r5865 - in glibc-package/branches/glibc-branch-wheezy/debian: . patches patches/any
Author: aurel32
Date: 2013-12-04 10:43:52 +0000 (Wed, 04 Dec 2013)
New Revision: 5865
Added:
glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4788.diff
Modified:
glibc-package/branches/glibc-branch-wheezy/debian/changelog
glibc-package/branches/glibc-branch-wheezy/debian/patches/series
Log:
* patches/any/cvs-CVE-2013-4788.diff: backport patch to fix PTR_MANGLE
ineffectivity for statically linked binaries, addressing CVE-2013-4788
(Closes: #717178). *** Note that static binaries need to be recompiled
to take advantage of the fix ***.
Modified: glibc-package/branches/glibc-branch-wheezy/debian/changelog
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-04 07:51:51 UTC (rev 5864)
+++ glibc-package/branches/glibc-branch-wheezy/debian/changelog 2013-12-04 10:43:52 UTC (rev 5865)
@@ -20,6 +20,10 @@
* patches/any/cvs-CVE-2013-4458.diff: backport stack (frame) overflow fixes
in getaddrinfo() when called with AF_INET6, addressing CVE-2013-4458
(Closes: #727181).
+ * patches/any/cvs-CVE-2013-4788.diff: backport patch to fix PTR_MANGLE
+ ineffectivity for statically linked binaries, addressing CVE-2013-4788
+ (Closes: #717178). *** Note that static binaries need to be recompiled
+ to take advantage of the fix ***.
* patches/any/cvs-findlocale-div-by-zero.diff: patch from upstream to fix
a SIGFPE when locale-archive has been corrupted to all zeros (Closes:
#718890, #730336).
Added: glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4788.diff
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4788.diff (rev 0)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/any/cvs-CVE-2013-4788.diff 2013-12-04 10:43:52 UTC (rev 5865)
@@ -0,0 +1,420 @@
+2013-09-25 Adhemerval Zanella <azanella@linux.vnet.ibm.com>
+
+ * sysdeps/powerpc/powerpc64/stackguard-macros.h (POINTER_CHK_GUARD:
+ Fix thread ID register.
+
+2013-09-23 Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15754]
+ * sysdeps/generic/stackguard-macros.h: If PTRGUARD_LOCAL use
+ __pointer_chk_guard_local, otherwise __pointer_chk_guard.
+ * elf/Makefile: Define CFLAGS-tst-ptrguard1-static.c.
+
+ [BZ #15754]
+ * elf/Makefile (tests): Add tst-ptrguard1.
+ (tests-static): Add tst-ptrguard1-static.
+ (tst-ptrguard1-ARGS): Define.
+ (tst-ptrguard1-static-ARGS): Define.
+ * elf/tst-ptrguard1.c: New file.
+ * elf/tst-ptrguard1-static.c: New file.
+ * sysdeps/x86_64/stackguard-macros.h: Define POINTER_CHK_GUARD.
+ * sysdeps/i386/stackguard-macros.h: Likewise.
+ * sysdeps/powerpc/powerpc32/stackguard-macros.h: Likewise.
+ * sysdeps/powerpc/powerpc64/stackguard-macros.h: Likewise.
+ * sysdeps/s390/s390-32/stackguard-macros.h: Likewise.
+ * sysdeps/s390/s390-64/stackguard-macros.h: Likewise.
+ * sysdeps/sparc/sparc32/stackguard-macros.h: Likewise.
+ * sysdeps/sparc/sparc64/stackguard-macros.h: Likewise.
+
+2013-09-23 Hector Marco <hecmargi@upv.es>
+ Ismael Ripoll <iripoll@disca.upv.es>
+ Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15754]
+ * sysdeps/generic/stackguard-macros.h: Define
+ __pointer_chk_guard_local and POINTER_CHK_GUARD.
+ * csu/libc-start.c [!SHARED && !THREAD_SET_POINTER_GUARD]:
+ Define __pointer_chk_guard_local.
+ (LIBC_START_MAIN) [!SHARED]: Call _dl_setup_pointer_guard.
+ Use THREAD_SET_POINTER_GUARD or set __pointer_chk_guard_local.
+
+2013-09-22 Carlos O'Donell <carlos@redhat.com>
+
+ [BZ #15754]
+ * sysdeps/ia64/stackguard-macros.h: Define POINTER_CHK_GUARD.
+
+
+--- a/csu/libc-start.c
++++ b/csu/libc-start.c
+@@ -39,6 +39,12 @@
+ in thread local area. */
+ uintptr_t __stack_chk_guard attribute_relro;
+ # endif
++# ifndef THREAD_SET_POINTER_GUARD
++/* Only exported for architectures that don't store the pointer guard
++ value in thread local area. */
++uintptr_t __pointer_chk_guard_local
++ attribute_relro attribute_hidden __attribute__ ((nocommon));
++# endif
+ #endif
+
+ #ifdef HAVE_PTR_NTHREADS
+@@ -154,6 +160,16 @@
+ # else
+ __stack_chk_guard = stack_chk_guard;
+ # endif
++
++ /* Set up the pointer guard value. */
++ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
++ stack_chk_guard);
++# ifdef THREAD_SET_POINTER_GUARD
++ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
++# else
++ __pointer_chk_guard_local = pointer_chk_guard;
++# endif
++
+ #endif
+
+ /* Register the destructor of the dynamic linker if there is any. */
+--- a/elf/Makefile
++++ b/elf/Makefile
+@@ -179,7 +179,7 @@
+ tests += tst-array1 tst-array2 tst-array3 tst-array4 tst-array5
+ endif
+ ifeq (yes,$(build-static))
+-tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static
++tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static tst-ptrguard1-static
+ ifeq (yesyesyes,$(build-static)$(build-shared)$(elf))
+ tests-static += tst-tls9-static
+ tst-tls9-static-ENV = \
+@@ -208,7 +208,8 @@
+ tst-audit1 tst-audit2 \
+ tst-stackguard1 tst-addr1 tst-thrlock \
+ tst-unique1 tst-unique2 \
+- tst-initorder
++ tst-initorder \
++ tst-ptrguard1
+ # reldep9
+ test-srcs = tst-pathopt
+ tests-execstack-yes = tst-execstack tst-execstack-needed tst-execstack-prog
+@@ -1076,6 +1077,12 @@
+ tst-stackguard1-ARGS = --command "$(local-built-program-cmd) --child"
+ tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
+
++tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child"
++# When built statically, the pointer guard interface uses
++# __pointer_chk_guard_local.
++CFLAGS-tst-ptrguard1-static.c = -DPTRGUARD_LOCAL
++tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
++
+ $(objpfx)tst-leaks1: $(libdl)
+ $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out
+ $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@
+--- /dev/null
++++ b/elf/tst-ptrguard1-static.c
+@@ -0,0 +1 @@
++#include "tst-ptrguard1.c"
+--- /dev/null
++++ b/elf/tst-ptrguard1.c
+@@ -0,0 +1,202 @@
++/* Copyright (C) 2013 Free Software Foundation, Inc.
++ This file is part of the GNU C Library.
++
++ The GNU C Library is free software; you can redistribute it and/or
++ modify it under the terms of the GNU Lesser General Public
++ License as published by the Free Software Foundation; either
++ version 2.1 of the License, or (at your option) any later version.
++
++ The GNU C Library is distributed in the hope that it will be useful,
++ but WITHOUT ANY WARRANTY; without even the implied warranty of
++ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
++ Lesser General Public License for more details.
++
++ You should have received a copy of the GNU Lesser General Public
++ License along with the GNU C Library; if not, see
++ <http://www.gnu.org/licenses/>. */
++
++#include <errno.h>
++#include <stdbool.h>
++#include <stdio.h>
++#include <stdlib.h>
++#include <string.h>
++#include <sys/wait.h>
++#include <stackguard-macros.h>
++#include <tls.h>
++#include <unistd.h>
++
++#ifndef POINTER_CHK_GUARD
++extern uintptr_t __pointer_chk_guard;
++# define POINTER_CHK_GUARD __pointer_chk_guard
++#endif
++
++static const char *command;
++static bool child;
++static uintptr_t ptr_chk_guard_copy;
++static bool ptr_chk_guard_copy_set;
++static int fds[2];
++
++static void __attribute__ ((constructor))
++con (void)
++{
++ ptr_chk_guard_copy = POINTER_CHK_GUARD;
++ ptr_chk_guard_copy_set = true;
++}
++
++static int
++uintptr_t_cmp (const void *a, const void *b)
++{
++ if (*(uintptr_t *) a < *(uintptr_t *) b)
++ return 1;
++ if (*(uintptr_t *) a > *(uintptr_t *) b)
++ return -1;
++ return 0;
++}
++
++static int
++do_test (void)
++{
++ if (!ptr_chk_guard_copy_set)
++ {
++ puts ("constructor has not been run");
++ return 1;
++ }
++
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed between constructor and do_test");
++ return 1;
++ }
++
++ if (child)
++ {
++ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy));
++ return 0;
++ }
++
++ if (command == NULL)
++ {
++ puts ("missing --command or --child argument");
++ return 1;
++ }
++
++#define N 16
++ uintptr_t child_ptr_chk_guards[N + 1];
++ child_ptr_chk_guards[N] = ptr_chk_guard_copy;
++ int i;
++ for (i = 0; i < N; ++i)
++ {
++ if (pipe (fds) < 0)
++ {
++ printf ("couldn't create pipe: %m\n");
++ return 1;
++ }
++
++ pid_t pid = fork ();
++ if (pid < 0)
++ {
++ printf ("fork failed: %m\n");
++ return 1;
++ }
++
++ if (!pid)
++ {
++ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
++ {
++ puts ("POINTER_CHK_GUARD changed after fork");
++ exit (1);
++ }
++
++ close (fds[0]);
++ close (2);
++ dup2 (fds[1], 2);
++ close (fds[1]);
++
++ system (command);
++ exit (0);
++ }
++
++ close (fds[1]);
++
++ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i],
++ sizeof (uintptr_t))) != sizeof (uintptr_t))
++ {
++ puts ("could not read ptr_chk_guard value from child");
++ return 1;
++ }
++
++ close (fds[0]);
++
++ pid_t termpid;
++ int status;
++ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
++ if (termpid == -1)
++ {
++ printf ("waitpid failed: %m\n");
++ return 1;
++ }
++ else if (termpid != pid)
++ {
++ printf ("waitpid returned %ld != %ld\n",
++ (long int) termpid, (long int) pid);
++ return 1;
++ }
++ else if (!WIFEXITED (status) || WEXITSTATUS (status))
++ {
++ puts ("child hasn't exited with exit status 0");
++ return 1;
++ }
++ }
++
++ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp);
++
++ /* The default pointer guard is the same as the default stack guard.
++ They are only set to default if dl_random is NULL. */
++ uintptr_t default_guard = 0;
++ unsigned char *p = (unsigned char *) &default_guard;
++ p[sizeof (uintptr_t) - 1] = 255;
++ p[sizeof (uintptr_t) - 2] = '\n';
++ p[0] = 0;
++
++ /* Test if the pointer guard canaries are either randomized,
++ or equal to the default pointer guard value.
++ Even with randomized pointer guards it might happen
++ that the random number generator generates the same
++ values, but if that happens in more than half from
++ the 16 runs, something is very wrong. */
++ int ndifferences = 0;
++ int ndefaults = 0;
++ for (i = 0; i < N; ++i)
++ {
++ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1])
++ ndifferences++;
++ else if (child_ptr_chk_guards[i] == default_guard)
++ ndefaults++;
++ }
++
++ printf ("differences %d defaults %d\n", ndifferences, ndefaults);
++
++ if (ndifferences < N / 2 && ndefaults < N / 2)
++ {
++ puts ("pointer guard values are not randomized enough");
++ puts ("nor equal to the default value");
++ return 1;
++ }
++
++ return 0;
++}
++
++#define OPT_COMMAND 10000
++#define OPT_CHILD 10001
++#define CMDLINE_OPTIONS \
++ { "command", required_argument, NULL, OPT_COMMAND }, \
++ { "child", no_argument, NULL, OPT_CHILD },
++#define CMDLINE_PROCESS \
++ case OPT_COMMAND: \
++ command = optarg; \
++ break; \
++ case OPT_CHILD: \
++ child = true; \
++ break;
++#define TEST_FUNCTION do_test ()
++#include "../test-skeleton.c"
+--- a/elf/stackguard-macros.h
++++ b/elf/stackguard-macros.h
+@@ -3,31 +3,96 @@
+ #ifdef __i386__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("movl %%gs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); \
++ x; \
++ })
+ #elif defined __x86_64__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("movq %%fs:0x28, %0" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; \
++ asm ("mov %%fs:%c1, %0" : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
+ #elif defined __powerpc64__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ld %0,%1(13)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+ #elif defined __powerpc__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("lwz %0,%1(2)" \
++ : "=r" (x) \
++ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
++ ); \
++ x; \
++ })
+ #elif defined __sparc__ && defined __arch64__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
+ #elif defined __sparc__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
+ #elif defined __s390x__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0;" \
++ "sllg %0,%0,32;" \
++ "ear %0,%%a1;" \
++ "lg %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+ #elif defined __s390__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
++/* On s390/s390x there is no unique pointer guard, instead we use the
++ same value as the stack guard. */
++#define POINTER_CHK_GUARD \
++ ({ \
++ uintptr_t x; \
++ asm ("ear %0,%%a0; l %0,%1(%0)" \
++ : "=a" (x) \
++ : "i" (offsetof (tcbhead_t, stack_guard))); \
++ x; \
++ })
+ #elif defined __ia64__
+ # define STACK_CHK_GUARD \
+ ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
++#define POINTER_CHK_GUARD \
++ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
+ #else
+ extern uintptr_t __stack_chk_guard;
+ # define STACK_CHK_GUARD __stack_chk_guard
++#ifdef PTRGUARD_LOCAL
++extern uintptr_t __pointer_chk_guard_local;
++# define POINTER_CHK_GUARD __pointer_chk_guard_local
++#else
++extern uintptr_t __pointer_chk_guard;
++# define POINTER_CHK_GUARD __pointer_chk_guard
++#endif
+ #endif
Modified: glibc-package/branches/glibc-branch-wheezy/debian/patches/series
===================================================================
--- glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-04 07:51:51 UTC (rev 5864)
+++ glibc-package/branches/glibc-branch-wheezy/debian/patches/series 2013-12-04 10:43:52 UTC (rev 5865)
@@ -381,4 +381,5 @@
any/cvs-CVE-2013-4237.diff
any/cvs-CVE-2013-4332.diff
any/cvs-CVE-2013-4458.diff
+any/cvs-CVE-2013-4788.diff
any/cvs-findlocale-div-by-zero.diff
Reply to: