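--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3015,6 +3015,13 @@ __libc_memalign(size_t alignment, size_t bytes)
   /* Otherwise, ensure that it is at least a minimum chunk size */
   if (alignment <  MINSIZE) alignment = MINSIZE;
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - alignment - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   arena_get(ar_ptr, bytes + alignment + MINSIZE);
   if(!ar_ptr)
     return 0;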
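Review bot: The new guard `bytes > SIZE_MAX - alignment - MINSIZE` can itself wrap, because `alignment` is caller-supplied and the only adjustment visible before it raises small values to MINSIZE. If `alignment` exceeds `SIZE_MAX - MINSIZE`, the right-hand side underflows to a large number and the check accepts a request whose `bytes + alignment + MINSIZE` sum, passed to `arena_get`, has wrapped. Unless an upper bound on `alignment` is enforced earlier in `__libc_memalign` (the body starts above this hunk), reject it first, for example `if (alignment > SIZE_MAX / 2 + 1) { __set_errno (EINVAL); return 0; }` placed before the overflow check.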
   malloc: Check for integer overflow in pvalloc.

   A large bytes parameter to pvalloc could cause an integer overflow
   and corrupt allocator internals. Check the overflow does not occur
   before continuing with the allocation.

   ChangeLog:

   2013-09-11  Will Newton  <will.newton@linaro.org>

   	[BZ #15855]
   	* malloc/malloc.c (__libc_pvalloc): Check the value of bytes
   	does not overflow.
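--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3082,6 +3082,13 @@ __libc_pvalloc(size_t bytes)
   size_t page_mask = GLRO(dl_pagesize) - 1;
   size_t rounded_bytes = (bytes + page_mask) & ~(page_mask);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - 2*pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);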
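Review bot: `rounded_bytes` is initialised from `bytes + page_mask` on the context line above the new check, so for a very large `bytes` that addition has already wrapped by the time the guard runs. As far as the hunk shows the wrapped value is never used, because the guard rejects every such `bytes` and returns first, but the ordering reads as if the rounding were safe on its own. Either move the check above the `rounded_bytes` initialiser or extend the comment to `/* Check for overflow; rounded_bytes above is only meaningful once this passes.  */`. `pagesz` is declared outside the hunk.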
   malloc: Check for integer overflow in valloc.

   A large bytes parameter to valloc could cause an integer overflow
   and corrupt allocator internals. Check the overflow does not occur
   before continuing with the allocation.

   ChangeLog:

   2013-09-11  Will Newton  <will.newton@linaro.org>

   	[BZ #15856]
   	* malloc/malloc.c (__libc_valloc): Check the value of bytes
   	does not overflow.
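--- a/malloc/malloc.c
+++ b/malloc/malloc.c
@@ -3046,6 +3046,13 @@ __libc_valloc(size_t bytes)
 
   size_t pagesz = GLRO(dl_pagesize);
 
+  /* Check for overflow.  */
+  if (bytes > SIZE_MAX - pagesz - MINSIZE)
+    {
+      __set_errno (ENOMEM);
+      return 0;
+    }
+
   __malloc_ptr_t (*hook) __MALLOC_PMT ((size_t, size_t,
 					const __malloc_ptr_t)) =
     force_reg (__memalign_hook);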
(-)eglibc-2.17.orig/sysdeps/posix/dirstream.h (+2 lines)
Lines 39-44 Link Here
39
39
40
    off_t filepos;		/* Position of next entry to read.  */
40
    off_t filepos;		/* Position of next entry to read.  */
41
41
42
    int errcode;		/* Delayed error code.  */
43
42
    /* Directory block.  */
44
    /* Directory block.  */
43
    char data[0] __attribute__ ((aligned (__alignof__ (void*))));
45
    char data[0] __attribute__ ((aligned (__alignof__ (void*))));
44
  };
46
  };
(-)eglibc-2.17.orig/sysdeps/posix/opendir.c (+1 lines)
Lines 230-235 Link Here
230
  dirp->size = 0;
230
  dirp->size = 0;
231
  dirp->offset = 0;
231
  dirp->offset = 0;
232
  dirp->filepos = 0;
232
  dirp->filepos = 0;
233
  dirp->errcode = 0;
233
234
234
  return dirp;
235
  return dirp;
235
}
236
}
(-)eglibc-2.17.orig/sysdeps/posix/readdir_r.c (-12 / +30 lines)
Lines 41-46 Link Here
41
  DIRENT_TYPE *dp;
41
  DIRENT_TYPE *dp;
42
  size_t reclen;
42
  size_t reclen;
43
  const int saved_errno = errno;
43
  const int saved_errno = errno;
44
  int ret;
44
45
45
  __libc_lock_lock (dirp->lock);
46
  __libc_lock_lock (dirp->lock);
46
47
Lines 71-80 Link Here
71
		  bytes = 0;
72
		  bytes = 0;
72
		  __set_errno (saved_errno);
73
		  __set_errno (saved_errno);
73
		}
74
		}
75
	      if (bytes < 0)
76
		dirp->errcode = errno;
74
77
75
	      dp = NULL;
78
	      dp = NULL;
76
	      /* Reclen != 0 signals that an error occurred.  */
77
	      reclen = bytes != 0;
78
	      break;
79
	      break;
79
	    }
80
	    }
80
	  dirp->size = (size_t) bytes;
81
	  dirp->size = (size_t) bytes;
Lines 107-135 Link Here
107
      dirp->filepos += reclen;
108
      dirp->filepos += reclen;
108
#endif
109
#endif
109
110
110
      /* Skip deleted files.  */
111
#ifdef NAME_MAX
112
      if (reclen > offsetof (DIRENT_TYPE, d_name) + NAME_MAX + 1)
113
	{
114
	  /* The record is very long.  It could still fit into the
115
	     caller-supplied buffer if we can skip padding at the
116
	     end.  */
117
	  size_t namelen = _D_EXACT_NAMLEN (dp);
118
	  if (namelen <= NAME_MAX)
119
	    reclen = offsetof (DIRENT_TYPE, d_name) + namelen + 1;
120
	  else
121
	    {
122
	      /* The name is too long.  Ignore this file.  */
123
	      dirp->errcode = ENAMETOOLONG;
124
	      dp->d_ino = 0;
125
	      continue;
126
	    }
127
	}
128
#endif
129
130
      /* Skip deleted and ignored files.  */
111
    }
131
    }
112
  while (dp->d_ino == 0);
132
  while (dp->d_ino == 0);
113
133
114
  if (dp != NULL)
134
  if (dp != NULL)
115
    {
135
    {
116
#ifdef GETDENTS_64BIT_ALIGNED
117
      /* The d_reclen value might include padding which is not part of
118
	 the DIRENT_TYPE data structure.  */
119
      reclen = MIN (reclen,
120
		    offsetof (DIRENT_TYPE, d_name) + sizeof (dp->d_name));
121
#endif
122
      *result = memcpy (entry, dp, reclen);
136
      *result = memcpy (entry, dp, reclen);
123
#ifdef GETDENTS_64BIT_ALIGNED
137
#ifdef _DIRENT_HAVE_D_RECLEN
124
      entry->d_reclen = reclen;
138
      entry->d_reclen = reclen;
125
#endif
139
#endif
140
      ret = 0;
126
    }
141
    }
127
  else
142
  else
128
    *result = NULL;
143
    {
144
      *result = NULL;
145
      ret = dirp->errcode;
146
    }
129
147
130
  __libc_lock_unlock (dirp->lock);
148
  __libc_lock_unlock (dirp->lock);
131
149
132
  return dp != NULL ? 0 : reclen ? errno : 0;
150
  return ret;
133
}
151
}
134
152
135
#ifdef __READDIR_R_ALIAS
153
#ifdef __READDIR_R_ALIAS
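Review bot: The length bound that protects `memcpy (entry, dp, reclen)` now exists only inside `#ifdef NAME_MAX`, and the `GETDENTS_64BIT_ALIGNED` clamp that used to cap `reclen` just before the copy is removed. On a configuration where `NAME_MAX` is not defined, the record length would reach the copy into the caller-supplied `entry` without any cap visible in these hunks. If every target that builds this file defines `NAME_MAX`, make that explicit with an `#else` branch such as `# error "readdir_r needs NAME_MAX to bound the copied record"`; otherwise keep a fallback clamp on that branch. The function starts above the first hunk, so an earlier bound outside the visible lines cannot be ruled out.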
(-)eglibc-2.17.orig/sysdeps/posix/rewinddir.c (+1 lines)
Lines 33-38 Link Here
33
  dirp->filepos = 0;
33
  dirp->filepos = 0;
34
  dirp->offset = 0;
34
  dirp->offset = 0;
35
  dirp->size = 0;
35
  dirp->size = 0;
36
  dirp->errcode = 0;
36
#ifndef NOT_IN_libc
37
#ifndef NOT_IN_libc
37
  __libc_lock_unlock (dirp->lock);
38
  __libc_lock_unlock (dirp->lock);
38
#endif
39
#endif
(-)eglibc-2.17.orig/sysdeps/unix/sysv/linux/i386/readdir64_r.c (-1 lines)
Lines 18-24 Link Here
18
#define __READDIR_R __readdir64_r
18
#define __READDIR_R __readdir64_r
19
#define __GETDENTS __getdents64
19
#define __GETDENTS __getdents64
20
#define DIRENT_TYPE struct dirent64
20
#define DIRENT_TYPE struct dirent64
21
#define GETDENTS_64BIT_ALIGNED 1
22
21
23
#include <sysdeps/posix/readdir_r.c>
22
#include <sysdeps/posix/readdir_r.c>
24
23
(-)eglibc-2.17.orig/sysdeps/unix/sysv/linux/wordsize-64/readdir_r.c (-1 lines)
Lines 1-5 Link Here
1
#define readdir64_r __no_readdir64_r_decl
1
#define readdir64_r __no_readdir64_r_decl
2
#define GETDENTS_64BIT_ALIGNED 1
3
#include <sysdeps/posix/readdir_r.c>
2
#include <sysdeps/posix/readdir_r.c>
4
#undef readdir64_r
3
#undef readdir64_r
5
weak_alias (__readdir_r, readdir64_r)
4
weak_alias (__readdir_r, readdir64_r)
   BZ #15754: CVE-2013-4788

   The pointer guard used for pointer mangling was not initialized for
   static applications resulting in the security feature being disabled.
   The pointer guard is now correctly initialized to a random value for
   static applications. Existing static applications need to be
   recompiled to take advantage of the fix.

   The test tst-ptrguard1-static and tst-ptrguard1 add regression
   coverage to ensure the pointer guards are sufficiently random
   and initialized to a default value.

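--- a/csu/libc-start.c
+++ b/csu/libc-start.c
@@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void);
    in thread local area.  */
 uintptr_t __stack_chk_guard attribute_relro;
 # endif
+# ifndef  THREAD_SET_POINTER_GUARD
+/* Only exported for architectures that don't store the pointer guard
+   value in thread local area.  */
+uintptr_t __pointer_chk_guard_local
+	attribute_relro attribute_hidden __attribute__ ((nocommon));
+# endif
 #endif
 
 #ifdef HAVE_PTR_NTHREADS
@@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL),
 # else
   __stack_chk_guard = stack_chk_guard;
 # endif
+
+  /* Set up the pointer guard value.  */
+  uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
+							 stack_chk_guard);
+# ifdef THREAD_SET_POINTER_GUARD
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+# else
+  __pointer_chk_guard_local = pointer_chk_guard;
+# endif
+
 #endif
 
   /* Register the destructor of the dynamic linker if there is any.  */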
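Review bot: The comment added above `__pointer_chk_guard_local` says the variable is "Only exported for architectures that don't store the pointer guard value in thread local area", but the declaration carries `attribute_hidden`, so it is not exported the way `__stack_chk_guard` just above it is. The wording appears to be copied from the stack guard; reword it to `/* Only defined for architectures that don't store the pointer guard value in thread local area; hidden, so usable only within this link.  */`. The assignment in the second hunk would also benefit from a line stating that the guard is derived from `_dl_random` through `_dl_setup_pointer_guard`, whose behaviour when `_dl_random` is unset is not visible here.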
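--- a/elf/Makefile
+++ b/elf/Makefile
@@ -121,7 +121,8 @@ endif
 tests = tst-tls1 tst-tls2 tst-tls9 tst-leaks1 \
 	tst-array1 tst-array2 tst-array3 tst-array4 tst-array5
 tests-static = tst-tls1-static tst-tls2-static tst-stackguard1-static \
-	       tst-leaks1-static tst-array1-static tst-array5-static
+	       tst-leaks1-static tst-array1-static tst-array5-static \
+	       tst-ptrguard1-static
 ifeq (yes,$(build-shared))
 tests-static += tst-tls9-static
 tst-tls9-static-ENV = \
@@ -145,7 +146,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \
 	 tst-audit1 tst-audit2 tst-audit8 \
 	 tst-stackguard1 tst-addr1 tst-thrlock \
 	 tst-unique1 tst-unique2 tst-unique3 tst-unique4 \
-	 tst-initorder tst-initorder2 tst-relsort1
+	 tst-initorder tst-initorder2 tst-relsort1 \
+	 tst-ptrguard1
 #	 reldep9
 test-srcs = tst-pathopt
 selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null)
@@ -1016,6 +1018,9 @@ LDFLAGS-order2mod2.so = $(no-as-needed)
 tst-stackguard1-ARGS = --command "$(host-built-program-cmd) --child"
 tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
 
+tst-ptrguard1-ARGS = --command "$(host-built-program-cmd) --child"
+tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
+
 $(objpfx)tst-leaks1: $(libdl)
 $(objpfx)tst-leaks1-mem: $(objpfx)tst-leaks1.out
 	$(common-objpfx)malloc/mtrace $(objpfx)tst-leaks1.mtrace > $@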
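--- a/elf/tst-ptrguard1-static.c
+++ b/elf/tst-ptrguard1-static.c
@@ -0,0 +1 @@
+#include "tst-ptrguard1.c"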
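--- a/elf/tst-ptrguard1.c
+++ b/elf/tst-ptrguard1.c
@@ -0,0 +1,202 @@
+/* Copyright (C) 2013 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#include <errno.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/wait.h>
+#include <stackguard-macros.h>
+#include <tls.h>
+#include <unistd.h>
+
+#ifndef POINTER_CHK_GUARD
+extern uintptr_t __pointer_chk_guard;
+# define POINTER_CHK_GUARD __pointer_chk_guard
+#endif
+
+static const char *command;
+static bool child;
+static uintptr_t ptr_chk_guard_copy;
+static bool ptr_chk_guard_copy_set;
+static int fds[2];
+
+static void __attribute__ ((constructor))
+con (void)
+{
+  ptr_chk_guard_copy = POINTER_CHK_GUARD;
+  ptr_chk_guard_copy_set = true;
+}
+
+static int
+uintptr_t_cmp (const void *a, const void *b)
+{
+  if (*(uintptr_t *) a < *(uintptr_t *) b)
+    return 1;
+  if (*(uintptr_t *) a > *(uintptr_t *) b)
+    return -1;
+  return 0;
+}
+
+static int
+do_test (void)
+{
+  if (!ptr_chk_guard_copy_set)
+    {
+      puts ("constructor has not been run");
+      return 1;
+    }
+
+  if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
+    {
+      puts ("POINTER_CHK_GUARD changed between constructor and do_test");
+      return 1;
+    }
+
+  if (child)
+    {
+      write (2, &ptr_chk_guard_copy, sizeof (ptr_chk_guard_copy));
+      return 0;
+    }
+
+  if (command == NULL)
+    {
+      puts ("missing --command or --child argument");
+      return 1;
+    }
+
+#define N 16
+  uintptr_t child_ptr_chk_guards[N + 1];
+  child_ptr_chk_guards[N] = ptr_chk_guard_copy;
+  int i;
+  for (i = 0; i < N; ++i)
+    {
+      if (pipe (fds) < 0)
+	{
+	  printf ("couldn't create pipe: %m\n");
+	  return 1;
+	}
+
+      pid_t pid = fork ();
+      if (pid < 0)
+	{
+	  printf ("fork failed: %m\n");
+	  return 1;
+	}
+
+      if (!pid)
+	{
+	  if (ptr_chk_guard_copy != POINTER_CHK_GUARD)
+	    {
+	      puts ("POINTER_CHK_GUARD changed after fork");
+	      exit (1);
+	    }
+
+	  close (fds[0]);
+	  close (2);
+	  dup2 (fds[1], 2);
+	  close (fds[1]);
+
+	  system (command);
+	  exit (0);
+	}
+
+      close (fds[1]);
+
+      if (TEMP_FAILURE_RETRY (read (fds[0], &child_ptr_chk_guards[i],
+				    sizeof (uintptr_t))) != sizeof (uintptr_t))
+	{
+	  puts ("could not read ptr_chk_guard value from child");
+	  return 1;
+	}
+
+      close (fds[0]);
+
+      pid_t termpid;
+      int status;
+      termpid = TEMP_FAILURE_RETRY (waitpid (pid, &status, 0));
+      if (termpid == -1)
+	{
+	  printf ("waitpid failed: %m\n");
+	  return 1;
+	}
+      else if (termpid != pid)
+	{
+	  printf ("waitpid returned %ld != %ld\n",
+		  (long int) termpid, (long int) pid);
+	  return 1;
+	}
+      else if (!WIFEXITED (status) || WEXITSTATUS (status))
+	{
+	  puts ("child hasn't exited with exit status 0");
+	  return 1;
+	}
+    }
+
+  qsort (child_ptr_chk_guards, N + 1, sizeof (uintptr_t), uintptr_t_cmp);
+
+  /* The default pointer guard is the same as the default stack guard.
+     They are only set to default if dl_random is NULL.  */
+  uintptr_t default_guard = 0;
+  unsigned char *p = (unsigned char *) &default_guard;
+  p[sizeof (uintptr_t) - 1] = 255;
+  p[sizeof (uintptr_t) - 2] = '\n';
+  p[0] = 0;
+
+  /* Test if the pointer guard canaries are either randomized,
+     or equal to the default pointer guard value.
+     Even with randomized pointer guards it might happen
+     that the random number generator generates the same
+     values, but if that happens in more than half from
+     the 16 runs, something is very wrong.  */
+  int ndifferences = 0;
+  int ndefaults = 0;
+  for (i = 0; i < N; ++i)
+    {
+      if (child_ptr_chk_guards[i] != child_ptr_chk_guards[i+1])
+	ndifferences++;
+      else if (child_ptr_chk_guards[i] == default_guard)
+	ndefaults++;
+    }
+
+  printf ("differences %d defaults %d\n", ndifferences, ndefaults);
+
+  if (ndifferences < N / 2 && ndefaults < N / 2)
+    {
+      puts ("pointer guard values are not randomized enough");
+      puts ("nor equal to the default value");
+      return 1;
+    }
+
+  return 0;
+}
+
+#define OPT_COMMAND	10000
+#define OPT_CHILD	10001
+#define CMDLINE_OPTIONS	\
+  { "command", required_argument, NULL, OPT_COMMAND },  \
+  { "child", no_argument, NULL, OPT_CHILD },
+#define CMDLINE_PROCESS	\
+  case OPT_COMMAND:	\
+    command = optarg;	\
+    break;		\
+  case OPT_CHILD:	\
+    child = true;	\
+    break;
+#define TEST_FUNCTION do_test ()
+#include "../test-skeleton.c"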
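Review bot: The final check in `do_test` passes whenever at least half of the sorted samples equal `default_guard`, so a build in which every process ends up with the fixed default value is reported as success. The comment above the check says the default is only used when `dl_random` is NULL, but the test cannot tell that case apart from a regression that stops consuming the random bytes, and a fixed guard is the predictable value pointer mangling is meant to avoid. Make that outcome visible, for example `if (ndefaults >= N / 2) puts ("warning: pointer guard is the non-random default value");` before the final `return 0;`, or fail where the platform is known to supply random bytes. Separately, the results of `write`, `dup2` and `system` are ignored, so a failing child is only noticed indirectly through the short read in the parent.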
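--- a/ports/sysdeps/ia64/stackguard-macros.h
+++ b/ports/sysdeps/ia64/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("adds %0 = -8, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("adds %0 = -16, r13;; ld8 %0 = [%0]" : "=r" (x)); x; })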
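--- a/ports/sysdeps/tile/stackguard-macros.h
+++ b/ports/sysdeps/tile/stackguard-macros.h
@@ -4,11 +4,17 @@
 # if __WORDSIZE == 64
 #  define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("addi %0, tp, -16; ld %0, %0" : "=r" (x)); x; })
+#  define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("addi %0, tp, -24; ld %0, %0" : "=r" (x)); x; })
 # else
 #  define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("addi %0, tp, -8; ld4s %0, %0" : "=r" (x)); x; })
+#  define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("addi %0, tp, -12; ld4s %0, %0" : "=r" (x)); x; })
 # endif
 #else
 # define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("addi %0, tp, -8; lw %0, %0" : "=r" (x)); x; })
+# define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("addi %0, tp, -12; lw %0, %0" : "=r" (x)); x; })
 #endif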
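--- a/sysdeps/generic/stackguard-macros.h
+++ b/sysdeps/generic/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 extern uintptr_t __stack_chk_guard;
 #define STACK_CHK_GUARD __stack_chk_guard
+
+extern uintptr_t __pointer_chk_guard_local;
+#define POINTER_CHK_GUARD __pointer_chk_guard_local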
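--- a/sysdeps/i386/stackguard-macros.h
+++ b/sysdeps/i386/stackguard-macros.h
@@ -2,3 +2,11 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("movl %%gs:0x14, %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({							\
+     uintptr_t x;					\
+     asm ("movl %%gs:%c1, %0" : "=r" (x)		\
+	  : "i" (offsetof (tcbhead_t, pointer_guard)));	\
+     x;							\
+   })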
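--- a/sysdeps/powerpc/powerpc32/stackguard-macros.h
+++ b/sysdeps/powerpc/powerpc32/stackguard-macros.h
@@ -2,3 +2,13 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("lwz %0,-28680(2)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({												\
+     uintptr_t x;										\
+     asm ("lwz %0,%1(2)"									\
+	  : "=r" (x)										\
+	  : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t))	\
+         );											\
+     x;												\
+   })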
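--- a/sysdeps/powerpc/powerpc64/stackguard-macros.h
+++ b/sysdeps/powerpc/powerpc64/stackguard-macros.h
@@ -2,3 +2,13 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ld %0,-28688(13)" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({												\
+     uintptr_t x;										\
+     asm ("ld %0,%1(2)"										\
+	  : "=r" (x)										\
+	  : "i" (offsetof (tcbhead_t, pointer_guard) - TLS_TCB_OFFSET - sizeof (tcbhead_t))	\
+         );											\
+     x;												\
+   })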
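--- a/sysdeps/s390/s390-32/stackguard-macros.h
+++ b/sysdeps/s390/s390-32/stackguard-macros.h
@@ -2,3 +2,14 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ear %0,%%a0; l %0,0x14(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+   same value as the stack guard.  */
+#define POINTER_CHK_GUARD \
+  ({							\
+     uintptr_t x;					\
+     asm ("ear %0,%%a0; l %0,%1(%0)"			\
+	  : "=a" (x)					\
+	  : "i" (offsetof (tcbhead_t, stack_guard)));	\
+     x;							\
+   })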
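--- a/sysdeps/s390/s390-64/stackguard-macros.h
+++ b/sysdeps/s390/s390-64/stackguard-macros.h
@@ -2,3 +2,17 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ear %0,%%a0; sllg %0,%0,32; ear %0,%%a1; lg %0,0x28(%0)" : "=a" (x)); x; })
+
+/* On s390/s390x there is no unique pointer guard, instead we use the
+   same value as the stack guard.  */
+#define POINTER_CHK_GUARD \
+  ({							\
+     uintptr_t x;					\
+     asm ("ear %0,%%a0;"				\
+	  "sllg %0,%0,32;"				\
+	  "ear %0,%%a1;"				\
+	  "lg %0,%1(%0)"				\
+	 : "=a" (x)					\
+	 : "i" (offsetof (tcbhead_t, stack_guard)));	\
+     x;							\
+   })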
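--- a/sysdeps/sparc/sparc32/stackguard-macros.h
+++ b/sysdeps/sparc/sparc32/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ld [%%g7+0x14], %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("ld [%%g7+0x18], %0" : "=r" (x)); x; })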
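--- a/sysdeps/sparc/sparc64/stackguard-macros.h
+++ b/sysdeps/sparc/sparc64/stackguard-macros.h
@@ -2,3 +2,6 @@
 
 #define STACK_CHK_GUARD \
   ({ uintptr_t x; asm ("ldx [%%g7+0x28], %0" : "=r" (x)); x; })
+
+#define POINTER_CHK_GUARD \
+  ({ uintptr_t x; asm ("ldx [%%g7+0x30], %0" : "=r" (x)); x; })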
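--- a/sysdeps/x86_64/stackguard-macros.h
+++ b/sysdeps/x86_64/stackguard-macros.h
@@ -4,3 +4,8 @@
   ({ uintptr_t x;						\
      asm ("mov %%fs:%c1, %0" : "=r" (x)				\
 	  : "i" (offsetof (tcbhead_t, stack_guard))); x; })
+
+#define POINTER_CHK_GUARD \
+  ({ uintptr_t x;						\
+     asm ("mov %%fs:%c1, %0" : "=r" (x)				\
+	  : "i" (offsetof (tcbhead_t, pointer_guard))); x; })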
   BZ #15754: Fix test case for ARM.

   Statically built binaries use __pointer_chk_guard_local,
   while dynamically built binaries use __pointer_chk_guard.
   Provide the right definition depending on the test case
   we are building.

	[BZ #15754]
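--- a/elf/Makefile
+++ b/elf/Makefile
@@ -1019,6 +1019,9 @@ tst-stackguard1-ARGS = --command "$(host-test-program-cmd) --child"
 tst-stackguard1-static-ARGS = --command "$(objpfx)tst-stackguard1-static --child"
 
 tst-ptrguard1-ARGS = --command "$(host-built-program-cmd) --child"
+# When built statically, the pointer guard interface uses
+# __pointer_chk_guard_local.
+CFLAGS-tst-ptrguard1-static.c = -DPTRGUARD_LOCAL
 tst-ptrguard1-static-ARGS = --command "$(objpfx)tst-ptrguard1-static --child"
 
 $(objpfx)tst-leaks1: $(libdl)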
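--- a/sysdeps/generic/stackguard-macros.h
+++ b/sysdeps/generic/stackguard-macros.h
@@ -3,5 +3,10 @@
 extern uintptr_t __stack_chk_guard;
 #define STACK_CHK_GUARD __stack_chk_guard
 
+#ifdef PTRGUARD_LOCAL
 extern uintptr_t __pointer_chk_guard_local;
-#define POINTER_CHK_GUARD __pointer_chk_guard_local
+# define POINTER_CHK_GUARD __pointer_chk_guard_local
+#else
+extern uintptr_t __pointer_chk_guard;
+# define POINTER_CHK_GUARD __pointer_chk_guard
+#endif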
   Fix readdir regressions on sparc 32-bit.

   	* sysdeps/posix/dirstream.h (struct __dirstream): Fix alignment of
   	directory block.
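--- a/sysdeps/posix/dirstream.h
+++ b/sysdeps/posix/dirstream.h
@@ -41,8 +41,13 @@ struct __dirstream
 
     int errcode;		/* Delayed error code.  */
 
-    /* Directory block.  */
-    char data[0] __attribute__ ((aligned (__alignof__ (void*))));
+    /* Directory block.  We must make sure that this block starts
+       at an address that is aligned adequately enough to store
+       dirent entries.  Using the alignment of "void *" is not
+       sufficient because dirents on 32-bit platforms can require
+       64-bit alignment.  We use "long double" here to be consistent
+       with what malloc uses.  */
+    char data[0] __attribute__ ((aligned (__alignof__ (long double))));
   };
 
 #define _DIR_dirfd(dirp)	((dirp)->fd)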
--
locale/loadarchive.c | 4 ++++
1 file changed, 4 insertions(+)
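--- a/locale/loadarchive.c
+++ b/locale/loadarchive.c
@@ -274,6 +274,10 @@ _nl_load_locale_from_archive (int category, const char **namep)
   namehashtab = (struct namehashent *) ((char *) head
 					+ head->namehash_offset);
 
+  /* Avoid division by 0 if the file is corrupted.  */
+  if (__builtin_expect (head->namehash_size == 0, 0))
+    goto close_and_out;
+
   idx = hval % head->namehash_size;
   incr = 1 + hval % (head->namehash_size - 2);
 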
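Review bot: The new test rejects only `namehash_size == 0`, but the second modulus two lines below it divides by `head->namehash_size - 2`, so a corrupted archive with `namehash_size == 2` still reaches a division by zero, and a value of 1 wraps the divisor if the field is unsigned. Widen the guard to `if (__builtin_expect (head->namehash_size <= 2, 0))` and extend the comment to `/* Avoid division by 0 if the file is corrupted; namehash_size - 2 is used as a divisor below.  */`. The function starts and continues outside the hunk.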
280
- 
