Bug#987808: marked as done (unblock: klibc/2.0.8-6)



Your message dated Sat, 1 May 2021 21:46:42 +0200
with message-id <db830ef6-7cb2-e7d8-4f70-b74c0470c0e4@debian.org>
and subject line Re: Bug#987808: unblock: klibc/2.0.8-6
has caused the Debian Bug report #987808,
regarding unblock: klibc/2.0.8-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
987808: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=987808
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: debian-kernel@lists.debian.org

Please unblock package klibc

[ Reason ]
Fix some possible integer overflows in the heap manager and the cpio
command.  These are probably not too serious considering how klibc is
normally used in Debian, but should still be fixed.

On s390x (plus some non-release architectures), remove the need for
programs to run with an executable stack.  This is a security
mitigation.

[ Impact ]
Close some possible security vulnerabilities.

[ Tests ]
The heap manager and signal handling are covered by automated tests
that run on every package build.

I have tested the changes to the cpio command manually.

[ Risks ]
klibc is used in the initramfs on most Debian systems that need one.
Regressions could result in boot failure.  However, I believe these
changes are adequately covered by tests.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock klibc/2.0.8-6
diff -Nru klibc-2.0.8/debian/changelog klibc-2.0.8/debian/changelog
--- klibc-2.0.8/debian/changelog	2020-08-21 02:34:13.000000000 +0200
+++ klibc-2.0.8/debian/changelog	2021-04-30 03:05:23.000000000 +0200
@@ -1,3 +1,46 @@
+klibc (2.0.8-6) unstable; urgency=medium
+
+  * Upload to unstable
+  * malloc: Set errno on failure
+  * malloc: Fail if requested size > PTRDIFF_MAX (CVE-2021-31873)
+  * calloc: Fail if multiplication overflows (CVE-2021-31870)
+  * cpio: Fix possible integer overflow on 32-bit systems (CVE-2021-31872)
+  * cpio: Fix possible crash on 64-bit systems (CVE-2021-31871)
+
+ -- Ben Hutchings <benh@debian.org>  Fri, 30 Apr 2021 03:05:23 +0200
+
+klibc (2.0.8-5) experimental; urgency=medium
+
+  * alpha: Fix definitions of _NSIG and struct sigaction
+  * ia64: Fix definition of struct sigaction
+
+ -- Ben Hutchings <benh@debian.org>  Fri, 28 Aug 2020 17:41:47 +0100
+
+klibc (2.0.8-4) experimental; urgency=medium
+
+  * signal: Note another reason to define _KLIBC_NEEDS_SA_RESTORER
+  * signal: Add sysconfig setting to force SA_SIGINFO on
+  * s390: Force SA_SIGINFO on and use rt_sigreturn
+  * alpha: Force SA_SIGINFO on
+  * sparc: Force SA_SIGINFO on
+
+ -- Ben Hutchings <benh@debian.org>  Tue, 25 Aug 2020 01:49:14 +0100
+
+klibc (2.0.8-3) experimental; urgency=medium
+
+  * s390: Define __sigreturn() on both s390 and s390x
+  * Revert "alpha: Set sa_restorer for signals and disable executable stack"
+  * alpha: Pass restorer to rt_sigaction() and disable executable stack
+
+ -- Ben Hutchings <benh@debian.org>  Sun, 23 Aug 2020 15:24:00 +0100
+
+klibc (2.0.8-2) experimental; urgency=medium
+
+  * {alpha,s390,sparc}: Set sa_restorer for signals and disable executable
+    stack
+
+ -- Ben Hutchings <benh@debian.org>  Sat, 22 Aug 2020 21:35:52 +0100
+
 klibc (2.0.8-1) unstable; urgency=medium
 
   [ Ben Hutchings ]
diff -Nru klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch
--- klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch	2021-04-30 02:55:10.000000000 +0200
@@ -0,0 +1,103 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 27 Aug 2020 01:58:19 +0100
+Subject: [klibc] alpha: Fix definitions of _NSIG and struct sigaction
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=1cd11aaed1dece773c6b1ce2e99a0fe98b51321e
+
+We use the RT signals API, but include the kernel UAPI header
+that defines _NSIG and struct sigaction for the old API.
+
+Copy over all the definitions and fix those two.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/arch/alpha/klibc/archsignal.h | 78 ++++++++++++++++++++++-
+ 1 file changed, 76 insertions(+), 2 deletions(-)
+
+diff --git a/usr/include/arch/alpha/klibc/archsignal.h b/usr/include/arch/alpha/klibc/archsignal.h
+index 2193a352..78be832a 100644
+--- a/usr/include/arch/alpha/klibc/archsignal.h
++++ b/usr/include/arch/alpha/klibc/archsignal.h
+@@ -8,7 +8,81 @@
+ #ifndef _KLIBC_ARCHSIGNAL_H
+ #define _KLIBC_ARCHSIGNAL_H
+ 
+-#include <asm/signal.h>
+-/* No special stuff for this architecture */
++/*
++ * This is identical to <asm/signal.h>, *except* for _NSIG and struct
++ * sigaction, where it has the old definition and we need the new (RT)
++ * definition.
++ */
++
++struct siginfo;
++
++#define NSIG	64
++
++typedef unsigned long sigset_t;
++
++#define SIGHUP		 1
++#define SIGINT		 2
++#define SIGQUIT		 3
++#define SIGILL		 4
++#define SIGTRAP		 5
++#define SIGABRT		 6
++#define SIGEMT		 7
++#define SIGFPE		 8
++#define SIGKILL		 9
++#define SIGBUS		10
++#define SIGSEGV		11
++#define SIGSYS		12
++#define SIGPIPE		13
++#define SIGALRM		14
++#define SIGTERM		15
++#define SIGURG		16
++#define SIGSTOP		17
++#define SIGTSTP		18
++#define SIGCONT		19
++#define SIGCHLD		20
++#define SIGTTIN		21
++#define SIGTTOU		22
++#define SIGIO		23
++#define SIGXCPU		24
++#define SIGXFSZ		25
++#define SIGVTALRM	26
++#define SIGPROF		27
++#define SIGWINCH	28
++#define SIGINFO		29
++#define SIGUSR1		30
++#define SIGUSR2		31
++
++#define SIGPOLL		SIGIO
++#define SIGPWR		SIGINFO
++#define SIGIOT		SIGABRT
++
++#define SA_ONSTACK	0x00000001
++#define SA_RESTART	0x00000002
++#define SA_NOCLDSTOP	0x00000004
++#define SA_NODEFER	0x00000008
++#define SA_RESETHAND	0x00000010
++#define SA_NOCLDWAIT	0x00000020
++#define SA_SIGINFO	0x00000040
++
++#define SA_ONESHOT	SA_RESETHAND
++#define SA_NOMASK	SA_NODEFER
++
++#define MINSIGSTKSZ	4096
++#define SIGSTKSZ	16384
++
++#define SIG_BLOCK	1
++#define SIG_UNBLOCK	2
++#define SIG_SETMASK	3
++
++#include <asm-generic/signal-defs.h>
++
++struct sigaction {
++	union {
++		__sighandler_t	sa_handler;
++		void		(*sa_sigaction)(int, struct siginfo *, void *);
++	};
++        unsigned long   sa_flags;
++        sigset_t        sa_mask;
++};
+ 
+ #endif
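Review bot: The new comment in archsignal.h and the patch subject both say the fix concerns _NSIG, but the macro this header actually defines is `#define NSIG	64`, without the leading underscore. Once <asm/signal.h> is no longer included, anything that sizes signal sets from _NSIG gets no definition from this file, so either define _NSIG here or correct the comment and subject. As a style point, sa_flags and sa_mask in the new struct sigaction are indented with spaces while the union above them uses tabs.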
diff -Nru klibc-2.0.8/debian/patches/0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch klibc-2.0.8/debian/patches/0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch
--- klibc-2.0.8/debian/patches/0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch	2021-04-30 02:55:37.000000000 +0200
@@ -0,0 +1,28 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Fri, 28 Aug 2020 17:36:34 +0100
+Subject: [klibc] ia64: Fix definition of struct sigaction
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=811bff9cec254e3396493f4f2447862d252870ac
+
+ia64 only provides the RT signal API, in which the type of sa_flags is
+unsigned long and sa_mask is the last member of the struct.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/arch/ia64/klibc/archsignal.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/usr/include/arch/ia64/klibc/archsignal.h b/usr/include/arch/ia64/klibc/archsignal.h
+index fbc961b4..7cfbf308 100644
+--- a/usr/include/arch/ia64/klibc/archsignal.h
++++ b/usr/include/arch/ia64/klibc/archsignal.h
+@@ -22,8 +22,8 @@ struct sigaction {
+ 		__sighandler_t _sa_handler;
+ 		void (*_sa_sigaction) (int, struct siginfo *, void *);
+ 	} _u;
+-	sigset_t sa_mask;
+-	int sa_flags;
++	unsigned long	sa_flags;
++	sigset_t	sa_mask;
+ };
+ 
+ #define sa_handler      _u._sa_handler
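Review bot: In the ia64 struct sigaction, the member order and the width of sa_flags are now part of the kernel ABI contract, but only the commit message says so. A short comment above the struct stating that the layout must match the kernel's RT definition (as the alpha header in this same upload does) would keep a later cleanup from reordering `sa_flags` and `sa_mask` again.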
diff -Nru klibc-2.0.8/debian/patches/0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch klibc-2.0.8/debian/patches/0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch
--- klibc-2.0.8/debian/patches/0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch	2021-04-30 02:56:02.000000000 +0200
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 25 Aug 2020 00:43:33 +0100
+Subject: [klibc] signal: Note another reason to define _KLIBC_NEEDS_SA_RESTORER
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=ccc5c14c44f3fa76f61b8aae947cf3b853a6c833
+
+On some architectures we should set SA_RESTORER to avoid the need for
+a signal trampoline and executable stack.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/klibc/sysconfig.h | 3 ++-
+ usr/klibc/sigaction.c         | 2 --
+ 2 files changed, 2 insertions(+), 3 deletions(-)
+
+diff --git a/usr/include/klibc/sysconfig.h b/usr/include/klibc/sysconfig.h
+index c91d5b85..4e38b1fd 100644
+--- a/usr/include/klibc/sysconfig.h
++++ b/usr/include/klibc/sysconfig.h
+@@ -154,7 +154,8 @@
+  *
+  *	Some architectures, like x86-64 and some i386 Fedora kernels,
+  *	do not provide a default sigreturn, and therefore must have
+- *	SA_RESTORER set.
++ *	SA_RESTORER set.  On others, the default sigreturn requires an
++ *	executable stack, which we should avoid.
+  */
+ #ifndef _KLIBC_NEEDS_SA_RESTORER
+ # define _KLIBC_NEEDS_SA_RESTORER 0
+diff --git a/usr/klibc/sigaction.c b/usr/klibc/sigaction.c
+index 19a8a54b..37201f7d 100644
+--- a/usr/klibc/sigaction.c
++++ b/usr/klibc/sigaction.c
+@@ -30,8 +30,6 @@ int sigaction(int sig, const struct sigaction *act, struct sigaction *oact)
+ 		sa = *act;
+ 		act = &sa;
+ 
+-		/* The kernel can't be trusted to have a valid default
+-		   restorer */
+ 		sa.sa_flags |= SA_RESTORER;
+ 		sa.sa_restorer = &__sigreturn;
+ 	}
diff -Nru klibc-2.0.8/debian/patches/0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch klibc-2.0.8/debian/patches/0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch
--- klibc-2.0.8/debian/patches/0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch	2021-04-30 02:56:14.000000000 +0200
@@ -0,0 +1,83 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Tue, 25 Aug 2020 01:05:28 +0100
+Subject: [klibc] signal: Add sysconfig setting to force SA_SIGINFO on
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2a2a0b6b79c2470f529daabd5c193f58fe188337
+
+On alpha, arm, i386, m68k, powerpc, s390, sh, and sparc (32-bit), the
+kernel sets up the signal stack frame differently depending on the
+SA_SIGINFO flag, not whether the sigaction() or rt_sigaction() system
+call was used to install the handler.
+
+On alpha and sparc, we are going to start providing our own restorer
+that will call rt_sigaction(), so will need to ensure this flag is
+always set.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/klibc/sysconfig.h | 14 ++++++++++++++
+ usr/klibc/sigaction.c         | 21 ++++++++++++++-------
+ 2 files changed, 28 insertions(+), 7 deletions(-)
+
+diff --git a/usr/include/klibc/sysconfig.h b/usr/include/klibc/sysconfig.h
+index 4e38b1fd..5722e04f 100644
+--- a/usr/include/klibc/sysconfig.h
++++ b/usr/include/klibc/sysconfig.h
+@@ -162,6 +162,20 @@
+ #endif
+ 
+ 
++/*
++ * _KLIBC_NEEDS_SA_SIGINFO:
++ *
++ *	On some architectures, the signal stack frame is set up for
++ *	either sigreturn() or rt_sigreturn() depending on whether
++ *	SA_SIGINFO is set.  Where this is the case, and we provide our
++ *	own restorer function, this must also be set so that the
++ *	restorer can always use rt_sigreturn().
++ */
++#ifndef _KLIBC_NEEDS_SA_SIGINFO
++# define _KLIBC_NEEDS_SA_SIGINFO 0
++#endif
++
++
+ /*
+  * _KLIBC_STATFS_F_TYPE_64:
+  *
+diff --git a/usr/klibc/sigaction.c b/usr/klibc/sigaction.c
+index 37201f7d..dbf8e220 100644
+--- a/usr/klibc/sigaction.c
++++ b/usr/klibc/sigaction.c
+@@ -21,19 +21,26 @@ __extern int __rt_sigaction(int, const struct sigaction *, struct sigaction *,
+ 
+ int sigaction(int sig, const struct sigaction *act, struct sigaction *oact)
+ {
+-	int rv;
+-
++	unsigned int needed_flags = 0
+ #if _KLIBC_NEEDS_SA_RESTORER
++		| SA_RESTORER
++#endif
++#if _KLIBC_NEEDS_SA_SIGINFO
++		| SA_SIGINFO
++#endif
++		;
+ 	struct sigaction sa;
++	int rv;
+ 
+-	if (act && !(act->sa_flags & SA_RESTORER)) {
++	if (act && (act->sa_flags & needed_flags) != needed_flags) {
+ 		sa = *act;
++		sa.sa_flags |= needed_flags;
++#if _KLIBC_NEEDS_SA_RESTORER
++		if (!(act->sa_flags & SA_RESTORER))
++			sa.sa_restorer = &__sigreturn;
++#endif
+ 		act = &sa;
+-
+-		sa.sa_flags |= SA_RESTORER;
+-		sa.sa_restorer = &__sigreturn;
+ 	}
+-#endif
+ 
+ #if _KLIBC_USE_RT_SIG
+ # ifdef __sparc__
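Review bot: In sigaction(), the forced bits are OR-ed into the copy passed to the kernel, but nothing in the visible lines strips them from what comes back through oact. A caller that saves the old action and inspects SA_SIGINFO to decide whether sa_handler or sa_sigaction is the valid union member will see the flag set even though it installed a one-argument handler; please either mask needed_flags out of oact->sa_flags or document this in the _KLIBC_NEEDS_SA_SIGINFO comment in sysconfig.h. Also, needed_flags is declared `unsigned int` while sa_flags is `unsigned long` on the architectures touched elsewhere in this upload; matching the type would avoid a silent truncation if a high flag bit is ever added.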
diff -Nru klibc-2.0.8/debian/patches/0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch klibc-2.0.8/debian/patches/0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch
--- klibc-2.0.8/debian/patches/0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch	2021-04-30 02:56:26.000000000 +0200
@@ -0,0 +1,69 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 30 Apr 2020 03:38:34 +0100
+Subject: [klibc] s390: Set sa_restorer for signals and disable executable stack
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=c341c978e3024b9c575fac94012fc5b6f5679334
+
+s390 allows specifiying a signal restorer in the usual way.  We
+should do this to avoid needing an executable stack.
+
+* Define a __sigreturn() routine that calls rt_sigreturn
+* Force the SA_RESTORER flag on for all signal handlers, and set
+  __sigreturn as the restorer if none is already set
+* Force the SA_SIGINFO flag on for all signal handlers, so that we can
+  always return from them with rt_sigreturn
+* Set KLIBCEXECSTACK=n
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/arch/s390/klibc/archconfig.h | 5 +++++
+ usr/klibc/SYSCALLS.def                   | 2 +-
+ usr/klibc/arch/s390/MCONFIG              | 5 ++---
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/usr/include/arch/s390/klibc/archconfig.h b/usr/include/arch/s390/klibc/archconfig.h
+index d7a71a4b..b08bbb3f 100644
+--- a/usr/include/arch/s390/klibc/archconfig.h
++++ b/usr/include/arch/s390/klibc/archconfig.h
+@@ -12,4 +12,9 @@
+ /* Both s390 and s390x use the "32-bit" version of this structure */
+ #define _KLIBC_STATFS_F_TYPE_64 0
+ 
++/* So that we can avoid stack trampolines */
++#define _KLIBC_NEEDS_SA_RESTORER 1
++/* Our restorer will call rt_sigreturn() */
++#define _KLIBC_NEEDS_SA_SIGINFO 1
++
+ #endif				/* _KLIBC_ARCHCONFIG_H */
+diff --git a/usr/klibc/SYSCALLS.def b/usr/klibc/SYSCALLS.def
+index 461d9bf6..30ff58b8 100644
+--- a/usr/klibc/SYSCALLS.def
++++ b/usr/klibc/SYSCALLS.def
+@@ -212,7 +212,6 @@ ssize_t sendfile64,sendfile::sendfile(int, int, off_t *, size_t, off_t);
+ int rt_sigsuspend::__rt_sigsuspend(const sigset_t *, size_t);
+ int rt_sigpending::__rt_sigpending(sigset_t *, size_t);
+ int rt_sigprocmask::__rt_sigprocmask(int, const sigset_t *, sigset_t *, size_t);
+-<sparc64> void rt_sigreturn::__sigreturn();
+ #else
+ int sigaction::__sigaction(int, const struct sigaction *, struct sigaction *);
+ int sigpending(sigset_t *);
+@@ -229,6 +228,7 @@ int sigprocmask(int, const sigset_t *, sigset_t *);
+ <sh,sparc,alpha,ppc,sparc64> int sigsuspend::__sigsuspend_s(sigset_t);
+ <arm,frv,i386,m68k,mn10300,s390,s390x> int sigsuspend::__sigsuspend_xxs(int, int, sigset_t);
+ #endif
++<s390,s390x,sparc64> void rt_sigreturn::__sigreturn();
+ int kill(pid_t, int);
+ <?> unsigned int alarm(unsigned int);
+ int getitimer(int, struct itimerval *);
+diff --git a/usr/klibc/arch/s390/MCONFIG b/usr/klibc/arch/s390/MCONFIG
+index c36acd7a..7ffbcc45 100644
+--- a/usr/klibc/arch/s390/MCONFIG
++++ b/usr/klibc/arch/s390/MCONFIG
+@@ -22,6 +22,5 @@ endif
+ KLIBCASMARCH		= s390
+ KLIBCSHAREDFLAGS	= -Ttext-segment 0x40000000
+ 
+-# Kernel uses stack trampoline for signal return unless we set
+-# sa_restorer
+-KLIBCEXECSTACK := y
++# Kernel uses our sa_restorer for signal return
++KLIBCEXECSTACK := n
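Review bot: In arch/s390/MCONFIG, `KLIBCEXECSTACK := n` is only safe while every installed handler gets a restorer, and that guarantee lives in another file (the two _KLIBC_NEEDS_* defines in archconfig.h that drive the sigaction() wrapper). The new MCONFIG comment should name that dependency so the two settings are never changed independently. In SYSCALLS.def the __sigreturn stub moves from inside the conditional to after the #endif, so it is now generated whichever signal API branch is selected; that side effect deserves a sentence in the commit message.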
diff -Nru klibc-2.0.8/debian/patches/0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch klibc-2.0.8/debian/patches/0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch
--- klibc-2.0.8/debian/patches/0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch	2021-04-30 02:56:40.000000000 +0200
@@ -0,0 +1,110 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Sun, 23 Aug 2020 15:18:19 +0100
+Subject: [klibc] alpha: Pass restorer to rt_sigaction() and disable executable stack
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=570ed1e207cbe38ed487c722f8ac7db68e664a94
+
+alpha does not support the SA_RESTORER flag, but allows specifiying a
+restorer callback as an additional parameter to rt_sigaction().  We
+should do this to avoid needing an executable stack.
+
+* Force the SA_SIGINFO flag on for all signal handlers, so that we can
+  always return from them with rt_sigreturn
+* Define a __sigreturn() routine that calls rt_sigreturn
+* Pass that routine as the last argument to rt_sigaction()
+* Set KLIBCEXECSTACK=n
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/arch/alpha/klibc/archconfig.h |  2 ++
+ usr/klibc/arch/alpha/Kbuild               |  2 +-
+ usr/klibc/arch/alpha/MCONFIG              |  5 ++---
+ usr/klibc/arch/alpha/sigreturn.S          | 18 ++++++++++++++++++
+ usr/klibc/sigaction.c                     |  4 ++--
+ 5 files changed, 25 insertions(+), 6 deletions(-)
+ create mode 100644 usr/klibc/arch/alpha/sigreturn.S
+
+diff --git a/usr/include/arch/alpha/klibc/archconfig.h b/usr/include/arch/alpha/klibc/archconfig.h
+index 272fee0a..9d28db12 100644
+--- a/usr/include/arch/alpha/klibc/archconfig.h
++++ b/usr/include/arch/alpha/klibc/archconfig.h
+@@ -10,6 +10,8 @@
+ #define _KLIBC_ARCHCONFIG_H
+ 
+ #define _KLIBC_USE_RT_SIG 1
++/* We provide our own restorer that call rt_sigreturn() */
++#define _KLIBC_NEEDS_SA_SIGINFO 1
+ #define _KLIBC_STATFS_F_TYPE_64 0
+ 
+ #endif				/* _KLIBC_ARCHCONFIG_H */
+diff --git a/usr/klibc/arch/alpha/Kbuild b/usr/klibc/arch/alpha/Kbuild
+index 2e566eb6..89386aea 100644
+--- a/usr/klibc/arch/alpha/Kbuild
++++ b/usr/klibc/arch/alpha/Kbuild
+@@ -9,7 +9,7 @@
+ 
+ always  := crt0.o
+ targets := crt0.o
+-klib-y := pipe.o setjmp.o syscall.o sysdual.o
++klib-y := pipe.o setjmp.o sigreturn.o syscall.o sysdual.o
+ 
+ # Special CFLAGS for the divide code
+ DIVCFLAGS = $(KLIBCREQFLAGS) $(KLIBCARCHREQFLAGS) \
+diff --git a/usr/klibc/arch/alpha/MCONFIG b/usr/klibc/arch/alpha/MCONFIG
+index 072adb85..e71db264 100644
+--- a/usr/klibc/arch/alpha/MCONFIG
++++ b/usr/klibc/arch/alpha/MCONFIG
+@@ -15,6 +15,5 @@ KLIBCBITSIZE  = 64
+ # the binary.
+ KLIBCSHAREDFLAGS	= -Ttext-segment 0x1c0000000
+ 
+-# Kernel uses stack trampoline for signal return unless we set
+-# sa_restorer
+-KLIBCEXECSTACK := y
++# Kernel uses our sa_restorer for signal return
++KLIBCEXECSTACK := n
+diff --git a/usr/klibc/arch/alpha/sigreturn.S b/usr/klibc/arch/alpha/sigreturn.S
+new file mode 100644
+index 00000000..a979b7a3
+--- /dev/null
++++ b/usr/klibc/arch/alpha/sigreturn.S
+@@ -0,0 +1,18 @@
++/*
++ * arch/alpha/sigreturn.S
++ */
++
++#include <machine/asm.h>
++#include <asm/unistd.h>
++
++	.text
++	.align	3
++	.type	__sigreturn,@function
++	.ent	__sigreturn,0
++	.globl	__sigreturn
++__sigreturn:
++	mov	sp,a0			# struct sigcontext on stack
++	lda	v0,__NR_rt_sigreturn(zero)
++	callsys
++	.size	__sigreturn,.-__sigreturn
++	.end	__sigreturn
+diff --git a/usr/klibc/sigaction.c b/usr/klibc/sigaction.c
+index dbf8e220..cd2fdfef 100644
+--- a/usr/klibc/sigaction.c
++++ b/usr/klibc/sigaction.c
+@@ -13,7 +13,7 @@ __extern int __rt_sigaction(int, const struct sigaction *, struct sigaction *,
+ 			    void (*)(void), size_t);
+ #elif defined(__alpha__)
+ __extern int __rt_sigaction(int, const struct sigaction *, struct sigaction *,
+-			    size_t, void *);
++			    size_t, void (*)(void));
+ #else
+ __extern int __rt_sigaction(int, const struct sigaction *, struct sigaction *,
+ 			    size_t);
+@@ -52,7 +52,7 @@ int sigaction(int sig, const struct sigaction *act, struct sigaction *oact)
+ 		rv = __rt_sigaction(sig, act, oact, restorer, sizeof(sigset_t));
+ 	}
+ # elif defined(__alpha__)
+-	rv = __rt_sigaction(sig, act, oact, sizeof(sigset_t), NULL);
++	rv = __rt_sigaction(sig, act, oact, sizeof(sigset_t), &__sigreturn);
+ # else
+ 	rv = __rt_sigaction(sig, act, oact, sizeof(sigset_t));
+ # endif
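Review bot: The new comment in arch/alpha/MCONFIG says "Kernel uses our sa_restorer for signal return", but the commit message states that alpha does not support SA_RESTORER and the restorer is instead passed as the last argument of rt_sigaction(). The comment should describe that mechanism, since a reader looking for sa_restorer on alpha will find nothing. In archconfig.h, "restorer that call rt_sigreturn()" should read "calls". It would also help to note in sigaction.c that `&__sigreturn` is passed unconditionally on alpha, unlike the SA_RESTORER path where a caller-supplied restorer is preserved.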
diff -Nru klibc-2.0.8/debian/patches/0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch klibc-2.0.8/debian/patches/0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch
--- klibc-2.0.8/debian/patches/0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch	2021-04-30 02:56:52.000000000 +0200
@@ -0,0 +1,62 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Thu, 30 Apr 2020 13:56:47 +0100
+Subject: [klibc] sparc: Set sa_restorer for signals and disable executable stack
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=05350b72cace18417c1ba00c4796a5e19ebb908b
+
+sparc allows specifiying a signal restorer in the usual way.  We
+should do this to avoid needing an executable stack.
+
+* Define a __sigreturn() routine that calls rt_sigreturn
+* Force the SA_RESTORER flag on for all signal handlers, and set
+  __sigreturn as the restorer if none is already set
+* Force the SA_SIGINFO flag on for all signal handlers, so that we can
+  always return from them with rt_sigreturn
+* Set KLIBCEXECSTACK=n
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/include/arch/sparc/klibc/archconfig.h | 5 +++++
+ usr/klibc/SYSCALLS.def                    | 2 +-
+ usr/klibc/arch/sparc/MCONFIG              | 5 ++---
+ 3 files changed, 8 insertions(+), 4 deletions(-)
+
+diff --git a/usr/include/arch/sparc/klibc/archconfig.h b/usr/include/arch/sparc/klibc/archconfig.h
+index 70d5ef08..651b213d 100644
+--- a/usr/include/arch/sparc/klibc/archconfig.h
++++ b/usr/include/arch/sparc/klibc/archconfig.h
+@@ -12,4 +12,9 @@
+ #define _KLIBC_USE_RT_SIG 1	/* Use rt_* signals */
+ #define _KLIBC_SYS_SOCKETCALL 1 /* Use sys_socketcall unconditionally */
+ 
++/* So that we can avoid stack trampolines */
++#define _KLIBC_NEEDS_SA_RESTORER 1
++/* Our restorer will call rt_sigreturn() */
++#define _KLIBC_NEEDS_SA_SIGINFO 1
++
+ #endif				/* _KLIBC_ARCHCONFIG_H */
+diff --git a/usr/klibc/SYSCALLS.def b/usr/klibc/SYSCALLS.def
+index 30ff58b8..b639fceb 100644
+--- a/usr/klibc/SYSCALLS.def
++++ b/usr/klibc/SYSCALLS.def
+@@ -228,7 +228,7 @@ int sigprocmask(int, const sigset_t *, sigset_t *);
+ <sh,sparc,alpha,ppc,sparc64> int sigsuspend::__sigsuspend_s(sigset_t);
+ <arm,frv,i386,m68k,mn10300,s390,s390x> int sigsuspend::__sigsuspend_xxs(int, int, sigset_t);
+ #endif
+-<s390,s390x,sparc64> void rt_sigreturn::__sigreturn();
++<s390,s390x,sparc,sparc64> void rt_sigreturn::__sigreturn();
+ int kill(pid_t, int);
+ <?> unsigned int alarm(unsigned int);
+ int getitimer(int, struct itimerval *);
+diff --git a/usr/klibc/arch/sparc/MCONFIG b/usr/klibc/arch/sparc/MCONFIG
+index cabc7cd4..fb68ba3f 100644
+--- a/usr/klibc/arch/sparc/MCONFIG
++++ b/usr/klibc/arch/sparc/MCONFIG
+@@ -18,6 +18,5 @@ KLIBCARCHREQFLAGS	+= -D__sparc32__
+ # and call instructions have a 30-bit signed offset, << 2.
+ KLIBCSHAREDFLAGS	 = -Ttext-segment 0x40000000
+ 
+-# Kernel uses stack trampoline for signal return unless we set
+-# sa_restorer
+-KLIBCEXECSTACK := y
++# Kernel uses our sa_restorer for signal return
++KLIBCEXECSTACK := n
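Review bot: The archconfig.h addition sets _KLIBC_NEEDS_SA_RESTORER for sparc so that sigaction() fills in sa.sa_restorer, but the sparc branch of sigaction() (visible as context in the alpha patch: `rv = __rt_sigaction(sig, act, oact, restorer, sizeof(sigset_t));`) hands the kernel a separate restorer argument that this patch does not touch. Please confirm in the message or in a comment that this argument is derived from sa.sa_restorer on 32-bit sparc; if it is not, KLIBCEXECSTACK is switched to n with no restorer actually in effect.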
diff -Nru klibc-2.0.8/debian/patches/0035-klibc-malloc-Set-errno-on-failure.patch klibc-2.0.8/debian/patches/0035-klibc-malloc-Set-errno-on-failure.patch
--- klibc-2.0.8/debian/patches/0035-klibc-malloc-Set-errno-on-failure.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0035-klibc-malloc-Set-errno-on-failure.patch	2021-04-30 03:00:28.000000000 +0200
@@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 03:57:39 +0200
+Subject: [klibc] malloc: Set errno on failure
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=7f6626d12daa2f1efd9953d1f4ba2065348dc5cd
+
+malloc() is specified to set errno = ENOMEM on failure, so do that.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/klibc/malloc.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c
+index 413b7337..bb57c9f6 100644
+--- a/usr/klibc/malloc.c
++++ b/usr/klibc/malloc.c
+@@ -8,6 +8,7 @@
+ #include <unistd.h>
+ #include <sys/mman.h>
+ #include <assert.h>
++#include <errno.h>
+ #include "malloc.h"
+ 
+ /* Both the arena list and the free memory list are double linked
+@@ -169,6 +170,7 @@ void *malloc(size_t size)
+ #endif
+ 
+ 	if (fp == (struct free_arena_header *)MAP_FAILED) {
++		errno = ENOMEM;
+ 		return NULL;	/* Failed to get a block */
+ 	}
+ 
diff -Nru klibc-2.0.8/debian/patches/0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch klibc-2.0.8/debian/patches/0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch
--- klibc-2.0.8/debian/patches/0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch	2021-04-30 03:04:01.000000000 +0200
@@ -0,0 +1,41 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 04:03:49 +0200
+Subject: [klibc] malloc: Fail if requested size > PTRDIFF_MAX
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=a31ae8c508fc8d1bca4f57e9f9f88127572d5202
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31873
+
+malloc() adds some overhead to the requested size, which may result in
+an integer overflow and subsequent buffer overflow if it is close to
+SIZE_MAX.  It should fail if size is large enough for this to happen.
+
+Further, it's not legal for a C object to be larger than
+PTRDIFF_MAX (half of SIZE_MAX) as pointer arithmetic within it could
+overflow.  So return failure immediately if size is greater than that.
+
+CVE-2021-31873
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/klibc/malloc.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/usr/klibc/malloc.c b/usr/klibc/malloc.c
+index bb57c9f6..abda84c2 100644
+--- a/usr/klibc/malloc.c
++++ b/usr/klibc/malloc.c
+@@ -147,6 +147,15 @@ void *malloc(size_t size)
+ 	if (size == 0)
+ 		return NULL;
+ 
++	/* Various additions below will overflow if size is close to
++	   SIZE_MAX.  Further, it's not legal for a C object to be
++	   larger than PTRDIFF_MAX (half of SIZE_MAX) as pointer
++	   arithmetic within it could overflow. */
++	if (size > PTRDIFF_MAX) {
++		errno = ENOMEM;
++		return NULL;
++	}
++
+ 	/* Add the obligatory arena header, and round up */
+ 	size = (size + 2 * sizeof(struct arena_header) - 1) & ARENA_SIZE_MASK;
+ 
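Review bot: The new check in malloc() uses PTRDIFF_MAX, which comes from <stdint.h>, yet this patch adds no include and the includes visible in the previous patch's context (unistd.h, sys/mman.h, assert.h, errno.h, malloc.h) do not obviously provide it. Please confirm malloc.c already pulls in <stdint.h>, or add it here so the build does not depend on a transitive include. The placement itself, after the `size == 0` test and before the header size is added and rounded, is the right spot for the bound.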
diff -Nru klibc-2.0.8/debian/patches/0037-klibc-calloc-Fail-if-multiplication-overflows.patch klibc-2.0.8/debian/patches/0037-klibc-calloc-Fail-if-multiplication-overflows.patch
--- klibc-2.0.8/debian/patches/0037-klibc-calloc-Fail-if-multiplication-overflows.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0037-klibc-calloc-Fail-if-multiplication-overflows.patch	2021-04-30 03:04:07.000000000 +0200
@@ -0,0 +1,43 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 04:29:50 +0200
+Subject: [klibc] calloc: Fail if multiplication overflows
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=292650f04c2b5348b4efbad61fb014ed09b4f3f2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31870
+
+calloc() multiplies its 2 arguments together and passes the result to
+malloc().  Since the factors and product both have type size_t, this
+can result in an integer overflow and subsequent buffer overflow.
+Check for this and fail if it happens.
+
+CVE-2021-31870
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/klibc/calloc.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/usr/klibc/calloc.c b/usr/klibc/calloc.c
+index 53dcc6b2..4a81cda1 100644
+--- a/usr/klibc/calloc.c
++++ b/usr/klibc/calloc.c
+@@ -2,12 +2,17 @@
+  * calloc.c
+  */
+ 
++#include <errno.h>
+ #include <stdlib.h>
+ #include <string.h>
+ 
+-/* FIXME: This should look for multiplication overflow */
+-
+ void *calloc(size_t nmemb, size_t size)
+ {
+-	return zalloc(nmemb * size);
++	unsigned long prod;
++
++	if (__builtin_umull_overflow(nmemb, size, &prod)) {
++		errno = ENOMEM;
++		return NULL;
++	}
++	return zalloc(prod);
+ }
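Review bot: In calloc(), `__builtin_umull_overflow` is the variant fixed to unsigned long operands, so the check is only correct where size_t and unsigned long have the same width. That holds for the Linux targets klibc builds for, but the type-generic `__builtin_mul_overflow(nmemb, size, &prod)` with `size_t prod` states the intent directly and needs no such assumption. A product that fits in size_t but exceeds PTRDIFF_MAX is left for malloc() to reject, which works with the preceding patch applied; a comment noting that ordering dependency would be useful.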
diff -Nru klibc-2.0.8/debian/patches/0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch klibc-2.0.8/debian/patches/0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch
--- klibc-2.0.8/debian/patches/0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch	2021-04-30 03:04:15.000000000 +0200
@@ -0,0 +1,68 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 05:16:34 +0200
+Subject: [klibc] cpio: Fix possible integer overflow on 32-bit systems
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=9b1c91577aef7f2e72c3aa11a27749160bd278ff
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31872
+
+The maximum name and file sizes in the "new" header format are 32-bit
+unsigned values.  However, the I/O functions mostly use long for sizes
+and offsets, so that sizes >= 2^31 are handled wrongly on 32-bit
+systems.
+
+The current GNU cpio code doesn't seem to have this problem, but the
+divergence between this version and that is large enough that I can't
+simply cherry-pick a fix for it.
+
+As a short-term fix, in read_in_new_ascii(), fail if c_namesize or
+c_filesize is > LONG_MAX.
+
+CVE-2021-31872
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/utils/cpio.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
+index cb616791..ac481310 100644
+--- a/usr/utils/cpio.c
++++ b/usr/utils/cpio.c
+@@ -17,6 +17,7 @@
+ 
+ #include <errno.h>
+ #include <fcntl.h>
++#include <limits.h>
+ #include <malloc.h>
+ #include <stdbool.h>
+ #include <stdio.h>
+@@ -904,6 +905,15 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ 		file_hdr->c_hdr[i] = strtoul(hexbuf, NULL, 16);
+ 		ah += 8;
+ 	}
++
++	/* Sizes > LONG_MAX can currently result in integer overflow
++	   in various places.  Fail if name is too large. */
++	if (file_hdr->c_namesize > LONG_MAX) {
++		fprintf(stderr, "%s: name size out of range\n",
++			progname);
++		exit(1);
++	}
++
+ 	/* Read file name from input.  */
+ 	free(file_hdr->c_name);
+ 	file_hdr->c_name = (char *)xmalloc(file_hdr->c_namesize);
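Review bot: the c_namesize check uses LONG_MAX as its bound, so it only constrains builds where long is 32 bits. The commit message says the header sizes are 32-bit unsigned values, so where long is 64 bits the comparison can never be true and the following xmalloc(file_hdr->c_namesize) is still sized by whatever the archive header claims, up to about 4 GiB. The message calls this a short-term fix; a fixed upper bound on the name length (for example one derived from PATH_MAX) applied before the allocation would cover both word sizes.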
+@@ -914,6 +924,14 @@ static void read_in_new_ascii(struct new_cpio_header *file_hdr, int in_des)
+ 	   is rounded up to the next long-word, so we might need to drop
+ 	   1-3 bytes.  */
+ 	tape_skip_padding(in_des, file_hdr->c_namesize + 110);
++
++	/* Fail if file is too large.  We could check this earlier
++	   but it's helpful to report the name. */
++	if (file_hdr->c_filesize > LONG_MAX) {
++		fprintf(stderr, "%s: %s: file size out of range\n",
++			progname, file_hdr->c_name);
++		exit(1);
++	}
+ }
+ 
+ /* Return 16-bit integer I with the bytes swapped.  */
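Review bot: the context line tape_skip_padding(in_des, file_hdr->c_namesize + 110) still adds 110 to a value that the earlier check allows to be as large as LONG_MAX, so a c_namesize within 110 of LONG_MAX produces a sum above LONG_MAX. If that argument is received as a signed int or long (the prototype is not in the visible lines, but the commit message says the I/O functions mostly use long), the overflow this patch is meant to prevent stays reachable for those values; testing c_namesize > LONG_MAX - 110 in the name check would close it. Separately, the file-size error prints c_name from the archive straight to stderr, so any control characters in the name reach the terminal unescaped.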
diff -Nru klibc-2.0.8/debian/patches/0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch klibc-2.0.8/debian/patches/0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch
--- klibc-2.0.8/debian/patches/0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch	2021-04-30 03:04:20.000000000 +0200
@@ -0,0 +1,32 @@
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 28 Apr 2021 19:46:47 +0200
+Subject: [klibc] cpio: Fix possible crash on 64-bit systems
+Origin: https://git.kernel.org/pub/scm/libs/klibc/klibc.git/commit/?id=2e48a12ab1e30d43498c2d53e878a11a1b5102d5
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2021-31871
+
+copyin_link() tries to allocate (unsigned int)c_filesize + 1 bytes.
+If c_filesize == UINT_MAX, this works out as 0 bytes, resulting in a
+null pointer and a subsequent SIGSEGV.
+
+The previous commit made this impossible on 32-bit systems.
+
+CVE-2021-31871
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ usr/utils/cpio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/usr/utils/cpio.c b/usr/utils/cpio.c
+index ac481310..9b0b6ae9 100644
+--- a/usr/utils/cpio.c
++++ b/usr/utils/cpio.c
+@@ -832,7 +832,7 @@ static void copyin_link(struct new_cpio_header *file_hdr, int in_file_des)
+ 	char *link_name = NULL;	/* Name of hard and symbolic links.  */
+ 	int res;		/* Result of various function calls.  */
+ 
+-	link_name = (char *)xmalloc((unsigned int)file_hdr->c_filesize + 1);
++	link_name = (char *)xmalloc(file_hdr->c_filesize + 1);
+ 	link_name[file_hdr->c_filesize] = '\0';
+ 	tape_buffered_read(link_name, in_file_des, file_hdr->c_filesize);
+ 	tape_skip_padding(in_file_des, file_hdr->c_filesize);
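Review bot: in copyin_link(), xmalloc(file_hdr->c_filesize + 1) still takes the link-name length straight from the archive header, and the next line, link_name[file_hdr->c_filesize] = '\0', relies on xmalloc() never returning NULL. With the cast gone the sum no longer wraps to 0 for c_filesize == UINT_MAX, provided c_filesize is wider than unsigned int (its declaration is not in the visible lines), but the request is then about 4 GiB for a link target. Rejecting a c_filesize larger than a path-length bound such as PATH_MAX before the allocation would remove both the wrap and the oversized allocation on either word size.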
diff -Nru klibc-2.0.8/debian/patches/series klibc-2.0.8/debian/patches/series
--- klibc-2.0.8/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ klibc-2.0.8/debian/patches/series	2021-04-30 02:38:31.000000000 +0200
@@ -0,0 +1,12 @@
+0001-klibc-alpha-Fix-definitions-of-_NSIG-and-struct-siga.patch
+0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch
+0002-klibc-signal-Add-sysconfig-setting-to-force-SA_SIGIN.patch
+0003-klibc-s390-Set-sa_restorer-for-signals-and-disable-e.patch
+0004-klibc-alpha-Pass-restorer-to-rt_sigaction-and-disabl.patch
+0005-klibc-sparc-Set-sa_restorer-for-signals-and-disable-.patch
+0001-klibc-ia64-Fix-definition-of-struct-sigaction.patch
+0035-klibc-malloc-Set-errno-on-failure.patch
+0036-klibc-malloc-Fail-if-requested-size-PTRDIFF_MAX.patch
+0037-klibc-calloc-Fail-if-multiplication-overflows.patch
+0039-klibc-cpio-Fix-possible-integer-overflow-on-32-bit-s.patch
+0040-klibc-cpio-Fix-possible-crash-on-64-bit-systems.patch
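Review bot: the patch numbering in series is inconsistent: three entries carry the prefix 0001-, and the sequence goes from 0037 to 0039 with no 0038. quilt applies the files in the order listed, so the build is unaffected, but a comment line here or a note in d/changelog saying whether 0038 was deliberately left out would save the next reviewer from checking upstream for a missing fix.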

--- End Message ---
--- Begin Message ---
Hi,

On 30-04-2021 04:24, Ben Hutchings wrote:
> Please unblock package klibc

unblocked.

Paul

PS: 0001-klibc-signal-Note-another-reason-to-define-_KLIBC_NE.patch
looked a bit overdone for the freeze, but alas.

Attachment: OpenPGP_signature
Description: OpenPGP digital signature


--- End Message ---
