summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSona Sarmadi <sona.sarmadi@enea.com>2016-02-03 10:59:16 (GMT)
committerTudor Florea <tudor.florea@enea.com>2016-02-03 21:21:58 (GMT)
commit1ad606237b61bc851e25976ba69f458374287f78 (patch)
treea8897c5c0c1331b16c479dea43e9b16ab8539547
parenta3b82f660c689b3310f1c1d9197cfd7494cc8e5e (diff)
downloadpoky-1ad606237b61bc851e25976ba69f458374287f78.tar.gz
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) References: https://sourceware.org/bugzilla/show_bug.cgi?id=18928 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8777 Reproducing steps available at: http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html CVE request: http://seclists.org/oss-sec/2015/q3/504 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Tudor Florea <tudor.florea@enea.com>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch88
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb1
2 files changed, 89 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000..ebcb59b
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,88 @@
1From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
2From: Florian Weimer <fweimer@redhat.com>
3Date: Thu, 15 Oct 2015 09:23:07 +0200
4Subject: [PATCH] Always enable pointer guard [BZ #18928]
5
6Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
7has security implications. This commit enables pointer guard
8unconditionally, and the environment variable is now ignored.
9
10 [BZ #18928]
11 * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
12 _dl_pointer_guard member.
13 * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
14 initializer.
15 (security_init): Always set up pointer guard.
16 (process_envvars): Do not process LD_POINTER_GUARD.
17
18Upstream-Status: Backport
19CVE: CVE-2015-8777
20[Yocto # 8980]
21
22https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
23
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 ChangeLog | 10 ++++++++++
28 NEWS | 13 ++++++++-----
29 elf/rtld.c | 15 ++++-----------
30 sysdeps/generic/ldsodefs.h | 3 ---
31 4 files changed, 22 insertions(+), 19 deletions(-)
32
33Index: git/elf/rtld.c
34===================================================================
35--- git.orig/elf/rtld.c
36+++ git/elf/rtld.c
37@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
38 ._dl_hwcap_mask = HWCAP_IMPORTANT,
39 ._dl_lazy = 1,
40 ._dl_fpu_control = _FPU_DEFAULT,
41- ._dl_pointer_guard = 1,
42 ._dl_pagesize = EXEC_PAGESIZE,
43 ._dl_inhibit_cache = 0,
44
45@@ -710,15 +709,12 @@ security_init (void)
46 #endif
47
48 /* Set up the pointer guard as well, if necessary. */
49- if (GLRO(dl_pointer_guard))
50- {
51- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
52- stack_chk_guard);
53+ uintptr_t pointer_chk_guard
54+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
55 #ifdef THREAD_SET_POINTER_GUARD
56- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
57+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
58 #endif
59- __pointer_chk_guard_local = pointer_chk_guard;
60- }
61+ __pointer_chk_guard_local = pointer_chk_guard;
62
63 /* We do not need the _dl_random value anymore. The less
64 information we leave behind, the better, so clear the
65@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
66 GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
67 break;
68 }
69-
70- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
71- GLRO(dl_pointer_guard) = envline[14] != '0';
72 break;
73
74 case 14:
75Index: git/sysdeps/generic/ldsodefs.h
76===================================================================
77--- git.orig/sysdeps/generic/ldsodefs.h
78+++ git/sysdeps/generic/ldsodefs.h
79@@ -600,9 +600,6 @@ struct rtld_global_ro
80 /* List of auditing interfaces. */
81 struct audit_ifaces *_dl_audit;
82 unsigned int _dl_naudit;
83-
84- /* 0 if internal pointer values should not be guarded, 1 if they should. */
85- EXTERN int _dl_pointer_guard;
86 };
87 # define __rtld_global_attribute__
88 # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index 4b0e927..7bf4dba 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -52,6 +52,7 @@ CVEPATCHES = "\
52 file://CVE-2014-9761_1.patch \ 52 file://CVE-2014-9761_1.patch \
53 file://CVE-2014-9761_2.patch \ 53 file://CVE-2014-9761_2.patch \
54 file://CVE-2015-8776.patch \ 54 file://CVE-2015-8776.patch \
55 file://CVE-2015-8777.patch \
55 " 56 "
56LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ 57LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
57 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ 58 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \