powerel7
/
base
2
0
Fork 0
Code Issues Pull Requests Releases Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
646 Commits
1 Branch
0 Tags
390 MiB
 
 
 
 
 
 
Tree: b558cfd63a
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from 'b558cfd63a'
${ noResults }
base/SOURCES/glibc-rh990481-CVE-2013-478...

428 lines
14 KiB
Raw Blame History

#
# As of 2013-08-09 this patch is posted upstream here, but not checked in yet:
# http://sourceware.org/ml/libc-alpha/2013-07/msg00367.html
# http://sourceware.org/ml/libc-alpha/2013-08/msg00057.html
#
# Red Hat bug:
# https://bugzilla.redhat.com/show_bug.cgi?id=990481
#
# Upstream bug:
# http://sourceware.org/bugzilla/show_bug.cgi?id=15754
#
# 2013-07-19 Carlos O'Donell <carlos@redhat.com>
#
# [BZ #15754]
# * elf/Makefile (tests): Add tst-ptrguard1.
# (tests-static): Add tst-ptrguard1-static.
# (tst-ptrguard1-ARGS): Define.
# (tst-ptrguard1-static-ARGS): Define.
# * elf/tst-ptrguard1.c: New file.
# * elf/tst-ptrguard1-static.c: New file.
# * sysdeps/x86_64/stackguard-macros.h: Define POINTER_CHK_GUARD.
# * sysdeps/i386/stackguard-macros.h: Likewise.
# * sysdeps/powerpc/powerpc32/stackguard-macros.h: Likewise.
# * sysdeps/powerpc/powerpc64/stackguard-macros.h: Likewise.
# * sysdeps/s390/s390-32/stackguard-macros.h: Likewise.
# * sysdeps/s390/s390-64/stackguard-macros.h: Likewise.
#
# 2013-07-19 Hector Marco <hecmargi@upv.es>
# Ismael Ripoll <iripoll@disca.upv.es>
# Carlos O'Donell <carlos@redhat.com>
#
# [BZ #15754]
# * sysdeps/generic/stackguard-macros.h: Define __pointer_chk_guard_local
# and POINTER_CHK_GUARD.
# * csu/libc-start.c [!SHARED && !THREAD_SET_POINTER_GUARD]:
# Define __pointer_chk_guard_local.
# (LIBC_START_MAIN) [!SHARED]: Call _dl_setup_pointer_guard.
# Use THREAD_SET_POINTER_GUARD or set __pointer_chk_guard_local.
#
diff -urN glibc-2.17-c758a686/csu/libc-start.c glibc-2.17-c758a686/csu/libc-start.c
--- glibc-2.17-c758a686/csu/libc-start.c 2013-08-09 17:40:41.662856773 -0400
+++ glibc-2.17-c758a686/csu/libc-start.c 2013-08-09 17:53:40.383236966 -0400
@@ -38,6 +38,12 @@
in thread local area. */
uintptr_t __stack_chk_guard attribute_relro;
# endif
+# ifndef THREAD_SET_POINTER_GUARD
+/* Only exported for architectures that don't store the pointer guard
+ value in thread local area. */
+uintptr_t __pointer_chk_guard_local
+ attribute_relro attribute_hidden __attribute__ ((nocommon));
+# endif
#endif
#ifdef HAVE_PTR_NTHREADS
@@ -184,6 +190,16 @@
# else
__stack_chk_guard = stack_chk_guard;
# endif
+
+ /* Set up the pointer guard value. */
+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+ stack_chk_guard);
+# ifdef THREAD_SET_POINTER_GUARD
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+# else
+ __pointer_chk_guard_local = pointer_chk_guard;
+# endif
+
#endif
/* Register the destructor of the dynamic linker if there is any. */
diff -urN glibc-2.17-c758a686/elf/Makefile glibc-2.17-c758a686/elf/Makefile
--- glibc-2.17-c758a686/elf/Makefile 2013-08-09 17:40:41.757856472 -0400
+++ glibc-2.17-c758a686/elf/Makefile 2013-08-09 17:53:40.383236966 -0400
@@ -121,7 +121,8 @@
tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \
tst-array1 tst-array2 tst-array3 tst-array4 tst-array5
tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \
- tst-leaks1-static tst-array1-static tst-array5-static
+ tst-leaks1-static tst-array1-static tst-array5-static \
+ tst-ptrguard1-static
ifeq (yes,$(build-shared))
tests-static += tst-tls9-static
tst-tls9-static-ENV = \
@@ -145,7 +146,7 @@
tst-audit1 tst-audit2 tst-audit8 tst-audit9 \
tst-stackguard1 tst-addr1 tst-thrlock \
tst-unique1 tst-unique2 tst-unique3 tst-unique4 \
- tst-initorder tst-initorder2 tst-relsort1
+ tst-initorder tst-initorder2 tst-relsort1 tst-ptrguard1
# reldep9
test-srcs = tst-pathopt
selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null)
@@ -1062,6 +1063,9 @@
tst-stackguard1-ARGS = --command "$(host-built-program-cmd) --child"
tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
+tst-ptrguard1-ARGS = --command "$(host-built-program-cmd) --child"
+tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
+
$(objpfx)tst-leaks1: $(libdl)
$(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out
$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@
diff -urN glibc-2.17-c758a686/elf/tst-ptrguard1.c glibc-2.17-c758a686/elf/tst-ptrguard1.c
--- glibc-2.17-c758a686/elf/tst-ptrguard1.c 1969-12-31 19:00:00.000000000 -0500
+++ glibc-2.17-c758a686/elf/tst-ptrguard1.c 2013-08-09 17:53:40.383236966 -0400
@@ -0,0 +1,202 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stackguard-macros.h>
+#include <tls.h>
+#include <unistd.h>
+
+#ifndef POINTER_CHK_GUARD
+extern uintptr_t __pointer_chk_guard_local;
+# define POINTER_CHK_GUARD __pointer_chk_guard_local
+#endif
+
+static const char *command;
+static bool child;
+static uintptr_t ptr_chk_guard_copy;
+static bool ptr_chk_guard_copy_set;
+static int fds[2];
+
+static void __attribute__ ((constructor))
+con (void)
+{
+ ptr_chk_guard_copy = POINTER_CHK_GUARD;
+ ptr_chk_guard_copy_set = true;
+}
+
+static int
+uintptr_t_cmp (const void *a, const void *b)
+{
+ if (*(uintptr_t *) a < *(uintptr_t *) b)
+ return 1;
+ if (*(uintptr_t *) a > *(uintptr_t *) b)
+ return -1;
+ return 0;
+}
+
+static int
+do_test (void)
+{
+ if (!ptr_chk_guard_copy_set)
+ {
+ puts ("constructor has not been run");
+ return 1;
+ }
+
+ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
+ {
+ puts ("POINTER_CHK_GUARD changed between constructor and do_test");
+ return 1;
+ }
+
+ if (child)
+ {
+ write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy));
+ return 0;
+ }
+
+ if (command == NULL)
+ {
+ puts ("missing --command or --child argument");
+ return 1;
+ }
+
+#define N 16
+ uintptr_t child_ptr_chk_guards[N + 1];
+ child_ptr_chk_guards[N] = ptr_chk_guard_copy;
+ int i;
+ for (i = 0; i < N; ++i)
+ {
+ if (pipe (fds) < 0)
+ {
+ printf ("couldn't create pipe: %m\n");
+ return 1;
+ }
+
+ pid_t pid = fork ();
+ if (pid < 0)
+ {
+ printf ("fork failed: %m\n");
+ return 1;
+ }
+
+ if (!pid)
+ {
+ if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
+ {
+ puts ("POINTER_CHK_GUARD changed after fork");
+ exit (1);
+ }
+
+ close (fds[0]);
+ close (2);
+ dup2 (fds[1], 2);
+ close (fds[1]);
+
+ system (command);
+ exit (0);
+ }
+
+ close (fds[1]);
+
+ if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i],
+ sizeof (uintptr_t))) != sizeof (uintptr_t))
+ {
+ puts ("could not read ptr_chk_guard value from child");
+ return 1;
+ }
+
+ close (fds[0]);
+
+ pid_t termpid;
+ int status;
+ termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
+ if (termpid == -1)
+ {
+ printf ("waitpid failed: %m\n");
+ return 1;
+ }
+ else if (termpid != pid)
+ {
+ printf ("waitpid returned %ld != %ld\n",
+ (long int) termpid, (long int) pid);
+ return 1;
+ }
+ else if (!WIFEXITED (status) || WEXITSTATUS (status))
+ {
+ puts ("child hasn't exited with exit status 0");
+ return 1;
+ }
+ }
+
+ qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp);
+
+ /* The default pointer guard is the same as the default stack guard.
+ They are only set to default if dl_random is NULL. */
+ uintptr_t default_guard = 0;
+ unsigned char *p = (unsigned char *) &default_guard;
+ p[sizeof (uintptr_t) - 1] = 255;
+ p[sizeof (uintptr_t) - 2] = '\n';
+ p[0] = 0;
+
+ /* Test if the pointer guard canaries are either randomized,
+ or equal to the default pointer guard canary value.
+ Even with randomized pointer guards it might happen
+ that the random number generator generates the same
+ values, but if that happens in more than half from
+ the 16 runs, something is very wrong. */
+ int ndifferences = 0;
+ int ndefaults = 0;
+ for (i = 0; i < N; ++i)
+ {
+ if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1])
+ ndifferences++;
+ else if (child_ptr_chk_guards[i] == default_guard)
+ ndefaults++;
+ }
+
+ printf ("differences %d defaults %d\n", ndifferences, ndefaults);
+
+ if (ndifferences < N / 2 && ndefaults < N / 2)
+ {
+ puts ("pointer guard canaries are not randomized enough");
+ puts ("nor equal to the default canary value");
+ return 1;
+ }
+
+ return 0;
+}
+
+#define OPT_COMMAND 10000
+#define OPT_CHILD 10001
+#define CMDLINE_OPTIONS \
+ { "command", required_argument, NULL, OPT_COMMAND }, \
+ { "child", no_argument, NULL, OPT_CHILD },
+#define CMDLINE_PROCESS \
+ case OPT_COMMAND: \
+ command = optarg; \
+ break; \
+ case OPT_CHILD: \
+ child = true; \
+ break;
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"
diff -urN glibc-2.17-c758a686/elf/tst-ptrguard1-static.c glibc-2.17-c758a686/elf/tst-ptrguard1-static.c
--- glibc-2.17-c758a686/elf/tst-ptrguard1-static.c 1969-12-31 19:00:00.000000000 -0500
+++ glibc-2.17-c758a686/elf/tst-ptrguard1-static.c 2013-08-09 17:53:40.384236962 -0400
@@ -0,0 +1 @@
+#include "tst-ptrguard1.c"
diff -urN glibc-2.17-c758a686/sysdeps/generic/stackguard-macros.h glibc-2.17-c758a686/sysdeps/generic/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/generic/stackguard-macros.h 2013-08-09 17:40:41.917855965 -0400
+++ glibc-2.17-c758a686/sysdeps/generic/stackguard-macros.h 2013-08-09 17:53:40.384236962 -0400
@@ -2,3 +2,6 @@
extern uintptr_t __stack_chk_guard;
#define STACK_CHK_GUARD __stack_chk_guard
+
+extern uintptr_t __pointer_chk_guard_local;
+#define POINTER_CHK_GUARD __pointer_chk_guard_local
diff -urN glibc-2.17-c758a686/sysdeps/i386/stackguard-macros.h glibc-2.17-c758a686/sysdeps/i386/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/i386/stackguard-macros.h 2013-08-09 17:40:41.893856041 -0400
+++ glibc-2.17-c758a686/sysdeps/i386/stackguard-macros.h 2013-08-09 22:44:04.774298862 -0400
@@ -2,3 +2,11 @@
#define STACK_CHK_GUARD \
({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("movl %%gs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
+ x; \
+ })
diff -urN glibc-2.17-c758a686/sysdeps/powerpc/powerpc32/stackguard-macros.h glibc-2.17-c758a686/sysdeps/powerpc/powerpc32/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/powerpc/powerpc32/stackguard-macros.h 2013-08-09 17:40:42.006855683 -0400
+++ glibc-2.17-c758a686/sysdeps/powerpc/powerpc32/stackguard-macros.h 2013-08-09 22:24:48.778793075 -0400
@@ -2,3 +2,13 @@
#define STACK_CHK_GUARD \
({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("lwz %0,%1(2)" \
+ : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
+ ); \
+ x; \
+ })
diff -urN glibc-2.17-c758a686/sysdeps/powerpc/powerpc64/stackguard-macros.h glibc-2.17-c758a686/sysdeps/powerpc/powerpc64/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/powerpc/powerpc64/stackguard-macros.h 2013-08-09 17:40:41.994855721 -0400
+++ glibc-2.17-c758a686/sysdeps/powerpc/powerpc64/stackguard-macros.h 2013-08-09 22:24:47.831795865 -0400
@@ -2,3 +2,13 @@
#define STACK_CHK_GUARD \
({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ld %0,%1(13)" \
+ : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
+ ); \
+ x; \
+ })
diff -urN glibc-2.17-c758a686/sysdeps/s390/s390-32/stackguard-macros.h glibc-2.17-c758a686/sysdeps/s390/s390-32/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/s390/s390-32/stackguard-macros.h 2013-08-09 17:40:42.059855515 -0400
+++ glibc-2.17-c758a686/sysdeps/s390/s390-32/stackguard-macros.h 2013-08-09 22:39:31.913120373 -0400
@@ -2,3 +2,15 @@
#define STACK_CHK_GUARD \
({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+ same value as the stack guard. */
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ear %0,%%a0; l %0,%1(%0)" \
+ : "=a" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
+ x; \
+ })
+
diff -urN glibc-2.17-c758a686/sysdeps/x86_64/stackguard-macros.h glibc-2.17-c758a686/sysdeps/x86_64/stackguard-macros.h
--- glibc-2.17-c758a686/sysdeps/x86_64/stackguard-macros.h 2013-08-09 17:40:42.013855661 -0400
+++ glibc-2.17-c758a686/sysdeps/x86_64/stackguard-macros.h 2013-08-09 22:44:53.550153736 -0400
@@ -4,3 +4,11 @@
({ uintptr_t x; \
asm ("mov %%fs:%c1, %0" : "=r" (x) \
: "i" (offsetof (tcbhead_t, stack_guard))); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
+ x; \
+ })
--- glibc-2.17-c758a686/sysdeps/s390/s390-64/stackguard-macros.h 2013-08-09 17:40:42.057855522 -0400
+++ glibc-2.17-c758a686/sysdeps/s390/s390-64/stackguard-macros.h 2013-08-26 15:21:27.239043425 -0400
@@ -2,3 +2,17 @@
#define STACK_CHK_GUARD \
({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+ same value as the stack guard. */
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ear %0,%%a0;" \
+ "sllg %0,%0,32;" \
+ "ear %0,%%a1;" \
+ "lg %0,%1(%0)" \
+ : "=a" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
+ x; \
+ })