From: Mark H Weaver <mhw@netris.org>
To: Efraim Flashner <efraim@flashner.co.il>
Cc: 27429@debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Tue, 20 Jun 2017 17:44:42 -0400 [thread overview]
Message-ID: <87shiumj05.fsf@netris.org> (raw)
In-Reply-To: <20170620071857.GA2768@macbook42.flashner.co.il> (Efraim Flashner's message of "Tue, 20 Jun 2017 10:18:57 +0300")
Hi Efraim,
Thanks so much for working on this!
Grafting glibc is something we haven't done before to my knowledge, and
it is a bit tricky because of all of the inherited versions of glibc.
At present, those inherited versions are not expressed in such a way to
make grafting work.
One important tool is the 'package/inherit' macro, which I added to
(guix packages) in early May to facilitate another graft. In order to
graft 'glibc' properly, we'll first need to use 'package/inherit' in a
couple of places, I think.
Efraim Flashner <efraim@flashner.co.il> writes:
> From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> From: Efraim Flashner <efraim@flashner.co.il>
> Date: Mon, 19 Jun 2017 23:13:53 +0300
> Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
>
> * gnu/packages/base.scm (glibc)[replacement]: New field.
Please write (glibc/linux) instead of (glibc) above, since that's the
variable whose definition is being changed.
See below for more comments.
> (glibc-2.25-fixed): New variable.
> (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> [replacement]: New field.
> (glibc-locales)[replacement]: New field.
> * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> cross-gcc-wrapper, glibc-final)[replacement]: New field.
> * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> * gnu/local.mk (dist_patch_DATA): Add it.
> ---
> gnu/local.mk | 1 +
> gnu/packages/base.scm | 39 +++++++++++++++++++----
> gnu/packages/commencement.scm | 4 +++
> gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
> 4 files changed, 71 insertions(+), 6 deletions(-)
> create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
>
> diff --git a/gnu/local.mk b/gnu/local.mk
> index ae4a59af0..6b598335b 100644
> --- a/gnu/local.mk
> +++ b/gnu/local.mk
> @@ -632,6 +632,7 @@ dist_patch_DATA = \
> %D%/packages/patches/ghostscript-runpath.patch \
> %D%/packages/patches/glib-networking-ssl-cert-file.patch \
> %D%/packages/patches/glib-tests-timer.patch \
> + %D%/packages/patches/glibc-CVE-2017-1000366.patch \
> %D%/packages/patches/glibc-bootstrap-system.patch \
> %D%/packages/patches/glibc-ldd-x86_64.patch \
> %D%/packages/patches/glibc-locales.patch \
Your changes to (gnu packages base) look good to me, so I've omitted
them. In particular, you are right to add (replacement #f) in the
places where you've done so.
> diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> index 1b41feac1..42892bbe8 100644
> --- a/gnu/packages/commencement.scm
> +++ b/gnu/packages/commencement.scm
> @@ -3,6 +3,7 @@
> ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
> ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
> ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
> +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
> ;;;
> ;;; This file is part of GNU Guix.
> ;;;
> @@ -469,6 +470,7 @@ the bootstrap environment."
> (package-with-bootstrap-guile
> (package (inherit glibc)
> (name "glibc-intermediate")
> + (replacement #f)
> (arguments
> `(#:guile ,%bootstrap-guile
> #:implicit-inputs? #f
> @@ -540,6 +542,7 @@ the bootstrap environment."
> that makes it available under the native tool names."
> (package (inherit gcc)
> (name (string-append (package-name gcc) "-wrapped"))
> + (replacement #f)
> (source #f)
> (build-system trivial-build-system)
> (outputs '("out"))
> @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
> ;; The final glibc, which embeds the statically-linked Bash built above.
> (package (inherit glibc-final-with-bootstrap-bash)
> (name "glibc")
> + (replacement #f)
> (inputs `(("static-bash" ,static-bash-for-glibc)
> ,@(alist-delete
> "static-bash"
The problem here is that almost all of the software in Guix is linked
against glibc-final, and you've suppressed the replacement for it. This
is where the 'package/inherit' macro becomes useful.
I think we need to enable grafting for both
'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing
(package (inherit GLIBC-FOO)
...)
with:
(package/inherit GLIBC-FOO
...)
and remove the (replacement #f) override from those two packages,
because 'package/inherit' will implicitly override 'replacement' as
appropriate.
Would you like to try this?
> diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> new file mode 100644
> index 000000000..106e81d91
> --- /dev/null
> +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> @@ -0,0 +1,33 @@
> +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> +From: Florian Weimer <fweimer@redhat.com>
> +Date: Mon, 19 Jun 2017 17:09:55 +0200
> +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> + programs [BZ #21624]
> +
> +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> +is not useful functionality.
> +
> +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> +for AT_SECURE=1 programs.
> +---
> + ChangeLog | 7 +++++++
> + elf/rtld.c | 3 ++-
> + 2 files changed, 9 insertions(+), 1 deletion(-)
> +
> +diff --git a/elf/rtld.c b/elf/rtld.c
> +index 2446a87..2269dbe 100644
> +--- a/elf/rtld.c
> ++++ b/elf/rtld.c
> +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> +
> + case 12:
> + /* The library search path. */
> +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> ++ if (!__libc_enable_secure
> ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> + {
> + library_path = &envline[13];
> + break;
> +--
> +2.9.3
> +
What about the other two patches? Namely, quoting Leo:
> ld.so: Reject overly long LD_PRELOAD path elements
> https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
>
> ld.so: Reject overly long LD_AUDIT path elements:
> https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
One more thing: since this grafting of 'glibc' is unprecedented and has
the potential for breakage, I think it should be tested as follows:
someone running GuixSD should reconfigure their entire system using the
grafted 'glibc', and they should boot into it to make sure nothing
obvious is broken, before we commit.
Also, we should check the references and make sure that the fixed glibc
is actually being used.
Thank you!
Mark
next prev parent reply other threads:[~2017-06-20 21:46 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-19 23:05 ` Leo Famulari
2017-06-20 0:42 ` Leo Famulari
2017-06-20 0:49 ` Leo Famulari
2017-06-20 7:18 ` Efraim Flashner
2017-06-20 13:16 ` Leo Famulari
2017-06-20 21:44 ` Mark H Weaver [this message]
2017-06-21 8:41 ` Efraim Flashner
2017-06-21 9:50 ` Efraim Flashner
2017-06-21 23:52 ` Leo Famulari
2017-06-22 0:03 ` Leo Famulari
2017-06-22 6:44 ` Mark H Weaver
2017-06-22 16:17 ` Leo Famulari
2017-06-22 18:34 ` Leo Famulari
2017-06-22 19:25 ` Leo Famulari
2017-06-29 10:58 ` Ludovic Courtès
2017-06-29 15:49 ` Mark H Weaver
2017-06-29 20:06 ` Ludovic Courtès
2017-06-29 21:03 ` bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)] Leo Famulari
2017-06-29 22:27 ` Ludovic Courtès
2017-06-30 6:47 ` Leo Famulari
2017-06-30 12:59 ` Ludovic Courtès
2017-06-23 17:20 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-23 18:36 ` Mark H Weaver
2017-06-23 18:54 ` Leo Famulari
2017-06-23 20:03 ` Mark H Weaver
2017-06-24 7:11 ` Mark H Weaver
2017-06-26 8:41 ` Ludovic Courtès
2017-06-26 11:19 ` Mark H Weaver
2017-06-27 13:57 ` Ludovic Courtès
2017-06-28 21:55 ` Leo Famulari
2017-06-20 3:31 ` Mark H Weaver
2017-06-25 9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
2017-06-25 10:41 ` Marius Bakke
2017-06-25 13:19 ` Leo Famulari
2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
2017-07-20 19:13 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://guix.gnu.org/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87shiumj05.fsf@netris.org \
--to=mhw@netris.org \
--cc=27429@debbugs.gnu.org \
--cc=efraim@flashner.co.il \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this public inbox
https://git.savannah.gnu.org/cgit/guix.git
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).