[OE-core] [PATCH] fix(glibc): fix bug 22627

Andrej Valek andrej.valek at siemens.com
Wed Feb 7 13:45:28 UTC 2018


From: Radovan Scasny <radovan.scasny at siemens.com>

---
 ...030-Bug-22627-do-not-substitute-dst-twice.patch | 56 ++++++++++++++++++++++
 meta/recipes-core/glibc/glibc_2.26.bb              |  1 +
 2 files changed, 57 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch

diff --git a/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
new file mode 100644
index 0000000..28855e2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
@@ -0,0 +1,56 @@
+glibc: Fix Bug-22627
+
+[No upstream tracking] -- https://sourceware.org/bugzilla/show_bug.cgi?id=22627
+
+elf: Check for empty tokens before dynamic string token expansion
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bb195224acc14724e9fc2dbaa8d0b20b72ace79b]
+Bug: 22627
+Signed-off-by: Radovan Scasny <radovan.scasny at siemens.com>
+
+diff --git a/glibc/elf/dl-load.c b/glibc/elf/dl-load.c
+index 70c259b..c29257c 100644
+--- a/glibc/elf/dl-load.c
++++ b/glibc/elf/dl-load.c
+@@ -778,25 +778,7 @@ _dl_init_paths (const char *llp)
+     {
+       size_t nllp;
+       const char *cp = llp;
+-      char *llp_tmp;
+-
+-#ifdef SHARED
+-      /* Expand DSTs.  */
+-      size_t cnt = DL_DST_COUNT (llp, 1);
+-      if (__glibc_likely (cnt == 0))
+-	llp_tmp = strdupa (llp);
+-      else
+-	{
+-	  /* Determine the length of the substituted string.  */
+-	  size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
+-
+-	  /* Allocate the necessary memory.  */
+-	  llp_tmp = (char *) alloca (total + 1);
+-	  llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
+-	}
+-#else
+-      llp_tmp = strdupa (llp);
+-#endif
++      char *llp_tmp = strdupa (llp);
+ 
+       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
+ 	 elements it has.  */
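Review bot: The description in the embedded patch header does not match its diff. The text describes moving the empty-token check in fillin_rpath and a representation bug in decompose_rpath, but the only change shown is in _dl_init_paths, where the DL_DST_COUNT / _dl_dst_substitute block is replaced by `char *llp_tmp = strdupa (llp);`. Please rewrite the header so it explains this change; the file name says "do not substitute dst twice", which the header never mentions. The header also carries both "[No upstream tracking]" and "Upstream-Status: Backport [...]"; keep only the one that is accurate.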
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 7eb56b3..e5c171c 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
            file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
            file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
+           file://0030-Bug-22627-do-not-substitute-dst-twice.patch \
            file://CVE-2017-15671.patch \
            file://CVE-2017-16997.patch \
            file://CVE-2017-17426.patch \
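Review bot: The new SRC_URI entry for 0030-Bug-22627-do-not-substitute-dst-twice.patch comes with an empty commit message: the mail has only a From: line before the "---", with no body and no Signed-off-by for the OE-core commit itself. Please add a short message saying why this backport is needed for glibc 2.26 and add the sign-off. The subject would also be clearer in the "glibc: ..." form that the patch header itself uses, rather than "fix(glibc): fix bug 22627".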
-- 
2.1.4