authorArmin Kuster <akuster@mvista.com>2016-02-28 18:53:32 (GMT)
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-21 15:48:47 (GMT)
commitdae5ee4e5e41b9bbfb2d0f22521247efa5cadeb0 (patch)
tree85e5264b3adc3fe9c778e9971c6e7bd6d4259917
parentbebaaf1d21f17014bc3671e6496dbb202a048259 (diff)
downloadpoky-dae5ee4e5e41b9bbfb2d0f22521247efa5cadeb0.tar.gz
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) (From OE-Core rev: bb6ce1334bfb3711428b4b82bca4c0d5339ee2f8) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch122
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb4
2 files changed, 125 insertions, 1 deletions
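--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 ++++++++++
+ NEWS | 13 ++++++++-----
+ elf/rtld.c | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2476,9 +2472,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -590,9 +590,6 @@ struct rtld_global_ro
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,13 @@
++2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
+ 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #16618] CVE-2015-1472
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -24,7 +24,10 @@ Version 2.20
+ 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+ 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+ 17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+- 17625, 17630.
++ 17625, 17630, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * The nss_dns implementation of getnetbyname could run into an infinite loop
+ if the DNS response contained a PTR record of an unexpected format.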
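Review bot: The ChangeLog and NEWS hunks kept in this backport (the `Index: git/ChangeLog` and `Index: git/NEWS` sections) make the patch depend on apply order: the ChangeLog context lines `2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>` and `[BZ #16618] CVE-2015-1472` only exist once the earlier CVE-2015-1472 patch has been applied, so this patch fails to apply if CVEPATCHES is ever reordered. Those two hunks carry no code and are commonly dropped from distro backports for exactly this reason; if they are kept, a remark in the patch header such as `Note: the ChangeLog/NEWS hunks assume the CVE-2015-1472 patch is applied first.` would make the constraint explicit. The elf/rtld.c and ldsodefs.h hunks appear to track the upstream commit linked in the header and need no change.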
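--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,7 +48,9 @@ CVEPATCHES = "\
 file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
 file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
 file://CVE-2015-7547.patch \
-"
+file://CVE-2015-8777.patch \
+"
+
 LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
 file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
 file://posix/rxspencer/COPYRIGHT;md5=dc5485bb394a13b2332ec1c785f5d83a \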