aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-02-28 10:53:32 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-03-21 15:48:21 +0000
commitbb6ce1334bfb3711428b4b82bca4c0d5339ee2f8 (patch)
tree7be69b817f754b6bfa8c0add1426c7053f8e8e69
parentb30a7375f09158575d63367600190a5e3a00b9fc (diff)
downloadopenembedded-core-bb6ce1334bfb3711428b4b82bca4c0d5339ee2f8.tar.gz
openembedded-core-bb6ce1334bfb3711428b4b82bca4c0d5339ee2f8.tar.bz2
openembedded-core-bb6ce1334bfb3711428b4b82bca4c0d5339ee2f8.zip
glibc: CVE-2015-8777
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org> Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch122
-rw-r--r--meta/recipes-core/glibc/glibc_2.20.bb4
2 files changed, 125 insertions, 1 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 0000000000..780fcb9a53
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,122 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 ++++++++++
+ NEWS | 13 ++++++++-----
+ elf/rtld.c | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2476,9 +2472,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -590,9 +590,6 @@ struct rtld_global_ro
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # ifdef IS_IN_rtld
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,13 @@
++2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
+ 2015-02-05 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #16618] CVE-2015-1472
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -24,7 +24,10 @@ Version 2.20
+ 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078,
+ 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150,
+ 17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354,
+- 17625, 17630.
++ 17625, 17630, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * The nss_dns implementation of getnetbyname could run into an infinite loop
+ if the DNS response contained a PTR record of an unexpected format.
diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb
index a928293ed4..5e03570cf3 100644
--- a/meta/recipes-core/glibc/glibc_2.20.bb
+++ b/meta/recipes-core/glibc/glibc_2.20.bb
@@ -48,7 +48,9 @@ CVEPATCHES = "\
file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \
file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \
file://CVE-2015-7547.patch \
- "
+ file://CVE-2015-8777.patch \
+"
+
LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \
file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \
file://posix/rxspencer/COPYRIGHT;md5=dc5485bb394a13b2332ec1c785f5d83a \