From 4a78b2b04f3f63eaf1c29dca12d44d820bb9374a Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Tue, 4 Feb 2020 22:36:42 +0100
Subject: [PATCH 01/14] glibc: 2.30 -> 2.31

https://lists.gnu.org/archive/html/info-gnu/2020-02/msg00001.html
---
 .../libraries/glibc/2.27-CVE-2019-19126.patch | 18 ------------------
 pkgs/development/libraries/glibc/common.nix | 6 ++----
 2 files changed, 2 insertions(+), 22 deletions(-)
 delete mode 100644 pkgs/development/libraries/glibc/2.27-CVE-2019-19126.patch

diff --git a/pkgs/development/libraries/glibc/2.27-CVE-2019-19126.patch b/pkgs/development/libraries/glibc/2.27-CVE-2019-19126.patch
deleted file mode 100644
index 2c558f53b735..000000000000
--- a/pkgs/development/libraries/glibc/2.27-CVE-2019-19126.patch
+++ /dev/null
@@ -1,18 +0,0 @@
-Adapted from https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=patch;h=4d5cfeb510125345cb41431afc9022492994cffa, omitting changes to NEWS
-diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
-index 1943691..ac694c0 100644
---- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
-+++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
-@@ -31,7 +31,8 @@
- environment variable, LD_PREFER_MAP_32BIT_EXEC. */
- #define EXTRA_LD_ENVVARS \
- case 21: \
-- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
-+ if (!__libc_enable_secure \
-+ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
- GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
- |= bit_arch_Prefer_MAP_32BIT_EXEC; \
- break;
---
-2.9.3
-
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 36b6bea61cd4..0cd61de4548d 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -36,9 +36,9 @@ } @ args: let - version = "2.30"; + version = "2.31"; patchSuffix = ""; - sha256 = "1bxqpg91d02qnaz837a5kamm0f43pr1il4r9pknygywsar713i72"; + sha256 = "05zxkyz9bv3j9h0xyid1rhvh3klhsmrpkf3bcs6frvlgyr2gwilj"; in assert withLinuxHeaders -> linuxHeaders != null; @@ -108,8 +108,6 @@ stdenv.mkDerivation ({ }) ./fix-x64-abi.patch - ./2.27-CVE-2019-19126.patch - ./2.30-cve-2020-1752.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch; From 4847222db128d2d257dd60304d946a5272d5e912 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Wed, 19 Feb 2020 22:33:48 +0100 Subject: [PATCH 02/14] busybox: fix build w/glibc-2.31 --- .../0001-Fix-build-with-glibc-2.31.patch | 71 +++++++++++++++++++ pkgs/os-specific/linux/busybox/default.nix | 1 + 2 files changed, 72 insertions(+) create mode 100644 pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch diff --git a/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch new file mode 100644 index 000000000000..029333b57e4d --- /dev/null +++ b/pkgs/os-specific/linux/busybox/0001-Fix-build-with-glibc-2.31.patch 
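Review bot: The second hunk (`@@ -108,8 +108,6 @@`) appears to drop `./2.30-cve-2020-1752.patch` from the `patches` list together with `./2.27-CVE-2019-19126.patch`, and nothing visible here shows that the 2.31 release already contains the CVE-2020-1752 fix. PATCH 14/14 of this series is titled as building glibc with patches for CVE-2020-1752 and CVE-2020-10029, which suggests 2.31 still needs it, so every commit between 01 and 14 would produce a glibc without that fix. Keep the line in this commit (rebasing the patch if it no longer applies) or squash 14/14 into it. A comment on each CVE patch entry such as `# CVE-2020-1752: drop once the packaged release contains the upstream fix` would make later version bumps safer; the `patches` list itself starts outside the hunk.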
@@ -0,0 +1,71 @@
+From c29b637b55c93214993f40b1a223233d40b8a7d6 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch
+Date: Wed, 19 Feb 2020 22:32:28 +0100
+Subject: [PATCH] Fix build with glibc 2.31
+
+This is derived from the corresponding upstream patch[1], however this
+one doesn't apply cleanly on busybox-1.31.1, so I rebased the patch
+locally and added it directly to nixpkgs.
+
+[1] https://git.busybox.net/busybox/patch/?id=d3539be8f27b8cbfdfee460fe08299158f08bcd9
+---
+ coreutils/date.c | 2 +-
+ libbb/missing_syscalls.c | 8 --------
+ util-linux/rdate.c | 8 ++++++--
+ 3 files changed, 7 insertions(+), 11 deletions(-)
+
+diff --git a/coreutils/date.c b/coreutils/date.c
+index 3414d38..931b7f9 100644
+--- a/coreutils/date.c
++++ b/coreutils/date.c
+@@ -303,7 +303,7 @@ int date_main(int argc UNUSED_PARAM, char **argv)
+ ts.tv_sec = validate_tm_time(date_str, &tm_time);
+
+ /* if setting time, set it */
+- if ((opt & OPT_SET) && stime(&ts.tv_sec) < 0) {
++ if ((opt & OPT_SET) && clock_settime(CLOCK_REALTIME, &ts) < 0) {
+ bb_perror_msg("can't set date");
+ }
+ }
+diff --git a/libbb/missing_syscalls.c b/libbb/missing_syscalls.c
+index 87cf59b..dc40d91 100644
+--- a/libbb/missing_syscalls.c
++++ b/libbb/missing_syscalls.c
+@@ -15,14 +15,6 @@ pid_t getsid(pid_t pid)
+ return syscall(__NR_getsid, pid);
+ }
+
+-int stime(const time_t *t)
+-{
+- struct timeval tv;
+- tv.tv_sec = *t;
+- tv.tv_usec = 0;
+- return settimeofday(&tv, NULL);
+-}
+-
+ int sethostname(const char *name, size_t len)
+ {
+ return syscall(__NR_sethostname, name, len);
+diff --git a/util-linux/rdate.c b/util-linux/rdate.c
+index 70f829e..878375d 100644
+--- a/util-linux/rdate.c
++++ b/util-linux/rdate.c
+@@ -95,9 +95,13 @@ int rdate_main(int argc UNUSED_PARAM, char **argv)
+ if (!(flags & 2)) { /* no -p (-s may be present) */
+ if (time(NULL) == remote_time)
+ bb_error_msg("current time matches remote time");
+- else
+- if (stime(&remote_time) < 0)
++ else {
++ struct timespec ts;
++ ts.tv_sec =
remote_time; ++ ts.tv_nsec = 0; ++ if (clock_settime(CLOCK_REALTIME, &ts) < 0) + bb_perror_msg_and_die("can't set time of day"); ++ } + } + + if (flags != 1) /* not lone -s */ +-- +2.25.0 + diff --git a/pkgs/os-specific/linux/busybox/default.nix b/pkgs/os-specific/linux/busybox/default.nix index 430066831b87..cbdedaa62a78 100644 --- a/pkgs/os-specific/linux/busybox/default.nix +++ b/pkgs/os-specific/linux/busybox/default.nix @@ -49,6 +49,7 @@ stdenv.mkDerivation rec { patches = [ ./busybox-in-store.patch + ./0001-Fix-build-with-glibc-2.31.patch ] ++ stdenv.lib.optional (stdenv.hostPlatform != stdenv.buildPlatform) ./clang-cross.patch; postPatch = "patchShebangs ."; From cff1a1eefca8af3c13a94a0b9257a3f9ff721c37 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Thu, 20 Feb 2020 02:06:23 +0100 Subject: [PATCH 03/14] gcc7: fix build w/glibc-2.31 Applied a patch from the `gcc9` branch for `gcc7` to fix `libsanitizer` for glibc-2.31. --- .../gcc/7/0001-Fix-build-for-glibc-2.31.patch | 62 +++++++++++++++++++ pkgs/development/compilers/gcc/7/default.nix | 2 + 2 files changed, 64 insertions(+) create mode 100644 pkgs/development/compilers/gcc/7/0001-Fix-build-for-glibc-2.31.patch diff --git a/pkgs/development/compilers/gcc/7/0001-Fix-build-for-glibc-2.31.patch b/pkgs/development/compilers/gcc/7/0001-Fix-build-for-glibc-2.31.patch new file mode 100644 index 000000000000..d8aad14942bf --- /dev/null +++ b/pkgs/development/compilers/gcc/7/0001-Fix-build-for-glibc-2.31.patch 
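Review bot: In the `coreutils/date.c` hunk of the added busybox patch, `clock_settime(CLOCK_REALTIME, &ts)` now reads the whole `ts`, but the visible lines only assign `ts.tv_sec`; the replaced `stime(&ts.tv_sec)` never looked at the nanosecond field. Unless `ts.tv_nsec` is set earlier in `date_main` (its body starts outside the hunk), the call can receive an indeterminate or stale value and either fail with EINVAL or set a wrong sub-second time. Add `ts.tv_nsec = 0;` right after `ts.tv_sec = validate_tm_time(date_str, &tm_time);`, as the `util-linux/rdate.c` hunk of the same patch already does for its own `ts`.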
@@ -0,0 +1,62 @@
+From 2d03b6eaf823fc2db6a32b4a95e18f8a7474b47f Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch
+Date: Thu, 20 Feb 2020 01:56:42 +0100
+Subject: [PATCH] Fix build for glibc 2.31
+
+---
+ .../sanitizer_platform_limits_posix.cc | 5 +++--
+ .../sanitizer_platform_limits_posix.h | 15 +--------------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 97eae3fc7..4089d4695 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -1145,8 +1145,9 @@ CHECK_SIZE_AND_OFFSET(ipc_perm, uid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, gid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cuid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cgid);
+-#if !defined(__aarch64__) || !SANITIZER_LINUX || __GLIBC_PREREQ (2, 21)
+-/* On aarch64 glibc 2.20 and earlier provided incorrect mode field. */
++#if !SANITIZER_LINUX || __GLIBC_PREREQ (2, 31)
++/* glibc 2.30 and earlier provided 16-bit mode field instead of 32-bit
++ on many architectures.
*/ + CHECK_SIZE_AND_OFFSET(ipc_perm, mode); + #endif + +diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +index c13932283..3456fb2db 100644 +--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h ++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +@@ -204,27 +204,14 @@ namespace __sanitizer { + unsigned __seq; + u64 __unused1; + u64 __unused2; +-#elif defined(__mips__) || defined(__aarch64__) || defined(__s390x__) +- unsigned int mode; +- unsigned short __seq; +- unsigned short __pad1; +- unsigned long __unused1; +- unsigned long __unused2; + #elif defined(__sparc__) +-# if defined(__arch64__) + unsigned mode; +- unsigned short __pad1; +-# else +- unsigned short __pad1; +- unsigned short mode; + unsigned short __pad2; +-# endif + unsigned short __seq; + unsigned long long __unused1; + unsigned long long __unused2; + #else +- unsigned short mode; +- unsigned short __pad1; ++ unsigned int mode; + unsigned short __seq; + unsigned short __pad2; + #if defined(__x86_64__) && !defined(_LP64) +-- +2.25.0 + diff --git a/pkgs/development/compilers/gcc/7/default.nix b/pkgs/development/compilers/gcc/7/default.nix index 89933c22edd4..dcd129ff25a7 100644 --- a/pkgs/development/compilers/gcc/7/default.nix +++ b/pkgs/development/compilers/gcc/7/default.nix @@ -53,6 +53,8 @@ let majorVersion = "7"; ./riscv-pthread-reentrant.patch # https://gcc.gnu.org/ml/gcc-patches/2018-03/msg00297.html ./riscv-no-relax.patch + + ./0001-Fix-build-for-glibc-2.31.patch ] ++ optional (targetPlatform != hostPlatform) ../libstdc++-target.patch ++ optionals targetPlatform.isNetBSD [ From d348694fb680bc134ea893cc031439a21576a485 Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Thu, 20 Feb 2020 15:09:22 +0100 Subject: [PATCH 04/14] gcc6: fix build w/glibc-2.31 --- .../gcc/6/0001-Fix-build-for-glibc-2.31.patch | 62 +++++++++++++++++++ pkgs/development/compilers/gcc/6/default.nix | 2 +- 2 files changed, 63 insertions(+), 1 deletion(-) create mode 100644 pkgs/development/compilers/gcc/6/0001-Fix-build-for-glibc-2.31.patch diff --git a/pkgs/development/compilers/gcc/6/0001-Fix-build-for-glibc-2.31.patch b/pkgs/development/compilers/gcc/6/0001-Fix-build-for-glibc-2.31.patch new file mode 100644 index 000000000000..0cd04e218caf --- /dev/null +++ b/pkgs/development/compilers/gcc/6/0001-Fix-build-for-glibc-2.31.patch 
@@ -0,0 +1,62 @@
+From 8b55f1047cf3491429c1af607e5dac08a81db6e1 Mon Sep 17 00:00:00 2001
+From: Maximilian Bosch
+Date: Thu, 20 Feb 2020 15:08:36 +0100
+Subject: [PATCH] Fix build for glibc 2.31
+
+---
+ .../sanitizer_platform_limits_posix.cc | 5 +++--
+ .../sanitizer_platform_limits_posix.h | 15 +--------------
+ 2 files changed, 4 insertions(+), 16 deletions(-)
+
+diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 069d8d557..c49c28c6e 100644
+--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -1130,8 +1130,9 @@ CHECK_SIZE_AND_OFFSET(ipc_perm, cgid);
+ #ifndef __GLIBC_PREREQ
+ #define __GLIBC_PREREQ(x, y) 0
+ #endif
+-#if !defined(__aarch64__) || !SANITIZER_LINUX || __GLIBC_PREREQ (2, 21)
+-/* On aarch64 glibc 2.20 and earlier provided incorrect mode field. */
++#if !SANITIZER_LINUX || __GLIBC_PREREQ (2, 31)
++/* glibc 2.30 and earlier provided 16-bit mode field instead of 32-bit
++ on many architectures.
*/ + CHECK_SIZE_AND_OFFSET(ipc_perm, mode); + #endif + +diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +index 304d04e39..568081a79 100644 +--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h ++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +@@ -200,27 +200,14 @@ namespace __sanitizer { + unsigned __seq; + u64 __unused1; + u64 __unused2; +-#elif defined(__mips__) || defined(__aarch64__) +- unsigned int mode; +- unsigned short __seq; +- unsigned short __pad1; +- unsigned long __unused1; +- unsigned long __unused2; + #elif defined(__sparc__) +-# if defined(__arch64__) + unsigned mode; +- unsigned short __pad1; +-# else +- unsigned short __pad1; +- unsigned short mode; + unsigned short __pad2; +-# endif + unsigned short __seq; + unsigned long long __unused1; + unsigned long long __unused2; + #else +- unsigned short mode; +- unsigned short __pad1; ++ unsigned int mode; + unsigned short __seq; + unsigned short __pad2; + #if defined(__x86_64__) && !defined(_LP64) +-- +2.25.0 + diff --git a/pkgs/development/compilers/gcc/6/default.nix b/pkgs/development/compilers/gcc/6/default.nix index f3b15eac55d2..f1bc490bd772 100644 --- a/pkgs/development/compilers/gcc/6/default.nix +++ b/pkgs/development/compilers/gcc/6/default.nix @@ -65,7 +65,7 @@ let majorVersion = "6"; inherit (stdenv) buildPlatform hostPlatform targetPlatform; patches = - [ ../use-source-date-epoch.patch ] + [ ../use-source-date-epoch.patch ./0001-Fix-build-for-glibc-2.31.patch ] ++ optional (targetPlatform != hostPlatform) ../libstdc++-target.patch ++ optional noSysDirs ../no-sys-dirs.patch ++ optional langAda ../gnat-cflags.patch From f95acb5cc602b95c87e2da54c6dc10235ebac9fe Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Thu, 18 Jun 2020 00:38:32 +0200 Subject: [PATCH 05/14] imagemagick7: 7.0.10-17 -> 7.0.10-19, fix build w/glibc-2.31 --- pkgs/applications/graphics/ImageMagick/7.0.nix | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/pkgs/applications/graphics/ImageMagick/7.0.nix b/pkgs/applications/graphics/ImageMagick/7.0.nix index 9bcf517e1d9e..2216fe9199db 100644 --- a/pkgs/applications/graphics/ImageMagick/7.0.nix +++ b/pkgs/applications/graphics/ImageMagick/7.0.nix @@ -13,8 +13,8 @@ let else throw "ImageMagick is not supported on this platform."; cfg = { - version = "7.0.10-17"; - sha256 = "15cj9qkikx13j6gfqaawi4nh09lnzg3asf5mdcswx6z6yhbf90zx"; + version = "7.0.10-19"; + sha256 = "12ilfdbxllkaa3bs9z86d2nkklqz5c0l57kqj91l2ixjlvra64w0"; patches = []; }; in From 7193603c5f91395f936a6522486aac2b7badc227 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 26 Jun 2020 14:38:19 +0200 Subject: [PATCH 06/14] datefudge: fix build w/glibc-2.31 https://hydra.nixos.org/build/122874972 --- pkgs/tools/system/datefudge/default.nix | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/pkgs/tools/system/datefudge/default.nix b/pkgs/tools/system/datefudge/default.nix index 839e14a20d8a..fd0cc5f582a2 100644 --- a/pkgs/tools/system/datefudge/default.nix +++ b/pkgs/tools/system/datefudge/default.nix @@ -1,4 +1,4 @@ -{ stdenv, fetchgit }: +{ stdenv, fetchgit, fetchpatch }: stdenv.mkDerivation { pname = "datefudge"; 
@@ -10,15 +10,20 @@ stdenv.mkDerivation { sha256 = "0r9g8v9xnv60hq3j20wqy34kyig3sc2pisjxl4irn7jjx85f1spv"; }; - patchPhase = '' + patches = [ + (fetchpatch { + url = "https://src.fedoraproject.org/rpms/datefudge/raw/master/f/datefudge_1.23-tz.patch"; + sha256 = "19c2fvhm06wnp3059b0rnd7dqdchkan8iycjh8jk8y25j870zkvn"; + }) + ]; + + postPatch = '' substituteInPlace Makefile \ --replace "/usr" "/" \ --replace "-o root -g root" "" substituteInPlace datefudge.sh \ --replace "@LIBDIR@" "$out/lib/" - ''; - - preInstallPhase = "mkdir -P $out/lib/datefudge"; + ''; installFlags = [ "DESTDIR=$(out)" ]; From 44fb6cc037c9702430a5a1e77a848a2f6f6a0efa Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 26 Jun 2020 14:49:13 +0200 Subject: [PATCH 07/14] vdr: fix build w/glibc-2.31 https://hydra.nixos.org/build/122891193 --- pkgs/applications/video/vdr/default.nix | 7 ++++++- .../applications/video/vdr/glibc2.31-compat.patch | 15 +++++++++++++++ 2 files changed, 21 insertions(+), 1 deletion(-) create mode 100644 pkgs/applications/video/vdr/glibc2.31-compat.patch diff --git a/pkgs/applications/video/vdr/default.nix b/pkgs/applications/video/vdr/default.nix index d025554835ef..14ca503f2e91 100644 --- a/pkgs/applications/video/vdr/default.nix +++ b/pkgs/applications/video/vdr/default.nix @@ -1,5 +1,5 @@ { stdenv, fetchurl, fontconfig, libjpeg, libcap, freetype, fribidi, pkgconfig -, gettext, systemd, perl, lib +, gettext, systemd, perl, lib, fetchpatch , enableSystemd ? true , enableBidi ? true }: stdenv.mkDerivation rec { @@ -12,6 +12,11 @@ sha256 = "1p51b14aqzncx3xpfg0rjplc48pg7520035i5p6r5zzkqhszihr5"; }; + patches = [ + # Derived from http://git.tvdr.de/?p=vdr.git;a=commit;h=930c2cd2eb8947413e88404fa94c66e4e1db5ad6 + ./glibc2.31-compat.patch + ]; + enableParallelBuilding = true; postPatch = "substituteInPlace Makefile --replace libsystemd-daemon libsystemd"; 
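Review bot: The `fetchpatch` URL in the new `patches` list points at `raw/master`, a moving branch, so the file behind it can change or disappear. The `sha256` keeps altered content from being accepted silently, but the build then fails as soon as no cached copy is left. Pin the URL to a commit of the Fedora packaging repository instead, e.g. `.../rpms/datefudge/raw/<COMMIT_ID>/f/datefudge_1.23-tz.patch` (placeholder; take the id from that repository's history), and add a one-line comment above the entry saying what the patch changes for glibc 2.31.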
diff --git a/pkgs/applications/video/vdr/glibc2.31-compat.patch b/pkgs/applications/video/vdr/glibc2.31-compat.patch new file mode 100644 index 000000000000..9a52d4b290b1 --- /dev/null +++ b/pkgs/applications/video/vdr/glibc2.31-compat.patch @@ -0,0 +1,15 @@ +diff --git a/eit.c b/eit.c +index 50d8229..373dbca 100644 +--- a/eit.c ++++ b/eit.c +@@ -391,7 +391,9 @@ cTDT::cTDT(const u_char *Data) + if (abs(diff) > MAX_TIME_DIFF) { + mutex.Lock(); + if (abs(diff) > MAX_ADJ_DIFF) { +- if (stime(&dvbtim) == 0) ++ timespec ts = { 0 }; ++ ts.tv_sec = dvbtim; ++ if (clock_settime(CLOCK_REALTIME, &ts) == 0) + isyslog("system time changed from %s (%ld) to %s (%ld)", *TimeToString(loctim), loctim, *TimeToString(dvbtim), dvbtim); + else + esyslog("ERROR while setting system time: %m"); From 2c60e7c2d090a0b5934b50316660bd9d463789a7 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Fri, 26 Jun 2020 16:36:00 +0200 Subject: [PATCH 08/14] llvm*: compiler-rt: fix build w/glibc-2.31 https://hydra.nixos.org/build/122885657 and more. Original upstream fix (available in llvm_10): https://github.com/llvm/llvm-project/commit/947f9692440836dcb8d88b74b69dd379d85974ce --- .../compilers/llvm/5/compiler-rt.nix | 1 + .../compilers/llvm/6/compiler-rt.nix | 1 + .../compilers/llvm/7/compiler-rt-glibc.patch | 48 +++++++++++++++++++ .../compilers/llvm/7/compiler-rt.nix | 3 ++ .../compilers/llvm/8/compiler-rt.nix | 1 + .../compilers/llvm/9/compiler-rt.nix | 1 + 6 files changed, 55 insertions(+) create mode 100644 pkgs/development/compilers/llvm/7/compiler-rt-glibc.patch diff --git a/pkgs/development/compilers/llvm/5/compiler-rt.nix b/pkgs/development/compilers/llvm/5/compiler-rt.nix index 624034b52286..32d6dd3d4795 100644 --- a/pkgs/development/compilers/llvm/5/compiler-rt.nix +++ b/pkgs/development/compilers/llvm/5/compiler-rt.nix 
@@ -47,6 +47,7 @@ stdenv.mkDerivation { patches = [ ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory + ../7/compiler-rt-glibc.patch ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch ++ stdenv.lib.optional (stdenv.hostPlatform.libc == "glibc") ./compiler-rt-sys-ustat.patch ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch; diff --git a/pkgs/development/compilers/llvm/6/compiler-rt.nix b/pkgs/development/compilers/llvm/6/compiler-rt.nix index 13abf6d95611..89f25cad2c54 100644 --- a/pkgs/development/compilers/llvm/6/compiler-rt.nix +++ b/pkgs/development/compilers/llvm/6/compiler-rt.nix @@ -47,6 +47,7 @@ stdenv.mkDerivation { patches = [ ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory + ../7/compiler-rt-glibc.patch ] ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch; diff --git a/pkgs/development/compilers/llvm/7/compiler-rt-glibc.patch b/pkgs/development/compilers/llvm/7/compiler-rt-glibc.patch new file mode 100644 index 000000000000..2d211795fc80 --- /dev/null +++ b/pkgs/development/compilers/llvm/7/compiler-rt-glibc.patch 
@@ -0,0 +1,48 @@
+diff --git a/lib/sanitizer_common/sanitizer_platform_limits_posix.cc b/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+index 54da635..c5dc1cd 100644
+--- a/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -1158,8 +1158,9 @@ CHECK_SIZE_AND_OFFSET(ipc_perm, uid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, gid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cuid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cgid);
+-#if !defined(__aarch64__) || !SANITIZER_LINUX || __GLIBC_PREREQ (2, 21)
+-/* On aarch64 glibc 2.20 and earlier provided incorrect mode field. */
++#if !SANITIZER_LINUX || __GLIBC_PREREQ (2, 31)
++/* glibc 2.30 and earlier provided 16-bit mode field instead of 32-bit
++ on many architectures. */
+ CHECK_SIZE_AND_OFFSET(ipc_perm, mode);
+ #endif
+
+diff --git a/lib/sanitizer_common/sanitizer_platform_limits_posix.h b/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+index f89a113..f6f986f 100644
+--- a/lib/sanitizer_common/sanitizer_platform_limits_posix.h
++++ b/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+@@ -213,26 +213,13 @@ namespace __sanitizer {
+ u64 __unused1;
+ u64 __unused2;
+ #elif defined(__sparc__)
+-#if defined(__arch64__)
+ unsigned mode;
+- unsigned short __pad1;
+-#else
+- unsigned short __pad1;
+- unsigned short mode;
+ unsigned short __pad2;
+-#endif
+ unsigned short __seq;
+ unsigned long long __unused1;
+ unsigned long long __unused2;
+-#elif defined(__mips__) || defined(__aarch64__) || defined(__s390x__)
+- unsigned int mode;
+- unsigned short __seq;
+- unsigned short __pad1;
+- unsigned long __unused1;
+- unsigned long __unused2;
+ #else
+- unsigned short mode;
+- unsigned short __pad1;
++ unsigned int mode;
+ unsigned short __seq;
+ unsigned short __pad2;
+ #if defined(__x86_64__) && !defined(_LP64)
diff --git a/pkgs/development/compilers/llvm/7/compiler-rt.nix b/pkgs/development/compilers/llvm/7/compiler-rt.nix index 84ca6af3b36d..97a5d73f3041 100644 --- a/pkgs/development/compilers/llvm/7/compiler-rt.nix +++ b/pkgs/development/compilers/llvm/7/compiler-rt.nix @@ -46,6 +46,9 @@ stdenv.mkDerivation { outputs = [ "out" "dev" ]; patches = [ + # https://github.com/llvm/llvm-project/commit/947f9692440836dcb8d88b74b69dd379d85974ce + ./compiler-rt-glibc.patch + ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory ] ++ stdenv.lib.optional (useLLVM) ./crtbegin-and-end.patch ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch diff --git a/pkgs/development/compilers/llvm/8/compiler-rt.nix b/pkgs/development/compilers/llvm/8/compiler-rt.nix index 15e55800dc8e..a907d4086550 100644 --- a/pkgs/development/compilers/llvm/8/compiler-rt.nix +++ b/pkgs/development/compilers/llvm/8/compiler-rt.nix @@ -46,6 +46,7 @@ stdenv.mkDerivation { outputs = [ "out" "dev" ]; patches = [ + ../7/compiler-rt-glibc.patch ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory ]# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch ++ stdenv.lib.optional (useLLVM) ./crtbegin-and-end.patch diff --git a/pkgs/development/compilers/llvm/9/compiler-rt.nix b/pkgs/development/compilers/llvm/9/compiler-rt.nix index 0183754a2fd4..394f66ff7f1a 100644 --- a/pkgs/development/compilers/llvm/9/compiler-rt.nix +++ b/pkgs/development/compilers/llvm/9/compiler-rt.nix @@ -46,6 +46,7 @@ stdenv.mkDerivation rec { outputs = [ "out" "dev" ]; patches = [ + ../7/compiler-rt-glibc.patch ./compiler-rt-codesign.patch # Revert compiler-rt commit that makes codesign mandatory ]# ++ stdenv.lib.optional stdenv.hostPlatform.isMusl ./sanitizers-nongnu.patch ++ stdenv.lib.optional stdenv.hostPlatform.isAarch32 ./compiler-rt-armv7l.patch; From 872f65db46f2e11f7f287d77d2bae3158d349a6a Mon Sep 17 00:00:00 2001 
From: Maximilian Bosch Date: Sat, 27 Jun 2020 13:13:28 +0200 Subject: [PATCH 09/14] llvm/clang: remove deprecated attrs for 4, 3.5 and 3.9 --- pkgs/top-level/aliases.nix | 17 ----------------- 1 file changed, 17 deletions(-) diff --git a/pkgs/top-level/aliases.nix b/pkgs/top-level/aliases.nix index 959bfd90d2f1..8240bb157315 100644 --- a/pkgs/top-level/aliases.nix +++ b/pkgs/top-level/aliases.nix @@ -703,23 +703,6 @@ mapAliases ({ # added 2020-02-09 dina-font-pcf = dina-font; - /* Cleanup before 20.09 */ - llvm_4 = throw '' - The LLVM versions 3.5, 3.9 and 4.0 have been removed in NixOS 20.03 - due to a lack of compatibility with glibc 2.30! - ''; - llvm_39 = llvm_4; - llvm_35 = llvm_4; - lld_4 = llvm_4; - - llvmPackages_4 = llvm_4; - llvmPackages_39 = llvm_4; - llvmPackages_35 = llvm_4; - - clang_39 = llvm_4; - clang_35 = llvm_4; - clang_4 = llvm_4; - # added 2019-04-13 # *-polly pointed to llvmPackages_latest llvm-polly = throw "clang is now built with polly-plugin by default"; From 22b69ed143809b64e2179b244d958336379d15e7 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 27 Jun 2020 13:39:00 +0200 Subject: [PATCH 10/14] python3Packages.supervisor: fix build w/glibc-2.31 https://hydra.nixos.org/build/122877074 --- .../python-modules/supervisor/default.nix | 7 +++++++ .../python-modules/supervisor/glibc-2.31.patch | 13 +++++++++++++ 2 files changed, 20 insertions(+) create mode 100644 pkgs/development/python-modules/supervisor/glibc-2.31.patch diff --git a/pkgs/development/python-modules/supervisor/default.nix b/pkgs/development/python-modules/supervisor/default.nix index 343aaddfbb5d..cee258dbd3a6 100644 --- a/pkgs/development/python-modules/supervisor/default.nix +++ b/pkgs/development/python-modules/supervisor/default.nix 
@@ -14,6 +14,13 @@ buildPythonPackage rec { sha256 = "64082ebedf6d36ff409ab2878f1aad5c9035f916c5f15a9a1ec7dffc6dfbbed8"; }; + patches = [ + # SOMAXCONN limit of glibc-2.31 has been increased from 128 to 4096: + # * https://sourceware.org/git/?p=glibc.git;a=commit;h=96958e2700f5b4f4d1183a0606b2b9848a53ea44 + # * https://github.com/Supervisor/supervisor/issues/1346 + ./glibc-2.31.patch + ]; + # wants to write to /tmp/foo which is likely already owned by another # nixbld user on hydra doCheck = !stdenv.isDarwin; diff --git a/pkgs/development/python-modules/supervisor/glibc-2.31.patch b/pkgs/development/python-modules/supervisor/glibc-2.31.patch new file mode 100644 index 000000000000..b2d9564eea1f --- /dev/null +++ b/pkgs/development/python-modules/supervisor/glibc-2.31.patch @@ -0,0 +1,13 @@ +diff --git a/supervisor/tests/base.py b/supervisor/tests/base.py +index 643e609..8aa45e7 100644 +--- a/supervisor/tests/base.py ++++ b/supervisor/tests/base.py +@@ -358,7 +358,7 @@ class DummySocketConfig: + return not self.__eq__(other) + + def get_backlog(self): +- return 128 ++ return 4096 + + def create_and_bind(self): + return DummySocket(self.fd) From 923b6bff55837bcda35eb136a5bee69f8b9801cb Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sat, 27 Jun 2020 13:45:20 +0200 Subject: [PATCH 11/14] cups-bjnp: fix build w/glibc-2.31 https://hydra.nixos.org/build/122883083 --- pkgs/misc/cups/drivers/cups-bjnp/default.nix | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/pkgs/misc/cups/drivers/cups-bjnp/default.nix b/pkgs/misc/cups/drivers/cups-bjnp/default.nix index e9fac1c73e2f..9dbfdd8b8030 100644 --- a/pkgs/misc/cups/drivers/cups-bjnp/default.nix +++ b/pkgs/misc/cups/drivers/cups-bjnp/default.nix 
@@ -11,7 +11,11 @@ stdenv.mkDerivation rec { preConfigure = ''configureFlags="--with-cupsbackenddir=$out/lib/cups/backend"''; buildInputs = [cups]; - NIX_CFLAGS_COMPILE = [ "-include stdio.h" "-Wno-error=stringop-truncation" ]; + NIX_CFLAGS_COMPILE = [ + "-include stdio.h" + "-Wno-error=stringop-truncation" + "-Wno-error=deprecated-declarations" + ]; meta = { description = "CUPS back-end for Canon printers"; From 114f97e77e0f9bba09edf2251963495a41baeb64 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sun, 28 Jun 2020 17:40:26 +0200 Subject: [PATCH 12/14] gcc49: fix build w/glibc-2.31 The same `libsanitizer` problem as in llvm<10 and newer GCCs. https://hydra.nixos.org/build/122902814 https://hydra.nixos.org/build/122903349 --- .../development/compilers/gcc/4.9/default.nix | 1 + .../compilers/gcc/4.9/libsanitizer.patch | 24 +++++++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 pkgs/development/compilers/gcc/4.9/libsanitizer.patch diff --git a/pkgs/development/compilers/gcc/4.9/default.nix b/pkgs/development/compilers/gcc/4.9/default.nix index 0a35ed023c6f..6f4fd415fc09 100644 --- a/pkgs/development/compilers/gcc/4.9/default.nix +++ b/pkgs/development/compilers/gcc/4.9/default.nix @@ -63,6 +63,7 @@ let majorVersion = "4"; patches = [ ../use-source-date-epoch.patch ../parallel-bconfig.patch ./parallel-strsignal.patch + ./libsanitizer.patch (fetchpatch { name = "avoid-ustat-glibc-2.28.patch"; url = "https://gitweb.gentoo.org/proj/gcc-patches.git/plain/4.9.4/gentoo/100_all_avoid-ustat-glibc-2.28.patch?id=55fcb515620a8f7d3bb77eba938aa0fcf0d67c96"; diff --git a/pkgs/development/compilers/gcc/4.9/libsanitizer.patch b/pkgs/development/compilers/gcc/4.9/libsanitizer.patch new file mode 100644 index 000000000000..f1a438a4e5f0 --- /dev/null +++ b/pkgs/development/compilers/gcc/4.9/libsanitizer.patch 
@@ -0,0 +1,24 @@ +diff --git a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +index aec950454..5bda9b3a3 100644 +--- a/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h ++++ b/libsanitizer/sanitizer_common/sanitizer_platform_limits_posix.h +@@ -156,18 +156,13 @@ namespace __sanitizer { + #elif defined(__sparc__) + # if defined(__arch64__) + unsigned mode; +- unsigned short __pad1; +-# else +- unsigned short __pad1; +- unsigned short mode; + unsigned short __pad2; + # endif + unsigned short __seq; + unsigned long long __unused1; + unsigned long long __unused2; + #else +- unsigned short mode; +- unsigned short __pad1; ++ unsigned int mode; + unsigned short __seq; + unsigned short __pad2; + #if defined(__x86_64__) && !defined(_LP64) From 116f39ff8264b2084c613c088b6876e7eeba43f9 Mon Sep 17 00:00:00 2001 From: Maximilian Bosch Date: Sun, 28 Jun 2020 23:15:25 +0200 Subject: [PATCH 13/14] swift: fix build w/glibc-2.31 https://hydra.nixos.org/build/123279517 Internally used `compiler-rt` had to be fixed for `glibc-2.31`, basically the same approach as in the LLVM fix (7137183bbe05738246be2be0e704c1be9bf19947). As soon as a newer `compiler-rt` is used for `swift`, this patch can be removed again. --- pkgs/development/compilers/swift/default.nix | 3 ++ .../compilers/swift/patches/swift-llvm.patch | 48 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 pkgs/development/compilers/swift/patches/swift-llvm.patch diff --git a/pkgs/development/compilers/swift/default.nix b/pkgs/development/compilers/swift/default.nix index 1ebef9a9ba5c..b838aa59177e 100644 --- a/pkgs/development/compilers/swift/default.nix +++ b/pkgs/development/compilers/swift/default.nix 
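Review bot: In the `__sparc__` branch of the added gcc 4.9 patch the `# else` half is removed, but the context lines `# if defined(__arch64__)` and `# endif` stay, so on 32-bit SPARC the struct would no longer declare `mode` or `__pad2` at all. The gcc 6 and gcc 7 patches in this series delete both preprocessor lines as well, which leaves `unsigned mode; unsigned short __pad2;` unconditional; this patch should also remove `# if defined(__arch64__)` and `# endif` to match. The struct definition starts and ends outside the hunk, so this reading rests on the visible lines only.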
@@ -182,6 +182,9 @@ stdenv.mkDerivation { ''; patchPhase = '' + # Glibc 2.31 fix + patch -p1 -i ${./patches/swift-llvm.patch} + # Just patch all the things for now, we can focus this later patchShebangs $SWIFT_SOURCE_ROOT diff --git a/pkgs/development/compilers/swift/patches/swift-llvm.patch b/pkgs/development/compilers/swift/patches/swift-llvm.patch new file mode 100644 index 000000000000..fcd9533fd72a --- /dev/null +++ b/pkgs/development/compilers/swift/patches/swift-llvm.patch 
@@ -0,0 +1,48 @@
+diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cc b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+index bc6675bf4..2f3514b64 100644
+--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
++++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.cc
+@@ -1129,8 +1129,9 @@ CHECK_SIZE_AND_OFFSET(ipc_perm, uid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, gid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cuid);
+ CHECK_SIZE_AND_OFFSET(ipc_perm, cgid);
+-#if !defined(__aarch64__) || !SANITIZER_LINUX || __GLIBC_PREREQ (2, 21)
+-/* On aarch64 glibc 2.20 and earlier provided incorrect mode field. */
++#if !SANITIZER_LINUX || __GLIBC_PREREQ (2, 31)
++/* glibc 2.30 and earlier provided 16-bit mode field instead of 32-bit
++ on many architectures. */
+ CHECK_SIZE_AND_OFFSET(ipc_perm, mode);
+ #endif
+
+diff --git a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+index de69852d3..652d5cb3b 100644
+--- a/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
++++ b/compiler-rt/lib/sanitizer_common/sanitizer_platform_limits_posix.h
+@@ -204,26 +204,13 @@ namespace __sanitizer {
+ u64 __unused1;
+ u64 __unused2;
+ #elif defined(__sparc__)
+-#if defined(__arch64__)
+ unsigned mode;
+- unsigned short __pad1;
+-#else
+- unsigned short __pad1;
+- unsigned short mode;
+ unsigned short __pad2;
+-#endif
+ unsigned short __seq;
+ unsigned long long __unused1;
+ unsigned long long __unused2;
+-#elif defined(__mips__) || defined(__aarch64__) || defined(__s390x__)
+- unsigned int mode;
+- unsigned short __seq;
+- unsigned short __pad1;
+- unsigned long __unused1;
+- unsigned long __unused2;
+ #else
+- unsigned short mode;
+- unsigned short __pad1;
++ unsigned int mode;
+ unsigned short __seq;
+ unsigned short __pad2;
+ #if defined(__x86_64__) && !defined(_LP64)
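Review bot: swift-llvm.patch begins directly at `diff --git` with no line recording where the change comes from; the commit message names the LLVM fix (7137183bbe05738246be2be0e704c1be9bf19947), but that link is lost once the file is read on its own. A first line such as `Same approach as the LLVM fix 7137183bbe05738246be2be0e704c1be9bf19947 (upstream URL: PLACEHOLDER)` would let a later reviewer compare the vendored hunks with upstream instead of trusting the copy. The same applies to 2.31-cve-2020-10029.patch in PATCH 14/14; the CVE-2019-19126 patch removed in PATCH 01/14 carried an "Adapted from …" line of this kind.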
From 9cd98386a38891d1074fc18036b842dc4416f562 Mon Sep 17 00:00:00 2001
From: Maximilian Bosch
Date: Tue, 30 Jun 2020 13:18:22 +0200
Subject: [PATCH 14/14] glibc: build with patches for CVE-2020-1752 & CVE-2020-10029 /cc roundup #88306
---
.../libraries/glibc/2.31-cve-2020-10029.patch | 79 +++++++++++++++++++
pkgs/development/libraries/glibc/common.nix | 2 +
2 files changed, 81 insertions(+)
create mode 100644 pkgs/development/libraries/glibc/2.31-cve-2020-10029.patch
diff --git a/pkgs/development/libraries/glibc/2.31-cve-2020-10029.patch b/pkgs/development/libraries/glibc/2.31-cve-2020-10029.patch
new file mode 100644
index 000000000000..8334398e8912
--- /dev/null
+++ b/pkgs/development/libraries/glibc/2.31-cve-2020-10029.patch
@@ -0,0 +1,79 @@
+diff --git a/sysdeps/ieee754/ldbl-96/Makefile b/sysdeps/ieee754/ldbl-96/Makefile
+index 995e90d6da..318628aed6 100644
+--- a/sysdeps/ieee754/ldbl-96/Makefile
++++ b/sysdeps/ieee754/ldbl-96/Makefile
+@@ -17,5 +17,6 @@
+ # .
+
+ ifeq ($(subdir),math)
+-tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96
++tests += test-canonical-ldbl-96 test-totalorderl-ldbl-96 test-sinl-pseudo
++CFLAGS-test-sinl-pseudo.c += -fstack-protector-all
+ endif
+diff --git a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+index 5f742321ae..bcdf20179f 100644
+--- a/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
++++ b/sysdeps/ieee754/ldbl-96/e_rem_pio2l.c
+@@ -210,6 +210,18 @@ __ieee754_rem_pio2l (long double x, long double *y)
+ return 0;
+ }
+
++ if ((i0 & 0x80000000) == 0)
++ {
++ /* Pseudo-zero and unnormal representations are not valid
++ representations of long double. We need to avoid stack
++ corruption in __kernel_rem_pio2, which expects input in a
++ particular normal form, but those representations do not need
++ to be consistently handled like any particular floating-point
++ value. */
++ y[1] = y[0] = __builtin_nanl ("");
++ return 0;
++ }
++
+ /* Split the 64 bits of the mantissa into three 24-bit integers
+ stored in a double array. */
+ exp = j0 - 23;
+--- /dev/null
++++ b/sysdeps/ieee754/ldbl-96/test-sinl-pseudo.c
+@@ -0,0 +1,41 @@
++/* Test sinl for pseudo-zeros and unnormals for ldbl-96 (bug 25487).
++ Copyright (C) 2020 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ . */
++
++#include
++#include
++#include
++
++static int
++do_test (void)
++{
++ for (int i = 0; i < 64; i++)
++ {
++ uint64_t sig = i == 63 ? 0 : 1ULL << i;
++ long double ld;
++ SET_LDOUBLE_WORDS (ld, 0x4141,
++ sig >> 32, sig & 0xffffffffULL);
++ /* The requirement is that no stack overflow occurs when the
++ pseudo-zero or unnormal goes through range reduction. */
++ volatile long double ldr;
++ ldr = sinl (ld);
++ (void) ldr;
++ }
++ return 0;
++}
++
++#include
diff --git a/pkgs/development/libraries/glibc/common.nix b/pkgs/development/libraries/glibc/common.nix
index 0cd61de4548d..8afea21729a1 100644
--- a/pkgs/development/libraries/glibc/common.nix
+++ b/pkgs/development/libraries/glibc/common.nix
@@ -108,6 +108,8 @@ stdenv.mkDerivation ({ }) ./fix-x64-abi.patch + ./2.30-cve-2020-1752.patch + ./2.31-cve-2020-10029.patch ] ++ lib.optional stdenv.hostPlatform.isMusl ./fix-rpc-types-musl-conflicts.patch ++ lib.optional stdenv.buildPlatform.isDarwin ./darwin-cross-build.patch;
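Review bot: The two entries added to the patches list in common.nix carry no comment saying what they fix or when they can be dropped, and PATCH 01/14 shows the cost: the `./2.30-cve-2020-1752.patch` line was removed with the version bump and is only restored here. A comment above them, e.g. `# security backports, re-check on every glibc bump: CVE-2020-1752, CVE-2020-10029`, would make the next bump an explicit decision. The commits between 01/14 and this one also build glibc 2.31 without the CVE-2020-1752 patch, which matters when bisecting unless the series is merged as one unit; folding this hunk into the bump commit would avoid that. The patches list starts before the hunk.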