more upstream fixes

5 files changed, 338 insertions, 0 deletions

diff --git a/src/patchsets/glibc/2.22/00_all_0046-Fix-x86_64-fma4-pow-inappropriate-contraction-bug-19.patch b/src/patchsets/glibc/2.22/00_all_0046-Fix-x86_64-fma4-pow-inappropriate-contraction-bug-19.patch
new file mode 100644
index 0000000000..6e268f61db
--- /dev/null
+++ b/src/patchsets/glibc/2.22/00_all_0046-Fix-x86_64-fma4-pow-inappropriate-contraction-bug-19.patch
@@ -0,0 +1,41 @@
+From 209606141fb74f9bfa8ad4ca56900077f0cad2b7 Mon Sep 17 00:00:00 2001
+From: Joseph Myers <joseph@codesourcery.com>
+Date: Thu, 24 Sep 2015 16:48:32 +0000
+Subject: [PATCH] Fix x86_64 fma4 pow inappropriate contraction (bug 19003).
+
+The x86_64 fma4 version of pow fails to disable contraction of
+operations other than those explicitly intended to use fma
+instructions, so resulting in large ulps errors on processors with
+fma4 instructions, as in bug 18104 (165ulp for the test added for that
+bug; error originally reported by "blaaa" on #glibc).  This patch adds
+$(config-cflags-nofma) for e_pow-fma4.c, corresponding to the use for
+e_pow.c in sysdeps/ieee754/dbl-64/Makefile.
+
+Tested for x86_64 on a processor with fma4.
+
+	[BZ #19003]
+	* sysdeps/x86_64/fpu/multiarch/Makefile (CFLAGS-e_pow-fma4.c): Add
+	$(config-cflags-nofma).
+
+(cherry picked from commit 51df2605064a2bfd44fa0655ef9815812347de80)
+(cherry picked from commit c95a56e2a8b16eeb911eed5c1bdc8fd26f337f4d)
+---
+ sysdeps/x86_64/fpu/multiarch/Makefile | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/sysdeps/x86_64/fpu/multiarch/Makefile b/sysdeps/x86_64/fpu/multiarch/Makefile
+index 86ea473..631534a 100644
+--- a/sysdeps/x86_64/fpu/multiarch/Makefile
++++ b/sysdeps/x86_64/fpu/multiarch/Makefile
+@@ -16,7 +16,7 @@ CFLAGS-e_asin-fma4.c = -mfma4
+ CFLAGS-e_atan2-fma4.c = -mfma4
+ CFLAGS-e_exp-fma4.c = -mfma4
+ CFLAGS-e_log-fma4.c = -mfma4
+-CFLAGS-e_pow-fma4.c = -mfma4
++CFLAGS-e_pow-fma4.c = -mfma4 $(config-cflags-nofma)
+ CFLAGS-halfulp-fma4.c = -mfma4
+ CFLAGS-mpa-fma4.c = -mfma4
+ CFLAGS-mpatan-fma4.c = -mfma4
+-- 
+2.7.4
+
diff --git a/src/patchsets/glibc/2.22/00_all_0047-Use-PIC-relocation-in-ALIAS_IMPL.patch b/src/patchsets/glibc/2.22/00_all_0047-Use-PIC-relocation-in-ALIAS_IMPL.patch
new file mode 100644
index 0000000000..0b16769efc
--- /dev/null
+++ b/src/patchsets/glibc/2.22/00_all_0047-Use-PIC-relocation-in-ALIAS_IMPL.patch
@@ -0,0 +1,35 @@
+From 3ffe1a9e559b88ed2c1096a798cec5fb17194e99 Mon Sep 17 00:00:00 2001
+From: Andrew Senkevich <andrew.senkevich@intel.com>
+Date: Wed, 17 Feb 2016 14:23:32 -0800
+Subject: [PATCH] Use PIC relocation in ALIAS_IMPL
+
+Since libmvec_nonshared.a may be linked into shared objects, ALIAS_IMPL
+should use PIC relocation.
+
+	[BZ #19590]
+	* sysdeps/x86_64/fpu/svml_finite_alias.S (ALIAS_IMPL): Use PIC
+	relocation.
+
+(cherry picked from commit a5df3210a641c175138052037fcdad34298bfa4d)
+(cherry picked from commit 2b8ab5c3f618e4d9e0a9147c24f8cf6bbf35a1d8)
+---
+ sysdeps/x86_64/fpu/svml_finite_alias.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/sysdeps/x86_64/fpu/svml_finite_alias.S b/sysdeps/x86_64/fpu/svml_finite_alias.S
+index f8bcfeb..aed1661 100644
+--- a/sysdeps/x86_64/fpu/svml_finite_alias.S
++++ b/sysdeps/x86_64/fpu/svml_finite_alias.S
+@@ -23,8 +23,7 @@
+ 
+ #define ALIAS_IMPL(alias, target) \
+ ENTRY (alias); \
+-	call target; \
+-	ret; \
++	jmp *target@GOTPCREL(%rip); \
+ END (alias)
+ 
+ 	.text
+-- 
+2.7.4
+
diff --git a/src/patchsets/glibc/2.22/00_all_0048-Fix-resource-leak-in-resolver-bug-19257.patch b/src/patchsets/glibc/2.22/00_all_0048-Fix-resource-leak-in-resolver-bug-19257.patch
new file mode 100644
index 0000000000..0405d57024
--- /dev/null
+++ b/src/patchsets/glibc/2.22/00_all_0048-Fix-resource-leak-in-resolver-bug-19257.patch
@@ -0,0 +1,31 @@
+From 066bfd462534b7141aaaac23aadc5c0ec3e4e7f3 Mon Sep 17 00:00:00 2001
+From: Andreas Schwab <schwab@suse.de>
+Date: Wed, 18 Nov 2015 15:45:59 +0100
+Subject: [PATCH] Fix resource leak in resolver (bug 19257)
+
+The number of currently defined nameservers is stored in ->nscount,
+whereas ->_u._ext.nscount is set by __libc_res_nsend only after local
+initializations.
+
+(cherry picked from commit 5e7fdabd7df1fc6c56d104e61390bf5a6b526c38)
+(cherry picked from commit e5d560e0e7f621b5cde4bcbbac424f8b2742395a)
+---
+ resolv/res_init.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/resolv/res_init.c b/resolv/res_init.c
+index 66561ff..77873c1 100644
+--- a/resolv/res_init.c
++++ b/resolv/res_init.c
+@@ -593,7 +593,7 @@ __res_iclose(res_state statp, bool free_addr) {
+ 		statp->_vcsock = -1;
+ 		statp->_flags &= ~(RES_F_VC | RES_F_CONN);
+ 	}
+-	for (ns = 0; ns < statp->_u._ext.nscount; ns++)
++	for (ns = 0; ns < statp->nscount; ns++)
+ 		if (statp->_u._ext.nsaddrs[ns]) {
+ 			if (statp->_u._ext.nssocks[ns] != -1) {
+ 				close_not_cancel_no_status(statp->_u._ext.nssocks[ns]);
+-- 
+2.7.4
+
diff --git a/src/patchsets/glibc/2.22/00_all_0049-resolv-Always-set-resplen2-out-parameter-in-send_dg-.patch b/src/patchsets/glibc/2.22/00_all_0049-resolv-Always-set-resplen2-out-parameter-in-send_dg-.patch
new file mode 100644
index 0000000000..22ebc26a60
--- /dev/null
+++ b/src/patchsets/glibc/2.22/00_all_0049-resolv-Always-set-resplen2-out-parameter-in-send_dg-.patch
@@ -0,0 +1,225 @@
+From b286c83dcbd06314859bf86319782611c81e283d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Fri, 25 Mar 2016 11:49:51 +0100
+Subject: [PATCH] resolv: Always set *resplen2 out parameter in send_dg [BZ
+ #19791]
+
+Since commit 44d20bca52ace85850012b0ead37b360e3ecd96e (Implement
+second fallback mode for DNS requests), there is a code path which
+returns early, before *resplen2 is initialized.  This happens if the
+name server address is immediately recognized as invalid (because of
+lack of protocol support, or if it is a broadcast address such
+255.255.255.255, or another invalid address).
+
+If this happens and *resplen2 was non-zero (which is the case if a
+previous query resulted in a failure), __libc_res_nquery would reuse
+an existing second answer buffer.  This answer has been previously
+identified as unusable (for example, it could be an NXDOMAIN
+response).  Due to the presence of a second answer, no name server
+switching will occur.  The result is a name resolution failure,
+although a successful resolution would have been possible if name
+servers have been switched and queries had proceeded along the search
+path.
+
+The above paragraph still simplifies the situation.  Before glibc
+2.23, if the second answer needed malloc, the stub resolver would
+still attempt to reuse the second answer, but this is not possible
+because __libc_res_nsearch has freed it, after the unsuccessful call
+to __libc_res_nquerydomain, and set the buffer pointer to NULL.  This
+eventually leads to an assertion failure in __libc_res_nquery:
+
+	/* Make sure both hp and hp2 are defined */
+	assert((hp != NULL) && (hp2 != NULL));
+
+If assertions are disabled, the consequence is a NULL pointer
+dereference on the next line.
+
+Starting with glibc 2.23, as a result of commit
+e9db92d3acfe1822d56d11abcea5bfc4c41cf6ca (CVE-2015-7547: getaddrinfo()
+stack-based buffer overflow (Bug 18665)), the second answer is always
+allocated with malloc.  This means that the assertion failure happens
+with small responses as well because there is no buffer to reuse, as
+soon as there is a name resolution failure which triggers a search for
+an answer along the search path.
+
+This commit addresses the issue by ensuring that *resplen2 is
+initialized before the send_dg function returns.
+
+This commit also addresses a bug where an invalid second reply is
+incorrectly returned as a valid to the caller.
+
+(cherry picked from commit b66d837bb5398795c6b0f651bd5a5d66091d8577)
+(cherry picked from commit 5a1a5f0dd2744044801c91bf2588444c29cda533)
+---
+ resolv/res_send.c | 63 +++++++++++++++++++++++++++++++++++--------------------
+ 1 file changed, 40 insertions(+), 23 deletions(-)
+
+diff --git a/resolv/res_send.c b/resolv/res_send.c
+index 6511bb1..0add3d2 100644
+--- a/resolv/res_send.c
++++ b/resolv/res_send.c
+@@ -657,6 +657,18 @@ get_nsaddr (res_state statp, int n)
+     return (struct sockaddr *) (void *) &statp->nsaddr_list[n];
+ }
+ 
++/* Close the resolver structure, assign zero to *RESPLEN2 if RESPLEN2
++   is not NULL, and return zero.  */
++static int
++__attribute__ ((warn_unused_result))
++close_and_return_error (res_state statp, int *resplen2)
++{
++  __res_iclose(statp, false);
++  if (resplen2 != NULL)
++    *resplen2 = 0;
++  return 0;
++}
++
+ /* The send_vc function is responsible for sending a DNS query over TCP
+    to the nameserver numbered NS from the res_state STATP i.e.
+    EXT(statp).nssocks[ns].  The function supports sending both IPv4 and
+@@ -1159,7 +1171,11 @@ send_dg(res_state statp,
+  retry_reopen:
+ 	retval = reopen (statp, terrno, ns);
+ 	if (retval <= 0)
+-		return retval;
++	  {
++	    if (resplen2 != NULL)
++	      *resplen2 = 0;
++	    return retval;
++	  }
+  retry:
+ 	evNowTime(&now);
+ 	evConsTime(&timeout, seconds, 0);
+@@ -1172,8 +1188,6 @@ send_dg(res_state statp,
+ 	int recvresp2 = buf2 == NULL;
+ 	pfd[0].fd = EXT(statp).nssocks[ns];
+ 	pfd[0].events = POLLOUT;
+-	if (resplen2 != NULL)
+-	  *resplen2 = 0;
+  wait:
+ 	if (need_recompute) {
+ 	recompute_resend:
+@@ -1181,9 +1195,7 @@ send_dg(res_state statp,
+ 		if (evCmpTime(finish, now) <= 0) {
+ 		poll_err_out:
+ 			Perror(statp, stderr, "poll", errno);
+-		err_out:
+-			__res_iclose(statp, false);
+-			return (0);
++			return close_and_return_error (statp, resplen2);
+ 		}
+ 		evSubTime(&timeout, &finish, &now);
+ 		need_recompute = 0;
+@@ -1230,7 +1242,9 @@ send_dg(res_state statp,
+ 		  }
+ 
+ 		*gotsomewhere = 1;
+-		return (0);
++		if (resplen2 != NULL)
++		  *resplen2 = 0;
++		return 0;
+ 	}
+ 	if (n < 0) {
+ 		if (errno == EINTR)
+@@ -1298,7 +1312,7 @@ send_dg(res_state statp,
+ 
+ 		      fail_sendmmsg:
+ 			Perror(statp, stderr, "sendmmsg", errno);
+-			goto err_out;
++			return close_and_return_error (statp, resplen2);
+ 		      }
+ 		  }
+ 		else
+@@ -1316,7 +1330,7 @@ send_dg(res_state statp,
+ 		      if (errno == EINTR || errno == EAGAIN)
+ 			goto recompute_resend;
+ 		      Perror(statp, stderr, "send", errno);
+-		      goto err_out;
++		      return close_and_return_error (statp, resplen2);
+ 		    }
+ 		  just_one:
+ 		    if (nwritten != 0 || buf2 == NULL || single_request)
+@@ -1394,7 +1408,7 @@ send_dg(res_state statp,
+ 				goto wait;
+ 			}
+ 			Perror(statp, stderr, "recvfrom", errno);
+-			goto err_out;
++			return close_and_return_error (statp, resplen2);
+ 		}
+ 		*gotsomewhere = 1;
+ 		if (__glibc_unlikely (*thisresplenp < HFIXEDSZ))       {
+@@ -1405,7 +1419,7 @@ send_dg(res_state statp,
+ 			       (stdout, ";; undersized: %d\n",
+ 				*thisresplenp));
+ 			*terrno = EMSGSIZE;
+-			goto err_out;
++			return close_and_return_error (statp, resplen2);
+ 		}
+ 		if ((recvresp1 || hp->id != anhp->id)
+ 		    && (recvresp2 || hp2->id != anhp->id)) {
+@@ -1454,7 +1468,7 @@ send_dg(res_state statp,
+ 				? *thisanssizp : *thisresplenp);
+ 			/* record the error */
+ 			statp->_flags |= RES_F_EDNS0ERR;
+-			goto err_out;
++			return close_and_return_error (statp, resplen2);
+ 	}
+ #endif
+ 		if (!(statp->options & RES_INSECURE2)
+@@ -1506,10 +1520,10 @@ send_dg(res_state statp,
+ 			    goto wait;
+ 			  }
+ 
+-			__res_iclose(statp, false);
+ 			/* don't retry if called from dig */
+ 			if (!statp->pfcode)
+-				return (0);
++			  return close_and_return_error (statp, resplen2);
++			__res_iclose(statp, false);
+ 		}
+ 		if (anhp->rcode == NOERROR && anhp->ancount == 0
+ 		    && anhp->aa == 0 && anhp->ra == 0 && anhp->arcount == 0) {
+@@ -1531,6 +1545,8 @@ send_dg(res_state statp,
+ 			__res_iclose(statp, false);
+ 			// XXX if we have received one reply we could
+ 			// XXX use it and not repeat it over TCP...
++			if (resplen2 != NULL)
++			  *resplen2 = 0;
+ 			return (1);
+ 		}
+ 		/* Mark which reply we received.  */
+@@ -1546,21 +1562,22 @@ send_dg(res_state statp,
+ 					__res_iclose (statp, false);
+ 					retval = reopen (statp, terrno, ns);
+ 					if (retval <= 0)
+-						return retval;
++					  {
++					    if (resplen2 != NULL)
++					      *resplen2 = 0;
++					    return retval;
++					  }
+ 					pfd[0].fd = EXT(statp).nssocks[ns];
+ 				}
+ 			}
+ 			goto wait;
+ 		}
+-		/*
+-		 * All is well, or the error is fatal.  Signal that the
+-		 * next nameserver ought not be tried.
+-		 */
++		/* All is well.  We have received both responses (if
++		   two responses were requested).  */
+ 		return (resplen);
+-	} else if (pfd[0].revents & (POLLERR | POLLHUP | POLLNVAL)) {
+-		/* Something went wrong.  We can stop trying.  */
+-		goto err_out;
+-	}
++	} else if (pfd[0].revents & (POLLERR | POLLHUP | POLLNVAL))
++	  /* Something went wrong.  We can stop trying.  */
++	  return close_and_return_error (statp, resplen2);
+ 	else {
+ 		/* poll should not have returned > 0 in this case.  */
+ 		abort ();
+-- 
+2.7.4
+
diff --git a/src/patchsets/glibc/2.22/README.history b/src/patchsets/glibc/2.22/README.history
index d4d29ca342..c8402d0ccc 100644
--- a/src/patchsets/glibc/2.22/README.history
+++ b/src/patchsets/glibc/2.22/README.history
@@ -1,3 +1,9 @@
+12		30 Mar 2016
+	+ 00_all_0046-Fix-x86_64-fma4-pow-inappropriate-contraction-bug-19.patch
+	+ 00_all_0047-Use-PIC-relocation-in-ALIAS_IMPL.patch
+	+ 00_all_0048-Fix-resource-leak-in-resolver-bug-19257.patch
+	+ 00_all_0049-resolv-Always-set-resplen2-out-parameter-in-send_dg-.patch
+
 11		07 Mar 2016
 	+ 00_all_0041-CVE-2015-7547-getaddrinfo-stack-based-buffer-overflo.patch
 	+ 00_all_0042-powerpc-Enforce-compiler-barriers-on-hardware-transa.patch