Accepting request 505677 from home:Andreas_Schwab:Factory

- ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (BZ #21209) - ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357, BZ #21624) - Remove glibc-cpusetsize.diff, no longer useful OBS-URL: https://build.opensuse.org/request/show/505677 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=458
2017-06-22 12:54:01 +00:00 · 2017-06-22 12:54:01 +00:00 · fede245d46
commit fede245d46
parent da08f55dc8
5 changed files with 211 additions and 30 deletions
--- a/glibc-cpusetsize.diff
+++ b/glibc-cpusetsize.diff
@ -1,26 +0,0 @@
-Index: glibc-2.17.90/bits/sched.h
-===================================================================
--- glibc-2.17.90.orig/bits/sched.h
-+++ glibc-2.17.90/bits/sched.h
-@@ -52,7 +52,7 @@ struct __sched_param
- #if defined _SCHED_H && !defined __cpu_set_t_defined
- # define __cpu_set_t_defined
- /* Size definition for CPU sets.  */
-# define __CPU_SETSIZE	1024
-+# define __CPU_SETSIZE	4096
- # define __NCPUBITS	(8 * sizeof (__cpu_mask))
- 
- /* Type for array elements in 'cpu_set_t'.  */
-Index: glibc-2.17.90/sysdeps/unix/sysv/linux/bits/sched.h
-===================================================================
--- glibc-2.17.90.orig/sysdeps/unix/sysv/linux/bits/sched.h
-+++ glibc-2.17.90/sysdeps/unix/sysv/linux/bits/sched.h
-@@ -111,7 +111,7 @@ struct __sched_param
- #if defined _SCHED_H && !defined __cpu_set_t_defined
- # define __cpu_set_t_defined
- /* Size definition for CPU sets.  */
-# define __CPU_SETSIZE	1024
-+# define __CPU_SETSIZE	4096
- # define __NCPUBITS	(8 * sizeof (__cpu_mask))
- 
- /* Type for array elements in 'cpu_set_t'.  */
--- a/glibc.changes
+++ b/glibc.changes
@ -1,3 +1,16 @@
+-------------------------------------------------------------------
+Wed Jun 21 15:15:12 UTC 2017 - schwab@suse.de
+
+- ld-hwcap-mask-suid.patch: Ignore and remove LD_HWCAP_MASK for AT_SECURE
+  programs (BZ #21209)
+- ld-library-path-suid.patch: Completely ignore LD_LIBRARY_PATH for
+  AT_SECURE=1 programs (CVE-2017-1000366, bsc#1039357, BZ #21624)
+
+-------------------------------------------------------------------
+Wed Jun 14 12:22:21 UTC 2017 - schwab@suse.de
+
+- Remove glibc-cpusetsize.diff, no longer useful
+
 -------------------------------------------------------------------
 Wed May 31 10:35:31 UTC 2017 - schwab@suse.de

--- a/glibc.spec
+++ b/glibc.spec
@ -228,8 +228,6 @@ Patch13:        glibc-2.3.2.no_archive.diff
 Patch14:        glibc-bindresvport-blacklist.diff
 # PATCH-FIX-OPENSUSE prefer -lang rpm packages
 Patch15:        glibc-2.3.90-langpackdir.diff
-# PATCH-FEATURE-SLE increase cpusetsize to 4096, needs to be kept for compatibility kukuk@suse.de (XXX: Review)
-Patch18:        glibc-cpusetsize.diff
 # PATCH-FEATURE-SLE Use nscd user for nscd
 Patch19:        nscd-server-user.patch
 # PATCH-FEATURE-SLE powerpc: enable TLE only if GLIBC_ELISION_ENABLE=yes is defined
@ -272,6 +270,10 @@ Patch1002:      sunrpc-use-after-free.patch
 Patch1003:      test-math-vector-sincos-aliasing.patch
 # PATCH-FIX-UPSTREAM Fix symbol redirect for fts_set (BZ #21289)
 Patch1004:      fts-symbol-redirect.patch
+# PATCH-FIX-UPSTREAM Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (BZ #21209)
+Patch1005:      ld-hwcap-mask-suid.patch
+# PATCH-FIX-UPSTREAM rtld: Completely ignore LD_LIBRARY_PATH for AT_SECURE=1 programs (CVE-2017-1000366, BZ #21624)
+Patch1006:      ld-library-path-suid.patch

 ### 
 # Patches awaiting upstream approval
@ -488,7 +490,6 @@ rm nscd/s-stamp
 %patch13 -p1
 %patch14 -p1
 %patch15 -p1
-%patch18 -p1
 %patch19 -p1
 %patch21 -p1

@ -508,6 +509,8 @@ rm nscd/s-stamp
 %patch1002 -p1
 %patch1003 -p1
 %patch1004 -p1
+%patch1005 -p1
+%patch1006 -p1

 %patch2000 -p1
 %patch2001 -p1
@ -664,7 +667,7 @@ configure_and_build_glibc() {
 	        $profile $elision \
 		"$@" \
 		--build=%{target} --host=%{target} \
-%ifarch armv7hl ppc ppc64 ppc64le %{ix86} x86_64 sparc sparc64 s390 s390x
+%ifarch armv7hl ppc ppc64 ppc64le i686 x86_64 sparc sparc64 s390 s390x
 		--enable-multi-arch \
 %endif
 %ifarch mipsel
--- a/ld-hwcap-mask-suid.patch
+++ b/ld-hwcap-mask-suid.patch
@ -0,0 +1,33 @@
+2017-03-07  Siddhesh Poyarekar  <siddhesh@sourceware.org>
+
+	[BZ #21209]
+	* elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for
+	AT_SECURE processes.
+	* sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK.
+
+Index: glibc-2.25/elf/rtld.c
+===================================================================
+--- glibc-2.25.orig/elf/rtld.c
+++ glibc-2.25/elf/rtld.c
+@@ -2450,7 +2450,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 10:
+ 	  /* Mask for the important hardware capabilities.  */
+-	  if (memcmp (envline, "HWCAP_MASK", 10) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "HWCAP_MASK", 10) == 0)
+ 	    GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL,
+ 						      0, 0);
+ 	  break;
+Index: glibc-2.25/sysdeps/generic/unsecvars.h
+===================================================================
+--- glibc-2.25.orig/sysdeps/generic/unsecvars.h
+++ glibc-2.25/sysdeps/generic/unsecvars.h
+@@ -16,6 +16,7 @@
+   "LD_DEBUG\0"								      \
+   "LD_DEBUG_OUTPUT\0"							      \
+   "LD_DYNAMIC_WEAK\0"							      \
+  "LD_HWCAP_MASK\0"							      \
+   "LD_LIBRARY_PATH\0"							      \
+   "LD_ORIGIN_PATH\0"							      \
+   "LD_PRELOAD\0"							      \
--- a/ld-library-path-suid.patch
+++ b/ld-library-path-suid.patch
@ -0,0 +1,158 @@
+Index: glibc-2.25/elf/rtld.c
+===================================================================
+--- glibc-2.25.orig/elf/rtld.c
+++ glibc-2.25/elf/rtld.c
+@@ -716,6 +716,57 @@ static const char *preloadlist attribute
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
+/* Check that AT_SECURE=0, or that the passed name does not contain
+   directories and is not overly long.  */
+static bool
+dso_name_valid_for_suid (const char *p)
+{
+  if (__builtin_expect (__libc_enable_secure, 0))
+    {
+      /* Ignore pathnames with directories for AT_SECURE=1
+	 programs, and also skip overlong names.  */
+      size_t len = strlen (p);
+      if (len >= NAME_MAX || memchr (p, '/', len) != NULL)
+	return false;
+    }
+  return true;
+}
+
+/* The LD_PRELOAD environment variable gives list of libraries
+   separated by white space or colons that are loaded before the
+   executable's dependencies and prepended to the global scope list.
+   (If the binary is running setuid all elements containing a '/' are
+   ignored since it is insecure.)  Return the number of preloads
+   performed.  */
+static unsigned int
+handle_ld_preload (const char *preloadlist, struct link_map *main_map)
+{
+  unsigned int npreloads = 0;
+  const char *p = preloadlist;
+  char fname[PATH_MAX];
+
+  while (*p != '\0')
+    {
+      /* Split preload list at space/colon.  */
+      size_t len = strcspn (p, " :");
+      if (len > 0 && len < PATH_MAX)
+	{
+	  memcpy (fname, p, len);
+	  fname[len] = '\0';
+	  if (dso_name_valid_for_suid (fname))
+	    npreloads += do_preload (fname, main_map, "LD_PRELOAD");
+	}
+
+      /* Skip over the substring and the following delimiter.  */
+      p += len;
+      if (*p != '\0')
+	++p;
+    }
+  return npreloads;
+}
+
+
+
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ 	 ElfW(Word) phnum,
+@@ -1462,23 +1513,8 @@ ERROR: ld.so: object '%s' cannot be load
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-	 separated by white space or colons that are loaded before the
+-	 executable's dependencies and prepended to the global scope
+-	 list.  If the binary is running setuid all elements
+-	 containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-	if (p[0] != '\0'
+-	    && (__builtin_expect (! __libc_enable_secure, 1)
+-		|| strchr (p, '/') == NULL))
+-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
+      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+@@ -2340,9 +2376,7 @@ process_dl_audit (char *str)
+   char *p;
+ 
+   while ((p = (strsep) (&str, ":")) != NULL)
+-    if (p[0] != '\0'
+-	&& (__builtin_expect (! __libc_enable_secure, 1)
+-	    || strchr (p, '/') == NULL))
+    if (p[0] != '\0' && dso_name_valid_for_suid (p))
+       {
+ 	/* This is using the local malloc, not the system malloc.  The
+ 	   memory can never be freed.  */
+@@ -2372,6 +2406,7 @@ process_envvars (enum mode *modep)
+   char *envline;
+   enum mode mode = normal;
+   char *debug_output = NULL;
+  char *ld_audit = NULL;
+ 
+   /* This is the default place for profiling data file.  */
+   GLRO(dl_profile_output)
+@@ -2406,7 +2441,7 @@ process_envvars (enum mode *modep)
+ 	      break;
+ 	    }
+ 	  if (memcmp (envline, "AUDIT", 5) == 0)
+-	    process_dl_audit (&envline[6]);
+	    ld_audit = &envline[6];
+ 	  break;
+ 
+ 	case 7:
+@@ -2465,7 +2500,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 12:
+ 	  /* The library search path.  */
+-	  if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
+	  if (!__libc_enable_secure
+	      && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ 	    {
+ 	      library_path = &envline[13];
+ 	      break;
+@@ -2532,6 +2568,12 @@ process_envvars (enum mode *modep)
+ 	}
+     }
+ 
+  /* Even if LD_AUDIT occurs multiple times in the environment
+     process_dl_audit should only be called once to avoid polluting the
+     heap with unused copies of the value.  */
+  if (ld_audit != NULL)
+    process_dl_audit (ld_audit);
+
+   /* The caller wants this information.  */
+   *modep = mode;
+ 
+Index: glibc-2.25/sysdeps/i386/i686/multiarch/strcspn-c.c
+===================================================================
+--- glibc-2.25.orig/sysdeps/i386/i686/multiarch/strcspn-c.c
+++ glibc-2.25/sysdeps/i386/i686/multiarch/strcspn-c.c
+@@ -1,2 +1,4 @@
+-#define __strcspn_sse2 __strcspn_ia32
+-#include <sysdeps/x86_64/multiarch/strcspn-c.c>
+#if IS_IN (libc)
+# define __strcspn_sse2 __strcspn_ia32
+# include <sysdeps/x86_64/multiarch/strcspn-c.c>
+#endif
+Index: glibc-2.25/sysdeps/i386/i686/multiarch/varshift.c
+===================================================================
+--- glibc-2.25.orig/sysdeps/i386/i686/multiarch/varshift.c
+++ glibc-2.25/sysdeps/i386/i686/multiarch/varshift.c
+@@ -1 +1,3 @@
+-#include <sysdeps/x86_64/multiarch/varshift.c>
+#if IS_IN (libc)
+# include <sysdeps/x86_64/multiarch/varshift.c>
+#endif