commit c61b4d41c9647a54a329aa021341c0eb032b793e
Author: Carlos O'Donell
Date: Mon Sep 23 00:52:09 2013 -0400
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for static applications resulting in the security feature being disabled. The pointer guard is now correctly initialized to a random value for static applications. Existing static applications need to be recompiled to take advantage of the fix. The test tst-ptrguard1-static and tst-ptrguard1 add regression coverage to ensure the pointer guards are sufficiently random and initialized to a default value.
diff --git a/csu/libc-start.c b/csu/libc-start.c
index e5da3ef..c898d06 100644
--- a/csu/libc-start.c
+++ b/csu/libc-start.c
@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
 in thread local area. */
 uintptr_t __stack_chk_guard attribute_relro;
 # endif
+# ifndef THREAD_SET_POINTER_GUARD
+/* Only exported for architectures that don't store the pointer guard
+ value in thread local area. */
+uintptr_t __pointer_chk_guard_local
+ attribute_relro attribute_hidden __attribute__ ((nocommon));
+# endif
 #endif
 
 #ifdef HAVE_PTR_NTHREADS
@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
 # else
 __stack_chk_guard = stack_chk_guard;
 # endif
+
+ /* Set up the pointer guard value. */
+ uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+ stack_chk_guard);
+# ifdef THREAD_SET_POINTER_GUARD
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+# else
+ __pointer_chk_guard_local = pointer_chk_guard;
+# endif
+
 #endif
 
 /* Register the destructor of the dynamic linker if there is any. */
diff --git a/ports/sysdeps/ia64/stackguard-macros.h b/ports/sysdeps/ia64/stackguard-macros.h
index dc683c2..3907293 100644
--- a/ports/sysdeps/ia64/stackguard-macros.h
+++ b/ports/sysdeps/ia64/stackguard-macros.h
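Review bot: The comment on the new `__pointer_chk_guard_local` definition says "Only exported", but the definition is `attribute_hidden`, so nothing is exported: the symbol is reachable only within the link that contains this object, and the wording reads as the opposite of what the attributes do. It copies the phrasing used for `__stack_chk_guard` just above, which carries no `attribute_hidden`, so the two comments now describe different linkage in the same words. I would change it to `/* Only defined for architectures that don't keep the pointer guard in thread local area.  Hidden: visible within this link only, never exported from a shared object.  */`. The conditional closed by the `#endif` context line starts before this hunk, so which build configuration this definition is limited to is not visible here.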
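Review bot: The new comment `/* Set up the pointer guard value. */` says nothing about where the secret comes from or why `stack_chk_guard` is passed as the second argument; that argument suggests `_dl_setup_pointer_guard` falls back to a value derived from the stack guard when `_dl_random` is unavailable, and if that reading is right the two guards are correlated on such systems, so a canary disclosure would also weaken pointer mangling there. The placement directly before the "Register the destructor of the dynamic linker" context line also looks deliberate, since that registration presumably stores a mangled pointer, and an ordering constraint like that deserves a sentence. I would expand the comment to: `/* Install the pointer guard before anything below stores a PTR_MANGLEd pointer.  The value presumably comes from the AT_RANDOM bytes; when _dl_random is NULL the helper appears to fall back to a stack-guard-derived value, so the two guards are not independent then -- confirm against dl-osinfo.h.  */`. LIBC_START_MAIN begins and ends outside this hunk.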
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
diff --git a/ports/sysdeps/tile/stackguard-macros.h b/ports/sysdeps/tile/stackguard-macros.h
index 589ea2b..f2e041b 100644
--- a/ports/sysdeps/tile/stackguard-macros.h
+++ b/ports/sysdeps/tile/stackguard-macros.h
@@ -4,11 +4,17 @@
 # if __WORDSIZE == 64
 # define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
+# define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
 # else
 # define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
+# define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
 # endif
 #else
 # define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
+# define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
 #endif
diff --git a/sysdeps/generic/stackguard-macros.h b/sysdeps/generic/stackguard-macros.h
index ababf65..4fa3d96 100644
--- a/sysdeps/generic/stackguard-macros.h
+++ b/sysdeps/generic/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 extern uintptr_t __stack_chk_guard;
 #define STACK_CHK_GUARD __stack_chk_guard
+
+extern uintptr_t __pointer_chk_guard_local;
+#define POINTER_CHK_GUARD __pointer_chk_guard_local
diff --git a/sysdeps/i386/stackguard-macros.h b/sysdeps/i386/stackguard-macros.h
index 8c31e19..0397629 100644
--- a/sysdeps/i386/stackguard-macros.h
+++ b/sysdeps/i386/stackguard-macros.h
@@ -2,3 +2,11 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("movl %%gs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard))); \
+ x; \
+ })
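Review bot: The ia64 `POINTER_CHK_GUARD` hard-codes the slot as the 8-byte word at `r13-16`, one below the existing stack-guard slot at `r13-8`, with nothing tying it to the thread-descriptor layout the way the i386 and x86_64 hunks do with `offsetof (tcbhead_t, pointer_guard)`. If that layout ever moves the pointer guard, this macro silently reads a neighbouring word, and a test that only checks randomness would most likely keep passing on the wrong word. I would at least record the assumption next to the macro: `/* Pointer guard is the 8-byte word just below the stack guard (r13-16); keep in sync with THREAD_SET_POINTER_GUARD for this port.  */`. The tile and sparc hunks in this commit take the same literal-offset approach and the same note applies to them.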
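Review bot: The generic header declares `extern uintptr_t __pointer_chk_guard_local;` with default visibility, while the definition this commit adds in csu/libc-start.c is `attribute_hidden` and sits inside a conditional that hunk does not show, quite possibly the static-only part of that file. On an architecture that falls back to this generic header, the dynamically linked tst-ptrguard1 named in the description would then need this symbol from libc.so or ld.so, and if it is hidden there as well the test will not link on those targets, so it is worth building the test on one generic-header port before relying on the coverage claim. The declaration should say what it is for, e.g. `/* Static-link-only copy of the pointer guard, defined hidden in csu/libc-start.c for ports without THREAD_SET_POINTER_GUARD.  */`.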
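Review bot: The new i386 `POINTER_CHK_GUARD` references `tcbhead_t` and `offsetof`, neither of which this header provides; the `@@ -2,3` hunk header shows that a single line precedes the hunk, so at most one include does, and the macro therefore compiles only when the including test has already pulled in the thread-descriptor header (presumably <tls.h>, which is how the pre-existing x86_64 macro gets away with the same reference). The existing `STACK_CHK_GUARD` directly above avoids that dependency with the literal `%%gs:0x14`, so the two macros in one short file now follow different conventions. Either spell the new one the same way or put the dependency in writing: `/* Needs tcbhead_t: the including file must have pulled in <tls.h> first.  */`.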
diff --git a/sysdeps/powerpc/powerpc32/stackguard-macros.h b/sysdeps/powerpc/powerpc32/stackguard-macros.h
index 839f6a4..b3d0af8 100644
--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
@@ -2,3 +2,13 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("lwz %0,%1(2)" \
+ : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
+ ); \
+ x; \
+ })
diff --git a/sysdeps/powerpc/powerpc64/stackguard-macros.h b/sysdeps/powerpc/powerpc64/stackguard-macros.h
index 9da879c..4620f96 100644
--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
@@ -2,3 +2,13 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ld %0,%1(2)" \
+ : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t)) \
+ ); \
+ x; \
+ })
diff --git a/sysdeps/s390/s390-32/stackguard-macros.h b/sysdeps/s390/s390-32/stackguard-macros.h
index b74c579..449e8d4 100644
--- a/sysdeps/s390/s390-32/stackguard-macros.h
+++ b/sysdeps/s390/s390-32/stackguard-macros.h
@@ -2,3 +2,14 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+ same value as the stack guard. */
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ear %0,%%a0; l %0,%1(%0)" \
+ : "=a" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
+ x; \
+ })
diff --git a/sysdeps/s390/s390-64/stackguard-macros.h b/sysdeps/s390/s390-64/stackguard-macros.h
index 0cebb5f..c8270fb 100644
--- a/sysdeps/s390/s390-64/stackguard-macros.h
+++ b/sysdeps/s390/s390-64/stackguard-macros.h
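Review bot: The powerpc64 `POINTER_CHK_GUARD` loads through register 2 (`ld %0,%1(2)`), but the `STACK_CHK_GUARD` two lines above it reads the same thread descriptor through register 13 (`ld %0,-28688(13)`), and the powerpc32 hunk uses register 2 only because the 32-bit ABI keeps the thread pointer there. On 64-bit the thread pointer is r13 and r2 is the TOC pointer, so as written this macro reads an unrelated word some 28 KiB below the TOC instead of the pointer guard, and a randomness check on that word could easily pass while verifying nothing about the guard; the otherwise identical macro body suggests it was carried over from the powerpc32 file without adjusting the base register. The fix is the one-line change `asm ("ld %0,%1(13)" \`.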
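Review bot: The added comment records that `POINTER_CHK_GUARD` reads `offsetof (tcbhead_t, stack_guard)`, i.e. on s390 the value used for pointer mangling is the stack canary itself, and that deserves to be stated as a security consequence rather than an implementation footnote. Any canary disclosure (a stack over-read, a format-string leak) then also hands an attacker the value needed to forge mangled pointers, and the tst-ptrguard1 tests on s390 can only re-check stack-guard randomness, never an independent pointer-guard secret. I would extend the comment to `/* On s390/s390x there is no unique pointer guard; the stack guard value is used instead, so a canary leak also defeats pointer mangling here and this test cannot observe an independent pointer-guard value.  */`. The s390-64 hunk that follows carries the same comment and should get the same wording.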
@@ -2,3 +2,17 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+ same value as the stack guard. */
+#define POINTER_CHK_GUARD \
+ ({ \
+ uintptr_t x; \
+ asm ("ear %0,%%a0;" \
+ "sllg %0,%0,32;" \
+ "ear %0,%%a1;" \
+ "lg %0,%1(%0)" \
+ : "=a" (x) \
+ : "i" (offsetof (tcbhead_t, stack_guard))); \
+ x; \
+ })
diff --git a/sysdeps/sparc/sparc32/stackguard-macros.h b/sysdeps/sparc/sparc32/stackguard-macros.h
index c0b02b0..1eef0f1 100644
--- a/sysdeps/sparc/sparc32/stackguard-macros.h
+++ b/sysdeps/sparc/sparc32/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })
diff --git a/sysdeps/sparc/sparc64/stackguard-macros.h b/sysdeps/sparc/sparc64/stackguard-macros.h
index 80f0635..cc0c12c 100644
--- a/sysdeps/sparc/sparc64/stackguard-macros.h
+++ b/sysdeps/sparc/sparc64/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
 ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })
diff --git a/sysdeps/x86_64/stackguard-macros.h b/sysdeps/x86_64/stackguard-macros.h
index d7fedb3..1948800 100644
--- a/sysdeps/x86_64/stackguard-macros.h
+++ b/sysdeps/x86_64/stackguard-macros.h
@@ -4,3 +4,8 @@
 ({ uintptr_t x; \
 asm ("mov %%fs:%c1, %0" : "=r" (x) \
 : "i" (offsetof (tcbhead_t, stack_guard))); x; })
+
+#define POINTER_CHK_GUARD \
+ ({ uintptr_t x; \
+ asm ("mov %%fs:%c1, %0" : "=r" (x) \
+ : "i" (offsetof (tcbhead_t, pointer_guard))); x; })