From bb6ce1334bfb3711428b4b82bca4c0d5339ee2f8 Mon Sep 17 00:00:00 2001 From: Armin Kuster Date: Sun, 28 Feb 2016 10:53:32 -0800 Subject: glibc: CVE-2015-8777 The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: 22570ba08d7c6157aec58764c73b1134405b0252) Signed-off-by: Armin Kuster Signed-off-by: Robert Yang Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie Signed-off-by: Armin Kuster Signed-off-by: Richard Purdie --- meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 122 ++++++++++++++++++++++ meta/recipes-core/glibc/glibc_2.20.bb | 4 +- 2 files changed, 125 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch new file mode 100644 index 0000000000..780fcb9a53 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch @@ -0,0 +1,122 @@ +From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001 +From: Florian Weimer +Date: Thu, 15 Oct 2015 09:23:07 +0200 +Subject: [PATCH] Always enable pointer guard [BZ #18928] + +Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode +has security implications. This commit enables pointer guard +unconditionally, and the environment variable is now ignored. + + [BZ #18928] + * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove + _dl_pointer_guard member. + * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard + initializer. + (security_init): Always set up pointer guard. + (process_envvars): Do not process LD_POINTER_GUARD. + +Upstream-Status: Backport +CVE: CVE-2015-8777 +[Yocto # 8980] + +https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7 + +Signed-off-by: Armin Kuster + +--- + ChangeLog | 10 ++++++++++ + NEWS | 13 ++++++++----- + elf/rtld.c | 15 ++++----------- + sysdeps/generic/ldsodefs.h | 3 --- + 4 files changed, 22 insertions(+), 19 deletions(-) + +Index: git/elf/rtld.c +=================================================================== +--- git.orig/elf/rtld.c ++++ git/elf/rtld.c +@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at + ._dl_hwcap_mask = HWCAP_IMPORTANT, + ._dl_lazy = 1, + ._dl_fpu_control = _FPU_DEFAULT, +- ._dl_pointer_guard = 1, + ._dl_pagesize = EXEC_PAGESIZE, + ._dl_inhibit_cache = 0, + +@@ -710,15 +709,12 @@ security_init (void) + #endif + + /* Set up the pointer guard as well, if necessary. */ +- if (GLRO(dl_pointer_guard)) +- { +- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, +- stack_chk_guard); ++ uintptr_t pointer_chk_guard ++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard); + #ifdef THREAD_SET_POINTER_GUARD +- THREAD_SET_POINTER_GUARD (pointer_chk_guard); ++ THREAD_SET_POINTER_GUARD (pointer_chk_guard); + #endif +- __pointer_chk_guard_local = pointer_chk_guard; +- } ++ __pointer_chk_guard_local = pointer_chk_guard; + + /* We do not need the _dl_random value anymore. The less + information we leave behind, the better, so clear the +@@ -2476,9 +2472,6 @@ process_envvars (enum mode *modep) + GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0; + break; + } +- +- if (memcmp (envline, "POINTER_GUARD", 13) == 0) +- GLRO(dl_pointer_guard) = envline[14] != '0'; + break; + + case 14: +Index: git/sysdeps/generic/ldsodefs.h +=================================================================== +--- git.orig/sysdeps/generic/ldsodefs.h ++++ git/sysdeps/generic/ldsodefs.h +@@ -590,9 +590,6 @@ struct rtld_global_ro + /* List of auditing interfaces. */ + struct audit_ifaces *_dl_audit; + unsigned int _dl_naudit; +- +- /* 0 if internal pointer values should not be guarded, 1 if they should. */ +- EXTERN int _dl_pointer_guard; + }; + # define __rtld_global_attribute__ + # ifdef IS_IN_rtld +Index: git/ChangeLog +=================================================================== +--- git.orig/ChangeLog ++++ git/ChangeLog +@@ -1,3 +1,13 @@ ++2015-10-15 Florian Weimer ++ ++ [BZ #18928] ++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove ++ _dl_pointer_guard member. ++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard ++ initializer. ++ (security_init): Always set up pointer guard. ++ (process_envvars): Do not process LD_POINTER_GUARD. ++ + 2015-02-05 Paul Pluzhnikov + + [BZ #16618] CVE-2015-1472 +Index: git/NEWS +=================================================================== +--- git.orig/NEWS ++++ git/NEWS +@@ -24,7 +24,10 @@ Version 2.20 + 17031, 17042, 17048, 17050, 17058, 17061, 17062, 17069, 17075, 17078, + 17079, 17084, 17086, 17088, 17092, 17097, 17125, 17135, 17137, 17150, + 17153, 17187, 17213, 17259, 17261, 17262, 17263, 17319, 17325, 17354, +- 17625, 17630. ++ 17625, 17630, 18928. ++ ++* The LD_POINTER_GUARD environment variable can no longer be used to ++ disable the pointer guard feature. It is always enabled. + + * The nss_dns implementation of getnetbyname could run into an infinite loop + if the DNS response contained a PTR record of an unexpected format. diff --git a/meta/recipes-core/glibc/glibc_2.20.bb b/meta/recipes-core/glibc/glibc_2.20.bb index a928293ed4..5e03570cf3 100644 --- a/meta/recipes-core/glibc/glibc_2.20.bb +++ b/meta/recipes-core/glibc/glibc_2.20.bb @@ -48,7 +48,9 @@ CVEPATCHES = "\ file://CVE-2015-1781-resolv-nss_dns-dns-host.c-buffer-overf.patch \ file://CVE-2015-1472-wscanf-allocates-too-little-memory.patch \ file://CVE-2015-7547.patch \ - " + file://CVE-2015-8777.patch \ +" + LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \ file://COPYING;md5=b234ee4d69f5fce4486a80fdaf4a4263 \ file://posix/rxspencer/COPYRIGHT;md5=dc5485bb394a13b2332ec1c785f5d83a \ -- cgit 1.2.3-korg