summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMichael Olbrich <m.olbrich@pengutronix.de>2019-12-04 12:28:56 +0100
committerMichael Olbrich <m.olbrich@pengutronix.de>2019-12-06 11:30:21 +0100
commit2b83031a9cf9b9dce8fb62e6afb464c3a07264e4 (patch)
treed41bd928fda0ea692ef882aa9cb50785ad9a14ee
parentb0fc8441bb218a78e4eed1fad689046d2f450bf5 (diff)
downloadOSELAS.Toolchain-2b83031a9cf9b9dce8fb62e6afb464c3a07264e4.tar.gz
glibc: add upstream fix for CVE-2019-19126
Signed-off-by: Michael Olbrich <m.olbrich@pengutronix.de>
-rw-r--r--patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch50
-rw-r--r--patches/glibc-2.30/series3
2 files changed, 52 insertions, 1 deletions
diff --git a/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch b/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch
new file mode 100644
index 0000000..951849f
--- /dev/null
+++ b/patches/glibc-2.30/0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch
@@ -0,0 +1,50 @@
+From: =?UTF-8?q?Marcin=20Ko=C5=9Bcielnicki?= <mwk@0x04.net>
+Date: Thu, 21 Nov 2019 00:20:15 +0100
+Subject: [PATCH] rtld: Check __libc_enable_secure before honoring
+ LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
+
+The problem was introduced in glibc 2.23, in commit
+b9eb92ab05204df772eb4929eccd018637c9f3e9
+("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
+
+(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
+---
+ NEWS | 10 ++++++++++
+ sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++-
+ 2 files changed, 12 insertions(+), 1 deletion(-)
+
+diff --git a/NEWS b/NEWS
+index ee9ed4de5a3f..ea2dd3c68721 100644
+--- a/NEWS
++++ b/NEWS
+@@ -5,6 +5,16 @@ See the end for copying conditions.
+ Please send GNU C library bug reports via <https://sourceware.org/bugzilla/>
+ using `glibc' in the "product" field.
+
++Version 2.30.1
++
++Security related changes:
++
++CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
++ environment variable during program execution after a security
++ transition, allowing local attackers to restrict the possible mapping
++ addresses for loaded libraries and thus bypass ASLR for a setuid
++ program. Reported by Marcin Koƛcielnicki.
++
+ Version 2.30
+
+ Major new features:
+diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+index 975cbe2950e2..df2cdfdb6b32 100644
+--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
++++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+@@ -31,7 +31,8 @@
+ environment variable, LD_PREFER_MAP_32BIT_EXEC. */
+ #define EXTRA_LD_ENVVARS \
+ case 21: \
+- if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
++ if (!__libc_enable_secure \
++ && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \
+ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
+ |= bit_arch_Prefer_MAP_32BIT_EXEC; \
+ break;
diff --git a/patches/glibc-2.30/series b/patches/glibc-2.30/series
index da5b65b..5ae6822 100644
--- a/patches/glibc-2.30/series
+++ b/patches/glibc-2.30/series
@@ -1,9 +1,10 @@
# generated by git-ptx-patches
#tag:base --start-number 1
#tag:upstream --start-number 1
+0001-rtld-Check-__libc_enable_secure-before-honoring-LD_P.patch
#tag:build-system --start-number 100
0100-add-install-lib-all-target.patch
0101-don-t-regen-docs-if-perl-is-not-found.patch
#tag:hacks --start-number 200
0200-Hack-around-mips-args-to-host-gcc.patch
-# 093247f87c0e3ded1431e29c27443f99 - git-ptx-patches magic
+# a8c1bfa2c01be94508e22cf62d160585 - git-ptx-patches magic