diff --git a/SOURCES/glibc-rh1452720-1.patch b/SOURCES/glibc-rh1452720-1.patch
new file mode 100644
index 0000000..95e615a
--- /dev/null
+++ b/SOURCES/glibc-rh1452720-1.patch
@@ -0,0 +1,23 @@
+commit TBD
+Author: Florian Weimer
+Date: Fri May 19 17:46:47 2017 +0200
+
+ rtld: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+Index: glibc-2.17-c758a686/elf/rtld.c
+===================================================================
+--- glibc-2.17-c758a686.orig/elf/rtld.c
++++ glibc-2.17-c758a686/elf/rtld.c
+@@ -2580,7 +2701,8 @@ process_envvars (enum mode *modep)
+
+ case 12:
+ /* The library search path. */
+- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++ if (!__libc_enable_secure
++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ {
+ library_path = &envline[13];
+ break;
diff --git a/SOURCES/glibc-rh1452720-2.patch b/SOURCES/glibc-rh1452720-2.patch
new file mode 100644
index 0000000..ca74956
--- /dev/null
+++ b/SOURCES/glibc-rh1452720-2.patch
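Review bot: The new guard spells the flag as plain `__libc_enable_secure`, while the helper `dso_name_valid_for_suid` added by glibc-rh1452720-2.patch (and the dl_main loop it replaces) spell it `INTUSE(__libc_enable_secure)`, and glibc-rh1452720-4.patch uses the plain form again. Both forms presumably resolve in this tree, but a series touching four sites should settle on one; since the plain name is what both process_envvars hunks use, `dso_name_valid_for_suid` could drop the INTUSE wrapper to match. The patch header also still reads `commit TBD` (likewise in patches 2 and 3), so nothing ties the backport to its upstream change; replace it with the upstream commit id, e.g. `commit <UPSTREAM-COMMIT-ID>`, once that is known. process_envvars begins and ends outside this hunk.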
@@ -0,0 +1,103 @@
+commit TBD
+Author: Florian Weimer
+Date: Fri May 19 17:46:47 2017 +0200
+
+ rtld: Reject overly long LD_PRELOAD path elements
+
+Index: b/elf/rtld.c
+===================================================================
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,22 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+
++/* Check that AT_SECURE=0, or that the passed name does not contain
++ directories and is not overly long. Reject empty names
++ unconditionally. */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++ if (__builtin_expect (INTUSE(__libc_enable_secure), 0))
++ {
++ /* Ignore pathnames with directories for AT_SECURE=1
++ programs, and also skip overlong names. */
++ size_t len = strlen (p);
++ if (len >= NAME_MAX || memchr (p, '/', len) != NULL)
++ return false;
++ }
++ return *p != '\0';
++}
+
+ /* List of auditing DSOs. */
+ static struct audit_list
+@@ -880,6 +896,44 @@ static const char *preloadlist attribute
+ /* Nonzero if information about versions has to be printed. */
+ static int version_info attribute_relro;
+
++/* The LD_PRELOAD environment variable gives list of libraries
++ separated by white space or colons that are loaded before the
++ executable's dependencies and prepended to the global scope list.
++ (If the binary is running setuid all elements containing a '/' are
++ ignored since it is insecure.) Return the number of preloads
++ performed. */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++ unsigned int npreloads = 0;
++ const char *p = preloadlist;
++ char fname[PATH_MAX];
++
++ while (*p != '\0')
++ {
++ /* Split preload list at space/colon. */
++ size_t len = strcspn (p, " :");
++ if (len > 0 && len < PATH_MAX)
++ {
++ memcpy (fname, p, len);
++ fname[len] = '\0';
++ }
++ else
++ fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ p += len;
++ if (*p == ' ' || *p == ':')
++ ++p;
++
++ if (dso_name_valid_for_suid (fname))
++ npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++ }
++ return npreloads;
++}
++
++
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ ElfW(Word) phnum,
+@@ -1611,23 +1665,8 @@ ERROR: ld.so: object '%s' cannot be load
+
+ if (__builtin_expect (preloadlist != NULL, 0))
+ {
+- /* The LD_PRELOAD environment variable gives list of libraries
+- separated by white space or colons that are loaded before the
+- executable's dependencies and prepended to the global scope
+- list. If the binary is running setuid all elements
+- containing a '/' are ignored since it is insecure. */
+- char *list = strdupa (preloadlist);
+- char *p;
+-
+ HP_TIMING_NOW (start);
+-
+- /* Prevent optimizing strsep. Speed is not important here. */
+- while ((p = (strsep) (&list, " :")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! INTUSE(__libc_enable_secure), 1)
+- || strchr (p, '/') == NULL))
+- npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++ npreloads += handle_ld_preload (preloadlist, main_map);
+ HP_TIMING_NOW (stop);
+ HP_TIMING_DIFF (diff, start, stop);
+ HP_TIMING_ACCUM_NT (load_time, diff);
diff --git a/SOURCES/glibc-rh1452720-3.patch b/SOURCES/glibc-rh1452720-3.patch
new file mode 100644
index 0000000..135ee52
--- /dev/null
+++ b/SOURCES/glibc-rh1452720-3.patch
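Review bot: `handle_ld_preload` is defined without `static`, unlike its sibling `dso_name_valid_for_suid` directly above it, so it gets external linkage in ld.so with no prototype declaring it; `static unsigned int` on the definition is enough. The header comment also under-describes what is skipped: besides '/' under setuid, `dso_name_valid_for_suid` rejects names of NAME_MAX bytes or longer in secure mode, and the `len < PATH_MAX` test drops elements of PATH_MAX bytes or longer silently in every mode, where the old strsep loop would still have handed them to do_preload and presumably reported the failure. Document that in the comment, e.g. `Elements of PATH_MAX bytes or longer are silently skipped; under AT_SECURE so are names containing '/' or of NAME_MAX bytes or longer.`. The LD_AUDIT iterator in glibc-rh1452720-3.patch has the same undocumented PATH_MAX cut-off.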
@@ -0,0 +1,196 @@
+commit TBD
+Author: Florian Weimer
+Date: Fri May 19 17:46:47 2017 +0200
+
+ rtld: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+Index: b/elf/rtld.c
+===================================================================
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -116,13 +116,91 @@ dso_name_valid_for_suid (const char *p)
+ return *p != '\0';
+ }
+
+-/* List of auditing DSOs. */
++/* LD_AUDIT variable contents. Must be processed before the
++ audit_list below. */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs. audit_list->next is the first
++ element. */
+ static struct audit_list
+ {
+ const char *name;
+ struct audit_list *next;
+ } *audit_list;
+
++/* Iterator for audit_list_string followed by audit_list. */
++struct audit_list_iter
++{
++ /* Tail of audit_list_string still needing processing, or NULL. */
++ const char *audit_list_tail;
++
++ /* The list element returned in the previous iteration. NULL before
++ the first element. */
++ struct audit_list *previous;
++
++ /* Scratch buffer for returning a name which is part of
++ audit_list_string. */
++ char fname[PATH_MAX];
++};
++
++/* Initialize an audit list iterator. */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++ iter->audit_list_tail = audit_list_string;
++ iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list. */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++ if (iter->audit_list_tail != NULL)
++ {
++ /* First iterate over audit_list_string. */
++ while (*iter->audit_list_tail != '\0')
++ {
++ /* Split audit list at colon. */
++ size_t len = strcspn (iter->audit_list_tail, ":");
++ if (len > 0 && len < PATH_MAX)
++ {
++ memcpy (iter->fname, iter->audit_list_tail, len);
++ iter->fname[len] = '\0';
++ }
++ else
++ /* Do not return this name to the caller. */
++ iter->fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ iter->audit_list_tail += len;
++ if (*iter->audit_list_tail == ':')
++ ++iter->audit_list_tail;
++
++ /* If the name is valid, return it. */
++ if (dso_name_valid_for_suid (iter->fname))
++ return iter->fname;
++ /* Otherwise, wrap around and try the next name. */
++ }
++ /* Fall through to the procesing of audit_list. */
++ }
++
++ if (iter->previous == NULL)
++ {
++ if (audit_list == NULL)
++ /* No pre-parsed audit list. */
++ return NULL;
++ /* Start of audit list. The first list element is at
++ audit_list->next (cyclic list). */
++ iter->previous = audit_list->next;
++ return iter->previous->name;
++ }
++ if (iter->previous == audit_list)
++ /* Cyclic list wrap-around. */
++ return NULL;
++ iter->previous = iter->previous->next;
++ return iter->previous->name;
++}
++
+ /* Set nonzero during loading and initialization of executable and
+ libraries, cleared before the executable's entry point runs. This
+ must not be initialized to nonzero, because the unused dynamic
+@@ -1441,11 +1519,13 @@ of this helper program; chances are you
+ GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+
+ /* If we have auditing DSOs to load, do it now. */
+- if (__builtin_expect (audit_list != NULL, 0))
++ bool need_security_init = true;
++ if (__builtin_expect (audit_list != NULL, 0)
++ || __builtin_expect (audit_list_string != NULL, 0))
+ {
+- /* Iterate over all entries in the list. The order is important. */
+ struct audit_ifaces *last_audit = NULL;
+- struct audit_list *al = audit_list->next;
++ struct audit_list_iter al_iter;
++ audit_list_iter_init (&al_iter);
+
+ /* Since we start using the auditing DSOs right away we need to
+ initialize the data structures now. */
+@@ -1456,9 +1536,14 @@ of this helper program; chances are you
+ use different values (especially the pointer guard) and will
+ fail later on. */
+ security_init ();
++ need_security_init = false;
+
+- do
++ while (true)
+ {
++ const char *name = audit_list_iter_next (&al_iter);
++ if (name == NULL)
++ break;
++
+ int tls_idx = GL(dl_tls_max_dtv_idx);
+
+ /* Now it is time to determine the layout of the static TLS
+@@ -1467,7 +1552,7 @@ of this helper program; chances are you
+ no DF_STATIC_TLS bit is set. The reason is that we know
+ glibc will use the static model. */
+ struct dlmopen_args dlmargs;
+- dlmargs.fname = al->name;
++ dlmargs.fname = name;
+ dlmargs.map = NULL;
+
+ const char *objname;
+@@ -1480,7 +1565,7 @@ of this helper program; chances are you
+ not_loaded:
+ _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+- al->name, err_str);
++ name, err_str);
+ if (malloced)
+ free ((char *) err_str);
+ }
+@@ -1584,10 +1669,7 @@ ERROR: ld.so: object '%s' cannot be load
+ goto not_loaded;
+ }
+ }
+-
+- al = al->next;
+ }
+- while (al != audit_list->next);
+
+ /* If we have any auditing modules, announce that we already
+ have two objects loaded. */
+@@ -1851,7 +1933,7 @@ ERROR: ld.so: object '%s' cannot be load
+ if (tcbp == NULL)
+ tcbp = init_tls ();
+
+- if (__builtin_expect (audit_list == NULL, 1))
++ if (need_security_init)
+ /* Initialize security features. But only if we have not done it
+ earlier. */
+ security_init ();
+@@ -2495,9 +2577,7 @@ process_dl_audit (char *str)
+ char *p;
+
+ while ((p = (strsep) (&str, ":")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! INTUSE(__libc_enable_secure), 1)
+- || strchr (p, '/') == NULL))
++ if (dso_name_valid_for_suid (p))
+ {
+ /* This is using the local malloc, not the system malloc. The
+ memory can never be freed. */
+@@ -2561,7 +2641,7 @@ process_envvars (enum mode *modep)
+ break;
+ }
+ if (memcmp (envline, "AUDIT", 5) == 0)
+- process_dl_audit (&envline[6]);
++ audit_list_string = &envline[6];
+ break;
+
+ case 7:
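Review bot: `const char *audit_list_string;` is a new file-scope variable with external linkage, while the `audit_list` it is paired with directly below is `static`; unless another file reads it, make it `static const char *audit_list_string;`. Two comments in `audit_list_iter_next` would mislead a reader: `/* Otherwise, wrap around and try the next name. */` describes a plain loop continuation, not a wrap-around (the cyclic wrap-around is the separate audit_list case further down), so `/* Otherwise, try the next name. */` is more accurate, and `/* Fall through to the procesing of audit_list. */` misspells "processing". The function also returns a pointer into `iter->fname`, which the next call overwrites; the struct comment calls it a scratch buffer, but a sentence on `audit_list_iter_next` itself saying the returned name is only valid until the next call would save the caller in dl_main a trip back to the struct definition.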
diff --git a/SOURCES/glibc-rh1452720-4.patch b/SOURCES/glibc-rh1452720-4.patch
new file mode 100644
index 0000000..5b4d5ea
--- /dev/null
+++ b/SOURCES/glibc-rh1452720-4.patch
@@ -0,0 +1,51 @@
+Partial backport (without the test) of:
+
+commit 1c1243b6fc33c029488add276e56570a07803bfd
+Author: Siddhesh Poyarekar
+Date: Tue Mar 7 20:52:04 2017 +0530
+
+ Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (bug #21209)
+
+ The LD_HWCAP_MASK environment variable may alter the selection of
+ function variants for some architectures. For AT_SECURE process it
+ means that if an outdated routine has a bug that would otherwise not
+ affect newer platforms by default, LD_HWCAP_MASK will allow that bug
+ to be exploited.
+
+ To be on the safe side, ignore and disable LD_HWCAP_MASK for setuid
+ binaries.
+
+ [BZ #21209]
+ * elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for
+ AT_SECURE processes.
+ * sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK.
+ * elf/tst-env-setuid.c (test_parent): Test LD_HWCAP_MASK.
+ (test_child): Likewise.
+ * elf/Makefile (tst-env-setuid-ENV): Add LD_HWCAP_MASK.
+
+Index: b/elf/rtld.c
+===================================================================
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2688,7 +2688,8 @@ process_envvars (enum mode *modep)
+
+ case 10:
+ /* Mask for the important hardware capabilities. */
+- if (memcmp (envline, "HWCAP_MASK", 10) == 0)
++ if (!__libc_enable_secure
++ && memcmp (envline, "HWCAP_MASK", 10) == 0)
+ GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL,
+ 0, 0);
+ break;
+Index: b/sysdeps/generic/unsecvars.h
+===================================================================
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -9,6 +9,7 @@
+ "LD_DEBUG\0" \
+ "LD_DEBUG_OUTPUT\0" \
+ "LD_DYNAMIC_WEAK\0" \
++ "LD_HWCAP_MASK\0" \
+ "LD_LIBRARY_PATH\0" \
+ "LD_ORIGIN_PATH\0" \
+ "LD_PRELOAD\0" \
diff --git a/SPECS/glibc.spec b/SPECS/glibc.spec
index 51d4a3a..a069c89 100644
--- a/SPECS/glibc.spec
+++ b/SPECS/glibc.spec
@@ -1,6 +1,6 @@
%define glibcsrcdir glibc-2.17-c758a686
%define glibcversion 2.17
-%define glibcrelease 157%{?dist}.2
+%define glibcrelease 157%{?dist}.4
##############################################################################
# We support the following options:
# --with/--without,
@@ -1008,6 +1008,10 @@ Patch2077: glibc-rh1370630.patch
# getaddrinfo with nscd fixes
Patch2078: glibc-rh1436312.patch
+Patch2079: glibc-rh1452720-1.patch
+Patch2080: glibc-rh1452720-2.patch
+Patch2081: glibc-rh1452720-3.patch
+Patch2082: glibc-rh1452720-4.patch
##############################################################################
# End of glibc patches.
@@ -1622,6 +1626,11 @@ package or when debugging this package.
%patch2076 -p1
%patch2077 -p1
%patch2078 -p1
+%patch2079 -p1
+%patch2080 -p1
+%patch2081 -p1
+%patch2082 -p1
+
# Rebase of microbenchmarks.
%patch1607 -p1
%patch1609 -p1
@@ -2956,6 +2965,9 @@ rm -f *.filelist*
%endif
%changelog
+* Fri May 26 2017 Florian Weimer - 2.17-157.4
+- Avoid large allocas in the dynamic linker (#1452720)
+
* Tue Mar 28 2017 DJ Delorie - 2.17-157.2
- Fix use of uninitialized data in getaddrinfo with nscd (#1436312)