authorArmin Kuster <akuster@mvista.com>2016-01-22 20:13:00 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-18 07:37:49 +0000
commitaefe1fadfa041673360ad31901655ead70c32d75 (patch)
treec6534b47422af14cc477b1292a6e3579e3b69b5f /meta/recipes-core
parent152914f2983c5d69001de1d46ce99547fa1e75fe (diff)
glibc: CVE-2015-8777.patch
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: bc51411d2edda908cbef733066d78a986dfec0c0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
Diffstat (limited to 'meta/recipes-core')
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch123
-rw-r--r--meta/recipes-core/glibc/glibc_2.22.bb1
2 files changed, 124 insertions, 0 deletions
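--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 ++++++++++
+ NEWS | 13 ++++++++-----
+ elf/rtld.c | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,14 @@
++2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
++
+ 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
+
+ [BZ #18778]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+- 18657, 18676, 18694, 18696.
++ 18657, 18676, 18694, 18696, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+ _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -600,9 +600,6 @@ struct rtld_global_ro
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)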
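Review bot: The context comment `/* Set up the pointer guard as well, if necessary. */` kept in the security_init hunk of elf/rtld.c is now stale, because the removed `if (GLRO(dl_pointer_guard))` test was the only thing that made the setup conditional and the new lines call _dl_setup_pointer_guard unconditionally. I would reword it to `/* Set up the pointer guard as well.  It is always enabled; LD_POINTER_GUARD is no longer consulted.  */` so a reader is not left looking for the condition that was dropped. security_init starts and ends outside the hunk. Since the file is carried as a verbatim backport of the upstream commit, this is better fixed upstream than by editing the patch locally; the backport itself, including the removal of the LD_POINTER_GUARD case in process_envvars and of the _dl_pointer_guard field in ldsodefs.h, is consistent with its ChangeLog entry.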
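--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
  file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
  file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
  file://0029-fix-getmntent-empty-lines.patch \
+ file://CVE-2015-8777.patch \
 "
 
 SRC_URI += "\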