aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorArmin Kuster <akuster@mvista.com>2016-01-22 20:13:00 -0800
committerRichard Purdie <richard.purdie@linuxfoundation.org>2016-02-18 07:37:49 +0000
commitaefe1fadfa041673360ad31901655ead70c32d75 (patch)
treec6534b47422af14cc477b1292a6e3579e3b69b5f
parent152914f2983c5d69001de1d46ce99547fa1e75fe (diff)
downloadopenembedded-core-contrib-aefe1fadfa041673360ad31901655ead70c32d75.tar.gz
openembedded-core-contrib-aefe1fadfa041673360ad31901655ead70c32d75.tar.bz2
openembedded-core-contrib-aefe1fadfa041673360ad31901655ead70c32d75.zip
glibc: CVE-2015-8777.patch
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable. (From OE-Core rev: bc51411d2edda908cbef733066d78a986dfec0c0) Signed-off-by: Armin Kuster <akuster@mvista.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/glibc/glibc/CVE-2015-8777.patch123
-rw-r--r--meta/recipes-core/glibc/glibc_2.22.bb1
2 files changed, 124 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 00000000000..eeab72d650f
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog | 10 ++++++++++
+ NEWS | 13 ++++++++-----
+ elf/rtld.c | 15 ++++-----------
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,14 @@
++2015-10-15 Florian Weimer <fweimer@redhat.com>
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
++
+ 2015-08-10 Maxim Ostapenko <m.ostapenko@partner.samsung.com>
+
+ [BZ #18778]
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+- 18657, 18676, 18694, 18696.
++ 18657, 18676, 18694, 18696, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+ _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===================================================================
+--- git.orig/elf/rtld.c
++++ git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+- ._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+- {
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+- }
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===================================================================
+--- git.orig/sysdeps/generic/ldsodefs.h
++++ git/sysdeps/generic/ldsodefs.h
+@@ -600,9 +600,6 @@ struct rtld_global_ro
+ /* List of auditing interfaces. */
+ struct audit_ifaces *_dl_audit;
+ unsigned int _dl_naudit;
+-
+- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+- EXTERN int _dl_pointer_guard;
+ };
+ # define __rtld_global_attribute__
+ # if IS_IN (rtld)
diff --git a/meta/recipes-core/glibc/glibc_2.22.bb b/meta/recipes-core/glibc/glibc_2.22.bb
index eeb97422f00..c8283105864 100644
--- a/meta/recipes-core/glibc/glibc_2.22.bb
+++ b/meta/recipes-core/glibc/glibc_2.22.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0028-Clear-ELF_RTYPE_CLASS_EXTERN_PROTECTED_DATA-for-prel.patch \
file://strcoll-Remove-incorrect-STRDIFF-based-optimization-.patch \
file://0029-fix-getmntent-empty-lines.patch \
+ file://CVE-2015-8777.patch \
"
SRC_URI += "\