aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNatanael Copa <ncopa@alpinelinux.org>2020-08-12 14:47:47 +0200
committerNatanael Copa <ncopa@alpinelinux.org>2020-08-28 17:19:43 +0200
commit0d38182d489a6f1dbc91d202680063e7fc32d11d (patch)
tree36d75b14bb7edcf7b6d9033b4205398b5346bcc3
parent8d91876805031982643ede3bc6aff38b89d7d6e1 (diff)
main/libcap-ng: fix deadlock with capng_apply
libvirt will call capng_apply after fork which may result in deadlock if malloc is called. Fix capng_apply to avoid malloc/free. ref #11602 Upstream PR: https://github.com/stevegrubb/libcap-ng/pull/16 (cherry picked from commit 5dc3f84b9885c06cd0b5029d4cba00c1d231a64a)
-rw-r--r--main/libcap-ng/APKBUILD4
-rw-r--r--main/libcap-ng/async-safe-apply.patch29
2 files changed, 32 insertions, 1 deletions
diff --git a/main/libcap-ng/APKBUILD b/main/libcap-ng/APKBUILD
index 5834f6262ee..07654b528e6 100644
--- a/main/libcap-ng/APKBUILD
+++ b/main/libcap-ng/APKBUILD
@@ -1,7 +1,7 @@
# Maintainer: Natanael Copa <ncopa@alpinelinux.org>
pkgname=libcap-ng
pkgver=0.7.10
-pkgrel=0
+pkgrel=1
pkgdesc="POSIX capabilities library"
url="http://people.redhat.com/sgrubb/libcap-ng/index.html"
arch="all"
@@ -11,6 +11,7 @@ makedepends_build=""
makedepends_host="$depends_dev"
subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz
+ async-safe-apply.patch
fix-includes.patch
"
builddir="$srcdir/$pkgname-$pkgver"
@@ -48,4 +49,5 @@ utils() {
}
sha512sums="1b93c7f5c20ae5cc705fe5244af3e299454e988388cda95f006e248d97c0713e77da2a81c67ecf15755f3958df373fc6d1ca14197d6357ab1f2d8c3a0fd12def libcap-ng-0.7.10.tar.gz
+cfd97dab1bb1c93434cc6439f78d3967905002efd91946486978dec9b84df60945a2e5f25c8af79b94c5e3a36c783e9afbaec71b9d322ebed0b0b401a6ff34e6 async-safe-apply.patch
8de98ce0fae63812cf7fd17e788343798b0cab63ba029f046ac9b89b2305da17432bafdd3dfa36046fc2cc0a453e0c889f6744c632f4617e0e5fc08e2823e324 fix-includes.patch"
diff --git a/main/libcap-ng/async-safe-apply.patch b/main/libcap-ng/async-safe-apply.patch
new file mode 100644
index 00000000000..1542863e74c
--- /dev/null
+++ b/main/libcap-ng/async-safe-apply.patch
@@ -0,0 +1,29 @@
+Upstream: https://github.com/stevegrubb/libcap-ng/pull/16
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index 7aa1029..f0ad7e7 100644
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -525,11 +525,12 @@ int capng_apply(capng_select_t set)
+
+ if (set & CAPNG_SELECT_BOUNDS) {
+ #ifdef PR_CAPBSET_DROP
+- void *s = capng_save_state();
++ struct cap_ng state;
++ memcpy(&state, &m, sizeof(state)); /* save state */
+ capng_get_caps_process();
+ if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ int i;
+- capng_restore_state(&s);
++ memcpy(&m, &state, sizeof(m)); /* restore state */
+ rc = 0;
+ for (i=0; i <= last_cap && rc == 0; i++)
+ if (capng_have_capability(CAPNG_BOUNDING_SET,
+@@ -538,7 +539,7 @@ int capng_apply(capng_select_t set)
+ if (rc == 0)
+ m.state = CAPNG_APPLIED;
+ } else
+- capng_restore_state(&s);
++ memcpy(&m, &state, sizeof(m)); /* restore state */
+ #else
+ rc = 0;
+ #endif