r4142 - in glibc-package/trunk/debian: . patches patches/any
Author: aurel32
Date: 2010-02-07 13:03:49 +0000 (Sun, 07 Feb 2010)
New Revision: 4142
Added:
glibc-package/trunk/debian/patches/any/submitted-leading-zero-stack-guard.diff
glibc-package/trunk/debian/patches/any/submitted-stack-guard-quick-randomization.diff
Modified:
glibc-package/trunk/debian/changelog
glibc-package/trunk/debian/patches/series
Log:
* Add patches/any/submitted-leading-zero-stack-guard.diff and
patches/any/submitted-stack-guard-quick-randomization.diff from Ubuntu and
Fedora to improve stack randomisation. Closes: #568488.
Modified: glibc-package/trunk/debian/changelog
===================================================================
--- glibc-package/trunk/debian/changelog 2010-02-07 12:59:01 UTC (rev 4141)
+++ glibc-package/trunk/debian/changelog 2010-02-07 13:03:49 UTC (rev 4142)
@@ -12,6 +12,9 @@
arguments.
* Add patches/ia64/submitted-memchr.diff to fix memchr() overshoot on ia64.
Closes: #563882
+ * Add patches/any/submitted-leading-zero-stack-guard.diff and
+ patches/any/submitted-stack-guard-quick-randomization.diff from Ubuntu and
+ Fedora to improve stack randomisation. Closes: #568488.
[ Samuel Thibault ]
* patches/hurd-i386/local-pthread.diff: New hurd-only patch to provide
@@ -26,7 +29,7 @@
* patches/hurd-i386/submitted-getnprocs.diff: New patch to add get_nprocs()
and such weak aliases.
- -- Aurelien Jarno <aurel32@debian.org> Fri, 05 Feb 2010 21:11:00 +0100
+ -- Aurelien Jarno <aurel32@debian.org> Sun, 07 Feb 2010 14:02:27 +0100
eglibc (2.10.2-5) unstable; urgency=low
Added: glibc-package/trunk/debian/patches/any/submitted-leading-zero-stack-guard.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/submitted-leading-zero-stack-guard.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/submitted-leading-zero-stack-guard.diff 2010-02-07 13:03:49 UTC (rev 4142)
@@ -0,0 +1,54 @@
+Description: require that the first byte in the stack guard in a NULL byte,
+ to improve mitigation of NULL-terminated string overflows.
+Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=10149
+Bug-Ubuntu: https://bugs.launchpad.net/bugs/413278
+Author: Kees Cook <kees.cook@canonical.com>
+
+--- a/sysdeps/unix/sysv/linux/dl-osinfo.h
++++ b/sysdeps/unix/sysv/linux/dl-osinfo.h
+@@ -65,7 +65,12 @@
+ static inline uintptr_t __attribute__ ((always_inline))
+ _dl_setup_stack_chk_guard (void *dl_random)
+ {
+- uintptr_t ret;
++ uintptr_t ret = 0;
++ /* Having a leading zero byte protects the stack guard from being
++ overwritten with str* write operations or exposed by an
++ unterminated str* read operation. */
++ unsigned char *p = ((unsigned char *) &ret) + 1;
++ int size = sizeof (ret) - 1;
+ #ifndef __ASSUME_AT_RANDOM
+ if (__builtin_expect (dl_random == NULL, 0))
+ {
+@@ -73,16 +78,16 @@
+ int fd = __open ("/dev/urandom", O_RDONLY);
+ if (fd >= 0)
+ {
+- ssize_t reslen = __read (fd, &ret, sizeof (ret));
++ ssize_t reslen = __read (fd, p, size);
+ __close (fd);
+- if (reslen == (ssize_t) sizeof (ret))
++ if (reslen == (ssize_t) size)
+ return ret;
+ }
+ # endif
+- ret = 0;
+- unsigned char *p = (unsigned char *) &ret;
+- p[sizeof (ret) - 1] = 255;
+- p[sizeof (ret) - 2] = '\n';
++ /* Lacking any other form of randomized stack guard, add other
++ terminators in an attempt to block things like fgets, etc. */
++ p[size - 1] = 255;
++ p[size - 2] = '\n';
+ #ifdef HP_TIMING_NOW
+ hp_timing_t hpt;
+ HP_TIMING_NOW (hpt);
+@@ -115,7 +120,7 @@
+ /* We need in the moment only 8 bytes on 32-bit platforms and 16
+ bytes on 64-bit platforms. Therefore we can use the data
+ directly and not use the kernel-provided data to seed a PRNG. */
+- memcpy (&ret, dl_random, sizeof (ret));
++ memcpy (p, dl_random, size);
+ return ret;
+ }
+
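Review bot: The second hunk of this patch (`@@ -73,16 +78,16 @@`) carries `#ifdef HP_TIMING_NOW` and `hp_timing_t hpt;` as context, lines that on this page appear only as additions in submitted-stack-guard-quick-randomization.diff, while that patch's own context still shows the pre-leading-zero `unsigned char *p = (unsigned char *) &ret;` form; with series listing the leading-zero patch first, one of the two seems able to apply only with fuzz, if at all, unless the base tree already carries those lines. Either regenerate this patch against the unpatched dl-osinfo.h or order the series the other way and refresh the quick-randomization hunk against the new `p`/`size` form. The new `p = ((unsigned char *) &ret) + 1` keeps the lowest-addressed byte zero on both byte orders, which is the property a string-overflow terminator needs; a one-line comment saying so would spare the next reader the endianness check, e.g. `/* Byte 0 in memory stays 0 on both byte orders: str* writes stop there. */`. The short-read path after `__read` still falls through to the fixed terminators with whatever partial bytes landed in `ret`, which is unchanged here but worth noting in the same comment. _dl_setup_stack_chk_guard continues outside the hunk.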
Added: glibc-package/trunk/debian/patches/any/submitted-stack-guard-quick-randomization.diff
===================================================================
--- glibc-package/trunk/debian/patches/any/submitted-stack-guard-quick-randomization.diff (rev 0)
+++ glibc-package/trunk/debian/patches/any/submitted-stack-guard-quick-randomization.diff 2010-02-07 13:03:49 UTC (rev 4142)
@@ -0,0 +1,119 @@
+Description: when AT_RANDOM is not available, attempt to build randomization
+ of stack guard value from the ASLR of stack and heap locations, and finally
+ the hp_timing_t value. Upstream glibc does not want this patch, as they
+ feel AT_RANDOM is sufficient.
+Author: Jakub Jelinek
+Origin: http://cvs.fedora.redhat.com/viewvc/devel/glibc/
+Forwarded: not-needed
+
+---
+ elf/tst-stackguard1.c | 8 ++++++--
+ nptl/tst-stackguard1.c | 8 ++++++--
+ sysdeps/unix/sysv/linux/dl-osinfo.h | 29 +++++++++++++++++++++++++++++
+ 3 files changed, 41 insertions(+), 4 deletions(-)
+
+--- a/sysdeps/unix/sysv/linux/dl-osinfo.h
++++ b/sysdeps/unix/sysv/linux/dl-osinfo.h
+@@ -17,10 +17,13 @@
+ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
+ 02111-1307 USA. */
+
++#include <errno.h>
+ #include <kernel-features.h>
+ #include <dl-sysdep.h>
+ #include <fcntl.h>
+ #include <stdint.h>
++#include <hp-timing.h>
++#include <endian.h>
+
+ #ifndef MIN
+ # define MIN(a,b) (((a)<(b))?(a):(b))
+@@ -80,6 +83,32 @@
+ unsigned char *p = (unsigned char *) &ret;
+ p[sizeof (ret) - 1] = 255;
+ p[sizeof (ret) - 2] = '\n';
++#ifdef HP_TIMING_NOW
++ hp_timing_t hpt;
++ HP_TIMING_NOW (hpt);
++ hpt = (hpt & 0xffff) << 8;
++ ret ^= hpt;
++#endif
++ uintptr_t stk;
++ /* Avoid GCC being too smart. */
++ asm ("" : "=r" (stk) : "r" (p));
++ stk &= 0x7ffff0;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++ stk <<= (__WORDSIZE - 23);
++#elif __WORDSIZE == 64
++ stk <<= 31;
++#endif
++ ret ^= stk;
++ /* Avoid GCC being too smart. */
++ p = (unsigned char *) &errno;
++ asm ("" : "=r" (stk) : "r" (p));
++ stk &= 0x7fff00;
++#if __BYTE_ORDER == __LITTLE_ENDIAN
++ stk <<= (__WORDSIZE - 29);
++#else
++ stk >>= 8;
++#endif
++ ret ^= stk;
+ }
+ else
+ #endif
+Index: b/elf/tst-stackguard1.c
+===================================================================
+--- a/elf/tst-stackguard1.c
++++ b/elf/tst-stackguard1.c
+@@ -160,17 +160,21 @@
+ the 16 runs, something is very wrong. */
+ int ndifferences = 0;
+ int ndefaults = 0;
++ int npartlyrandomized = 0;
+ for (i = 0; i < N; ++i)
+ {
+ if (child_stack_chk_guards[i] != child_stack_chk_guards[i+1])
+ ndifferences++;
+ else if (child_stack_chk_guards[i] == default_guard)
+ ndefaults++;
++ else if (*(char *) &child_stack_chk_guards[i] == 0)
++ npartlyrandomized++;
+ }
+
+- printf ("differences %d defaults %d\n", ndifferences, ndefaults);
++ printf ("differences %d defaults %d partly randomized %d\n",
++ ndifferences, ndefaults, npartlyrandomized);
+
+- if (ndifferences < N / 2 && ndefaults < N / 2)
++ if ((ndifferences + ndefaults + npartlyrandomized) < 3 * N / 4)
+ {
+ puts ("stack guard canaries are not randomized enough");
+ puts ("nor equal to the default canary value");
+Index: b/nptl/tst-stackguard1.c
+===================================================================
+--- a/nptl/tst-stackguard1.c
++++ b/nptl/tst-stackguard1.c
+@@ -190,17 +190,21 @@
+ the 16 runs, something is very wrong. */
+ int ndifferences = 0;
+ int ndefaults = 0;
++ int npartlyrandomized = 0;
+ for (i = 0; i < N; ++i)
+ {
+ if (child_stack_chk_guards[i] != child_stack_chk_guards[i+1])
+ ndifferences++;
+ else if (child_stack_chk_guards[i] == default_guard)
+ ndefaults++;
++ else if (*(char *) &child_stack_chk_guards[i] == 0)
++ npartlyrandomized++;
+ }
+
+- printf ("differences %d defaults %d\n", ndifferences, ndefaults);
++ printf ("differences %d defaults %d partly randomized %d\n",
++ ndifferences, ndefaults, npartlyrandomized);
+
+- if (ndifferences < N / 2 && ndefaults < N / 2)
++ if ((ndifferences + ndefaults + npartlyrandomized) < 3 * N / 4)
+ {
+ puts ("stack guard canaries are not randomized enough");
+ puts ("nor equal to the default canary value");
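Review bot: The two `asm ("" : "=r" (stk) : "r" (p));` statements in the dl-osinfo.h hunk do not tie the output register to the input: with an empty template and independent `=r`/`r` operands the compiler may place them in different registers, in which case `stk` holds whatever that register contained rather than the address of `p`, and the ASLR-derived bits folded into `ret` are not the ones intended. A matching constraint makes the copy explicit at both sites: `asm ("" : "=r" (stk) : "0" (p));`. The masks `0x7ffff0` and `0x7fff00` together with the `__BYTE_ORDER`/`__WORDSIZE`-dependent shifts also deserve a comment stating what they select and where the bits land, e.g. `/* Keep the stack/heap ASLR bits in the high-order half, clear of the guard's first byte in memory. */`, since that placement is what the companion leading-zero patch and the `*(char *) &child_stack_chk_guards[i] == 0` test rely on. _dl_setup_stack_chk_guard begins outside the hunk.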
Modified: glibc-package/trunk/debian/patches/series
===================================================================
--- glibc-package/trunk/debian/patches/series 2010-02-07 12:59:01 UTC (rev 4141)
+++ glibc-package/trunk/debian/patches/series 2010-02-07 13:03:49 UTC (rev 4142)
@@ -233,3 +233,6 @@
any/submitted-nis-shadow.diff
any/local-no-SOCK_NONBLOCK.diff
any/cvs-malloc_info-init.diff
+any/submitted-leading-zero-stack-guard.diff
+any/submitted-stack-guard-quick-randomization.diff
+