glibc: CVE-2015-8777.patch
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: bc51411d2edda908cbef733066d78a986dfec0c0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
parent
152914f298
commit
aefe1fadfa
|
@ -0,0 +1,123 @@
|
|||
From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
|
||||
From: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Thu, 15 Oct 2015 09:23:07 +0200
|
||||
Subject: [PATCH] Always enable pointer guard [BZ #18928]
|
||||
|
||||
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
|
||||
has security implications. This commit enables pointer guard
|
||||
unconditionally, and the environment variable is now ignored.
|
||||
|
||||
[BZ #18928]
|
||||
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
|
||||
_dl_pointer_guard member.
|
||||
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
|
||||
initializer.
|
||||
(security_init): Always set up pointer guard.
|
||||
(process_envvars): Do not process LD_POINTER_GUARD.
|
||||
|
||||
Upstream-Status: Backport
|
||||
CVE: CVE-2015-8777
|
||||
[Yocto # 8980]
|
||||
|
||||
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
|
||||
|
||||
Signed-off-by: Armin Kuster <akuster@mvista.com>
|
||||
|
||||
---
|
||||
ChangeLog | 10 ++++++++++
|
||||
NEWS | 13 ++++++++-----
|
||||
elf/rtld.c | 15 ++++-----------
|
||||
sysdeps/generic/ldsodefs.h | 3 ---
|
||||
4 files changed, 22 insertions(+), 19 deletions(-)
|
||||
|
||||
Index: git/ChangeLog
|
||||
===================================================================
|
||||
--- git.orig/ChangeLog
|
||||
+++ git/ChangeLog
|
||||
@@ -1,3 +1,14 @@
|
||||
+2015-10-15 Florian Weimer <fweimer@redhat.com>
|
||||
+
|
||||
+ [BZ #18928]
|
||||
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
|
||||
+ _dl_pointer_guard member.
|
||||
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
|
||||
+ initializer.
|
||||
+ (security_init): Always set up pointer guard.
|
||||
+ (process_envvars): Do not process LD_POINTER_GUARD.
|
||||
+
|
||||
+
|
||||
2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
|
||||
|
||||
[BZ #18778]
|
||||
Index: git/NEWS
|
||||
===================================================================
|
||||
--- git.orig/NEWS
|
||||
+++ git/NEWS
|
||||
@@ -34,7 +34,10 @@ Version 2.22
|
||||
18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
|
||||
18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
|
||||
18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
|
||||
- 18657, 18676, 18694, 18696.
|
||||
+ 18657, 18676, 18694, 18696, 18928.
|
||||
+
|
||||
+* The LD_POINTER_GUARD environment variable can no longer be used to
|
||||
+ disable the pointer guard feature. It is always enabled.
|
||||
|
||||
* Cache information can be queried via sysconf() function on s390 e.g. with
|
||||
_SC_LEVEL1_ICACHE_SIZE as argument.
|
||||
Index: git/elf/rtld.c
|
||||
===================================================================
|
||||
--- git.orig/elf/rtld.c
|
||||
+++ git/elf/rtld.c
|
||||
@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
|
||||
._dl_hwcap_mask = HWCAP_IMPORTANT,
|
||||
._dl_lazy = 1,
|
||||
._dl_fpu_control = _FPU_DEFAULT,
|
||||
- ._dl_pointer_guard = 1,
|
||||
._dl_pagesize = EXEC_PAGESIZE,
|
||||
._dl_inhibit_cache = 0,
|
||||
|
||||
@@ -710,15 +709,12 @@ security_init (void)
|
||||
#endif
|
||||
|
||||
/* Set up the pointer guard as well, if necessary. */
|
||||
- if (GLRO(dl_pointer_guard))
|
||||
- {
|
||||
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
|
||||
- stack_chk_guard);
|
||||
+ uintptr_t pointer_chk_guard
|
||||
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
|
||||
#ifdef THREAD_SET_POINTER_GUARD
|
||||
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
|
||||
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
|
||||
#endif
|
||||
- __pointer_chk_guard_local = pointer_chk_guard;
|
||||
- }
|
||||
+ __pointer_chk_guard_local = pointer_chk_guard;
|
||||
|
||||
/* We do not need the _dl_random value anymore. The less
|
||||
information we leave behind, the better, so clear the
|
||||
@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
|
||||
GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
|
||||
break;
|
||||
}
|
||||
-
|
||||
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
|
||||
- GLRO(dl_pointer_guard) = envline[14] != '0';
|
||||
break;
|
||||
|
||||
case 14:
|
||||
Index: git/sysdeps/generic/ldsodefs.h
|
||||
===================================================================
|
||||
--- git.orig/sysdeps/generic/ldsodefs.h
|
||||
+++ git/sysdeps/generic/ldsodefs.h
|
||||
@@ -600,9 +600,6 @@ struct rtld_global_ro
|
||||
/* List of auditing interfaces. */
|
||||
struct audit_ifaces *_dl_audit;
|
||||
unsigned int _dl_naudit;
|
||||
-
|
||||
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
|
||||
- EXTERN int _dl_pointer_guard;
|
||||
};
|
||||
# define __rtld_global_attribute__
|
||||
# if IS_IN (rtld)
|
|
@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
|
|||
file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
|
||||
file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
|
||||
file://0029-fix-getmntent-empty-lines.patch \
|
||||
file://CVE-2015-8777.patch \
|
||||
"
|
||||
|
||||
SRC_URI += "\
|
||||
|
|
Loading…
Reference in New Issue