summaryrefslogtreecommitdiffstats
path: root/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
blob: 9b9ab3badeee4d11fb95b9235dfae1d320e55c71 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Thu, 15 Oct 2015 09:23:07 +0200
Subject: [PATCH] Always enable pointer guard [BZ #18928]

Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications.  This commit enables pointer guard
unconditionally, and the environment variable is now ignored.

        [BZ #18928]
        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
        _dl_pointer_guard member.
        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
        initializer.
        (security_init): Always set up pointer guard.
        (process_envvars): Do not process LD_POINTER_GUARD.

Upstream-Status: Backport
CVE: CVE-2015-8777
[Yocto # 8980]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 ChangeLog                  | 10 ++++++++++
 NEWS                       | 13 ++++++++-----
 elf/rtld.c                 | 15 ++++-----------
 sysdeps/generic/ldsodefs.h |  3 ---
 4 files changed, 22 insertions(+), 19 deletions(-)

Index: git/elf/rtld.c
===================================================================
--- git.orig/elf/rtld.c
+++ git/elf/rtld.c
@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
     ._dl_hwcap_mask = HWCAP_IMPORTANT,
     ._dl_lazy = 1,
     ._dl_fpu_control = _FPU_DEFAULT,
-    ._dl_pointer_guard = 1,
     ._dl_pagesize = EXEC_PAGESIZE,
     ._dl_inhibit_cache = 0,
 
@@ -710,15 +709,12 @@ security_init (void)
 #endif
 
   /* Set up the pointer guard as well, if necessary.  */
-  if (GLRO(dl_pointer_guard))
-    {
-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
-							     stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
 #ifdef THREAD_SET_POINTER_GUARD
-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
 #endif
-      __pointer_chk_guard_local = pointer_chk_guard;
-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
 
   /* We do not need the _dl_random value anymore.  The less
      information we leave behind, the better, so clear the
@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
 	      break;
 	    }
-
-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
-	    GLRO(dl_pointer_guard) = envline[14] != '0';
 	  break;
 
 	case 14:
Index: git/sysdeps/generic/ldsodefs.h
===================================================================
--- git.orig/sysdeps/generic/ldsodefs.h
+++ git/sysdeps/generic/ldsodefs.h
@@ -590,9 +590,6 @@ struct rtld_global_ro
   /* List of auditing interfaces.  */
   struct audit_ifaces *_dl_audit;
   unsigned int _dl_naudit;
-
-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
-  EXTERN int _dl_pointer_guard;
 };
 # define __rtld_global_attribute__
 # if IS_IN (rtld)
Index: git/ChangeLog
===================================================================
--- git.orig/ChangeLog
+++ git/ChangeLog
@@ -1,3 +1,13 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+   [BZ #18928]
+   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+   _dl_pointer_guard member.
+   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+   initializer.
+   (security_init): Always set up pointer guard.
+   (process_envvars): Do not process LD_POINTER_GUARD.
+
 2015-02-06  Carlos O'Donell  <carlos@systemhalted.org>
 
 	* version.h (RELEASE): Set to "stable".
Index: git/NEWS
===================================================================
--- git.orig/NEWS
+++ git/NEWS
@@ -19,7 +19,10 @@ Version 2.21
   17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
   17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797,
   17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
-  17892.
+  17892, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
 
 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
   memory for the to-be-scanned arguments and overflow the allocated
OpenPOWER on IntegriCloud