From 0d38182d489a6f1dbc91d202680063e7fc32d11d Mon Sep 17 00:00:00 2001
From: Natanael Copa <ncopa@alpinelinux.org>
Date: Wed, 12 Aug 2020 14:47:47 +0200
Subject: main/libcap-ng: fix deadlock with capng_apply

libvirt will call capng_apply after fork which may result in deadlock if
malloc is called. Fix capng_apply to avoid malloc/free.

ref #11602

Upstream PR: https://github.com/stevegrubb/libcap-ng/pull/16

(cherry picked from commit 5dc3f84b9885c06cd0b5029d4cba00c1d231a64a)
---
 main/libcap-ng/APKBUILD               |  4 +++-
 main/libcap-ng/async-safe-apply.patch | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 1 deletion(-)
 create mode 100644 main/libcap-ng/async-safe-apply.patch

diff --git a/main/libcap-ng/APKBUILD b/main/libcap-ng/APKBUILD
index 5834f6262ee..07654b528e6 100644
--- a/main/libcap-ng/APKBUILD
+++ b/main/libcap-ng/APKBUILD
@@ -1,7 +1,7 @@
 # Maintainer: Natanael Copa <ncopa@alpinelinux.org>
 pkgname=libcap-ng
 pkgver=0.7.10
-pkgrel=0
+pkgrel=1
 pkgdesc="POSIX capabilities library"
 url="http://people.redhat.com/sgrubb/libcap-ng/index.html"
 arch="all"
@@ -11,6 +11,7 @@ makedepends_build=""
 makedepends_host="$depends_dev"
 subpackages="$pkgname-dev $pkgname-doc $pkgname-utils"
 source="https://people.redhat.com/sgrubb/libcap-ng/libcap-ng-$pkgver.tar.gz
+	async-safe-apply.patch
 	fix-includes.patch
 	"
 builddir="$srcdir/$pkgname-$pkgver"
@@ -48,4 +49,5 @@ utils() {
 }
 
 sha512sums="1b93c7f5c20ae5cc705fe5244af3e299454e988388cda95f006e248d97c0713e77da2a81c67ecf15755f3958df373fc6d1ca14197d6357ab1f2d8c3a0fd12def  libcap-ng-0.7.10.tar.gz
+cfd97dab1bb1c93434cc6439f78d3967905002efd91946486978dec9b84df60945a2e5f25c8af79b94c5e3a36c783e9afbaec71b9d322ebed0b0b401a6ff34e6  async-safe-apply.patch
 8de98ce0fae63812cf7fd17e788343798b0cab63ba029f046ac9b89b2305da17432bafdd3dfa36046fc2cc0a453e0c889f6744c632f4617e0e5fc08e2823e324  fix-includes.patch"
diff --git a/main/libcap-ng/async-safe-apply.patch b/main/libcap-ng/async-safe-apply.patch
new file mode 100644
index 00000000000..1542863e74c
--- /dev/null
+++ b/main/libcap-ng/async-safe-apply.patch
@@ -0,0 +1,29 @@
+Upstream: https://github.com/stevegrubb/libcap-ng/pull/16
+diff --git a/src/cap-ng.c b/src/cap-ng.c
+index 7aa1029..f0ad7e7 100644
+--- a/src/cap-ng.c
++++ b/src/cap-ng.c
+@@ -525,11 +525,12 @@ int capng_apply(capng_select_t set)
+ 
+ 	if (set & CAPNG_SELECT_BOUNDS) { 
+ #ifdef PR_CAPBSET_DROP
+-		void *s = capng_save_state();
++		struct cap_ng state;
++		memcpy(&state, &m, sizeof(state)); /* save state */
+ 		capng_get_caps_process();
+ 		if (capng_have_capability(CAPNG_EFFECTIVE, CAP_SETPCAP)) {
+ 			int i;
+-			capng_restore_state(&s);
++			memcpy(&m, &state, sizeof(m)); /* restore state */
+ 			rc = 0;
+ 			for (i=0; i <= last_cap && rc == 0; i++)
+ 				if (capng_have_capability(CAPNG_BOUNDING_SET,
+@@ -538,7 +539,7 @@ int capng_apply(capng_select_t set)
+ 			if (rc == 0)
+ 				m.state = CAPNG_APPLIED;
+ 		} else
+-			capng_restore_state(&s);
++			memcpy(&m, &state, sizeof(m)); /* restore state */
+ #else
+ 		rc = 0;
+ #endif
-- 
cgit v1.2.3