glibc: CVE-2015-8777

The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) (From OE-Core rev: 9cc998978bd67bc5569cc1478f4ddee40020b929) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-02-06 15:14:42 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-07 17:23:03 +0000
commit: 7ff74d177cc120c3f25370d1e6e9496ac09adbc4 (patch)
tree: eafc05229d3294e05d63b62eca646bdfe6a89f57
parent: 9845a542a76156adb5aef6fd33ad5bc5777acf64 (diff)
download: poky-7ff74d177cc120c3f25370d1e6e9496ac09adbc4.tar.gz
2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000000..9b9ab3bade
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications.  This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+        [BZ #18928]
+        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+        _dl_pointer_guard member.
+        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+        initializer.
+        (security_init): Always set up pointer guard.
+        (process_envvars): Do not process LD_POINTER_GUARD.
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                  | 10 ++++++++++
+ NEWS                       | 13 ++++++++-----
+ elf/rtld.c                 | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h |  3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
+++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+     ._dl_pagesize = EXEC_PAGESIZE,
+     ._dl_inhibit_cache = 0,
+ 
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-                                                            stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+              GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+              break;
+            }
+-
+-         if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-           GLRO(dl_pointer_guard) = envline[14] != '0';
+          break;
+ 
+        case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
+++ git/sysdeps/generic/ldsodefs.h
+@@ -590,9 +590,6 @@ struct rtld_global_ro
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,13 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+   [BZ #18928]
+   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+   _dl_pointer_guard member.
+   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+   initializer.
+   (security_init): Always set up pointer guard.
+   (process_envvars): Do not process LD_POINTER_GUARD.
+
+ 2015-02-06  Carlos O'Donell  <carlos@systemhalted.org>
+ 
+        * version.h (RELEASE): Set to "stable".
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -19,7 +19,10 @@ Version 2.21
+   17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
+   17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797,
+   17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
+-  17892.
+  17892, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
+ 
+ * CVE-2015-1472 Under certain conditions wscanf can allocate too little
+   memory for the to-be-scanned arguments and overflow the allocated
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 3bba7346f9..efbcc9c51e 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\
 #
 CVEPATCHES = "\
        file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
+        file://CVE-2015-8777.patch \
 "
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
author	Armin Kuster <akuster@mvista.com>	2016-02-06 15:14:42 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-07 17:23:03 +0000
commit	7ff74d177cc120c3f25370d1e6e9496ac09adbc4 (patch)
tree	eafc05229d3294e05d63b62eca646bdfe6a89f57
parent	9845a542a76156adb5aef6fd33ad5bc5777acf64 (diff)
download	poky-7ff74d177cc120c3f25370d1e6e9496ac09adbc4.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000000..9b9ab3bade --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
		1	From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Thu, 15 Oct 2015 09:23:07 +0200
		4	Subject: [PATCH] Always enable pointer guard [BZ #18928]
		5
		6	Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
		7	has security implications. This commit enables pointer guard
		8	unconditionally, and the environment variable is now ignored.
		9
		10	[BZ #18928]
		11	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
		12	_dl_pointer_guard member.
		13	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
		14	initializer.
		15	(security_init): Always set up pointer guard.
		16	(process_envvars): Do not process LD_POINTER_GUARD.
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2015-8777
		20	[Yocto # 8980]
		21
		22	https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
		23
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	---
		27	ChangeLog \| 10 ++++++++++
		28	NEWS \| 13 ++++++++-----
		29	elf/rtld.c \| 15 ++++-----------
		30	sysdeps/generic/ldsodefs.h \| 3 ---
		31	4 files changed, 22 insertions(+), 19 deletions(-)
		32
		33	Index: git/elf/rtld.c
		34	===================================================================
		35	--- git.orig/elf/rtld.c
		36	+++ git/elf/rtld.c
		37	@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
		38	._dl_hwcap_mask = HWCAP_IMPORTANT,
		39	._dl_lazy = 1,
		40	._dl_fpu_control = _FPU_DEFAULT,
		41	- ._dl_pointer_guard = 1,
		42	._dl_pagesize = EXEC_PAGESIZE,
		43	._dl_inhibit_cache = 0,
		44
		45	@@ -710,15 +709,12 @@ security_init (void)
		46	#endif
		47
		48	/* Set up the pointer guard as well, if necessary. */
		49	- if (GLRO(dl_pointer_guard))
		50	- {
		51	- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
		52	- stack_chk_guard);
		53	+ uintptr_t pointer_chk_guard
		54	+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
		55	#ifdef THREAD_SET_POINTER_GUARD
		56	- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
		57	+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
		58	#endif
		59	- __pointer_chk_guard_local = pointer_chk_guard;
		60	- }
		61	+ __pointer_chk_guard_local = pointer_chk_guard;
		62
		63	/* We do not need the _dl_random value anymore. The less
		64	information we leave behind, the better, so clear the
		65	@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
		66	GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
		67	break;
		68	}
		69	-
		70	- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
		71	- GLRO(dl_pointer_guard) = envline[14] != '0';
		72	break;
		73
		74	case 14:
		75	Index: git/sysdeps/generic/ldsodefs.h
		76	===================================================================
		77	--- git.orig/sysdeps/generic/ldsodefs.h
		78	+++ git/sysdeps/generic/ldsodefs.h
		79	@@ -590,9 +590,6 @@ struct rtld_global_ro
		80	/* List of auditing interfaces. */
		81	struct audit_ifaces *_dl_audit;
		82	unsigned int _dl_naudit;
		83	-
		84	- /* 0 if internal pointer values should not be guarded, 1 if they should. */
		85	- EXTERN int _dl_pointer_guard;
		86	};
		87	# define __rtld_global_attribute__
		88	# if IS_IN (rtld)
		89	Index: git/ChangeLog
		90	===================================================================
		91	--- git.orig/ChangeLog
		92	+++ git/ChangeLog
		93	@@ -1,3 +1,13 @@
		94	+2015-10-15 Florian Weimer <fweimer@redhat.com>
		95	+
		96	+ [BZ #18928]
		97	+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
		98	+ _dl_pointer_guard member.
		99	+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
		100	+ initializer.
		101	+ (security_init): Always set up pointer guard.
		102	+ (process_envvars): Do not process LD_POINTER_GUARD.
		103	+
		104	2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
		105
		106	* version.h (RELEASE): Set to "stable".
		107	Index: git/NEWS
		108	===================================================================
		109	--- git.orig/NEWS
		110	+++ git/NEWS
		111	@@ -19,7 +19,10 @@ Version 2.21
		112	17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
		113	17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797,
		114	17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
		115	- 17892.
		116	+ 17892, 18928.
		117	+
		118	+* The LD_POINTER_GUARD environment variable can no longer be used to
		119	+ disable the pointer guard feature. It is always enabled.
		120
		121	* CVE-2015-1472 Under certain conditions wscanf can allocate too little
		122	memory for the to-be-scanned arguments and overflow the allocated


diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb index 3bba7346f9..efbcc9c51e 100644 --- a/meta/recipes-core/glibc/glibc_2.21.bb +++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\
48	#	48	#
49	CVEPATCHES = "\	49	CVEPATCHES = "\
50	file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \	50	file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
		51	file://CVE-2015-8777.patch \
51	"	52	"
52		53
53	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \	54	LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \