glibc: CVE-2015-8777.patch

The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: bc51411d2edda908cbef733066d78a986dfec0c0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster@mvista.com> 2016-01-22 20:13:00 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2016-02-18 07:37:49 +0000
commit: aefe1fadfa041673360ad31901655ead70c32d75 (patch)
tree: c6534b47422af14cc477b1292a6e3579e3b69b5f /meta/recipes-core
parent: 152914f2983c5d69001de1d46ce99547fa1e75fe (diff)
download: poky-aefe1fadfa041673360ad31901655ead70c32d75.tar.gz
2 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000000..eeab72d650
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications.  This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+        [BZ #18928]
+        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+        _dl_pointer_guard member.
+        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+        initializer.
+        (security_init): Always set up pointer guard.
+        (process_envvars): Do not process LD_POINTER_GUARD.
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog                  | 10 ++++++++++
+ NEWS                       | 13 ++++++++-----
+ elf/rtld.c                 | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h |  3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,14 @@
+2015-10-15  Florian Weimer  <fweimer@redhat.com>
+
+   [BZ #18928]
+   * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+   _dl_pointer_guard member.
+   * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+   initializer.
+   (security_init): Always set up pointer guard.
+   (process_envvars): Do not process LD_POINTER_GUARD.
+
+
+ 2015-08-10  Maxim Ostapenko  <m.ostapenko@partner.samsung.com>
+ 
+        [BZ #18778]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+   18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+   18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+   18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+-  18657, 18676, 18694, 18696.
+  18657, 18676, 18694, 18696, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
+ 
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+   _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
+++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+     ._dl_hwcap_mask = HWCAP_IMPORTANT,
+     ._dl_lazy = 1,
+     ._dl_fpu_control = _FPU_DEFAULT,
+-    ._dl_pointer_guard = 1,
+     ._dl_pagesize = EXEC_PAGESIZE,
+     ._dl_inhibit_cache = 0,
+ 
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+ 
+   /* Set up the pointer guard as well, if necessary.  */
+-  if (GLRO(dl_pointer_guard))
+-    {
+-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+-                                                            stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+-      __pointer_chk_guard_local = pointer_chk_guard;
+-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
+ 
+   /* We do not need the _dl_random value anymore.  The less
+      information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+              GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+              break;
+            }
+-
+-         if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+-           GLRO(dl_pointer_guard) = envline[14] != '0';
+          break;
+ 
+        case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
+++ git/sysdeps/generic/ldsodefs.h
+@@ -600,9 +600,6 @@ struct rtld_global_ro
+   /* List of auditing interfaces.  */
+   struct audit_ifaces *_dl_audit;
+   unsigned int _dl_naudit;
+-
+-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
+-  EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index eeb97422f0..c828310586 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
           file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
           file://0029-fix-getmntent-empty-lines.patch \
+           file://CVE-2015-8777.patch \
 "
 SRC_URI += "\
author	Armin Kuster <akuster@mvista.com>	2016-01-22 20:13:00 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2016-02-18 07:37:49 +0000
commit	aefe1fadfa041673360ad31901655ead70c32d75 (patch)
tree	c6534b47422af14cc477b1292a6e3579e3b69b5f /meta/recipes-core
parent	152914f2983c5d69001de1d46ce99547fa1e75fe (diff)
download	poky-aefe1fadfa041673360ad31901655ead70c32d75.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000000..eeab72d650 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
		1	From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
		2	From: Florian Weimer <fweimer@redhat.com>
		3	Date: Thu, 15 Oct 2015 09:23:07 +0200
		4	Subject: [PATCH] Always enable pointer guard [BZ #18928]
		5
		6	Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
		7	has security implications. This commit enables pointer guard
		8	unconditionally, and the environment variable is now ignored.
		9
		10	[BZ #18928]
		11	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
		12	_dl_pointer_guard member.
		13	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
		14	initializer.
		15	(security_init): Always set up pointer guard.
		16	(process_envvars): Do not process LD_POINTER_GUARD.
		17
		18	Upstream-Status: Backport
		19	CVE: CVE-2015-8777
		20	[Yocto # 8980]
		21
		22	https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
		23
		24	Signed-off-by: Armin Kuster <akuster@mvista.com>
		25
		26	---
		27	ChangeLog \| 10 ++++++++++
		28	NEWS \| 13 ++++++++-----
		29	elf/rtld.c \| 15 ++++-----------
		30	sysdeps/generic/ldsodefs.h \| 3 ---
		31	4 files changed, 22 insertions(+), 19 deletions(-)
		32
		33	Index: git/ChangeLog
		34	===================================================================
		35	--- git.orig/ChangeLog
		36	+++ git/ChangeLog
		37	@@ -1,3 +1,14 @@
		38	+2015-10-15 Florian Weimer <fweimer@redhat.com>
		39	+
		40	+ [BZ #18928]
		41	+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
		42	+ _dl_pointer_guard member.
		43	+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
		44	+ initializer.
		45	+ (security_init): Always set up pointer guard.
		46	+ (process_envvars): Do not process LD_POINTER_GUARD.
		47	+
		48	+
		49	2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
		50
		51	[BZ #18778]
		52	Index: git/NEWS
		53	===================================================================
		54	--- git.orig/NEWS
		55	+++ git/NEWS
		56	@@ -34,7 +34,10 @@ Version 2.22
		57	18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
		58	18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
		59	18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
		60	- 18657, 18676, 18694, 18696.
		61	+ 18657, 18676, 18694, 18696, 18928.
		62	+
		63	+* The LD_POINTER_GUARD environment variable can no longer be used to
		64	+ disable the pointer guard feature. It is always enabled.
		65
		66	* Cache information can be queried via sysconf() function on s390 e.g. with
		67	_SC_LEVEL1_ICACHE_SIZE as argument.
		68	Index: git/elf/rtld.c
		69	===================================================================
		70	--- git.orig/elf/rtld.c
		71	+++ git/elf/rtld.c
		72	@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
		73	._dl_hwcap_mask = HWCAP_IMPORTANT,
		74	._dl_lazy = 1,
		75	._dl_fpu_control = _FPU_DEFAULT,
		76	- ._dl_pointer_guard = 1,
		77	._dl_pagesize = EXEC_PAGESIZE,
		78	._dl_inhibit_cache = 0,
		79
		80	@@ -710,15 +709,12 @@ security_init (void)
		81	#endif
		82
		83	/* Set up the pointer guard as well, if necessary. */
		84	- if (GLRO(dl_pointer_guard))
		85	- {
		86	- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
		87	- stack_chk_guard);
		88	+ uintptr_t pointer_chk_guard
		89	+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
		90	#ifdef THREAD_SET_POINTER_GUARD
		91	- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
		92	+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
		93	#endif
		94	- __pointer_chk_guard_local = pointer_chk_guard;
		95	- }
		96	+ __pointer_chk_guard_local = pointer_chk_guard;
		97
		98	/* We do not need the _dl_random value anymore. The less
		99	information we leave behind, the better, so clear the
		100	@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
		101	GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
		102	break;
		103	}
		104	-
		105	- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
		106	- GLRO(dl_pointer_guard) = envline[14] != '0';
		107	break;
		108
		109	case 14:
		110	Index: git/sysdeps/generic/ldsodefs.h
		111	===================================================================
		112	--- git.orig/sysdeps/generic/ldsodefs.h
		113	+++ git/sysdeps/generic/ldsodefs.h
		114	@@ -600,9 +600,6 @@ struct rtld_global_ro
		115	/* List of auditing interfaces. */
		116	struct audit_ifaces *_dl_audit;
		117	unsigned int _dl_naudit;
		118	-
		119	- /* 0 if internal pointer values should not be guarded, 1 if they should. */
		120	- EXTERN int _dl_pointer_guard;
		121	};
		122	# define __rtld_global_attribute__
		123	# if IS_IN (rtld)


diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb index eeb97422f0..c828310586 100644 --- a/meta/recipes-core/glibc/glibc_2.22.bb +++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
43	file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \	43	file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
44	file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \	44	file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
45	file://0029-fix-getmntent-empty-lines.patch \	45	file://0029-fix-getmntent-empty-lines.patch \
		46	file://CVE-2015-8777.patch \
46	"	47	"
47		48
48	SRC_URI += "\	49	SRC_URI += "\