[packages/php/PHP_5_3] Add php-fpm-shm-corruption.patch before bug-81026-CVE-2021-21703.patch

glen glen at pld-linux.org
Wed Dec 1 14:42:21 CET 2021 

commit 1797a3f9566209520174e724f97823cbfc760002
Author: Elan Ruusamäe <glen at pld-linux.org>
Date:   Fri Oct 29 12:26:02 2021 +0300

    Add php-fpm-shm-corruption.patch before bug-81026-CVE-2021-21703.patch

 php-fpm-shm-corruption.patch | 86 ++++++++++++++++++++++++++++++++++++++++++++
 php.spec                     |  4 ++-
 2 files changed, 89 insertions(+), 1 deletion(-)
---
diff --git a/php.spec b/php.spec
index df1035e..2b841a3 100644
--- a/php.spec
+++ b/php.spec
@@ -252,7 +252,8 @@ Patch75:	openssl.patch
 Patch76:	php-bug-61930.patch
 Patch77:	php-icu64.patch
 Patch78:	icu69.patch
-Patch79:	bug-81026-CVE-2021-21703.patch
+Patch79:	php-fpm-shm-corruption.patch
+Patch80:	bug-81026-CVE-2021-21703.patch
 # Fixes for security bugs
 # https://repo.webtatic.com/yum/centos/5/SRPMS/repoview/php.html
 # also from RHEL6/CentOS7
@@ -2166,6 +2167,7 @@ gzip -dc %{SOURCE15} | tar xf - -C sapi/
 %patch77 -p1
 %patch78 -p1
 %patch79 -p1
+%patch80 -p1
 
 %patch220 -p1
 %patch221 -p1
diff --git a/php-fpm-shm-corruption.patch b/php-fpm-shm-corruption.patch
new file mode 100644
index 0000000..c1c2ded
--- /dev/null
+++ b/php-fpm-shm-corruption.patch
@@ -0,0 +1,86 @@
+From a22175b06f22965e0d79e2b5bb6c734950adfc5d Mon Sep 17 00:00:00 2001
+From: Julien Pauli <jpauli at php.net>
+Date: Fri, 23 Sep 2016 13:24:31 +0200
+Subject: [PATCH] Formatting. Fix possible memory corruption in FPM SHM
+ management
+
+---
+ sapi/fpm/fpm/fpm_scoreboard.c | 28 ++++++++++++++++------------
+ 1 file changed, 16 insertions(+), 12 deletions(-)
+
+diff --git a/sapi/fpm/fpm/fpm_scoreboard.c b/sapi/fpm/fpm/fpm_scoreboard.c
+index 3e57333e9f..e1e69c9780 100644
+--- a/sapi/fpm/fpm/fpm_scoreboard.c
++++ b/sapi/fpm/fpm/fpm_scoreboard.c
+@@ -25,7 +25,7 @@ static float fpm_scoreboard_tick;
+ int fpm_scoreboard_init_main() /* {{{ */
+ {
+ 	struct fpm_worker_pool_s *wp;
+-	int i;
++	unsigned int i;
+ 
+ #ifdef HAVE_TIMES
+ #if (defined(HAVE_SYSCONF) && defined(_SC_CLK_TCK))
+@@ -42,6 +42,9 @@ int fpm_scoreboard_init_main() /* {{{ */
+ 
+ 
+ 	for (wp = fpm_worker_all_pools; wp; wp = wp->next) {
++		size_t scoreboard_size, scoreboard_nprocs_size;
++		void *shm_mem;
++
+ 		if (wp->config->pm_max_children < 1) {
+ 			zlog(ZLOG_ERROR, "[pool %s] Unable to create scoreboard SHM because max_client is not set", wp->config->name);
+ 			return -1;
+@@ -52,21 +55,22 @@ int fpm_scoreboard_init_main() /* {{{ */
+ 			return -1;
+ 		}
+ 
+-		int scoreboard_size = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s *);
+-		int scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children;
+-        void *shm_mem = fpm_shm_alloc(scoreboard_size + scoreboard_nprocs_size);
++		scoreboard_size        = sizeof(struct fpm_scoreboard_s) + (wp->config->pm_max_children) * sizeof(struct fpm_scoreboard_proc_s *);
++		scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * wp->config->pm_max_children;
++		shm_mem                = fpm_shm_alloc(scoreboard_size + scoreboard_nprocs_size);
++
+ 		if (!shm_mem) {
+ 			return -1;
+ 		}
+-		wp->scoreboard = shm_mem;
++		wp->scoreboard         = shm_mem;
+ 		wp->scoreboard->nprocs = wp->config->pm_max_children;
+-		shm_mem += scoreboard_size;
+-		for (i = 0; i < wp->scoreboard->nprocs; i++) {
++		shm_mem               += scoreboard_size;
++
++		for (i = 0; i < wp->scoreboard->nprocs; i++, shm_mem += sizeof(struct fpm_scoreboard_proc_s)) {
+ 			wp->scoreboard->procs[i] = shm_mem;
+-			shm_mem += sizeof(struct fpm_scoreboard_proc_s);
+ 		}
+ 
+-		wp->scoreboard->pm = wp->config->pm;
++		wp->scoreboard->pm          = wp->config->pm;
+ 		wp->scoreboard->start_epoch = time(NULL);
+ 		strlcpy(wp->scoreboard->pool, wp->config->name, sizeof(wp->scoreboard->pool));
+ 	}
+@@ -234,15 +238,15 @@ void fpm_scoreboard_proc_release(struct fpm_scoreboard_proc_s *proc) /* {{{ */
+ 
+ void fpm_scoreboard_free(struct fpm_scoreboard_s *scoreboard) /* {{{ */
+ {
+-	int i;
++	size_t scoreboard_size, scoreboard_nprocs_size;
+ 
+ 	if (!scoreboard) {
+ 		zlog(ZLOG_ERROR, "**scoreboard is NULL");
+ 		return;
+ 	}
+ 
+-	int scoreboard_size = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *);
+-	int scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs;
++	scoreboard_size        = sizeof(struct fpm_scoreboard_s) + (scoreboard->nprocs) * sizeof(struct fpm_scoreboard_proc_s *);
++	scoreboard_nprocs_size = sizeof(struct fpm_scoreboard_proc_s) * scoreboard->nprocs;
+ 	
+ 	fpm_shm_free(scoreboard, scoreboard_size + scoreboard_nprocs_size);
+ }
+-- 
+2.33.1
+
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/php.git/commitdiff/8359939cab722919c56e747283a64e725a78dcee

More information about the pld-cvs-commit mailing list