From eb45bb90d41d4414def8c30d4902b3132628a1b9 Mon Sep 17 00:00:00 2001
From: "Alexandros C. Couloumbis"
Date: Thu, 18 Nov 2010 14:58:37 +0000
Subject: toolchain/uClibc: push some upstream patches for uClibc-0.9.31. should resolve isses of #8269
SVN-Revision: 24029
---
.../000-initialize_stdio_locking.patch | 33 +++++++++
.../000-upstream-attribute_optimize_fix.patch | 25 +++++++
.../000-upstream-calloc_return_zeroed_memory.patch | 33 +++++++++
.../patches-0.9.31/000-upstream-ctime_fix.patch | 86 ++++++++++++++++++++++
.../patches-0.9.31/000-upstream-enum_fix.patch | 20 +++++
...fix_usage_of_uninitialized_DNS_parameters.patch | 40 ++++++++++
...02-Fix-use-after-free-bug-in-__dns_lookup.patch | 40 ----------
7 files changed, 237 insertions(+), 40 deletions(-)
create mode 100644 toolchain/uClibc/patches-0.9.31/000-initialize_stdio_locking.patch
create mode 100644 toolchain/uClibc/patches-0.9.31/000-upstream-attribute_optimize_fix.patch
create mode 100644 toolchain/uClibc/patches-0.9.31/000-upstream-calloc_return_zeroed_memory.patch
create mode 100644 toolchain/uClibc/patches-0.9.31/000-upstream-ctime_fix.patch
create mode 100644 toolchain/uClibc/patches-0.9.31/000-upstream-enum_fix.patch
create mode 100644 toolchain/uClibc/patches-0.9.31/000-upstream-fix_usage_of_uninitialized_DNS_parameters.patch
delete mode 100644 toolchain/uClibc/patches-0.9.31/902-Fix-use-after-free-bug-in-__dns_lookup.patch
diff --git a/toolchain/uClibc/patches-0.9.31/000-initialize_stdio_locking.patch b/toolchain/uClibc/patches-0.9.31/000-initialize_stdio_locking.patch
new file mode 100644
index 0000000000..6a32e5d7c0
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-initialize_stdio_locking.patch
@@ -0,0 +1,33 @@
+From d4ede2b0a4727c1f5236dd9308f09cbf7a39761a Mon Sep 17 00:00:00 2001
+From: Timo Teräs
+Date: Tue, 13 Apr 2010 06:38:59 +0000
+Subject: linuxthreads.new: initialize stdio locking
+
+uClibc requires the threading library to enable locking for
+stdio, or the locking is not done at all.
+
+Signed-off-by: Timo Teräs
+Signed-off-by: Austin Foxley
+---
+diff --git a/libpthread/linuxthreads/pthread.c b/libpthread/linuxthreads/pthread.c
+index 6ae9a10..614cad1 100644
+--- a/libpthread/linuxthreads/pthread.c
++++ b/libpthread/linuxthreads/pthread.c
+@@ -613,6 +613,17 @@ static void pthread_initialize(void)
+ #ifdef USE_TLS
+ GL(dl_init_static_tls) = &__pthread_init_static_tls;
+ #endif
++
++ /* uClibc-specific stdio initialization for threads. */
++ {
++ FILE *fp;
++ _stdio_user_locking = 0; /* 2 if threading not initialized */
++ for (fp = _stdio_openlist; fp != NULL; fp = fp->__nextopen) {
++ if (fp->__user_locking != 1) {
++ fp->__user_locking = 0;
++ }
++ }
++ }
+ }
+
+ void __pthread_initialize(void)
diff --git a/toolchain/uClibc/patches-0.9.31/000-upstream-attribute_optimize_fix.patch b/toolchain/uClibc/patches-0.9.31/000-upstream-attribute_optimize_fix.patch
new file mode 100644
index 0000000000..841b5b7d6f
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-upstream-attribute_optimize_fix.patch
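Review bot: In the block that 000-initialize_stdio_locking.patch adds to pthread_initialize(), the values 0, 1 and 2 written to and compared against `_stdio_user_locking` and `__user_locking` are bare literals, and only 2 is explained by the trailing comment. A reader cannot tell from the hunk why streams whose `__user_locking` is 1 are skipped; presumably 1 marks a stream whose caller asked to do its own locking, which should be confirmed against the stdio headers. I would add a comment above the loop along the lines of `/* 0 = libc locks the stream, 1 = caller-managed locking (left untouched), 2 = threads not initialised yet */`. The walk over `_stdio_openlist` takes no lock, so the same comment should say that this runs before a second thread can exist, if that is the case; pthread_initialize() begins outside the hunk.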
@@ -0,0 +1,25 @@
+From a115ee502fca8b1eb8ce327d764562d3ae669954 Mon Sep 17 00:00:00 2001
+From: Bernhard Reutner-Fischer
+Date: Mon, 12 Apr 2010 13:09:25 +0000
+Subject: attribute_optimize: fix typo with args
+
+curious how 308f5c6e5fd56ea3d1a5512e34388aad788f1180 ever worked.. :P
+
+Signed-off-by: Bernhard Reutner-Fischer
+---
+diff --git a/include/libc-symbols.h b/include/libc-symbols.h
+index 2729d30..4615a6a 100644
+--- a/include/libc-symbols.h
++++ b/include/libc-symbols.h
+@@ -86,9 +86,9 @@
+ #endif
+
+ #if defined __GNUC__ && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 4))
+-# define attribute_optimize(lvl) __attribute__ ((optimize(x)))
++# define attribute_optimize(x) __attribute__ ((optimize(x)))
+ #else
+-# define attribute_optimize(lvl)
++# define attribute_optimize(x)
+ #endif
+
+ #define attribute_unused __attribute__ ((unused))
diff --git a/toolchain/uClibc/patches-0.9.31/000-upstream-calloc_return_zeroed_memory.patch b/toolchain/uClibc/patches-0.9.31/000-upstream-calloc_return_zeroed_memory.patch
new file mode 100644
index 0000000000..b0715058da
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-upstream-calloc_return_zeroed_memory.patch
@@ -0,0 +1,33 @@
+From afd7606ca42a2586b8823c7bd1a4a7cfd2476e3b Mon Sep 17 00:00:00 2001
+From: Steven J. Magnani
+Date: Wed, 09 Jun 2010 14:02:21 +0000
+Subject: malloc-simple: Make calloc() return zeroed memory
+
+The 0.9.31 release included a change to malloc-simple to request
+uninitialized memory from noMMU kernels. Unfortunately, the corresponding
+calloc() code assumed that memory returned by malloc() was already zeroed,
+which leads to all kinds of nastiness.
+
+Signed-off-by: Steven J. Magnani
+Signed-off-by: Bernhard Reutner-Fischer
+---
+diff --git a/libc/stdlib/malloc-simple/alloc.c b/libc/stdlib/malloc-simple/alloc.c
+index 51da14a..914c89d 100644
+--- a/libc/stdlib/malloc-simple/alloc.c
++++ b/libc/stdlib/malloc-simple/alloc.c
+@@ -60,11 +60,10 @@ void * calloc(size_t nmemb, size_t lsize)
+ __set_errno(ENOMEM);
+ return NULL;
+ }
+- result=malloc(size);
+-#if 0
+- /* Standard unix mmap using /dev/zero clears memory so calloc
+- * doesn't need to actually zero anything....
+- */
++ result = malloc(size);
++
++#ifndef __ARCH_USE_MMU__
++ /* mmap'd with MAP_UNINITIALIZE, we have to blank memory ourselves */
+ if (result != NULL) {
+ memset(result, 0, size);
+ }
diff --git a/toolchain/uClibc/patches-0.9.31/000-upstream-ctime_fix.patch b/toolchain/uClibc/patches-0.9.31/000-upstream-ctime_fix.patch
new file mode 100644
index 0000000000..668662c347
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-upstream-ctime_fix.patch
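Review bot: With `#ifndef __ARCH_USE_MMU__` around the memset in calloc() (000-upstream-calloc_return_zeroed_memory.patch), MMU builds still return whatever malloc() handed back without clearing it, so they depend on malloc() always returning fresh, kernel-zeroed pages. Nothing in the hunk states or enforces that invariant, and the removed comment that used to explain it is gone; if this allocator ever returns reused memory on an MMU target, calloc() would expose stale heap contents to its caller. Either zero unconditionally, or keep the guard and document the assumption beside it, e.g. `/* MMU: malloc() returns fresh zero-filled mmap pages, so no memset is needed */`. The matching `#endif` and the start of calloc() lie outside the hunk.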
@@ -0,0 +1,86 @@
+From f6651fa449e1d4bbbb466b091f34e6752f6506f9 Mon Sep 17 00:00:00 2001
+From: David A Ramos
+Date: Tue, 27 Jul 2010 11:10:15 +0000
+Subject: Fix ctime() standard compliance bug
+
+fixes issue2209:
+ctime() was updated in 0.9.31 to call localtime_r() instead of
+localtime() to
+avoid using a static buffer. Unfortunately, this change replaces the
+static
+buffer (which is zeroed out on initialization) with an uninitialized
+local
+buffer.
+
+In the common case, this has no effect. However, with a sufficiently
+large
+time_t value, the value returned differs from that returned by
+asctime(localtime(t)), and thus violates the ANSI/ISO standard.
+
+An example input is (on a 64-bit machine):
+time_t t = 0x7ffffffffff6c600;
+
+Signed-off-by: Bernhard Reutner-Fischer
+---
+diff --git a/libc/misc/time/time.c b/libc/misc/time/time.c
+index dfa8c0d..0d12bf3 100644
+--- a/libc/misc/time/time.c
++++ b/libc/misc/time/time.c
+@@ -479,6 +479,7 @@ char *ctime(const time_t *t)
+ * localtime's static buffer:
+ */
+ struct tm xtm;
++ memset(&xtm, 0, sizeof(xtm));
+
+ return asctime(localtime_r(t, &xtm));
+ }
+diff --git a/test/time/tst-ctime.c b/test/time/tst-ctime.c
+new file mode 100644
+index 0000000..91d827a
+--- a/dev/null
++++ b/test/time/tst-ctime.c
+@@ -0,0 +1,44 @@
++/* vi: set sw=4 ts=4: */
++/* testcase for ctime(3) with large time
++ * Copyright (C) 2010 David A Ramos
++ * Licensed under the LGPL v2.1, see the file COPYING.LIB in this tarball.
++ */
++
++#include
++#include
++#include
++#include
++
++#define MAX_POSITIVE(type) (~0 & ~((type) 1 << (sizeof(type)*8 - 1)))
++
++int do_test(int argc, char **argv) {
++ char *correct = 0, *s;
++ int status;
++
++ /* need a very high positive number (e.g., max - 1024) */
++ time_t test = MAX_POSITIVE(time_t) - 1024;
++
++ s = asctime(localtime(&test));
++
++ if (s) {
++ // copy static buffer to heap
++ correct = malloc(strlen(s)+1);
++ strcpy(correct, s);
++ }
++
++ s = ctime(&test);
++
++ printf("ANSI:\t%suClibc:\t%s", correct, s);
++
++ if (s != correct && strcmp(correct, s))
++ status = EXIT_FAILURE;
++ else
++ status = EXIT_SUCCESS;
++
++ if (correct)
++ free(correct);
++
++ return status;
++}
++
++#include
diff --git a/toolchain/uClibc/patches-0.9.31/000-upstream-enum_fix.patch b/toolchain/uClibc/patches-0.9.31/000-upstream-enum_fix.patch
new file mode 100644
index 0000000000..bac1a0d39e
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-upstream-enum_fix.patch
@@ -0,0 +1,20 @@
+From ac86be72f8b01ac3792737f4b67283541cf2c15b Mon Sep 17 00:00:00 2001
+From: Bernhard Reutner-Fischer
+Date: Tue, 27 Jul 2010 15:05:59 +0000
+Subject: remove trailing comma in enum
+
+Signed-off-by: Bernhard Reutner-Fischer
+---
+diff --git a/libc/sysdeps/linux/common/bits/confname.h b/libc/sysdeps/linux/common/bits/confname.h
+index ec4b72a..97ddd47 100644
+--- a/libc/sysdeps/linux/common/bits/confname.h
++++ b/libc/sysdeps/linux/common/bits/confname.h
+@@ -527,7 +527,7 @@ enum
+
+ _SC_THREAD_ROBUST_PRIO_INHERIT,
+ #define _SC_THREAD_ROBUST_PRIO_INHERIT _SC_THREAD_ROBUST_PRIO_INHERIT
+- _SC_THREAD_ROBUST_PRIO_PROTECT,
++ _SC_THREAD_ROBUST_PRIO_PROTECT
+ #define _SC_THREAD_ROBUST_PRIO_PROTECT _SC_THREAD_ROBUST_PRIO_PROTECT
+ };
+
diff --git a/toolchain/uClibc/patches-0.9.31/000-upstream-fix_usage_of_uninitialized_DNS_parameters.patch b/toolchain/uClibc/patches-0.9.31/000-upstream-fix_usage_of_uninitialized_DNS_parameters.patch
new file mode 100644
index 0000000000..c33614afd7
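Review bot: In do_test() of the new test/time/tst-ctime.c (added by 000-upstream-ctime_fix.patch), `correct` stays NULL whenever `asctime(localtime(&test))` yields NULL, yet it is then passed to `printf()` for `%s` and to `strcmp()`; the `malloc()` result is likewise written through by `strcpy()` without a check, and `ctime()` itself may return NULL. Since the test deliberately uses a near-maximal time_t, that path is plausible, and it makes the test crash instead of reporting a failure. A guard before the printf, `if (!correct || !s) { free(correct); return EXIT_FAILURE; }`, plus `if (!correct) return EXIT_FAILURE;` right after the malloc, would keep the result meaningful. Separately, `MAX_POSITIVE` shifts a 1 into the sign bit of a signed type, which is undefined behaviour in C.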
--- /dev/null
+++ b/toolchain/uClibc/patches-0.9.31/000-upstream-fix_usage_of_uninitialized_DNS_parameters.patch
@@ -0,0 +1,40 @@
+From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
+From: Gabor Juhos
+Date: Tue, 23 Mar 2010 08:35:27 +0100
+Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
+
+If the type of the first answer does not match with the requested type,
+then the dotted name will be freed. If there are no further answers in
+the DNS reply, this pointer will be used later on in the same function.
+Additionally it is passed to the caller, and may cause strange behaviour.
+
+For example, the following busybox commands are triggering a segmentation
+fault with uClibc 0.9.30.x
+
+ - nslookup ipv6.google.com
+ - ping ipv6.google.com
+ - wget http//ipv6.google.com/
+
+Signed-off-by: Gabor Juhos
+
+---
+
+See https://dev.openwrt.org/ticket/6886 for a testcase
+---
+ libc/inet/resolv.c | 4 +---
+ 1 files changed, 1 insertions(+), 3 deletions(-)
+
+--- a/libc/inet/resolv.c
++++ b/libc/inet/resolv.c
+@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const
+ memcpy(a, &ma, sizeof(ma));
+ if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
+ break;
+- if (a->atype != type) {
+- free(a->dotted);
++ if (a->atype != type)
+ continue;
+- }
+ a->add_count = h.ancount - j - 1;
+ if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
+ break;
diff --git a/toolchain/uClibc/patches-0.9.31/902-Fix-use-after-free-bug-in-__dns_lookup.patch b/toolchain/uClibc/patches-0.9.31/902-Fix-use-after-free-bug-in-__dns_lookup.patch
deleted file mode 100644
index c33614afd7..0000000000
--- a/toolchain/uClibc/patches-0.9.31/902-Fix-use-after-free-bug-in-__dns_lookup.patch
+++ /dev/null
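Review bot: The file added as 000-upstream-fix_usage_of_uninitialized_DNS_parameters.patch does not contain a fix for uninitialized DNS parameters; its body is the existing "Fix use-after-free bug in __dns_lookup" patch, with the same blob id (c33614afd7) as the 902-Fix-use-after-free-bug-in-__dns_lookup.patch that this commit deletes. Anyone auditing the patch directory by file name would conclude that an uninitialized-parameter fix is applied and that the use-after-free fix was dropped, while this commit shows the opposite. Keep the descriptive name (`902-Fix-use-after-free-bug-in-__dns_lookup.patch`) or rename the file to match its content, and add the intended upstream patch as a file of its own. On the inner change: with `free(a->dotted)` removed before `continue`, the string may now leak when the next answer is copied over `a` by `memcpy(a, &ma, sizeof(ma))`; the loop and the owner of `a->dotted` are outside the hunk, so this needs checking in resolv.c.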
@@ -1,40 +0,0 @@
-From c602079e5b7ba998d1dd6cae4a305af80e6cba52 Mon Sep 17 00:00:00 2001
-From: Gabor Juhos
-Date: Tue, 23 Mar 2010 08:35:27 +0100
-Subject: [PATCH] Fix use-after-free bug in __dns_lookup.
-
-If the type of the first answer does not match with the requested type,
-then the dotted name will be freed. If there are no further answers in
-the DNS reply, this pointer will be used later on in the same function.
-Additionally it is passed to the caller, and may cause strange behaviour.
-
-For example, the following busybox commands are triggering a segmentation
-fault with uClibc 0.9.30.x
-
- - nslookup ipv6.google.com
- - ping ipv6.google.com
- - wget http//ipv6.google.com/
-
-Signed-off-by: Gabor Juhos
-
----
-
-See https://dev.openwrt.org/ticket/6886 for a testcase
----
- libc/inet/resolv.c | 4 +---
- 1 files changed, 1 insertions(+), 3 deletions(-)
-
---- a/libc/inet/resolv.c
-+++ b/libc/inet/resolv.c
-@@ -1517,10 +1517,8 @@ int attribute_hidden __dns_lookup(const
- memcpy(a, &ma, sizeof(ma));
- if (a->atype != T_SIG && (NULL == a->buf || (type != T_A && type != T_AAAA)))
- break;
-- if (a->atype != type) {
-- free(a->dotted);
-+ if (a->atype != type)
- continue;
-- }
- a->add_count = h.ancount - j - 1;
- if ((a->rdlength + sizeof(struct in_addr*)) * a->add_count > a->buflen)
- break;
-- cgit v1.2.3