Use __pthread_attr_copy in mq_notify (bug 27896)

Make a deep copy of the pthread attribute object to remove a potential
use-after-free issue.

NEWS

@@ -62,6 +62,10 @@ Security related changes:
   potentially resulting in degraded service or Denial of Service on the
   local system.  Reported by Chris Schanzle.
 
+  CVE-2021-33574: The mq_notify function has a potential use-after-free
+  issue when using a notification type of SIGEV_THREAD and a thread
+  attribute with a non-default affinity mask.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by

sysdeps/unix/sysv/linux/mq_notify.c

@@ -133,8 +133,11 @@ helper_thread (void *arg)
 	    (void) __pthread_barrier_wait (&notify_barrier);
 	}
       else if (data.raw[NOTIFY_COOKIE_LEN - 1] == NOTIFY_REMOVED)
-	/* The only state we keep is the copy of the thread attributes.  */
+	{
-	free (data.attr);
+	  /* The only state we keep is the copy of the thread attributes.  */
+	  pthread_attr_destroy (data.attr);
+	  free (data.attr);
+	}
     }
   return NULL;
 }
@@ -255,8 +258,7 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
       if (data.attr == NULL)
 	return -1;
 
-      memcpy (data.attr, notification->sigev_notify_attributes,
+      __pthread_attr_copy (data.attr, notification->sigev_notify_attributes);
-	      sizeof (pthread_attr_t));
     }
 
   /* Construct the new request.  */
@@ -270,7 +272,10 @@ mq_notify (mqd_t mqdes, const struct sigevent *notification)
 
   /* If it failed, free the allocated memory.  */
   if (__glibc_unlikely (retval != 0))
-    free (data.attr);
+    {
+      pthread_attr_destroy (data.attr);
+      free (data.attr);
+    }
 
   return retval;
 }