public inbox for libc-ports@sourceware.org
* All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Carlos O'Donell @ 2013-09-26 14:52 UTC
  To: libc-ports

All machines,

The fix for CVE-2013-4788 (bug 15754) contains a regression
test to ensure that the pointer guard is both random and
changes between processes.

In order to create the test it was necessary to add a new
accessor macro POINTER_CHK_GUARD to allow the regression
test to locate and read the pointer guard value from outside
of the library.

I have added a POINTER_CHK_GUARD implementation for *all*
machines. You need not do any work at this point. However,
for some machines I wrote the implementation without testing
it e.g. stack guard was just before pointer guard so
POINTER_CHK_GUARD is the same code with a different offset.

My request is that you run the testsuite and verify that
tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
pass please email me and we can work out what might be
wrong with your POINTER_CHK_GUARD implementation.

Cheers,
Carlos.

* Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Will Newton @ 2013-09-26 15:39 UTC
  To: Carlos O'Donell; +Cc: libc-ports

On 26 September 2013 15:52, Carlos O'Donell <carlos@redhat.com> wrote:

Hi Carlos,

> The fix for CVE-2013-4788 (bug 15754) contains a regression
> test to ensure that the pointer guard is both random and
> changes between processes.
>
> In order to create the test it was necessary to add a new
> accessor macro POINTER_CHK_GUARD to allow the regression
> test to locate and read the pointer guard value from outside
> of the library.
>
> I have added a POINTER_CHK_GUARD implementation for *all*
> machines. You need not do any work at this point. However,
> for some machines I wrote the implementation without testing
> it e.g. stack guard was just before pointer guard so
> POINTER_CHK_GUARD is the same code with a different offset.
>
> My request is that you run the testsuite and verify that
> tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
> pass please email me and we can work out what might be
> wrong with your POINTER_CHK_GUARD implementation.

I noticed that alpha does something strange in this regard.

ports/sysdeps/unix/alpha/sysdep.h:

/* There exists generic C code that assumes that PTR_MANGLE is always
   defined.  When generating code for the static libc, we don't have
   __pointer_chk_guard defined.  Nor is there any place that would
   initialize it if it were defined, so there's little point in doing
   anything more than nothing.  */
# ifndef __ASSEMBLER__
#  define PTR_MANGLE(var)
#  define PTR_DEMANGLE(var)
# endif

This looks like in the static case alpha will not benefit from the new
fix. I don't have an alpha toolchain or any particular knowledge of
alpha to verify that though.

-- 
Will Newton
Toolchain Working Group, Linaro
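
An added illustration of the concern raised in the message above (not code from the thread or from glibc): a minimal model in which mangling is a plain XOR with the guard, comparing empty PTR_MANGLE/PTR_DEMANGLE macros, a guard left at zero, and a per-process random guard. The names guard_cfg, slot_is_raw and corruption_survives, the XOR-only mangling, and all sample values are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model, not glibc code: XOR-only mangling keyed by a guard. */
typedef struct {
    uintptr_t guard;  /* the value POINTER_CHK_GUARD would read */
    int mangling;     /* 0 models empty PTR_MANGLE/PTR_DEMANGLE macros */
} guard_cfg;

static uintptr_t ptr_mangle(const guard_cfg *c, uintptr_t p)
{
    return c->mangling ? (p ^ c->guard) : p;
}

static uintptr_t ptr_demangle(const guard_cfg *c, uintptr_t p)
{
    return c->mangling ? (p ^ c->guard) : p;
}

/* 1 if the stored slot equals the raw pointer, so mangling hid nothing. */
static int slot_is_raw(const guard_cfg *c, uintptr_t target)
{
    return ptr_mangle(c, target) == target;
}

/* 1 if a slot corrupted to `bogus` demangles to `bogus` unchanged. */
static int corruption_survives(const guard_cfg *c, uintptr_t bogus)
{
    return ptr_demangle(c, bogus) == bogus;
}

int main(void)
{
    /* Constructed sample values, not taken from any real process. */
    const uintptr_t target = 0x401136, bogus = 0x41414141;
    const char *names[] = { "empty macros", "zero guard", "random guard" };
    const guard_cfg cfgs[] = {
        { 0, 0 },
        { 0, 1 },
        { (uintptr_t)0x5bd1e995a3c4f021ULL, 1 },
    };
    for (int i = 0; i < 3; i++)
        printf("%-12s stored=%#lx raw=%d corruption_survives=%d\n", names[i],
               (unsigned long)ptr_mangle(&cfgs[i], target),
               slot_is_raw(&cfgs[i], target),
               corruption_survives(&cfgs[i], bogus));
    return 0;
}
```

In this model only the random-guard configuration stores something other than the raw pointer, which is why a regression test has to check the guard's value and not merely that the macros exist.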

* Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Richard Henderson @ 2013-09-26 16:26 UTC
  To: Will Newton; +Cc: Carlos O'Donell, libc-ports

On 09/26/2013 08:39 AM, Will Newton wrote:
> On 26 September 2013 15:52, Carlos O'Donell <carlos@redhat.com> wrote:
> 
> Hi Carlos,
> 
>> The fix for CVE-2013-4788 (bug 15754) contains a regression
>> test to ensure that the pointer guard is both random and
>> changes between processes.
>>
>> In order to create the test it was necessary to add a new
>> accessor macro POINTER_CHK_GUARD to allow the regression
>> test to locate and read the pointer guard value from outside
>> of the library.
>>
>> I have added a POINTER_CHK_GUARD implementation for *all*
>> machines. You need not do any work at this point. However,
>> for some machines I wrote the implementation without testing
>> it e.g. stack guard was just before pointer guard so
>> POINTER_CHK_GUARD is the same code with a different offset.
>>
>> My request is that you run the testsuite and verify that
>> tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
>> pass please email me and we can work out what might be
>> wrong with your POINTER_CHK_GUARD implementation.
> 
> I noticed that alpha does something strange in this regard.
> 
> ports/sysdeps/unix/alpha/sysdep.h:
> 
> /* There exists generic C code that assumes that PTR_MANGLE is always
>    defined.  When generating code for the static libc, we don't have
>    __pointer_chk_guard defined.  Nor is there any place that would
>    initialize it if it were defined, so there's little point in doing
>    anything more than nothing.  */
> # ifndef __ASSEMBLER__
> #  define PTR_MANGLE(var)
> #  define PTR_DEMANGLE(var)
> # endif
> 
> This looks like in the static case alpha will not benefit from the new
> fix. I don't have an alpha toolchain or any particular knowledge of
> alpha to verify that though.
> 

It looks like Carlos will have just allowed that to be fixed in his patch,
since __pointer_chk_guard_local is now defined if THREAD_SET_POINTER_GUARD isn't.


r~

* Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Kaz Kojima @ 2013-09-27  1:06 UTC
  To: carlos; +Cc: libc-ports, thomas

Hi,

"Carlos O'Donell" <carlos@redhat.com> wrote:
> My request is that you run the testsuite and verify that
> tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
> pass please email me and we can work out what might be
> wrong with your POINTER_CHK_GUARD implementation.

New ptrguard tests fail on SH because the target uses generic
stackguard-macros.h but defines THREAD_SET_POINTER_GUARD.
The attached patch works for me.

Regards,
	kaz
--
	* sysdeps/sh/stackguard-macros.h: New file.

diff --git a/sysdeps/sh/stackguard-macros.h b/sysdeps/sh/stackguard-macros.h
new file mode 100644
index 0000000..55a5771
--- /dev/null
+++ b/sysdeps/sh/stackguard-macros.h
@@ -0,0 +1,6 @@
+#include <stdint.h>
+
+extern uintptr_t __stack_chk_guard;
+#define STACK_CHK_GUARD __stack_chk_guard
+
+#define POINTER_CHK_GUARD THREAD_GET_POINTER_GUARD()
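
Review bot: POINTER_CHK_GUARD on the last added line expands to THREAD_GET_POINTER_GUARD(), but the new header includes only <stdint.h>, so any file that uses POINTER_CHK_GUARD must already have pulled in the header that defines that macro. Include that header here, or add a comment stating the dependency. The file also has no leading comment saying why SH needs its own copy instead of the generic stackguard-macros.h; a line recording that SH defines THREAD_SET_POINTER_GUARD would keep the reason with the code.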

* Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Carlos O'Donell @ 2013-09-27  1:43 UTC
  To: Kaz Kojima; +Cc: libc-ports, thomas

On 09/26/2013 09:06 PM, Kaz Kojima wrote:
> Hi,
> 
> "Carlos O'Donell" <carlos@redhat.com> wrote:
>> My request is that you run the testsuite and verify that
>> tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
>> pass please email me and we can work out what might be
>> wrong with your POINTER_CHK_GUARD implementation.
> 
> New ptrguard tests fail on SH because the target uses generic
> stackguard-macros.h but defines THREAD_SET_POINTER_GUARD.
> The attached patch works for me.
> 
> Regards,
> 	kaz
> --
> 	* sysdeps/sh/stackguard-macros.h: New file.
> 
> diff --git a/sysdeps/sh/stackguard-macros.h b/sysdeps/sh/stackguard-macros.h
> new file mode 100644
> index 0000000..55a5771
> --- /dev/null
> +++ b/sysdeps/sh/stackguard-macros.h
> @@ -0,0 +1,6 @@
> +#include <stdint.h>
> +
> +extern uintptr_t __stack_chk_guard;
> +#define STACK_CHK_GUARD __stack_chk_guard
> +
> +#define POINTER_CHK_GUARD THREAD_GET_POINTER_GUARD()
> 

Kaz,

That looks good to me. I will admit that's not a
combination I thought about. Thanks for fixing it.

Cheers,
Carlos.

* Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).
From: Kaz Kojima @ 2013-09-27  2:15 UTC
  To: carlos; +Cc: libc-ports, thomas

"Carlos O'Donell" <carlos@redhat.com> wrote:
> That looks good to me. I will admit that's not a
> combination I thought about. Thanks for fixing it.

Thanks for your comment.  I've committed it with the ChangeLog
entry below.

Regards,
	kaz
--
2013-09-27  Kaz Kojima  <kkojima@rr.iij4u.or.jp>

	* sysdeps/sh/stackguard-macros.h: New file.
