Reviewed-by: Adolf Belka On 04/02/2022 17:47, Michael Tremer wrote: > Signed-off-by: Michael Tremer > --- > config/rootfiles/common/aarch64/glibc | 40 ++++------ > config/rootfiles/common/armv6l/glibc | 40 ++++------ > config/rootfiles/common/x86_64/glibc | 43 +++++------ > lfs/glibc | 8 +- > ...x-null-pointer-dereference-bug-28213.patch | 40 ---------- > ...ead_attr_copy-in-mq_notify-bug-27896.patch | 74 ------------------- > 6 files changed, 50 insertions(+), 195 deletions(-) > delete mode 100644 src/patches/glibc-2.33-librt-fix-null-pointer-dereference-bug-28213.patch > delete mode 100644 src/patches/glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch > > diff --git a/config/rootfiles/common/aarch64/glibc b/config/rootfiles/common/aarch64/glibc > index 0849703f9..634f1686e 100644 > --- a/config/rootfiles/common/aarch64/glibc > +++ b/config/rootfiles/common/aarch64/glibc > @@ -1,41 +1,25 @@ > #etc/ld.so.cache > etc/rpc > -lib/ld-2.33.so > lib/ld-linux-aarch64.so.1 > -lib/libBrokenLocale-2.33.so > lib/libBrokenLocale.so.1 > #lib/libSegFault.so > -lib/libanl-2.33.so > lib/libanl.so.1 > -lib/libc-2.33.so > lib/libc.so.6 > -lib/libdl-2.33.so > +#lib/libc_malloc_debug.so.0 > lib/libdl.so.2 > -lib/libm-2.33.so > lib/libm.so.6 > #lib/libmemusage.so > -lib/libnsl-2.33.so > lib/libnsl.so.1 > -lib/libnss_compat-2.33.so > lib/libnss_compat.so.2 > -lib/libnss_db-2.33.so > lib/libnss_db.so.2 > -lib/libnss_dns-2.33.so > lib/libnss_dns.so.2 > -lib/libnss_files-2.33.so > lib/libnss_files.so.2 > -lib/libnss_hesiod-2.33.so > lib/libnss_hesiod.so.2 > #lib/libpcprofile.so > -lib/libpthread-2.33.so > lib/libpthread.so.0 > -lib/libresolv-2.33.so > lib/libresolv.so.2 > -lib/librt-2.33.so > lib/librt.so.1 > -lib/libthread_db-1.0.so > lib/libthread_db.so.1 > -lib/libutil-2.33.so > lib/libutil.so.1 > sbin/ldconfig > #sbin/sln > @@ -145,6 +129,8 @@ usr/bin/locale > #usr/include/bits/procfs-id.h > #usr/include/bits/procfs-prregset.h > #usr/include/bits/procfs.h > +#usr/include/bits/pthread_stack_min-dynamic.h > +#usr/include/bits/pthread_stack_min.h > #usr/include/bits/pthreadtypes-arch.h > #usr/include/bits/pthreadtypes.h > #usr/include/bits/ptrace-shared.h > @@ -169,6 +155,7 @@ usr/bin/locale > #usr/include/bits/signum-arch.h > #usr/include/bits/signum-generic.h > #usr/include/bits/sigstack.h > +#usr/include/bits/sigstksz.h > #usr/include/bits/sigthread.h > #usr/include/bits/sockaddr.h > #usr/include/bits/socket-constants.h > @@ -197,6 +184,7 @@ usr/bin/locale > #usr/include/bits/struct_mutex.h > #usr/include/bits/struct_rwlock.h > #usr/include/bits/struct_stat.h > +#usr/include/bits/struct_stat_time64_helper.h > #usr/include/bits/syscall.h > #usr/include/bits/syslog-ldbl.h > #usr/include/bits/syslog-path.h > @@ -245,11 +233,17 @@ usr/bin/locale > #usr/include/bits/types/struct___jmp_buf_tag.h > #usr/include/bits/types/struct_iovec.h > #usr/include/bits/types/struct_itimerspec.h > +#usr/include/bits/types/struct_msqid64_ds.h > +#usr/include/bits/types/struct_msqid64_ds_helper.h > #usr/include/bits/types/struct_msqid_ds.h > #usr/include/bits/types/struct_osockaddr.h > #usr/include/bits/types/struct_rusage.h > #usr/include/bits/types/struct_sched_param.h > +#usr/include/bits/types/struct_semid64_ds.h > +#usr/include/bits/types/struct_semid64_ds_helper.h > #usr/include/bits/types/struct_semid_ds.h > +#usr/include/bits/types/struct_shmid64_ds.h > +#usr/include/bits/types/struct_shmid64_ds_helper.h > #usr/include/bits/types/struct_shmid_ds.h > #usr/include/bits/types/struct_sigstack.h > #usr/include/bits/types/struct_statx.h > @@ -292,6 +286,7 @@ usr/bin/locale > #usr/include/error.h > #usr/include/execinfo.h > #usr/include/fcntl.h > +#usr/include/features-time64.h > #usr/include/features.h > #usr/include/fenv.h > #usr/include/finclude > @@ -775,6 +770,8 @@ usr/lib/gconv > #usr/lib/gconv/UTF-7.so > #usr/lib/gconv/VISCII.so > #usr/lib/gconv/gconv-modules > +#usr/lib/gconv/gconv-modules.d > +#usr/lib/gconv/gconv-modules.d/gconv-modules-extra.conf > #usr/lib/gconv/libCNS.so > #usr/lib/gconv/libGB.so > #usr/lib/gconv/libISOIR165.so > @@ -793,27 +790,22 @@ usr/lib/gconv > #usr/lib/libanl.so > #usr/lib/libc.a > #usr/lib/libc.so > +#usr/lib/libc_malloc_debug.so > #usr/lib/libc_nonshared.a > #usr/lib/libdl.a > -#usr/lib/libdl.so > #usr/lib/libg.a > #usr/lib/libm.a > #usr/lib/libm.so > #usr/lib/libmcheck.a > #usr/lib/libnss_compat.so > #usr/lib/libnss_db.so > -#usr/lib/libnss_dns.so > -#usr/lib/libnss_files.so > #usr/lib/libnss_hesiod.so > #usr/lib/libpthread.a > -#usr/lib/libpthread.so > #usr/lib/libresolv.a > #usr/lib/libresolv.so > #usr/lib/librt.a > -#usr/lib/librt.so > #usr/lib/libthread_db.so > #usr/lib/libutil.a > -#usr/lib/libutil.so > usr/lib/locale > #usr/lib/locale/aa_DJ > #usr/lib/locale/aa_DJ.utf8 > @@ -8372,7 +8364,5 @@ usr/lib/locale > #usr/share/locale/zh_TW > #usr/share/locale/zh_TW/LC_MESSAGES > #usr/share/locale/zh_TW/LC_MESSAGES/libc.mo > -#var/cache/ldconfig > -#var/cache/ldconfig/aux-cache > #var/db > #var/db/Makefile > diff --git a/config/rootfiles/common/armv6l/glibc b/config/rootfiles/common/armv6l/glibc > index de1a6519c..3348bc098 100644 > --- a/config/rootfiles/common/armv6l/glibc > +++ b/config/rootfiles/common/armv6l/glibc > @@ -1,41 +1,25 @@ > #etc/ld.so.cache > etc/rpc > -lib/ld-2.33.so > lib/ld-linux.so.3 > -lib/libBrokenLocale-2.33.so > lib/libBrokenLocale.so.1 > #lib/libSegFault.so > -lib/libanl-2.33.so > lib/libanl.so.1 > -lib/libc-2.33.so > lib/libc.so.6 > -lib/libdl-2.33.so > +#lib/libc_malloc_debug.so.0 > lib/libdl.so.2 > -lib/libm-2.33.so > lib/libm.so.6 > #lib/libmemusage.so > -lib/libnsl-2.33.so > lib/libnsl.so.1 > -lib/libnss_compat-2.33.so > lib/libnss_compat.so.2 > -lib/libnss_db-2.33.so > lib/libnss_db.so.2 > -lib/libnss_dns-2.33.so > lib/libnss_dns.so.2 > -lib/libnss_files-2.33.so > lib/libnss_files.so.2 > -lib/libnss_hesiod-2.33.so > lib/libnss_hesiod.so.2 > #lib/libpcprofile.so > -lib/libpthread-2.33.so > lib/libpthread.so.0 > -lib/libresolv-2.33.so > lib/libresolv.so.2 > -lib/librt-2.33.so > lib/librt.so.1 > -lib/libthread_db-1.0.so > lib/libthread_db.so.1 > -lib/libutil-2.33.so > lib/libutil.so.1 > sbin/ldconfig > #sbin/sln > @@ -145,6 +129,8 @@ usr/bin/locale > #usr/include/bits/procfs-id.h > #usr/include/bits/procfs-prregset.h > #usr/include/bits/procfs.h > +#usr/include/bits/pthread_stack_min-dynamic.h > +#usr/include/bits/pthread_stack_min.h > #usr/include/bits/pthreadtypes-arch.h > #usr/include/bits/pthreadtypes.h > #usr/include/bits/ptrace-shared.h > @@ -169,6 +155,7 @@ usr/bin/locale > #usr/include/bits/signum-arch.h > #usr/include/bits/signum-generic.h > #usr/include/bits/sigstack.h > +#usr/include/bits/sigstksz.h > #usr/include/bits/sigthread.h > #usr/include/bits/sockaddr.h > #usr/include/bits/socket-constants.h > @@ -197,6 +184,7 @@ usr/bin/locale > #usr/include/bits/struct_mutex.h > #usr/include/bits/struct_rwlock.h > #usr/include/bits/struct_stat.h > +#usr/include/bits/struct_stat_time64_helper.h > #usr/include/bits/syscall.h > #usr/include/bits/syslog-ldbl.h > #usr/include/bits/syslog-path.h > @@ -245,11 +233,17 @@ usr/bin/locale > #usr/include/bits/types/struct___jmp_buf_tag.h > #usr/include/bits/types/struct_iovec.h > #usr/include/bits/types/struct_itimerspec.h > +#usr/include/bits/types/struct_msqid64_ds.h > +#usr/include/bits/types/struct_msqid64_ds_helper.h > #usr/include/bits/types/struct_msqid_ds.h > #usr/include/bits/types/struct_osockaddr.h > #usr/include/bits/types/struct_rusage.h > #usr/include/bits/types/struct_sched_param.h > +#usr/include/bits/types/struct_semid64_ds.h > +#usr/include/bits/types/struct_semid64_ds_helper.h > #usr/include/bits/types/struct_semid_ds.h > +#usr/include/bits/types/struct_shmid64_ds.h > +#usr/include/bits/types/struct_shmid64_ds_helper.h > #usr/include/bits/types/struct_shmid_ds.h > #usr/include/bits/types/struct_sigstack.h > #usr/include/bits/types/struct_statx.h > @@ -292,6 +286,7 @@ usr/bin/locale > #usr/include/error.h > #usr/include/execinfo.h > #usr/include/fcntl.h > +#usr/include/features-time64.h > #usr/include/features.h > #usr/include/fenv.h > #usr/include/finclude > @@ -774,6 +769,8 @@ usr/lib/gconv > #usr/lib/gconv/UTF-7.so > #usr/lib/gconv/VISCII.so > #usr/lib/gconv/gconv-modules > +#usr/lib/gconv/gconv-modules.d > +#usr/lib/gconv/gconv-modules.d/gconv-modules-extra.conf > #usr/lib/gconv/libCNS.so > #usr/lib/gconv/libGB.so > #usr/lib/gconv/libISOIR165.so > @@ -795,27 +792,22 @@ usr/lib/gconv > #usr/lib/libanl.so > #usr/lib/libc.a > #usr/lib/libc.so > +#usr/lib/libc_malloc_debug.so > #usr/lib/libc_nonshared.a > #usr/lib/libdl.a > -#usr/lib/libdl.so > #usr/lib/libg.a > #usr/lib/libm.a > #usr/lib/libm.so > #usr/lib/libmcheck.a > #usr/lib/libnss_compat.so > #usr/lib/libnss_db.so > -#usr/lib/libnss_dns.so > -#usr/lib/libnss_files.so > #usr/lib/libnss_hesiod.so > #usr/lib/libpthread.a > -#usr/lib/libpthread.so > #usr/lib/libresolv.a > #usr/lib/libresolv.so > #usr/lib/librt.a > -#usr/lib/librt.so > #usr/lib/libthread_db.so > #usr/lib/libutil.a > -#usr/lib/libutil.so > usr/lib/locale > #usr/lib/locale/aa_DJ > #usr/lib/locale/aa_DJ.utf8 > @@ -8374,7 +8366,5 @@ usr/lib/locale > #usr/share/locale/zh_TW > #usr/share/locale/zh_TW/LC_MESSAGES > #usr/share/locale/zh_TW/LC_MESSAGES/libc.mo > -#var/cache/ldconfig > -#var/cache/ldconfig/aux-cache > #var/db > #var/db/Makefile > diff --git a/config/rootfiles/common/x86_64/glibc b/config/rootfiles/common/x86_64/glibc > index 74f7e38fd..40bd175f4 100644 > --- a/config/rootfiles/common/x86_64/glibc > +++ b/config/rootfiles/common/x86_64/glibc > @@ -1,43 +1,26 @@ > #etc/ld.so.cache > etc/rpc > -lib/ld-2.33.so > lib/ld-linux-x86-64.so.2 > -lib/libBrokenLocale-2.33.so > lib/libBrokenLocale.so.1 > #lib/libSegFault.so > -lib/libanl-2.33.so > lib/libanl.so.1 > -lib/libc-2.33.so > lib/libc.so.6 > -lib/libdl-2.33.so > +#lib/libc_malloc_debug.so.0 > lib/libdl.so.2 > -lib/libm-2.33.so > lib/libm.so.6 > #lib/libmemusage.so > -lib/libmvec-2.33.so > lib/libmvec.so.1 > -lib/libnsl-2.33.so > lib/libnsl.so.1 > -lib/libnss_compat-2.33.so > lib/libnss_compat.so.2 > -lib/libnss_db-2.33.so > lib/libnss_db.so.2 > -lib/libnss_dns-2.33.so > lib/libnss_dns.so.2 > -lib/libnss_files-2.33.so > lib/libnss_files.so.2 > -lib/libnss_hesiod-2.33.so > lib/libnss_hesiod.so.2 > #lib/libpcprofile.so > -lib/libpthread-2.33.so > lib/libpthread.so.0 > -lib/libresolv-2.33.so > lib/libresolv.so.2 > -lib/librt-2.33.so > lib/librt.so.1 > -lib/libthread_db-1.0.so > lib/libthread_db.so.1 > -lib/libutil-2.33.so > lib/libutil.so.1 > sbin/ldconfig > #sbin/sln > @@ -137,6 +120,8 @@ usr/bin/locale > #usr/include/bits/msq.h > #usr/include/bits/netdb.h > #usr/include/bits/param.h > +#usr/include/bits/platform > +#usr/include/bits/platform/x86.h > #usr/include/bits/poll.h > #usr/include/bits/poll2.h > #usr/include/bits/posix1_lim.h > @@ -147,6 +132,8 @@ usr/bin/locale > #usr/include/bits/procfs-id.h > #usr/include/bits/procfs-prregset.h > #usr/include/bits/procfs.h > +#usr/include/bits/pthread_stack_min-dynamic.h > +#usr/include/bits/pthread_stack_min.h > #usr/include/bits/pthreadtypes-arch.h > #usr/include/bits/pthreadtypes.h > #usr/include/bits/ptrace-shared.h > @@ -171,6 +158,7 @@ usr/bin/locale > #usr/include/bits/signum-arch.h > #usr/include/bits/signum-generic.h > #usr/include/bits/sigstack.h > +#usr/include/bits/sigstksz.h > #usr/include/bits/sigthread.h > #usr/include/bits/sockaddr.h > #usr/include/bits/socket-constants.h > @@ -199,6 +187,7 @@ usr/bin/locale > #usr/include/bits/struct_mutex.h > #usr/include/bits/struct_rwlock.h > #usr/include/bits/struct_stat.h > +#usr/include/bits/struct_stat_time64_helper.h > #usr/include/bits/syscall.h > #usr/include/bits/syslog-ldbl.h > #usr/include/bits/syslog-path.h > @@ -247,11 +236,17 @@ usr/bin/locale > #usr/include/bits/types/struct___jmp_buf_tag.h > #usr/include/bits/types/struct_iovec.h > #usr/include/bits/types/struct_itimerspec.h > +#usr/include/bits/types/struct_msqid64_ds.h > +#usr/include/bits/types/struct_msqid64_ds_helper.h > #usr/include/bits/types/struct_msqid_ds.h > #usr/include/bits/types/struct_osockaddr.h > #usr/include/bits/types/struct_rusage.h > #usr/include/bits/types/struct_sched_param.h > +#usr/include/bits/types/struct_semid64_ds.h > +#usr/include/bits/types/struct_semid64_ds_helper.h > #usr/include/bits/types/struct_semid_ds.h > +#usr/include/bits/types/struct_shmid64_ds.h > +#usr/include/bits/types/struct_shmid64_ds_helper.h > #usr/include/bits/types/struct_shmid_ds.h > #usr/include/bits/types/struct_sigstack.h > #usr/include/bits/types/struct_statx.h > @@ -294,6 +289,7 @@ usr/bin/locale > #usr/include/error.h > #usr/include/execinfo.h > #usr/include/fcntl.h > +#usr/include/features-time64.h > #usr/include/features.h > #usr/include/fenv.h > #usr/include/finclude > @@ -783,6 +779,8 @@ usr/lib/gconv > #usr/lib/gconv/UTF-7.so > #usr/lib/gconv/VISCII.so > #usr/lib/gconv/gconv-modules > +#usr/lib/gconv/gconv-modules.d > +#usr/lib/gconv/gconv-modules.d/gconv-modules-extra.conf > #usr/lib/gconv/libCNS.so > #usr/lib/gconv/libGB.so > #usr/lib/gconv/libISOIR165.so > @@ -801,11 +799,11 @@ usr/lib/gconv > #usr/lib/libanl.so > #usr/lib/libc.a > #usr/lib/libc.so > +#usr/lib/libc_malloc_debug.so > #usr/lib/libc_nonshared.a > #usr/lib/libdl.a > -#usr/lib/libdl.so > #usr/lib/libg.a > -#usr/lib/libm-2.33.a > +#usr/lib/libm-2.34.a > #usr/lib/libm.a > #usr/lib/libm.so > #usr/lib/libmcheck.a > @@ -813,18 +811,13 @@ usr/lib/gconv > #usr/lib/libmvec.so > #usr/lib/libnss_compat.so > #usr/lib/libnss_db.so > -#usr/lib/libnss_dns.so > -#usr/lib/libnss_files.so > #usr/lib/libnss_hesiod.so > #usr/lib/libpthread.a > -#usr/lib/libpthread.so > #usr/lib/libresolv.a > #usr/lib/libresolv.so > #usr/lib/librt.a > -#usr/lib/librt.so > #usr/lib/libthread_db.so > #usr/lib/libutil.a > -#usr/lib/libutil.so > usr/lib/locale > #usr/lib/locale/aa_DJ > #usr/lib/locale/aa_DJ.utf8 > diff --git a/lfs/glibc b/lfs/glibc > index d2d3aff91..e7f2a71c5 100644 > --- a/lfs/glibc > +++ b/lfs/glibc > @@ -24,7 +24,7 @@ > > include Config > > -VER = 2.33 > +VER = 2.34 > > THISAPP = glibc-$(VER) > DL_FILE = $(THISAPP).tar.xz > @@ -73,7 +73,7 @@ objects = $(DL_FILE) > > $(DL_FILE) = $(DL_FROM)/$(DL_FILE) > > -$(DL_FILE)_MD5 = 390bbd889c7e8e8a7041564cb6b27cca > +$(DL_FILE)_MD5 = 31998b53fb39cb946e96abc310af1c89 > > install : $(TARGET) > > @@ -105,10 +105,6 @@ $(TARGET) : $(patsubst %,$(DIR_DL)/%,$(objects)) > @rm -rf $(DIR_APP) $(DIR_SRC)/glibc-build && cd $(DIR_SRC) && tar axf $(DIR_DL)/$(DL_FILE) > @mkdir $(DIR_SRC)/glibc-build > > - # Security Fixes > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch > - cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-2.33-librt-fix-null-pointer-dereference-bug-28213.patch > - > cd $(DIR_APP) && patch -Np1 < $(DIR_SRC)/src/patches/glibc-localedef-no-archive.patch > > ifneq "$(TOOLCHAIN)" "1" > diff --git a/src/patches/glibc-2.33-librt-fix-null-pointer-dereference-bug-28213.patch b/src/patches/glibc-2.33-librt-fix-null-pointer-dereference-bug-28213.patch > deleted file mode 100644 > index d2083e6e2..000000000 > --- a/src/patches/glibc-2.33-librt-fix-null-pointer-dereference-bug-28213.patch > +++ /dev/null > @@ -1,40 +0,0 @@ > -From 27a78fd712c06748737dfa9638fab96ea362fca9 Mon Sep 17 00:00:00 2001 > -From: Nikita Popov > -Date: Mon, 9 Aug 2021 20:17:34 +0530 > -Subject: [PATCH] librt: fix NULL pointer dereference (bug 28213) > - > -Helper thread frees copied attribute on NOTIFY_REMOVED message > -received from the OS kernel. Unfortunately, it fails to check whether > -copied attribute actually exists (data.attr != NULL). This worked > -earlier because free() checks passed pointer before actually > -attempting to release corresponding memory. But > -__pthread_attr_destroy assumes pointer is not NULL. > - > -So passing NULL pointer to __pthread_attr_destroy will result in > -segmentation fault. This scenario is possible if > -notification->sigev_notify_attributes == NULL (which means default > -thread attributes should be used). > - > -Signed-off-by: Nikita Popov > -Reviewed-by: Siddhesh Poyarekar > -(cherry picked from commit b805aebd42364fe696e417808a700fdb9800c9e8) > ---- > - sysdeps/unix/sysv/linux/mq_notify.c | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c > -index 6f46d29d1d..1714e1cc5f 100644 > ---- a/sysdeps/unix/sysv/linux/mq_notify.c > -+++ b/sysdeps/unix/sysv/linux/mq_notify.c > -@@ -132,7 +132,7 @@ helper_thread (void *arg) > - to wait until it is done with it. */ > - (void) __pthread_barrier_wait (¬ify_barrier); > - } > -- else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) > -+ else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED && data.attr != NULL) > - { > - /* The only state we keep is the copy of the thread attributes. */ > - pthread_attr_destroy (data.attr); > --- > -2.20.1 > - > diff --git a/src/patches/glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch b/src/patches/glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch > deleted file mode 100644 > index f846b37b8..000000000 > --- a/src/patches/glibc-2.33-use-__pthread_attr_copy-in-mq_notify-bug-27896.patch > +++ /dev/null > @@ -1,74 +0,0 @@ > -From 4b6be914bd3920500a67ef6ca1aa7d1c37e5e859 Mon Sep 17 00:00:00 2001 > -From: Andreas Schwab > -Date: Thu, 27 May 2021 12:49:47 +0200 > -Subject: [PATCH] Use __pthread_attr_copy in mq_notify (bug 27896) > - > -Make a deep copy of the pthread attribute object to remove a potential > -use-after-free issue. > - > -(cherry picked from commit 42d359350510506b87101cf77202fefcbfc790cb) > ---- > - NEWS | 6 ++++++ > - sysdeps/unix/sysv/linux/mq_notify.c | 15 ++++++++++----- > - 2 files changed, 16 insertions(+), 5 deletions(-) > - > -diff --git a/NEWS b/NEWS > -index 0c33a80af9..b9e570b4a4 100644 > ---- a/NEWS > -+++ b/NEWS > -@@ -13,6 +13,12 @@ Major new features: > - a dump of information related to IFUNC resolver operation and > - glibc-hwcaps subdirectory selection. > - > -+Security related changes: > -+ > -+ CVE-2021-33574: The mq_notify function has a potential use-after-free > -+ issue when using a notification type of SIGEV_THREAD and a thread > -+ attribute with a non-default affinity mask. > -+ > - The following bugs are resolved with this release: > - > - [15271] dlfcn function failure after dlmopen terminates process > -diff --git a/sysdeps/unix/sysv/linux/mq_notify.c b/sysdeps/unix/sysv/linux/mq_notify.c > -index cc575a0cdd..f7ddfe5a6c 100644 > ---- a/sysdeps/unix/sysv/linux/mq_notify.c > -+++ b/sysdeps/unix/sysv/linux/mq_notify.c > -@@ -133,8 +133,11 @@ helper_thread (void *arg) > - (void) __pthread_barrier_wait (¬ify_barrier); > - } > - else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED) > -- /* The only state we keep is the copy of the thread attributes. */ > -- free (data.attr); > -+ { > -+ /* The only state we keep is the copy of the thread attributes. */ > -+ pthread_attr_destroy (data.attr); > -+ free (data.attr); > -+ } > - } > - return NULL; > - } > -@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) > - if (data.attr == NULL) > - return -1; > - > -- memcpy (data.attr, notification->sigev_notify_attributes, > -- sizeof (pthread_attr_t)); > -+ __pthread_attr_copy (data.attr, notification->sigev_notify_attributes); > - } > - > - /* Construct the new request. */ > -@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification) > - > - /* If it failed, free the allocated memory. */ > - if (__glibc_unlikely (retval != 0)) > -- free (data.attr); > -+ { > -+ pthread_attr_destroy (data.attr); > -+ free (data.attr); > -+ } > - > - return retval; > - } > --- > -2.20.1 > -