* [COMMITTED 2.18] Always enable pointer guard [BZ #18928]
@ 2015-01-01 0:00 Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2015-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Florian Weimer
From: Florian Weimer <fweimer@redhat.com>
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
Conflicts:
NEWS
---
ChangeLog | 10 ++++++++++
NEWS | 5 ++++-
elf/rtld.c | 15 ++++-----------
sysdeps/generic/ldsodefs.h | 3 ---
4 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 9c95cc0..d90460f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2015-12-30 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
2014-06-03 Guo Yixuan <culu.gyx@gmail.com>
[BZ #16882]
diff --git a/NEWS b/NEWS
index 31664e4..d8e7c4d 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958.
+ 16943, 16958, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.
\f
Version 2.18
diff --git a/elf/rtld.c b/elf/rtld.c
index 91da88c..b2fce26 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
._dl_hwcap_mask = HWCAP_IMPORTANT,
._dl_lazy = 1,
._dl_fpu_control = _FPU_DEFAULT,
- ._dl_pointer_guard = 1,
._dl_pagesize = EXEC_PAGESIZE,
._dl_inhibit_cache = 0,
@@ -857,15 +856,12 @@ security_init (void)
#endif
/* Set up the pointer guard as well, if necessary. */
- if (GLRO(dl_pointer_guard))
- {
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
- stack_chk_guard);
+ uintptr_t pointer_chk_guard
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
#ifdef THREAD_SET_POINTER_GUARD
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
#endif
- __pointer_chk_guard_local = pointer_chk_guard;
- }
+ __pointer_chk_guard_local = pointer_chk_guard;
/* We do not need the _dl_random value anymore. The less
information we leave behind, the better, so clear the
@@ -2606,9 +2602,6 @@ process_envvars (enum mode *modep)
GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
break;
}
-
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
- GLRO(dl_pointer_guard) = envline[14] != '0';
break;
case 14:
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index e7b0516..6ccbd71 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -589,9 +589,6 @@ struct rtld_global_ro
/* List of auditing interfaces. */
struct audit_ifaces *_dl_audit;
unsigned int _dl_naudit;
-
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
- EXTERN int _dl_pointer_guard;
};
# define __rtld_global_attribute__
# ifdef IS_IN_rtld
--
2.1.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.18] Fix read past end of pattern in fnmatch (bug 18032)
2015-01-01 0:00 [COMMITTED 2.18] Always enable pointer guard [BZ #18928] Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
@ 2015-01-01 0:00 ` Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix BZ #17269 -- _IO_wstr_overflow integer overflow Tulio Magno Quites Machado Filho
2 siblings, 0 replies; 4+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2015-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Andreas Schwab
From: Andreas Schwab <schwab@suse.de>
(cherry picked from commit 4a28f4d55a6cc33474c0792fe93b5942d81bf185)
Conflicts:
NEWS
posix/tst-fnmatch3.c
---
ChangeLog | 7 +++++++
NEWS | 2 +-
posix/fnmatch_loop.c | 5 ++---
posix/tst-fnmatch3.c | 32 ++++++++++++++++++++++++++++++++
4 files changed, 42 insertions(+), 4 deletions(-)
create mode 100644 posix/tst-fnmatch3.c
diff --git a/ChangeLog b/ChangeLog
index 14d95f8..79a59d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2015-12-30 Andreas Schwab <schwab@suse.de>
+
+ [BZ #18032]
+ * posix/fnmatch_loop.c (FCT): Remove extra increment when skipping
+ over collating symbol inside a bracket expression. Minor cleanup.
+ * posix/tst-fnmatch3.c (do_test): Add test case.
+
2015-12-30 Florian Weimer <fweimer@redhat.com>
[BZ #19018]
diff --git a/NEWS b/NEWS
index 52e77ee..3ae4211 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18928, 19018.
+ 16943, 16958, 18032, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/posix/fnmatch_loop.c b/posix/fnmatch_loop.c
index 078b982..5002ccb 100644
--- a/posix/fnmatch_loop.c
+++ b/posix/fnmatch_loop.c
@@ -951,14 +951,13 @@ FCT (pattern, string, string_end, no_leading_period, flags, ends, alloca_used)
}
else if (c == L('[') && *p == L('.'))
{
- ++p;
while (1)
{
c = *++p;
- if (c == '\0')
+ if (c == L('\0'))
return FNM_NOMATCH;
- if (*p == L('.') && p[1] == L(']'))
+ if (c == L('.') && p[1] == L(']'))
break;
}
p += 2;
diff --git a/posix/tst-fnmatch3.c b/posix/tst-fnmatch3.c
new file mode 100644
index 0000000..75bc00a
--- /dev/null
+++ b/posix/tst-fnmatch3.c
@@ -0,0 +1,32 @@
+/* Test for fnmatch not reading past the end of the pattern.
+ Copyright (C) 2014-2015 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <fnmatch.h>
+
+int
+do_test (void)
+{
+ if (fnmatch ("[[:alpha:]'[:alpha:]\0]", "a", 0) != FNM_NOMATCH)
+ return 1;
+ if (fnmatch ("[a[.\0.]]", "a", 0) != FNM_NOMATCH)
+ return 1;
+ return 0;
+}
+
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
--
2.1.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.18] Fix BZ #17269 -- _IO_wstr_overflow integer overflow
2015-01-01 0:00 [COMMITTED 2.18] Always enable pointer guard [BZ #18928] Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix read past end of pattern in fnmatch (bug 18032) Tulio Magno Quites Machado Filho
@ 2015-01-01 0:00 ` Tulio Magno Quites Machado Filho
2 siblings, 0 replies; 4+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2015-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Paul Pluzhnikov
From: Paul Pluzhnikov <ppluzhnikov@google.com>
(cherry picked from commit bdf1ff052a8e23d637f2c838fa5642d78fcedc33)
Conflicts:
NEWS
---
ChangeLog | 6 ++++++
NEWS | 2 +-
libio/wstrops.c | 8 +++++++-
3 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 79a59d5..435d189 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-12-30 Paul Pluzhnikov <ppluzhnikov@google.com>
+
+ [BZ #17269]
+ * libio/wstrops.c (_IO_wstr_overflow): Guard against integer overflow
+ (enlarge_userbuf): Likewise.
+
2015-12-30 Andreas Schwab <schwab@suse.de>
[BZ #18032]
diff --git a/NEWS b/NEWS
index 3ae4211..0196d04 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18032, 18928, 19018.
+ 16943, 16958, 17269, 18032, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/libio/wstrops.c b/libio/wstrops.c
index 8283930..19193e4 100644
--- a/libio/wstrops.c
+++ b/libio/wstrops.c
@@ -95,8 +95,11 @@ _IO_wstr_overflow (fp, c)
wchar_t *old_buf = fp->_wide_data->_IO_buf_base;
size_t old_wblen = _IO_wblen (fp);
_IO_size_t new_size = 2 * old_wblen + 100;
- if (new_size < old_wblen)
+
+ if (__glibc_unlikely (new_size < old_wblen)
+ || __glibc_unlikely (new_size > SIZE_MAX / sizeof (wchar_t)))
return EOF;
+
new_buf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (new_size
* sizeof (wchar_t));
@@ -186,6 +189,9 @@ enlarge_userbuf (_IO_FILE *fp, _IO_off64_t offset, int reading)
return 1;
_IO_size_t newsize = offset + 100;
+ if (__glibc_unlikely (newsize > SIZE_MAX / sizeof (wchar_t)))
+ return 1;
+
wchar_t *oldbuf = wd->_IO_buf_base;
wchar_t *newbuf
= (wchar_t *) (*((_IO_strfile *) fp)->_s._allocate_buffer) (newsize
--
2.1.0
^ permalink raw reply [flat|nested] 4+ messages in thread
* [COMMITTED 2.18] Harden tls_dtor_list with pointer mangling [BZ #19018]
2015-01-01 0:00 [COMMITTED 2.18] Always enable pointer guard [BZ #18928] Tulio Magno Quites Machado Filho
@ 2015-01-01 0:00 ` Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix read past end of pattern in fnmatch (bug 18032) Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix BZ #17269 -- _IO_wstr_overflow integer overflow Tulio Magno Quites Machado Filho
2 siblings, 0 replies; 4+ messages in thread
From: Tulio Magno Quites Machado Filho @ 2015-01-01 0:00 UTC (permalink / raw)
To: libc-stable; +Cc: Florian Weimer
From: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit f586e1328681b400078c995a0bb6ad301ef73549)
Conflicts:
NEWS
stdlib/cxa_thread_atexit_impl.c
---
ChangeLog | 7 +++++++
NEWS | 2 +-
stdlib/cxa_thread_atexit_impl.c | 12 ++++++++++--
3 files changed, 18 insertions(+), 3 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d90460f..14d95f8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2015-12-30 Florian Weimer <fweimer@redhat.com>
+ [BZ #19018]
+ * stdlib/cxa_thread_atexit_impl.c (__cxa_thread_atexit_impl):
+ Mangle function pointer before storing it.
+ (__call_tls_dtors): Demangle function pointer before calling it.
+
+2015-12-30 Florian Weimer <fweimer@redhat.com>
+
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
diff --git a/NEWS b/NEWS
index d8e7c4d..52e77ee 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,7 @@ Version 2.18.1
* The following bugs are resolved with this release:
15073, 15128, 15909, 15996, 16150, 16169, 16387, 16510, 16885, 16916,
- 16943, 16958, 18928.
+ 16943, 16958, 18928, 19018.
* The LD_POINTER_GUARD environment variable can no longer be used to
disable the pointer guard feature. It is always enabled.
diff --git a/stdlib/cxa_thread_atexit_impl.c b/stdlib/cxa_thread_atexit_impl.c
index dfd4c7e..6b7455d 100644
--- a/stdlib/cxa_thread_atexit_impl.c
+++ b/stdlib/cxa_thread_atexit_impl.c
@@ -42,6 +42,10 @@ static __thread struct link_map *lm_cache;
int
__cxa_thread_atexit_impl (dtor_func func, void *obj, void *dso_symbol)
{
+#ifdef PTR_MANGLE
+ PTR_MANGLE (func);
+#endif
+
/* Prepend. */
struct dtor_list *new = calloc (1, sizeof (struct dtor_list));
new->func = func;
@@ -83,9 +87,13 @@ __call_tls_dtors (void)
while (tls_dtor_list)
{
struct dtor_list *cur = tls_dtor_list;
- tls_dtor_list = tls_dtor_list->next;
+ dtor_func func = cur->func;
+#ifdef PTR_DEMANGLE
+ PTR_DEMANGLE (func);
+#endif
- cur->func (cur->obj);
+ tls_dtor_list = tls_dtor_list->next;
+ func (cur->obj);
__rtld_lock_lock_recursive (GL(dl_load_lock));
--
2.1.0
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2015-12-31 12:52 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-01-01 0:00 [COMMITTED 2.18] Always enable pointer guard [BZ #18928] Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix read past end of pattern in fnmatch (bug 18032) Tulio Magno Quites Machado Filho
2015-01-01 0:00 ` [COMMITTED 2.18] Fix BZ #17269 -- _IO_wstr_overflow integer overflow Tulio Magno Quites Machado Filho
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).