[COMMITTED 2.20] Always enable pointer guard [BZ #18928]

["Tulio Magno Quites Machado Filho" <tuliom@linux.vnet.ibm.com>]

From: Florian Weimer <fweimer@redhat.com>

Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications.  This commit enables pointer guard
unconditionally, and the environment variable is now ignored.

        [BZ #18928]
        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
        _dl_pointer_guard member.
        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
        initializer.
        (security_init): Always set up pointer guard.
        (process_envvars): Do not process LD_POINTER_GUARD.

(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

Conflicts:
	NEWS
---
 ChangeLog                  | 10 ++++++++++
 NEWS                       |  5 ++++-
 elf/rtld.c                 | 15 ++++-----------
 sysdeps/generic/ldsodefs.h |  3 ---
 4 files changed, 18 insertions(+), 15 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index d9cbce7..32f9e4a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-02-25  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #18928]
+	* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+	_dl_pointer_guard member.
+	* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+	initializer.
+	(security_init): Always set up pointer guard.
+	(process_envvars): Do not process LD_POINTER_GUARD.
+
 2015-07-21  Mike Frysinger  <vapier@gentoo.org>
 
 	[BZ #18694]
diff --git a/NEWS b/NEWS
index b469ad2..34daa03 100644
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
-  17630, 17801, 18694.
+  17630, 17801, 18694, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
 
 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
   memory for the to-be-scanned arguments and overflow the allocated
diff --git a/elf/rtld.c b/elf/rtld.c
index d5cace8..39d3ae2 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
     ._dl_hwcap_mask = HWCAP_IMPORTANT,
     ._dl_lazy = 1,
     ._dl_fpu_control = _FPU_DEFAULT,
-    ._dl_pointer_guard = 1,
     ._dl_pagesize = EXEC_PAGESIZE,
     ._dl_inhibit_cache = 0,
 
@@ -709,15 +708,12 @@ security_init (void)
 #endif
 
   /* Set up the pointer guard as well, if necessary.  */
-  if (GLRO(dl_pointer_guard))
-    {
-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
-							     stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
 #ifdef THREAD_SET_POINTER_GUARD
-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
 #endif
-      __pointer_chk_guard_local = pointer_chk_guard;
-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
 
   /* We do not need the _dl_random value anymore.  The less
      information we leave behind, the better, so clear the
@@ -2471,9 +2467,6 @@ process_envvars (enum mode *modep)
 	      GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
 	      break;
 	    }
-
-	  if (memcmp (envline, "POINTER_GUARD", 13) == 0)
-	    GLRO(dl_pointer_guard) = envline[14] != '0';
 	  break;
 
 	case 14:
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index e01df84..88383ed 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -582,9 +582,6 @@ struct rtld_global_ro
   /* List of auditing interfaces.  */
   struct audit_ifaces *_dl_audit;
   unsigned int _dl_naudit;
-
-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
-  EXTERN int _dl_pointer_guard;
 };
 # define __rtld_global_attribute__
 # ifdef IS_IN_rtld
-- 
2.1.0