIB_GMP)
+
+ # for crypt
+ su_LDADD += $(LIB_CRYPT) @LIB_PAM@
++su_LDFLAGS = -pie
+
+ # for various ACL functions
+ copy_LDADD += $(LIB_ACL)
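Review bot: `su_LDFLAGS = -pie` on the added line only changes the link step; for su to end up a genuine position-independent executable, su.o and whatever it pulls from the coreutils convenience library also need to be compiled with `-fPIE`, and nothing in this hunk or in the spec change shows that, so please confirm the build's CFLAGS supply it. Separately, under automake a per-target `su_LDFLAGS` replaces `AM_LDFLAGS` for that target, so if src/Makefile.am sets `AM_LDFLAGS` (not visible here) this silently drops it for su; `su_LDFLAGS = $(AM_LDFLAGS) -pie` keeps both. Since su is normally installed setuid, a post-build check that the resulting binary really is a PIE (`readelf -h` reporting type DYN) would make a regression of this flag visible instead of silent.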
diff --git a/coreutils-8.5-tac-doublefree.patch b/coreutils-8.5-tac-doublefree.patch
new file mode 100644
index 0000000..467c202
--- /dev/null
+++ b/coreutils-8.5-tac-doublefree.patch
@@ -0,0 +1,66 @@
+From b3959fc691e606857a3c6e9b316ec34819972245 Mon Sep 17 00:00:00 2001
+From: Jim Meyering <meyering at redhat.com>
+Date: Sat, 28 Aug 2010 17:45:29 +0200
+Subject: [PATCH] tac: avoid double free
+
+* src/tac.c (main): Reading a line longer than 16KiB would cause
+tac to realloc its primary buffer. Then, just before exit, tac
+would mistakenly free the original (now free'd) buffer.
+This bug was introduced by commit be6c13e7, "maint: always free a
+buffer, to avoid even semblance of a leak".
+* tests/misc/tac (double-free): New test, to exercise this.
+Reported by Salvo Tomaselli in <http://bugs.debian.org/594666>.
+---
+ src/tac.c | 6 ++++--
+ tests/misc/tac | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+diff --git a/src/tac.c b/src/tac.c
+index cec9736..859e006 100644
+--- a/src/tac.c
++++ b/src/tac.c
+@@ -633,7 +633,6 @@ main (int argc, char **argv)
+ if (! (read_size < half_buffer_size && half_buffer_size < G_buffer_size))
+ xalloc_die ();
+ G_buffer = xmalloc (G_buffer_size);
+- void *buf = G_buffer;
+ if (sentinel_length)
+ {
+ strcpy (G_buffer, separator);
+@@ -666,6 +665,9 @@ main (int argc, char **argv)
+ error (0, errno, "-");
+ ok = false;
+ }
+- free (buf);
++
++ size_t offset = sentinel_length ? sentinel_length : 1;
++ free (G_buffer - offset);
++
+ exit (ok ? EXIT_SUCCESS : EXIT_FAILURE);
+ }
+diff --git a/tests/misc/tac b/tests/misc/tac
+index 7631049..4130c00 100755
+--- a/tests/misc/tac
++++ b/tests/misc/tac
+@@ -24,6 +24,9 @@ my $prog = 'tac';
+
+ my $bad_dir = 'no/such/dir';
+
++# This must be longer than 16KiB to trigger the double free in coreutils-8.5.
++my $long_line = 'o' x (16 * 1024 + 1);
++
+ my @Tests =
+ (
+ ['segfault', '-r', {IN=>"a\n"}, {IN=>"b\n"}, {OUT=>"a\nb\n"}],
+@@ -67,6 +70,9 @@ my @Tests =
+ {ERR_SUBST => "s,`$bad_dir': .*,...,"},
+ {ERR => "$prog: cannot create temporary file in ...\n"},
+ {EXIT => 1}],
++
++ # coreutils-8.5's tac would double-free its primary buffer.
++ ['double-free', {IN=>$long_line}, {OUT=>$long_line}],
+ );
+
+ @Tests = triple_test \@Tests;
+--
+1.7.2.2.510.g7180a
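Review bot: The new `free (G_buffer - offset)` at the end of main relies on an invariant the hunk does not state: G_buffer must have been advanced by exactly `sentinel_length` bytes (or by one byte when there is no sentinel) after allocation, and every later realloc must preserve that offset — the `strcpy (G_buffer, separator)` in context suggests the sentinel is written at the start of the block, but the advance itself happens outside the hunk. A comment tying the two together would protect the next maintainer, e.g. `/* G_buffer points offset bytes past the start of the allocation (the sentinel, or one reserved byte); free the real start.  */`. The added Perl test drives a single line of 16 KiB + 1 bytes with no trailing newline through tac and expects it back unchanged, which exercises the realloc path the commit message describes; the double free itself is only observable when the allocator detects it, so the test's value rests on glibc's default heap checking (or MALLOC_CHECK_/valgrind in the harness). main's body extends well beyond both ends of these hunks.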
diff --git a/coreutils.spec b/coreutils.spec
index 7c313d5..bcca460 100644
--- a/coreutils.spec
+++ b/coreutils.spec
@@ -1,7 +1,7 @@
Summary: A set of basic GNU tools commonly used in shell scripts
Name: coreutils
Version: 8.5
-Release: 4%{?dist}
+Release: 5%{?dist}
License: GPLv3+
Group: System Environment/Base
Url: http://www.gnu.org/software/coreutils/
@@ -18,6 +18,8 @@ Source202: coreutils-su-l.pamd
Source203: coreutils-runuser-l.pamd
# From upstream
+#fix double free error in tac (reported in debian bug #594666)
+Patch1: coreutils-8.5-tac-doublefree.patch
# Our patches
#general patch to workaround koji build system issues
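Review bot: The comment introduced for Patch1 records the Debian bug but not the upstream commit it backports, although the patch file itself carries it (`From b3959fc691e606857a3c6e9b316ec34819972245`); naming it next to the Patch line makes it straightforward to drop the patch when rebasing onto a release that already contains it. Suggested: `#fix double free error in tac (upstream commit b3959fc6, debian bug #594666)`. Patch917 in the later hunk has the mirror problem: its file name says coreutils-8.4 while this spec is at Version 8.5, so a note on which source tree that Makefile.am change was generated against would help there too.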
@@ -62,6 +64,8 @@ Patch912: coreutils-overflow.patch
Patch915: coreutils-split-pam.patch
#prevent koji build failure with wrong getfacl exit code
Patch916: coreutils-getfacl-exit-code.patch
+#compile su with pie flag
+Patch917: coreutils-8.4-su-pie.patch
#SELINUX Patch - implements Redhat changes
#(upstream did some SELinux implementation unlike with RedHat patch)
@@ -121,6 +125,7 @@ Libraries for coreutils package.
%setup -q
# From upstream
+%patch1 -p1 -b .doublefree
# Our patches
%patch100 -p1 -b .configure
@@ -146,6 +151,7 @@ Libraries for coreutils package.
%patch912 -p1 -b .overflow
%patch915 -p1 -b .splitl
%patch916 -p1 -b .getfacl-exit-code
+%patch917 -p1 -b .pie
#SELinux
%patch950 -p1 -b .selinux
@@ -176,8 +182,7 @@ automake --copy --add-missing
touch man/*.x
make all %{?_smp_mflags} \
- %{?!nopam:CPPFLAGS="-DUSE_PAM"} \
- su_LDFLAGS="-pie %{?!nopam:-lpam -lpam_misc}"
+ %{?!nopam:CPPFLAGS="-DUSE_PAM"}
# XXX docs should say /var/run/[uw]tmp not /etc/[uw]tmp
sed -i -e 's,/etc/utmp,/var/run/utmp,g;s,/etc/wtmp,/var/run/wtmp,g' doc/coreutils.texi
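Review bot: Dropping `su_LDFLAGS="-pie ..."` from the make line means su being a PIE now rests entirely on Patch917 applying cleanly and on the `automake` run in this hunk's context regenerating src/Makefile.in from the patched Makefile.am, and nothing in the build confirms the result. Given the changelog describes this as building su with pie *again*, a guard after `make all` such as `readelf -h src/su | grep -q 'Type:[[:space:]]*DYN' || exit 1` would turn a silent regression into a build failure. The `-lpam -lpam_misc` that the removed line carried under `%{?!nopam:...}` are presumably now expected from `@LIB_PAM@` in the patched `su_LDADD`, which is no longer conditional on nopam; worth confirming that a `nopam` build still links. The make invocation continues outside the hunk.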
@@ -339,6 +344,10 @@ fi
%{_libdir}/coreutils
%changelog
+* Tue Sep 07 2010 Ondrej Vasik <ovasik at redhat.com> - 8.5-5
+- compile su with pie again (#630017)
+- fix double free abort in tac (#628213)
+
* Thu Jul 22 2010 Ondrej Vasik <ovasik at redhat.com> - 8.5-4
- Add .ear, .war, .sar , for Java jar-like archives to
dircolors (#616497)