From: "Tulio Magno Quites Machado Filho" <tuliom@linux.vnet.ibm.com>
To: libc-stable@sourceware.org
Cc: Florian Weimer <fweimer@redhat.com>
Subject: [COMMITTED 2.20] Always enable pointer guard [BZ #18928]
Date: Fri, 01 Jan 2016 00:00:00 -0000 [thread overview]
Message-ID: <1456427204-1730-1-git-send-email-tuliom@linux.vnet.ibm.com> (raw)
From: Florian Weimer <fweimer@redhat.com>
Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications. This commit enables pointer guard
unconditionally, and the environment variable is now ignored.
[BZ #18928]
* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
_dl_pointer_guard member.
* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
initializer.
(security_init): Always set up pointer guard.
(process_envvars): Do not process LD_POINTER_GUARD.
(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)
Conflicts:
NEWS
---
ChangeLog | 10 ++++++++++
NEWS | 5 ++++-
elf/rtld.c | 15 ++++-----------
sysdeps/generic/ldsodefs.h | 3 ---
4 files changed, 18 insertions(+), 15 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index d9cbce7..32f9e4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-02-25 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #18928]
+ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+ _dl_pointer_guard member.
+ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+ initializer.
+ (security_init): Always set up pointer guard.
+ (process_envvars): Do not process LD_POINTER_GUARD.
+
2015-07-21 Mike Frysinger <vapier@gentoo.org>
[BZ #18694]
diff --git a/NEWS b/NEWS
index b469ad2..34daa03 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.20.1
* The following bugs are resolved with this release:
16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
- 17630, 17801, 18694.
+ 17630, 17801, 18694, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+ disable the pointer guard feature. It is always enabled.
* CVE-2015-1472 Under certain conditions wscanf can allocate too little
memory for the to-be-scanned arguments and overflow the allocated
diff --git a/elf/rtld.c b/elf/rtld.c
index d5cace8..39d3ae2 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
._dl_hwcap_mask = HWCAP_IMPORTANT,
._dl_lazy = 1,
._dl_fpu_control = _FPU_DEFAULT,
- ._dl_pointer_guard = 1,
._dl_pagesize = EXEC_PAGESIZE,
._dl_inhibit_cache = 0,
@@ -709,15 +708,12 @@ security_init (void)
#endif
/* Set up the pointer guard as well, if necessary. */
- if (GLRO(dl_pointer_guard))
- {
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
- stack_chk_guard);
+ uintptr_t pointer_chk_guard
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
#ifdef THREAD_SET_POINTER_GUARD
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
#endif
- __pointer_chk_guard_local = pointer_chk_guard;
- }
+ __pointer_chk_guard_local = pointer_chk_guard;
/* We do not need the _dl_random value anymore. The less
information we leave behind, the better, so clear the
@@ -2471,9 +2467,6 @@ process_envvars (enum mode *modep)
GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
break;
}
-
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
- GLRO(dl_pointer_guard) = envline[14] != '0';
break;
case 14:
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index e01df84..88383ed 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -582,9 +582,6 @@ struct rtld_global_ro
/* List of auditing interfaces. */
struct audit_ifaces *_dl_audit;
unsigned int _dl_naudit;
-
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
- EXTERN int _dl_pointer_guard;
};
# define __rtld_global_attribute__
# ifdef IS_IN_rtld
--
2.1.0
next reply other threads:[~2016-02-25 19:07 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-01 0:00 Tulio Magno Quites Machado Filho [this message]
2016-01-01 0:00 ` [COMMITTED 2.20] Fix read past end of pattern in fnmatch (bug 18032) Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] Fix BZ #17269 -- _IO_wstr_overflow integer overflow Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] Harden tls_dtor_list with pointer mangling [BZ #19018] Tulio Magno Quites Machado Filho
2016-01-01 0:00 ` [COMMITTED 2.20] CVE-2015-7547: getaddrinfo() stack-based buffer overflow (Bug 18665) Tulio Magno Quites Machado Filho
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1456427204-1730-1-git-send-email-tuliom@linux.vnet.ibm.com \
--to=tuliom@linux.vnet.ibm.com \
--cc=fweimer@redhat.com \
--cc=libc-stable@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).