mirror of
https://github.com/NixOS/nixpkgs.git
synced 2024-11-25 07:00:43 +00:00
glibc: Various CVE fixes
CVE-2012-4412, CVE-2012-4424, CVE-2013-4237, CVE-2013-4332, CVE-2013-4458, CVE-2013-4788.
This commit is contained in:
parent
ab377d2a3d
commit
101f62ad33
|
@ -53,6 +53,12 @@ stdenv.mkDerivation ({
|
|||
rfc3484_sort: Assertion `src->results[i].native == -1 ||
|
||||
src->results[i].native == a2_native' failed." crashes. */
|
||||
./glibc-rh739743.patch
|
||||
|
||||
./cve-2012-4412+4424.patch
|
||||
./cve-2013-4237.patch
|
||||
./cve-2013-4332.patch
|
||||
./cve-2013-4458.patch
|
||||
./cve-2013-4788.patch
|
||||
];
|
||||
|
||||
postPatch = ''
|
||||
|
|
1006
pkgs/development/libraries/glibc/2.18/cve-2012-4412+4424.patch
Normal file
1006
pkgs/development/libraries/glibc/2.18/cve-2012-4412+4424.patch
Normal file
File diff suppressed because it is too large
Load diff
302
pkgs/development/libraries/glibc/2.18/cve-2013-4237.patch
Normal file
302
pkgs/development/libraries/glibc/2.18/cve-2013-4237.patch
Normal file
|
@ -0,0 +1,302 @@
|
|||
commit 91ce40854d0b7f865cf5024ef95a8026b76096f3
|
||||
Author: Florian Weimer <fweimer@redhat.com>
|
||||
Date: Fri Aug 16 09:38:52 2013 +0200
|
||||
|
||||
CVE-2013-4237, BZ #14699: Buffer overflow in readdir_r
|
||||
|
||||
* sysdeps/posix/dirstream.h (struct __dirstream): Add errcode
|
||||
member.
|
||||
* sysdeps/posix/opendir.c (__alloc_dir): Initialize errcode
|
||||
member.
|
||||
* sysdeps/posix/rewinddir.c (rewinddir): Reset errcode member.
|
||||
* sysdeps/posix/readdir_r.c (__READDIR_R): Enforce NAME_MAX limit.
|
||||
Return delayed error code. Remove GETDENTS_64BIT_ALIGNED
|
||||
conditional.
|
||||
* sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c: Do not define
|
||||
GETDENTS_64BIT_ALIGNED.
|
||||
* sysdeps/unix/sysv/linux/i386/readdir64_r.c: Likewise.
|
||||
* manual/filesys.texi (Reading/Closing Directory): Document
|
||||
ENAMETOOLONG return value of readdir_r. Recommend readdir more
|
||||
strongly.
|
||||
* manual/conf.texi (Limits for Files): Add portability note to
|
||||
NAME_MAX, PATH_MAX.
|
||||
(Pathconf): Add portability note for _PC_NAME_MAX, _PC_PATH_MAX.
|
||||
|
||||
diff --git a/manual/conf.texi b/manual/conf.texi
|
||||
index 7eb8b36..c720063 100644
|
||||
--- a/manual/conf.texi
|
||||
+++ b/manual/conf.texi
|
||||
@@ -1149,6 +1149,9 @@ typed ahead as input. @xref{I/O Queues}.
|
||||
@deftypevr Macro int NAME_MAX
|
||||
The uniform system limit (if any) for the length of a file name component, not
|
||||
including the terminating null character.
|
||||
+
|
||||
+@strong{Portability Note:} On some systems, @theglibc{} defines
|
||||
+@code{NAME_MAX}, but does not actually enforce this limit.
|
||||
@end deftypevr
|
||||
|
||||
@comment limits.h
|
||||
@@ -1157,6 +1160,9 @@ including the terminating null character.
|
||||
The uniform system limit (if any) for the length of an entire file name (that
|
||||
is, the argument given to system calls such as @code{open}), including the
|
||||
terminating null character.
|
||||
+
|
||||
+@strong{Portability Note:} @Theglibc{} does not enforce this limit
|
||||
+even if @code{PATH_MAX} is defined.
|
||||
@end deftypevr
|
||||
|
||||
@cindex limits, pipe buffer size
|
||||
@@ -1476,6 +1482,9 @@ Inquire about the value of @code{POSIX_REC_MIN_XFER_SIZE}.
|
||||
Inquire about the value of @code{POSIX_REC_XFER_ALIGN}.
|
||||
@end table
|
||||
|
||||
+@strong{Portability Note:} On some systems, @theglibc{} does not
|
||||
+enforce @code{_PC_NAME_MAX} or @code{_PC_PATH_MAX} limits.
|
||||
+
|
||||
@node Utility Limits
|
||||
@section Utility Program Capacity Limits
|
||||
|
||||
diff --git a/manual/filesys.texi b/manual/filesys.texi
|
||||
index 1df9cf2..814c210 100644
|
||||
--- a/manual/filesys.texi
|
||||
+++ b/manual/filesys.texi
|
||||
@@ -444,9 +444,9 @@ symbols are declared in the header file @file{dirent.h}.
|
||||
@comment POSIX.1
|
||||
@deftypefun {struct dirent *} readdir (DIR *@var{dirstream})
|
||||
This function reads the next entry from the directory. It normally
|
||||
-returns a pointer to a structure containing information about the file.
|
||||
-This structure is statically allocated and can be rewritten by a
|
||||
-subsequent call.
|
||||
+returns a pointer to a structure containing information about the
|
||||
+file. This structure is associated with the @var{dirstream} handle
|
||||
+and can be rewritten by a subsequent call.
|
||||
|
||||
@strong{Portability Note:} On some systems @code{readdir} may not
|
||||
return entries for @file{.} and @file{..}, even though these are always
|
||||
@@ -461,19 +461,61 @@ conditions are defined for this function:
|
||||
The @var{dirstream} argument is not valid.
|
||||
@end table
|
||||
|
||||
-@code{readdir} is not thread safe. Multiple threads using
|
||||
-@code{readdir} on the same @var{dirstream} may overwrite the return
|
||||
-value. Use @code{readdir_r} when this is critical.
|
||||
+To distinguish between an end-of-directory condition or an error, you
|
||||
+must set @code{errno} to zero before calling @code{readdir}. To avoid
|
||||
+entering an infinite loop, you should stop reading from the directory
|
||||
+after the first error.
|
||||
+
|
||||
+In POSIX.1-2008, @code{readdir} is not thread-safe. In @theglibc{}
|
||||
+implementation, it is safe to call @code{readdir} concurrently on
|
||||
+different @var{dirstream}s, but multiple threads accessing the same
|
||||
+@var{dirstream} result in undefined behavior. @code{readdir_r} is a
|
||||
+fully thread-safe alternative, but suffers from poor portability (see
|
||||
+below). It is recommended that you use @code{readdir}, with external
|
||||
+locking if multiple threads access the same @var{dirstream}.
|
||||
@end deftypefun
|
||||
|
||||
@comment dirent.h
|
||||
@comment GNU
|
||||
@deftypefun int readdir_r (DIR *@var{dirstream}, struct dirent *@var{entry}, struct dirent **@var{result})
|
||||
-This function is the reentrant version of @code{readdir}. Like
|
||||
-@code{readdir} it returns the next entry from the directory. But to
|
||||
-prevent conflicts between simultaneously running threads the result is
|
||||
-not stored in statically allocated memory. Instead the argument
|
||||
-@var{entry} points to a place to store the result.
|
||||
+This function is a version of @code{readdir} which performs internal
|
||||
+locking. Like @code{readdir} it returns the next entry from the
|
||||
+directory. To prevent conflicts between simultaneously running
|
||||
+threads the result is stored inside the @var{entry} object.
|
||||
+
|
||||
+@strong{Portability Note:} It is recommended to use @code{readdir}
|
||||
+instead of @code{readdir_r} for the following reasons:
|
||||
+
|
||||
+@itemize @bullet
|
||||
+@item
|
||||
+On systems which do not define @code{NAME_MAX}, it may not be possible
|
||||
+to use @code{readdir_r} safely because the caller does not specify the
|
||||
+length of the buffer for the directory entry.
|
||||
+
|
||||
+@item
|
||||
+On some systems, @code{readdir_r} cannot read directory entries with
|
||||
+very long names. If such a name is encountered, @theglibc{}
|
||||
+implementation of @code{readdir_r} returns with an error code of
|
||||
+@code{ENAMETOOLONG} after the final directory entry has been read. On
|
||||
+other systems, @code{readdir_r} may return successfully, but the
|
||||
+@code{d_name} member may not be NUL-terminated or may be truncated.
|
||||
+
|
||||
+@item
|
||||
+POSIX-1.2008 does not guarantee that @code{readdir} is thread-safe,
|
||||
+even when access to the same @var{dirstream} is serialized. But in
|
||||
+current implementations (including @theglibc{}), it is safe to call
|
||||
+@code{readdir} concurrently on different @var{dirstream}s, so there is
|
||||
+no need to use @code{readdir_r} in most multi-threaded programs. In
|
||||
+the rare case that multiple threads need to read from the same
|
||||
+@var{dirstream}, it is still better to use @code{readdir} and external
|
||||
+synchronization.
|
||||
+
|
||||
+@item
|
||||
+It is expected that future versions of POSIX will obsolete
|
||||
+@code{readdir_r} and mandate the level of thread safety for
|
||||
+@code{readdir} which is provided by @theglibc{} and other
|
||||
+implementations today.
|
||||
+@end itemize
|
||||
|
||||
Normally @code{readdir_r} returns zero and sets @code{*@var{result}}
|
||||
to @var{entry}. If there are no more entries in the directory or an
|
||||
@@ -481,15 +523,6 @@ error is detected, @code{readdir_r} sets @code{*@var{result}} to a
|
||||
null pointer and returns a nonzero error code, also stored in
|
||||
@code{errno}, as described for @code{readdir}.
|
||||
|
||||
-@strong{Portability Note:} On some systems @code{readdir_r} may not
|
||||
-return a NUL terminated string for the file name, even when there is no
|
||||
-@code{d_reclen} field in @code{struct dirent} and the file
|
||||
-name is the maximum allowed size. Modern systems all have the
|
||||
-@code{d_reclen} field, and on old systems multi-threading is not
|
||||
-critical. In any case there is no such problem with the @code{readdir}
|
||||
-function, so that even on systems without the @code{d_reclen} member one
|
||||
-could use multiple threads by using external locking.
|
||||
-
|
||||
It is also important to look at the definition of the @code{struct
|
||||
dirent} type. Simply passing a pointer to an object of this type for
|
||||
the second parameter of @code{readdir_r} might not be enough. Some
|
||||
diff --git a/sysdeps/posix/dirstream.h b/sysdeps/posix/dirstream.h
|
||||
index a7a074d..8e8570d 100644
|
||||
--- a/sysdeps/posix/dirstream.h
|
||||
+++ b/sysdeps/posix/dirstream.h
|
||||
@@ -39,6 +39,8 @@ struct __dirstream
|
||||
|
||||
off_t filepos; /* Position of next entry to read. */
|
||||
|
||||
+ int errcode; /* Delayed error code. */
|
||||
+
|
||||
/* Directory block. */
|
||||
char data[0] __attribute__ ((aligned (__alignof__ (void*))));
|
||||
};
|
||||
diff --git a/sysdeps/posix/opendir.c b/sysdeps/posix/opendir.c
|
||||
index ddfc3a7..fc05b0f 100644
|
||||
--- a/sysdeps/posix/opendir.c
|
||||
+++ b/sysdeps/posix/opendir.c
|
||||
@@ -231,6 +231,7 @@ __alloc_dir (int fd, bool close_fd, int flags, const struct stat64 *statp)
|
||||
dirp->size = 0;
|
||||
dirp->offset = 0;
|
||||
dirp->filepos = 0;
|
||||
+ dirp->errcode = 0;
|
||||
|
||||
return dirp;
|
||||
}
|
||||
diff --git a/sysdeps/posix/readdir_r.c b/sysdeps/posix/readdir_r.c
|
||||
index b5a8e2e..8ed5c3f 100644
|
||||
--- a/sysdeps/posix/readdir_r.c
|
||||
+++ b/sysdeps/posix/readdir_r.c
|
||||
@@ -40,6 +40,7 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
||||
DIRENT_TYPE *dp;
|
||||
size_t reclen;
|
||||
const int saved_errno = errno;
|
||||
+ int ret;
|
||||
|
||||
__libc_lock_lock (dirp->lock);
|
||||
|
||||
@@ -70,10 +71,10 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
||||
bytes = 0;
|
||||
__set_errno (saved_errno);
|
||||
}
|
||||
+ if (bytes < 0)
|
||||
+ dirp->errcode = errno;
|
||||
|
||||
dp = NULL;
|
||||
- /* Reclen != 0 signals that an error occurred. */
|
||||
- reclen = bytes != 0;
|
||||
break;
|
||||
}
|
||||
dirp->size = (size_t) bytes;
|
||||
@@ -106,29 +107,46 @@ __READDIR_R (DIR *dirp, DIRENT_TYPE *entry, DIRENT_TYPE **result)
|
||||
dirp->filepos += reclen;
|
||||
#endif
|
||||
|
||||
- /* Skip deleted files. */
|
||||
+#ifdef NAME_MAX
|
||||
+ if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
|
||||
+ {
|
||||
+ /* The record is very long. It could still fit into the
|
||||
+ caller-supplied buffer if we can skip padding at the
|
||||
+ end. */
|
||||
+ size_t namelen = _D_EXACT_NAMLEN (dp);
|
||||
+ if (namelen <= NAME_MAX)
|
||||
+ reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
|
||||
+ else
|
||||
+ {
|
||||
+ /* The name is too long. Ignore this file. */
|
||||
+ dirp->errcode = ENAMETOOLONG;
|
||||
+ dp->d_ino = 0;
|
||||
+ continue;
|
||||
+ }
|
||||
+ }
|
||||
+#endif
|
||||
+
|
||||
+ /* Skip deleted and ignored files. */
|
||||
}
|
||||
while (dp->d_ino == 0);
|
||||
|
||||
if (dp != NULL)
|
||||
{
|
||||
-#ifdef GETDENTS_64BIT_ALIGNED
|
||||
- /* The d_reclen value might include padding which is not part of
|
||||
- the DIRENT_TYPE data structure. */
|
||||
- reclen = MIN (reclen,
|
||||
- offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
|
||||
-#endif
|
||||
*result = memcpy (entry, dp, reclen);
|
||||
-#ifdef GETDENTS_64BIT_ALIGNED
|
||||
+#ifdef _DIRENT_HAVE_D_RECLEN
|
||||
entry->d_reclen = reclen;
|
||||
#endif
|
||||
+ ret = 0;
|
||||
}
|
||||
else
|
||||
- *result = NULL;
|
||||
+ {
|
||||
+ *result = NULL;
|
||||
+ ret = dirp->errcode;
|
||||
+ }
|
||||
|
||||
__libc_lock_unlock (dirp->lock);
|
||||
|
||||
- return dp != NULL ? 0 : reclen ? errno : 0;
|
||||
+ return ret;
|
||||
}
|
||||
|
||||
#ifdef __READDIR_R_ALIAS
|
||||
diff --git a/sysdeps/posix/rewinddir.c b/sysdeps/posix/rewinddir.c
|
||||
index 2935a8e..d4991ad 100644
|
||||
--- a/sysdeps/posix/rewinddir.c
|
||||
+++ b/sysdeps/posix/rewinddir.c
|
||||
@@ -33,6 +33,7 @@ rewinddir (dirp)
|
||||
dirp->filepos = 0;
|
||||
dirp->offset = 0;
|
||||
dirp->size = 0;
|
||||
+ dirp->errcode = 0;
|
||||
#ifndef NOT_IN_libc
|
||||
__libc_lock_unlock (dirp->lock);
|
||||
#endif
|
||||
diff --git a/sysdeps/unix/sysv/linux/i386/readdir64_r.c b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
||||
index 8ebbcfd..a7d114e 100644
|
||||
--- a/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
||||
+++ b/sysdeps/unix/sysv/linux/i386/readdir64_r.c
|
||||
@@ -18,7 +18,6 @@
|
||||
#define __READDIR_R __readdir64_r
|
||||
#define __GETDENTS __getdents64
|
||||
#define DIRENT_TYPE struct dirent64
|
||||
-#define GETDENTS_64BIT_ALIGNED 1
|
||||
|
||||
#include <sysdeps/posix/readdir_r.c>
|
||||
|
||||
diff --git a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
||||
index 5ed8e95..290f2c8 100644
|
||||
--- a/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
||||
+++ b/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c
|
||||
@@ -1,5 +1,4 @@
|
||||
#define readdir64_r __no_readdir64_r_decl
|
||||
-#define GETDENTS_64BIT_ALIGNED 1
|
||||
#include <sysdeps/posix/readdir_r.c>
|
||||
#undef readdir64_r
|
||||
weak_alias (__readdir_r, readdir64_r)
|
56
pkgs/development/libraries/glibc/2.18/cve-2013-4332.patch
Normal file
56
pkgs/development/libraries/glibc/2.18/cve-2013-4332.patch
Normal file
|
@ -0,0 +1,56 @@
|
|||
https://projects.archlinux.org/svntogit/packages.git/tree/trunk/glibc-2.18-malloc-corrupt-CVE-2013-4332.patch?h=packages/glibc
|
||||
|
||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||||
index dd295f5..7f43ba3 100644
|
||||
--- a/malloc/malloc.c
|
||||
+++ b/malloc/malloc.c
|
||||
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
|
||||
size_t page_mask = GLRO(dl_pagesize) - 1;
|
||||
size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
void *(*hook) (size_t, size_t, const void *) =
|
||||
force_reg (__memalign_hook);
|
||||
if (__builtin_expect (hook != NULL, 0))
|
||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||||
index 7f43ba3..3148c5f 100644
|
||||
--- a/malloc/malloc.c
|
||||
+++ b/malloc/malloc.c
|
||||
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
|
||||
|
||||
size_t pagesz = GLRO(dl_pagesize);
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - pagesz - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
void *(*hook) (size_t, size_t, const void *) =
|
||||
force_reg (__memalign_hook);
|
||||
if (__builtin_expect (hook != NULL, 0))
|
||||
diff --git a/malloc/malloc.c b/malloc/malloc.c
|
||||
index 3148c5f..f7718a9 100644
|
||||
--- a/malloc/malloc.c
|
||||
+++ b/malloc/malloc.c
|
||||
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
|
||||
/* Otherwise, ensure that it is at least a minimum chunk size */
|
||||
if (alignment < MINSIZE) alignment = MINSIZE;
|
||||
|
||||
+ /* Check for overflow. */
|
||||
+ if (bytes > SIZE_MAX - alignment - MINSIZE)
|
||||
+ {
|
||||
+ __set_errno (ENOMEM);
|
||||
+ return 0;
|
||||
+ }
|
||||
+
|
||||
arena_get(ar_ptr, bytes + alignment + MINSIZE);
|
||||
if(!ar_ptr)
|
||||
return 0;
|
50
pkgs/development/libraries/glibc/2.18/cve-2013-4458.patch
Normal file
50
pkgs/development/libraries/glibc/2.18/cve-2013-4458.patch
Normal file
|
@ -0,0 +1,50 @@
|
|||
commit 7cbcdb3699584db8913ca90f705d6337633ee10f
|
||||
Author: Siddhesh Poyarekar <siddhesh@redhat.com>
|
||||
Date: Fri Oct 25 10:22:12 2013 +0530
|
||||
|
||||
Fix stack overflow due to large AF_INET6 requests
|
||||
|
||||
Resolves #16072 (CVE-2013-4458).
|
||||
|
||||
This patch fixes another stack overflow in getaddrinfo when it is
|
||||
called with AF_INET6. The AF_UNSPEC case was fixed as CVE-2013-1914,
|
||||
but the AF_INET6 case went undetected back then.
|
||||
|
||||
diff --git a/sysdeps/posix/getaddrinfo.c b/sysdeps/posix/getaddrinfo.c
|
||||
index e6ce4cf..8ff74b4 100644
|
||||
--- a/sysdeps/posix/getaddrinfo.c
|
||||
+++ b/sysdeps/posix/getaddrinfo.c
|
||||
@@ -197,7 +197,22 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
|
||||
&rc, &herrno, NULL, &localcanon)); \
|
||||
if (rc != ERANGE || herrno != NETDB_INTERNAL) \
|
||||
break; \
|
||||
- tmpbuf = extend_alloca (tmpbuf, tmpbuflen, 2 * tmpbuflen); \
|
||||
+ if (!malloc_tmpbuf && __libc_use_alloca (alloca_used + 2 * tmpbuflen)) \
|
||||
+ tmpbuf = extend_alloca_account (tmpbuf, tmpbuflen, 2 * tmpbuflen, \
|
||||
+ alloca_used); \
|
||||
+ else \
|
||||
+ { \
|
||||
+ char *newp = realloc (malloc_tmpbuf ? tmpbuf : NULL, \
|
||||
+ 2 * tmpbuflen); \
|
||||
+ if (newp == NULL) \
|
||||
+ { \
|
||||
+ result = -EAI_MEMORY; \
|
||||
+ goto free_and_return; \
|
||||
+ } \
|
||||
+ tmpbuf = newp; \
|
||||
+ malloc_tmpbuf = true; \
|
||||
+ tmpbuflen = 2 * tmpbuflen; \
|
||||
+ } \
|
||||
} \
|
||||
if (status == NSS_STATUS_SUCCESS && rc == 0) \
|
||||
h = &th; \
|
||||
@@ -209,7 +224,8 @@ gaih_inet_serv (const char *servicename, const struct gaih_typeproto *tp,
|
||||
{ \
|
||||
__set_h_errno (herrno); \
|
||||
_res.options |= old_res_options & RES_USE_INET6; \
|
||||
- return -EAI_SYSTEM; \
|
||||
+ result = -EAI_SYSTEM; \
|
||||
+ goto free_and_return; \
|
||||
} \
|
||||
if (herrno == TRY_AGAIN) \
|
||||
no_data = EAI_AGAIN; \
|
222
pkgs/development/libraries/glibc/2.18/cve-2013-4788.patch
Normal file
222
pkgs/development/libraries/glibc/2.18/cve-2013-4788.patch
Normal file
|
@ -0,0 +1,222 @@
|
|||
commit c61b4d41c9647a54a329aa021341c0eb032b793e
|
||||
Author: Carlos O'Donell <carlos@redhat.com>
|
||||
Date: Mon Sep 23 00:52:09 2013 -0400
|
||||
|
||||
BZ #15754: CVE-2013-4788
|
||||
|
||||
The pointer guard used for pointer mangling was not initialized for
|
||||
static applications resulting in the security feature being disabled.
|
||||
The pointer guard is now correctly initialized to a random value for
|
||||
static applications. Existing static applications need to be
|
||||
recompiled to take advantage of the fix.
|
||||
|
||||
The test tst-ptrguard1-static and tst-ptrguard1 add regression
|
||||
coverage to ensure the pointer guards are sufficiently random
|
||||
and initialized to a default value.
|
||||
|
||||
diff --git a/csu/libc-start.c b/csu/libc-start.c
|
||||
index e5da3ef..c898d06 100644
|
||||
--- a/csu/libc-start.c
|
||||
+++ b/csu/libc-start.c
|
||||
@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
|
||||
in thread local area. */
|
||||
uintptr_t __stack_chk_guard attribute_relro;
|
||||
# endif
|
||||
+# ifndef THREAD_SET_POINTER_GUARD
|
||||
+/* Only exported for architectures that don't store the pointer guard
|
||||
+ value in thread local area. */
|
||||
+uintptr_t __pointer_chk_guard_local
|
||||
+ attribute_relro attribute_hidden __attribute__ ((nocommon));
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_PTR_NTHREADS
|
||||
@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
|
||||
# else
|
||||
__stack_chk_guard = stack_chk_guard;
|
||||
# endif
|
||||
+
|
||||
+ /* Set up the pointer guard value. */
|
||||
+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
|
||||
+ stack_chk_guard);
|
||||
+# ifdef THREAD_SET_POINTER_GUARD
|
||||
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
|
||||
+# else
|
||||
+ __pointer_chk_guard_local = pointer_chk_guard;
|
||||
+# endif
|
||||
+
|
||||
#endif
|
||||
|
||||
/* Register the destructor of the dynamic linker if there is any. */
|
||||
diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
|
||||
index dc683c2..3907293 100644
|
||||
--- a/ports/sysdeps/ia64/stackguard-macros.h
|
||||
+++ b/ports/sysdeps/ia64/stackguard-macros.h
|
||||
@@ -2,3 +2,6 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
||||
diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
|
||||
index 589ea2b..f2e041b 100644
|
||||
--- a/ports/sysdeps/tile/stackguard-macros.h
|
||||
+++ b/ports/sysdeps/tile/stackguard-macros.h
|
||||
@@ -4,11 +4,17 @@
|
||||
# if __WORDSIZE == 64
|
||||
# define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
|
||||
+# define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
|
||||
# else
|
||||
# define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
|
||||
+# define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
|
||||
# endif
|
||||
#else
|
||||
# define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
|
||||
+# define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
|
||||
#endif
|
||||
diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
|
||||
index ababf65..4fa3d96 100644
|
||||
--- a/sysdeps/generic/stackguard-macros.h
|
||||
+++ b/sysdeps/generic/stackguard-macros.h
|
||||
@@ -2,3 +2,6 @@
|
||||
|
||||
extern uintptr_t __stack_chk_guard;
|
||||
#define STACK_CHK_GUARD __stack_chk_guard
|
||||
+
|
||||
+extern uintptr_t __pointer_chk_guard_local;
|
||||
+#define POINTER_CHK_GUARD __pointer_chk_guard_local
|
||||
diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
|
||||
index 8c31e19..0397629 100644
|
||||
--- a/sysdeps/i386/stackguard-macros.h
|
||||
+++ b/sysdeps/i386/stackguard-macros.h
|
||||
@@ -2,3 +2,11 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ \
|
||||
+ uintptr_t x; \
|
||||
+ asm ("movl %%gs:%c1, %0" : "=r" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
|
||||
+ x; \
|
||||
+ })
|
||||
diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
||||
index 839f6a4..b3d0af8 100644
|
||||
--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
||||
+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
||||
@@ -2,3 +2,13 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ \
|
||||
+ uintptr_t x; \
|
||||
+ asm ("lwz %0,%1(2)" \
|
||||
+ : "=r" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
||||
+ ); \
|
||||
+ x; \
|
||||
+ })
|
||||
diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
||||
index 9da879c..4620f96 100644
|
||||
--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
||||
+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
||||
@@ -2,3 +2,13 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ \
|
||||
+ uintptr_t x; \
|
||||
+ asm ("ld %0,%1(2)" \
|
||||
+ : "=r" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
||||
+ ); \
|
||||
+ x; \
|
||||
+ })
|
||||
diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
|
||||
index b74c579..449e8d4 100644
|
||||
--- a/sysdeps/s390/s390-32/stackguard-macros.h
|
||||
+++ b/sysdeps/s390/s390-32/stackguard-macros.h
|
||||
@@ -2,3 +2,14 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
|
||||
+
|
||||
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
||||
+ same value as the stack guard. */
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ \
|
||||
+ uintptr_t x; \
|
||||
+ asm ("ear %0,%%a0; l %0,%1(%0)" \
|
||||
+ : "=a" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
||||
+ x; \
|
||||
+ })
|
||||
diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
|
||||
index 0cebb5f..c8270fb 100644
|
||||
--- a/sysdeps/s390/s390-64/stackguard-macros.h
|
||||
+++ b/sysdeps/s390/s390-64/stackguard-macros.h
|
||||
@@ -2,3 +2,17 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
|
||||
+
|
||||
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
||||
+ same value as the stack guard. */
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ \
|
||||
+ uintptr_t x; \
|
||||
+ asm ("ear %0,%%a0;" \
|
||||
+ "sllg %0,%0,32;" \
|
||||
+ "ear %0,%%a1;" \
|
||||
+ "lg %0,%1(%0)" \
|
||||
+ : "=a" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
||||
+ x; \
|
||||
+ })
|
||||
diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
|
||||
index c0b02b0..1eef0f1 100644
|
||||
--- a/sysdeps/sparc/sparc32/stackguard-macros.h
|
||||
+++ b/sysdeps/sparc/sparc32/stackguard-macros.h
|
||||
@@ -2,3 +2,6 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
|
||||
diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
|
||||
index 80f0635..cc0c12c 100644
|
||||
--- a/sysdeps/sparc/sparc64/stackguard-macros.h
|
||||
+++ b/sysdeps/sparc/sparc64/stackguard-macros.h
|
||||
@@ -2,3 +2,6 @@
|
||||
|
||||
#define STACK_CHK_GUARD \
|
||||
({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
|
||||
diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
|
||||
index d7fedb3..1948800 100644
|
||||
--- a/sysdeps/x86_64/stackguard-macros.h
|
||||
+++ b/sysdeps/x86_64/stackguard-macros.h
|
||||
@@ -4,3 +4,8 @@
|
||||
({ uintptr_t x; \
|
||||
asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
||||
: "i" (offsetof (tcbhead_t, stack_guard))); x; })
|
||||
+
|
||||
+#define POINTER_CHK_GUARD \
|
||||
+ ({ uintptr_t x; \
|
||||
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
||||
+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
|
Loading…
Reference in a new issue