101f62ad33
CVE-2012-4412, CVE-2012-4424, CVE-2013-4237, CVE-2013-4332, CVE-2013-4458, CVE-2013-4788.
223 lines
7.8 KiB
Diff
223 lines
7.8 KiB
Diff
commit c61b4d41c9647a54a329aa021341c0eb032b793e
|
|
Author: Carlos O'Donell <carlos@redhat.com>
|
|
Date: Mon Sep 23 00:52:09 2013 -0400
|
|
|
|
BZ #15754: CVE-2013-4788
|
|
|
|
The pointer guard used for pointer mangling was not initialized for
|
|
static applications resulting in the security feature being disabled.
|
|
The pointer guard is now correctly initialized to a random value for
|
|
static applications. Existing static applications need to be
|
|
recompiled to take advantage of the fix.
|
|
|
|
The test tst-ptrguard1-static and tst-ptrguard1 add regression
|
|
coverage to ensure the pointer guards are sufficiently random
|
|
and initialized to a default value.
|
|
|
|
diff --git a/csu/libc-start.c b/csu/libc-start.c
|
|
index e5da3ef..c898d06 100644
|
|
--- a/csu/libc-start.c
|
|
+++ b/csu/libc-start.c
|
|
@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
|
|
in thread local area. */
|
|
uintptr_t __stack_chk_guard attribute_relro;
|
|
# endif
|
|
+# ifndef THREAD_SET_POINTER_GUARD
|
|
+/* Only exported for architectures that don't store the pointer guard
|
|
+ value in thread local area. */
|
|
+uintptr_t __pointer_chk_guard_local
|
|
+ attribute_relro attribute_hidden __attribute__ ((nocommon));
|
|
+# endif
|
|
#endif
|
|
|
|
#ifdef HAVE_PTR_NTHREADS
|
|
@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
|
|
# else
|
|
__stack_chk_guard = stack_chk_guard;
|
|
# endif
|
|
+
|
|
+ /* Set up the pointer guard value. */
|
|
+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
|
|
+ stack_chk_guard);
|
|
+# ifdef THREAD_SET_POINTER_GUARD
|
|
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
|
|
+# else
|
|
+ __pointer_chk_guard_local = pointer_chk_guard;
|
|
+# endif
|
|
+
|
|
#endif
|
|
|
|
/* Register the destructor of the dynamic linker if there is any. */
|
|
diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
|
|
index dc683c2..3907293 100644
|
|
--- a/ports/sysdeps/ia64/stackguard-macros.h
|
|
+++ b/ports/sysdeps/ia64/stackguard-macros.h
|
|
@@ -2,3 +2,6 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
|
|
diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
|
|
index 589ea2b..f2e041b 100644
|
|
--- a/ports/sysdeps/tile/stackguard-macros.h
|
|
+++ b/ports/sysdeps/tile/stackguard-macros.h
|
|
@@ -4,11 +4,17 @@
|
|
# if __WORDSIZE == 64
|
|
# define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
|
|
+# define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
|
|
# else
|
|
# define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
|
|
+# define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
|
|
# endif
|
|
#else
|
|
# define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
|
|
+# define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
|
|
#endif
|
|
diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
|
|
index ababf65..4fa3d96 100644
|
|
--- a/sysdeps/generic/stackguard-macros.h
|
|
+++ b/sysdeps/generic/stackguard-macros.h
|
|
@@ -2,3 +2,6 @@
|
|
|
|
extern uintptr_t __stack_chk_guard;
|
|
#define STACK_CHK_GUARD __stack_chk_guard
|
|
+
|
|
+extern uintptr_t __pointer_chk_guard_local;
|
|
+#define POINTER_CHK_GUARD __pointer_chk_guard_local
|
|
diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
|
|
index 8c31e19..0397629 100644
|
|
--- a/sysdeps/i386/stackguard-macros.h
|
|
+++ b/sysdeps/i386/stackguard-macros.h
|
|
@@ -2,3 +2,11 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ \
|
|
+ uintptr_t x; \
|
|
+ asm ("movl %%gs:%c1, %0" : "=r" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
|
|
+ x; \
|
|
+ })
|
|
diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
index 839f6a4..b3d0af8 100644
|
|
--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
|
|
@@ -2,3 +2,13 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ \
|
|
+ uintptr_t x; \
|
|
+ asm ("lwz %0,%1(2)" \
|
|
+ : "=r" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
|
+ ); \
|
|
+ x; \
|
|
+ })
|
|
diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
index 9da879c..4620f96 100644
|
|
--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
|
|
@@ -2,3 +2,13 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ \
|
|
+ uintptr_t x; \
|
|
+ asm ("ld %0,%1(2)" \
|
|
+ : "=r" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
|
|
+ ); \
|
|
+ x; \
|
|
+ })
|
|
diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
|
|
index b74c579..449e8d4 100644
|
|
--- a/sysdeps/s390/s390-32/stackguard-macros.h
|
|
+++ b/sysdeps/s390/s390-32/stackguard-macros.h
|
|
@@ -2,3 +2,14 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
|
|
+
|
|
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
|
+ same value as the stack guard. */
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ \
|
|
+ uintptr_t x; \
|
|
+ asm ("ear %0,%%a0; l %0,%1(%0)" \
|
|
+ : "=a" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
|
+ x; \
|
|
+ })
|
|
diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
|
|
index 0cebb5f..c8270fb 100644
|
|
--- a/sysdeps/s390/s390-64/stackguard-macros.h
|
|
+++ b/sysdeps/s390/s390-64/stackguard-macros.h
|
|
@@ -2,3 +2,17 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
|
|
+
|
|
+/* On s390/s390x there is no unique pointer guard, instead we use the
|
|
+ same value as the stack guard. */
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ \
|
|
+ uintptr_t x; \
|
|
+ asm ("ear %0,%%a0;" \
|
|
+ "sllg %0,%0,32;" \
|
|
+ "ear %0,%%a1;" \
|
|
+ "lg %0,%1(%0)" \
|
|
+ : "=a" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
|
|
+ x; \
|
|
+ })
|
|
diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
index c0b02b0..1eef0f1 100644
|
|
--- a/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
+++ b/sysdeps/sparc/sparc32/stackguard-macros.h
|
|
@@ -2,3 +2,6 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
|
|
diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
index 80f0635..cc0c12c 100644
|
|
--- a/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
+++ b/sysdeps/sparc/sparc64/stackguard-macros.h
|
|
@@ -2,3 +2,6 @@
|
|
|
|
#define STACK_CHK_GUARD \
|
|
({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
|
|
diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
|
|
index d7fedb3..1948800 100644
|
|
--- a/sysdeps/x86_64/stackguard-macros.h
|
|
+++ b/sysdeps/x86_64/stackguard-macros.h
|
|
@@ -4,3 +4,8 @@
|
|
({ uintptr_t x; \
|
|
asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
|
: "i" (offsetof (tcbhead_t, stack_guard))); x; })
|
|
+
|
|
+#define POINTER_CHK_GUARD \
|
|
+ ({ uintptr_t x; \
|
|
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
|
|
+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })
|