summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-06 15:14:42 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-07 17:23:03 +0000
commit7ff74d177cc120c3f25370d1e6e9496ac09adbc4 (patch)
treeeafc05229d3294e05d63b62eca646bdfe6a89f57
parent9845a542a76156adb5aef6fd33ad5bc5777acf64 (diff)
downloadpoky-7ff74d177cc120c3f25370d1e6e9496ac09adbc4.tar.gz
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) (From OE-Core rev: 9cc998978bd67bc5569cc1478f4ddee40020b929) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch122
-rw-r--r--meta/recipes-core/glibc/glibc_2.21.bb1
2 files changed, 123 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000000..9b9ab3bade
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
1From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
2From: Florian Weimer <fweimer@redhat.com>
3Date: Thu, 15 Oct 2015 09:23:07 +0200
4Subject: [PATCH] Always enable pointer guard [BZ #18928]
5
6Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
7has security implications. This commit enables pointer guard
8unconditionally, and the environment variable is now ignored.
9
10 [BZ #18928]
11 * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
12 _dl_pointer_guard member.
13 * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
14 initializer.
15 (security_init): Always set up pointer guard.
16 (process_envvars): Do not process LD_POINTER_GUARD.
17
18Upstream-Status: Backport
19CVE: CVE-2015-8777
20[Yocto # 8980]
21
22https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
23
24Signed-off-by: Armin Kuster <akuster@mvista.com>
25
26---
27 ChangeLog | 10 ++++++++++
28 NEWS | 13 ++++++++-----
29 elf/rtld.c | 15 ++++-----------
30 sysdeps/generic/ldsodefs.h | 3 ---
31 4 files changed, 22 insertions(+), 19 deletions(-)
32
33Index: git/elf/rtld.c
34===================================================================
35--- git.orig/elf/rtld.c
36+++ git/elf/rtld.c
37@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
38 ._dl_hwcap_mask = HWCAP_IMPORTANT,
39 ._dl_lazy = 1,
40 ._dl_fpu_control = _FPU_DEFAULT,
41- ._dl_pointer_guard = 1,
42 ._dl_pagesize = EXEC_PAGESIZE,
43 ._dl_inhibit_cache = 0,
44
45@@ -710,15 +709,12 @@ security_init (void)
46 #endif
47
48 /* Set up the pointer guard as well, if necessary. */
49- if (GLRO(dl_pointer_guard))
50- {
51- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
52- stack_chk_guard);
53+ uintptr_t pointer_chk_guard
54+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
55 #ifdef THREAD_SET_POINTER_GUARD
56- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
57+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
58 #endif
59- __pointer_chk_guard_local = pointer_chk_guard;
60- }
61+ __pointer_chk_guard_local = pointer_chk_guard;
62
63 /* We do not need the _dl_random value anymore. The less
64 information we leave behind, the better, so clear the
65@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
66 GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
67 break;
68 }
69-
70- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
71- GLRO(dl_pointer_guard) = envline[14] != '0';
72 break;
73
74 case 14:
75Index: git/sysdeps/generic/ldsodefs.h
76===================================================================
77--- git.orig/sysdeps/generic/ldsodefs.h
78+++ git/sysdeps/generic/ldsodefs.h
79@@ -590,9 +590,6 @@ struct rtld_global_ro
80 /* List of auditing interfaces. */
81 struct audit_ifaces *_dl_audit;
82 unsigned int _dl_naudit;
83-
84- /* 0 if internal pointer values should not be guarded, 1 if they should. */
85- EXTERN int _dl_pointer_guard;
86 };
87 # define __rtld_global_attribute__
88 # if IS_IN (rtld)
89Index: git/ChangeLog
90===================================================================
91--- git.orig/ChangeLog
92+++ git/ChangeLog
93@@ -1,3 +1,13 @@
94+2015-10-15 Florian Weimer <fweimer@redhat.com>
95+
96+ [BZ #18928]
97+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
98+ _dl_pointer_guard member.
99+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
100+ initializer.
101+ (security_init): Always set up pointer guard.
102+ (process_envvars): Do not process LD_POINTER_GUARD.
103+
104 2015-02-06 Carlos O'Donell <carlos@systemhalted.org>
105
106 * version.h (RELEASE): Set to "stable".
107Index: git/NEWS
108===================================================================
109--- git.orig/NEWS
110+++ git/NEWS
111@@ -19,7 +19,10 @@ Version 2.21
112 17722, 17723, 17724, 17725, 17732, 17733, 17744, 17745, 17746, 17747,
113 17748, 17775, 17777, 17780, 17781, 17782, 17791, 17793, 17796, 17797,
114 17801, 17803, 17806, 17834, 17844, 17848, 17868, 17869, 17870, 17885,
115- 17892.
116+ 17892, 18928.
117+
118+* The LD_POINTER_GUARD environment variable can no longer be used to
119+ disable the pointer guard feature. It is always enabled.
120
121 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
122 memory for the to-be-scanned arguments and overflow the allocated
diff --git a/meta/recipes-core/glibc/glibc_2.21.bb b/meta/recipes-core/glibc/glibc_2.21.bb
index 3bba7346f9..efbcc9c51e 100644
--- a/meta/recipes-core/glibc/glibc_2.21.bb
+++ b/meta/recipes-core/glibc/glibc_2.21.bb
@@ -48,6 +48,7 @@ EGLIBCPATCHES = "\
48# 48#
49CVEPATCHES = "\ 49CVEPATCHES = "\
50 file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ 50 file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
51 file://CVE-2015-8777.patch \
51" 52"
52 53
53LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ 54LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \