[OE-core] [PATCH 1/4] glibc: CVE-2015-8777
From: Armin Kuster
Signed-off-by: Armin Kuster
---
 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 143 ++
 meta/recipes-core/glibc/glibc_2.21.bb | 1 +
 2 files changed, 144 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 000..4041af6
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,143 @@
+From fd3a7f229e52be32414d889977fef245da6055d4 Mon Sep 17 00:00:00 2001
+From: Armin Kuster
+Date: Fri, 22 Jan 2016 20:13:00 -0800
+Subject: [PATCH 1/4] glibc: CVE-2015-8777.patch
+
+The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or
+libc6) before 2.23 allows local users to bypass a pointer-guarding protection
+mechanism via a zero value of the LD_POINTER_GUARD environment variable.
+
+Signed-off-by: Armin Kuster
+---
+ meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 123 ++
+ 2 files changed, 124 insertions(+)
+ create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+
+Index: git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+===
+--- /dev/null git/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
+@@ -0,0 +1,123 @@
++From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
++From: Florian Weimer
++Date: Thu, 15 Oct 2015 09:23:07 +0200
++Subject: [PATCH] Always enable pointer guard [BZ #18928]
++
++Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
++has security implications. This commit enables pointer guard
++unconditionally, and the environment variable is now ignored.
++
++[BZ #18928]
++* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++_dl_pointer_guard member.
++* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++initializer.
++(security_init): Always set up pointer guard.
++(process_envvars): Do not process LD_POINTER_GUARD.
++
++Upstream-Status: Backport
++CVE: CVE-2015-8777
++[Yocto # 8980]
++
++https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
++
++Signed-off-by: Armin Kuster
++
++---
++ ChangeLog | 10 ++
++ NEWS | 13 -
++ elf/rtld.c | 15 ---
++ sysdeps/generic/ldsodefs.h | 3 ---
++ 4 files changed, 22 insertions(+), 19 deletions(-)
++
++Index: git/ChangeLog
++===
++--- git.orig/ChangeLog
+ git/ChangeLog
++@@ -1,3 +1,14 @@
+++2015-10-15 Florian Weimer
+++
+++ [BZ #18928]
+++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+++ _dl_pointer_guard member.
+++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+++ initializer.
+++ (security_init): Always set up pointer guard.
+++ (process_envvars): Do not process LD_POINTER_GUARD.
+++
+++
++ 2015-08-10 Maxim Ostapenko
++
++ [BZ #18778]
++Index: git/NEWS
++===
++--- git.orig/NEWS
+ git/NEWS
++@@ -34,7 +34,10 @@ Version 2.22
++ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
++ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
++ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
++- 18657, 18676, 18694, 18696.
+++ 18657, 18676, 18694, 18696, 18928.
+++
+++* The LD_POINTER_GUARD environment variable can no longer be used to
+++ disable the pointer guard feature. It is always enabled.
++
++ * Cache information can be queried via sysconf() function on s390 e.g. with
++ _SC_LEVEL1_ICACHE_SIZE as argument.
++Index: git/elf/rtld.c
++===
++--- git.orig/elf/rtld.c
+ git/elf/rtld.c
++@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
++ ._dl_hwcap_mask = HWCAP_IMPORTANT,
++ ._dl_lazy = 1,
++ ._dl_fpu_control = _FPU_DEFAULT,
++-._dl_pointer_guard = 1,
++ ._dl_pagesize = EXEC_PAGESIZE,
++ ._dl_inhibit_cache = 0,
++
++@@ -710,15 +709,12 @@ security_init (void)
++ #endif
++
++ /* Set up the pointer guard as well, if necessary. 
*/
++- if (GLRO(dl_pointer_guard))
++-{
++- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++- stack_chk_guard);
+++ uintptr_t pointer_chk_guard
+++= _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
++ #ifdef THREAD_SET_POINTER_GUARD
++- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+++
[OE-core] [PATCH 1/4] glibc: CVE-2015-8777.patch
From: Armin Kuster
The process_envvars function in elf/rtld.c in the GNU C Library (aka glibc or libc6) before 2.23 allows local users to bypass a pointer-guarding protection mechanism via a zero value of the LD_POINTER_GUARD environment variable.
Signed-off-by: Armin Kuster
---
 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch | 123 ++
 meta/recipes-core/glibc/glibc_2.22.bb | 1 +
 2 files changed, 124 insertions(+)
 create mode 100644 meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
diff --git a/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
new file mode 100644
index 000..eeab72d
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2015-8777.patch
@@ -0,0 +1,123 @@
+From a014cecd82b71b70a6a843e250e06b541ad524f7 Mon Sep 17 00:00:00 2001
+From: Florian Weimer
+Date: Thu, 15 Oct 2015 09:23:07 +0200
+Subject: [PATCH] Always enable pointer guard [BZ #18928]
+
+Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
+has security implications. This commit enables pointer guard
+unconditionally, and the environment variable is now ignored.
+
+[BZ #18928]
+* sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+_dl_pointer_guard member.
+* elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+initializer.
+(security_init): Always set up pointer guard.
+(process_envvars): Do not process LD_POINTER_GUARD.
+
+Upstream-Status: Backport
+CVE: CVE-2015-8777
+[Yocto # 8980]
+
+https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+
+Signed-off-by: Armin Kuster
+
+---
+ ChangeLog | 10 ++
+ NEWS | 13 -
+ elf/rtld.c | 15 ---
+ sysdeps/generic/ldsodefs.h | 3 ---
+ 4 files changed, 22 insertions(+), 19 deletions(-)
+
+Index: git/ChangeLog
+===
+--- git.orig/ChangeLog git/ChangeLog
+@@ -1,3 +1,14 @@
++2015-10-15 Florian Weimer
++
++ [BZ #18928]
++ * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
++ _dl_pointer_guard member.
++ * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
++ initializer.
++ (security_init): Always set up pointer guard.
++ (process_envvars): Do not process LD_POINTER_GUARD.
++
++
+ 2015-08-10 Maxim Ostapenko
+
+ [BZ #18778]
+Index: git/NEWS
+===
+--- git.orig/NEWS git/NEWS
+@@ -34,7 +34,10 @@ Version 2.22
+ 18533, 18534, 18536, 18539, 18540, 18542, 18544, 18545, 18546, 18547,
+ 18549, 18553, 18557, 18558, 18569, 18583, 18585, 18586, 18592, 18593,
+ 18594, 18602, 18612, 18613, 18619, 18633, 18635, 18641, 18643, 18648,
+- 18657, 18676, 18694, 18696.
++ 18657, 18676, 18694, 18696, 18928.
++
++* The LD_POINTER_GUARD environment variable can no longer be used to
++ disable the pointer guard feature. It is always enabled.
+
+ * Cache information can be queried via sysconf() function on s390 e.g. with
+ _SC_LEVEL1_ICACHE_SIZE as argument.
+Index: git/elf/rtld.c
+===
+--- git.orig/elf/rtld.c git/elf/rtld.c
+@@ -163,7 +163,6 @@ struct rtld_global_ro _rtld_global_ro at
+ ._dl_hwcap_mask = HWCAP_IMPORTANT,
+ ._dl_lazy = 1,
+ ._dl_fpu_control = _FPU_DEFAULT,
+-._dl_pointer_guard = 1,
+ ._dl_pagesize = EXEC_PAGESIZE,
+ ._dl_inhibit_cache = 0,
+
+@@ -710,15 +709,12 @@ security_init (void)
+ #endif
+
+ /* Set up the pointer guard as well, if necessary. */
+- if (GLRO(dl_pointer_guard))
+-{
+- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+- stack_chk_guard);
++ uintptr_t pointer_chk_guard
++= _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
+ #ifdef THREAD_SET_POINTER_GUARD
+- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ #endif
+- __pointer_chk_guard_local = pointer_chk_guard;
+-}
++ __pointer_chk_guard_local = pointer_chk_guard;
+
+ /* We do not need the _dl_random value anymore. The less
+ information we leave behind, the better, so clear the
+@@ -2478,9 +2474,6 @@ process_envvars (enum mode *modep)
+ GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
+ break;
+ }
+-
+-if (memcmp (envline, "POINTER_GUARD", 13) == 0)
+- GLRO(dl_pointer_guard) = envline[14] != '0';
+ break;
+
+ case 14:
+Index: git/sysdeps/generic/ldsodefs.h
+===
+--- git.orig/sysdeps/generic/ldsodefs.h