diff options
author | Carlos O'Donell <carlos@redhat.com> | 2013-09-23 00:52:09 -0400 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2013-09-23 00:52:09 -0400 |
commit | c61b4d41c9647a54a329aa021341c0eb032b793e (patch) | |
tree | c4a665c232a7d37786a6f3b5e3f56d0ae11480e8 /elf | |
parent | 58a96064d193317236b740998e134b652d3d62ad (diff) | |
download | glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.tar glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.tar.gz glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.tar.bz2 glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.zip |
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for
static applications resulting in the security feature being disabled.
The pointer guard is now correctly initialized to a random value for
static applications. Existing static applications need to be
recompiled to take advantage of the fix.
The test tst-ptrguard1-static and tst-ptrguard1 add regression
coverage to ensure the pointer guards are sufficiently random
and initialized to a default value.
Diffstat (limited to 'elf')
-rw-r--r-- | elf/Makefile | 9 | ||||
-rw-r--r-- | elf/tst-ptrguard1-static.c | 1 | ||||
-rw-r--r-- | elf/tst-ptrguard1.c | 202 |
3 files changed, 210 insertions, 2 deletions
diff --git a/elf/Makefile b/elf/Makefile index aaa9534b2e..cb8da9398a 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -121,7 +121,8 @@ endif tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \ tst-array1 tst-array2 tst-array3 tst-array4 tst-array5 tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \ - tst-leaks1-static tst-array1-static tst-array5-static + tst-leaks1-static tst-array1-static tst-array5-static \ + tst-ptrguard1-static ifeq (yes,$(build-shared)) tests-static += tst-tls9-static tst-tls9-static-ENV = \ @@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \ tst-audit1 tst-audit2 tst-audit8 \ tst-stackguard1 tst-addr1 tst-thrlock \ tst-unique1 tst-unique2 tst-unique3 tst-unique4 \ - tst-initorder tst-initorder2 tst-relsort1 tst-null-argv + tst-initorder tst-initorder2 tst-relsort1 tst-null-argv \ + tst-ptrguard1 # reldep9 test-srcs = tst-pathopt selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null) @@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed) tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child" tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child" +tst-ptrguard1-ARGS = --command "$(host-test-program-cmd) --child" +tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child" + $(objpfx)tst-leaks1: $(libdl) $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out $(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@ diff --git a/elf/tst-ptrguard1-static.c b/elf/tst-ptrguard1-static.c new file mode 100644 index 0000000000..7aff3b7b5d --- /dev/null +++ b/elf/tst-ptrguard1-static.c @@ -0,0 +1 @@ +#include "tst-ptrguard1.c" diff --git a/elf/tst-ptrguard1.c b/elf/tst-ptrguard1.c new file mode 100644 index 0000000000..c344a04db1 --- /dev/null +++ b/elf/tst-ptrguard1.c @@ -0,0 +1,202 @@ +/* Copyright (C) 2013 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + <http://www.gnu.org/licenses/>. */ + +#include <errno.h> +#include <stdbool.h> +#include <stdio.h> +#include <stdlib.h> +#include <string.h> +#include <sys/wait.h> +#include <stackguard-macros.h> +#include <tls.h> +#include <unistd.h> + +#ifndef POINTER_CHK_GUARD +extern uintptr_t __pointer_chk_guard; +# define POINTER_CHK_GUARD __pointer_chk_guard +#endif + +static const char *command; +static bool child; +static uintptr_t ptr_chk_guard_copy; +static bool ptr_chk_guard_copy_set; +static int fds[2]; + +static void __attribute__ ((constructor)) +con (void) +{ + ptr_chk_guard_copy = POINTER_CHK_GUARD; + ptr_chk_guard_copy_set = true; +} + +static int +uintptr_t_cmp (const void *a, const void *b) +{ + if (*(uintptr_t *) a < *(uintptr_t *) b) + return 1; + if (*(uintptr_t *) a > *(uintptr_t *) b) + return -1; + return 0; +} + +static int +do_test (void) +{ + if (!ptr_chk_guard_copy_set) + { + puts ("constructor has not been run"); + return 1; + } + + if (ptr_chk_guard_copy != POINTER_CHK_GUARD) + { + puts ("POINTER_CHK_GUARD changed between constructor and do_test"); + return 1; + } + + if (child) + { + write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy)); + return 0; + } + + if (command == NULL) + { + puts ("missing --command or --child argument"); + return 1; + } + +#define N 16 + uintptr_t child_ptr_chk_guards[N + 1]; + child_ptr_chk_guards[N] = ptr_chk_guard_copy; + int i; + for (i = 0; i < N; ++i) + { + if (pipe (fds) < 0) + { + printf ("couldn't create pipe: %m\n"); + return 1; + } + + pid_t pid = fork (); + if (pid < 0) + { + printf ("fork failed: %m\n"); + return 1; + } + + if (!pid) + { + if (ptr_chk_guard_copy != POINTER_CHK_GUARD) + { + puts ("POINTER_CHK_GUARD changed after fork"); + exit (1); + } + + close (fds[0]); + close (2); + dup2 (fds[1], 2); + close (fds[1]); + + system (command); + exit (0); + } + + close (fds[1]); + + if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i], + sizeof (uintptr_t))) != sizeof (uintptr_t)) + { + puts ("could not read ptr_chk_guard value from child"); + return 1; + } + + close (fds[0]); + + pid_t termpid; + int status; + termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0)); + if (termpid == -1) + { + printf ("waitpid failed: %m\n"); + return 1; + } + else if (termpid != pid) + { + printf ("waitpid returned %ld != %ld\n", + (long int) termpid, (long int) pid); + return 1; + } + else if (!WIFEXITED (status) || WEXITSTATUS (status)) + { + puts ("child hasn't exited with exit status 0"); + return 1; + } + } + + qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp); + + /* The default pointer guard is the same as the default stack guard. + They are only set to default if dl_random is NULL. */ + uintptr_t default_guard = 0; + unsigned char *p = (unsigned char *) &default_guard; + p[sizeof (uintptr_t) - 1] = 255; + p[sizeof (uintptr_t) - 2] = '\n'; + p[0] = 0; + + /* Test if the pointer guard canaries are either randomized, + or equal to the default pointer guard value. + Even with randomized pointer guards it might happen + that the random number generator generates the same + values, but if that happens in more than half from + the 16 runs, something is very wrong. */ + int ndifferences = 0; + int ndefaults = 0; + for (i = 0; i < N; ++i) + { + if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1]) + ndifferences++; + else if (child_ptr_chk_guards[i] == default_guard) + ndefaults++; + } + + printf ("differences %d defaults %d\n", ndifferences, ndefaults); + + if (ndifferences < N / 2 && ndefaults < N / 2) + { + puts ("pointer guard values are not randomized enough"); + puts ("nor equal to the default value"); + return 1; + } + + return 0; +} + +#define OPT_COMMAND 10000 +#define OPT_CHILD 10001 +#define CMDLINE_OPTIONS \ + { "command", required_argument, NULL, OPT_COMMAND }, \ + { "child", no_argument, NULL, OPT_CHILD }, +#define CMDLINE_PROCESS \ + case OPT_COMMAND: \ + command = optarg; \ + break; \ + case OPT_CHILD: \ + child = true; \ + break; +#define TEST_FUNCTION do_test () +#include "../test-skeleton.c" |