diff options
author | Armin Kuster <akuster@mvista.com> | 2016-02-06 15:14:42 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2016-02-07 17:23:03 +0000 |
commit | 7ff74d177cc120c3f25370d1e6e9496ac09adbc4 (patch) | |
tree | eafc05229d3294e05d63b62eca646bdfe6a89f57 | |
parent | 9845a542a76156adb5aef6fd33ad5bc5777acf64 (diff) | |
download | poky-7ff74d177cc120c3f25370d1e6e9496ac09adbc4.tar.gz |
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
libc6) before 2.23 allows local users to bypass a pointer-guarding protection
mechanism via a zero value of the LD_POINTER_GUARD environment variable.
(From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252)
(From OE-Core rev: 9cc998978bd67bc5569cc1478f4ddee40020b929)
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Robert Yang <liezhi.yang@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Signed-off-by: Armin Kuster <akuster@mvista.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 122 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.21.bb | 1 |
2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000000..9b9ab3bade --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | |||
@@ -0,0 +1,122 @@ | |||
1 | From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001 | ||
2 | From: Florian Weimer <fweimer@redhat.com> | ||
3 | Date: Thu, 15 Oct 2015 09:23:07 +0200 | ||
4 | Subject: [PATCH] Always enable pointer guard [BZ #18928] | ||
5 | |||
6 | Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode | ||
7 | has security implications. This commit enables pointer guard | ||
8 | unconditionally, and the environment variable is now ignored. | ||
9 | |||
10 | [BZ #18928] | ||
11 | * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove | ||
12 | _dl_pointer_guard member. | ||
13 | * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard | ||
14 | initializer. | ||
15 | (security_init): Always set up pointer guard. | ||
16 | (process_envvars): Do not process LD_POINTER_GUARD. | ||
17 | |||
18 | Upstream-Status: Backport | ||
19 | CVE: CVE-2015-8777 | ||
20 | [Yocto # 8980] | ||
21 | |||
22 | https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7 | ||
23 | |||
24 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
25 | |||
26 | --- | ||
27 | ChangeLog | 10 ++++++++++ | ||
28 | NEWS | 13 ++++++++----- | ||
29 | elf/rtld.c | 15 ++++----------- | ||
30 | sysdeps/generic/ldsodefs.h | 3 --- | ||
31 | 4 files changed, 22 insertions(+), 19 deletions(-) | ||
32 | |||
33 | Index: git/elf/rtld.c | ||
34 | =================================================================== | ||
35 | --- git.orig/elf/rtld.c | ||
36 | +++ git/elf/rtld.c | ||
37 | @@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at | ||
38 | ._dl_hwcap_mask = HWCAP_IMPORTANT, | ||
39 | ._dl_lazy = 1, | ||
40 | ._dl_fpu_control = _FPU_DEFAULT, | ||
41 | - ._dl_pointer_guard = 1, | ||
42 | ._dl_pagesize = EXEC_PAGESIZE, | ||
43 | ._dl_inhibit_cache = 0, | ||
44 | |||
45 | @@ -710,15 +709,12 @@ security_init (void) | ||
46 | #endif | ||
47 | |||
48 | /* Set up the pointer guard as well, if necessary. */ | ||
49 | - if (GLRO(dl_pointer_guard)) | ||
50 | - { | ||
51 | - uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, | ||
52 | - stack_chk_guard); | ||
53 | + uintptr_t pointer_chk_guard | ||
54 | + = _dl_setup_pointer_guard (_dl_random, stack_chk_guard); | ||
55 | #ifdef THREAD_SET_POINTER_GUARD | ||
56 | - THREAD_SET_POINTER_GUARD (pointer_chk_guard); | ||
57 | + THREAD_SET_POINTER_GUARD (pointer_chk_guard); | ||
58 | #endif | ||
59 | - __pointer_chk_guard_local = pointer_chk_guard; | ||
60 | - } | ||
61 | + __pointer_chk_guard_local = pointer_chk_guard; | ||
62 | |||
63 | /* We do not need the _dl_random value anymore. The less | ||
64 | information we leave behind, the better, so clear the | ||
65 | @@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep) | ||
66 | GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; | ||
67 | break; | ||
68 | } | ||
69 | - | ||
70 | - if (memcmp (envline, "POINTER_GUARD", 13) == 0) | ||
71 | - GLRO(dl_pointer_guard) = envline[14] != '0'; | ||
72 | break; | ||
73 | |||
74 | case 14: | ||
75 | Index: git/sysdeps/generic/ldsodefs.h | ||
76 | =================================================================== | ||
77 | --- git.orig/sysdeps/generic/ldsodefs.h | ||
78 | +++ git/sysdeps/generic/ldsodefs.h | ||
79 | @@ -590,9 +590,6 @@ struct rtld_global_ro | ||
80 | /* List of auditing interfaces. */ | ||
81 | struct audit_ifaces *_dl_audit; | ||
82 | unsigned int _dl_naudit; | ||
83 | - | ||
84 | - /* 0 if internal pointer values should not be guarded, 1 if they should. */ | ||
85 | - EXTERN int _dl_pointer_guard; | ||
86 | }; | ||
87 | # define __rtld_global_attribute__ | ||
88 | # if IS_IN (rtld) | ||
89 | Index: git/ChangeLog | ||
90 | =================================================================== | ||
91 | --- git.orig/ChangeLog | ||
92 | +++ git/ChangeLog | ||
93 | @@ -1,3 +1,13 @@ | ||
94 | +2015-10-15 Florian Weimer <fweimer@redhat.com> | ||
95 | + | ||
96 | + [BZ #18928] | ||
97 | + * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove | ||
98 | + _dl_pointer_guard member. | ||
99 | + * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard | ||
100 | + initializer. | ||
101 | + (security_init): Always set up pointer guard. | ||
102 | + (process_envvars): Do not process LD_POINTER_GUARD. | ||
103 | + | ||
104 | 2015-02-06 Carlos O'Donell <carlos@systemhalted.org> | ||
105 | |||
106 | * version.h (RELEASE): Set to "stable". | ||
107 | Index: git/NEWS | ||
108 | =================================================================== | ||
109 | --- git.orig/NEWS | ||
110 | +++ git/NEWS | ||
111 | @@ -19,7 +19,10 @@ Version 2.21 | ||
112 | 17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747, | ||
113 | 17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797, | ||
114 | 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885, | ||
115 | - 17892. | ||
116 | + 17892, 18928. | ||
117 | + | ||
118 | +* The LD_POINTER_GUARD environment variable can no longer be used to | ||
119 | + disable the pointer guard feature. It is always enabled. | ||
120 | |||
121 | * CVE-2015-1472 Under certain conditions wscanf can allocate too little | ||
122 | memory for the to-be-scanned arguments and overflow the allocated | ||
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb index 3bba7346f9..efbcc9c51e 100644 --- a/meta/recipes-core/glibc/glibc_2.21.bb +++ b/meta/recipes-core/glibc/glibc_2.21.bb | |||
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\ | |||
48 | # | 48 | # |
49 | CVEPATCHES = "\ | 49 | CVEPATCHES = "\ |
50 | file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ | 50 | file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ |
51 | file://CVE-2015-8777.patch \ | ||
51 | " | 52 | " |
52 | 53 | ||
53 | LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ | 54 | LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ |