From: Efraim Flashner <efraim@flashner.co.il>
To: Mark H Weaver <mhw@netris.org>
Cc: 27429@debbugs.gnu.org
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Wed, 21 Jun 2017 11:41:34 +0300 [thread overview]
Message-ID: <20170621084134.GA2870@macbook42.flashner.co.il> (raw)
In-Reply-To: <87shiumj05.fsf@netris.org>
[-- Attachment #1.1: Type: text/plain, Size: 12494 bytes --]
On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Thanks so much for working on this!
>
> Grafting glibc is something we haven't done before to my knowledge, and
> it is a bit tricky because of all of the inherited versions of glibc.
> At present, those inherited versions are not expressed in such a way to
> make grafting work.
>
> One important tool is the 'package/inherit' macro, which I added to
> (guix packages) in early May to facilitate another graft. In order to
> graft 'glibc' properly, we'll first need to use 'package/inherit' in a
> couple of places, I think.
>
I like your optimism :)
> Efraim Flashner <efraim@flashner.co.il> writes:
>
> > From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <efraim@flashner.co.il>
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> >
> > * gnu/packages/base.scm (glibc)[replacement]: New field.
>
> Please write (glibc/linux) instead of (glibc) above, since that's the
> variable whose definition is being changed.
noted
>
> See below for more comments.
>
> > (glibc-2.25-fixed): New variable.
> > (glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patch.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> > cross-gcc-wrapper, glibc-final)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > ---
> > gnu/local.mk | 1 +
> > gnu/packages/base.scm | 39 +++++++++++++++++++----
> > gnu/packages/commencement.scm | 4 +++
> > gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
> > 4 files changed, 71 insertions(+), 6 deletions(-)
> > create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
> >
> > diff --git a/gnu/local.mk b/gnu/local.mk
> > index ae4a59af0..6b598335b 100644
> > --- a/gnu/local.mk
> > +++ b/gnu/local.mk
> > @@ -632,6 +632,7 @@ dist_patch_DATA = \
> > %D%/packages/patches/ghostscript-runpath.patch \
> > %D%/packages/patches/glib-networking-ssl-cert-file.patch \
> > %D%/packages/patches/glib-tests-timer.patch \
> > + %D%/packages/patches/glibc-CVE-2017-1000366.patch \
> > %D%/packages/patches/glibc-bootstrap-system.patch \
> > %D%/packages/patches/glibc-ldd-x86_64.patch \
> > %D%/packages/patches/glibc-locales.patch \
>
> Your changes to (gnu packages base) look good to me, so I've omitted
> them. In particular, you are right to add (replacement #f) in the
> places where you've done so.
>
> > diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> > index 1b41feac1..42892bbe8 100644
> > --- a/gnu/packages/commencement.scm
> > +++ b/gnu/packages/commencement.scm
> > @@ -3,6 +3,7 @@
> > ;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
> > ;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
> > ;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
> > +;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
> > ;;;
> > ;;; This file is part of GNU Guix.
> > ;;;
> > @@ -469,6 +470,7 @@ the bootstrap environment."
> > (package-with-bootstrap-guile
> > (package (inherit glibc)
> > (name "glibc-intermediate")
> > + (replacement #f)
> > (arguments
> > `(#:guile ,%bootstrap-guile
> > #:implicit-inputs? #f
> > @@ -540,6 +542,7 @@ the bootstrap environment."
> > that makes it available under the native tool names."
> > (package (inherit gcc)
> > (name (string-append (package-name gcc) "-wrapped"))
> > + (replacement #f)
> > (source #f)
> > (build-system trivial-build-system)
> > (outputs '("out"))
> > @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
> > ;; The final glibc, which embeds the statically-linked Bash built above.
> > (package (inherit glibc-final-with-bootstrap-bash)
> > (name "glibc")
> > + (replacement #f)
> > (inputs `(("static-bash" ,static-bash-for-glibc)
> > ,@(alist-delete
> > "static-bash"
>
> The problem here is that almost all of the software in Guix is linked
> against glibc-final, and you've suppressed the replacement for it. This
> is where the 'package/inherit' macro becomes useful.
>
> I think we need to enable grafting for both
> 'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing
>
> (package (inherit GLIBC-FOO)
> ...)
>
> with:
>
> (package/inherit GLIBC-FOO
> ...)
>
> and remove the (replacement #f) override from those two packages,
> because 'package/inherit' will implicitly override 'replacement' as
> appropriate.
>
> Would you like to try this?
I haven't looked closely at this part of the code yet so its like magic
to me still.
>
> > diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > new file mode 100644
> > index 000000000..106e81d91
> > --- /dev/null
> > +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > @@ -0,0 +1,33 @@
> > +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> > +From: Florian Weimer <fweimer@redhat.com>
> > +Date: Mon, 19 Jun 2017 17:09:55 +0200
> > +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> > + programs [BZ #21624]
> > +
> > +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> > +is not useful functionality.
> > +
> > +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> > +for AT_SECURE=1 programs.
> > +---
> > + ChangeLog | 7 +++++++
> > + elf/rtld.c | 3 ++-
> > + 2 files changed, 9 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/elf/rtld.c b/elf/rtld.c
> > +index 2446a87..2269dbe 100644
> > +--- a/elf/rtld.c
> > ++++ b/elf/rtld.c
> > +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> > +
> > + case 12:
> > + /* The library search path. */
> > +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > ++ if (!__libc_enable_secure
> > ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > + {
> > + library_path = &envline[13];
> > + break;
> > +--
> > +2.9.3
> > +
>
> What about the other two patches? Namely, quoting Leo:
>
> > ld.so: Reject overly long LD_PRELOAD path elements
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> >
> > ld.so: Reject overly long LD_AUDIT path elements:
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
now added
>
> One more thing: since this grafting of 'glibc' is unprecedented and has
> the potential for breakage, I think it should be tested as follows:
> someone running GuixSD should reconfigure their entire system using the
> grafted 'glibc', and they should boot into it to make sure nothing
> obvious is broken, before we commit.
>
> Also, we should check the references and make sure that the fixed glibc
> is actually being used.
>
> Thank you!
>
> Mark
After making the changes I built glibc, by which I mean I built at least
gettext-boot0, glibc-final, perl, glibc, expat, and probably a bit more.
On my 10 year old laptop it took about 2 hours.
@ build-succeeded /gnu/store/974hryqa5fprrymyjkmcfrzn3qmv0dgq-glibc-2.25.drv -
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
real 125m16.297s
user 0m32.896s
sys 0m3.840s
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25/
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25o
This doubling of glibc, bash and bash-static is the same as I got from
'guix gc --references $(./pre-inst-env guix build glibc)' on another machine
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25/
/gnu/store/02426nwiy32cscm4h83729vn5ws1gs2i-bash-static-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback -e '(@@ (gnu packages commencement) glibc-final)'
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
/gnu/store/kbp13s4y4mbzww7vvld33di28im94xfi-glibc-2.25-debug
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ ./pre-inst-env guix build --fallback python
...snip...
grafting '/gnu/store/3aw9x28la9nh8fzkm665d7fywxzbl15j-python-3.5.3' -> '/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3'...
grafting '/gnu/store/9bv7jbk734bsk5zacq23wzp60xz06xs6-python-3.5.3-tk' -> '/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk'...
@ build-succeeded /gnu/store/pymxw6dzibylr5qwhdxzc7il0h07kk9z-python-3.5.3.drv -
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk
efraim@macbook42:~/workspace/guix$ guix gc --references $(./pre-inst-env guix build python)
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/commencement.go
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7v66jlv8y005p2z5754jc1c6xf3rqybh-tk-8.6.6
/gnu/store/hiaxc08awfb6ygpssmlki8sjsxjcak5z-tcl-8.6.6
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/smddwh4gb0bf50js321vm88pvjlcfx04-libx11-1.6.5
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
efraim@macbook42:~/workspace/guix$ guix gc --references /gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3/
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
So to me it looks like its working.
Anyone want to try reconfiguring their system to make sure it doesn't
break GuixSD? :)
--
Efraim Flashner <efraim@flashner.co.il> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
[-- Attachment #1.2: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch --]
[-- Type: text/plain, Size: 23103 bytes --]
From 3ca1693715648ac23fd35f8246a3f1d5afd6ce34 Mon Sep 17 00:00:00 2001
From: Efraim Flashner <efraim@flashner.co.il>
Date: Mon, 19 Jun 2017 23:13:53 +0300
Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
* gnu/packages/base.scm (glibc/linux)[replacement]: New field.
(glibc-2.25-fixed): New variable.
(glibc@2.24, glibc@2.23, glibc@2.22, glibc@2.21)[source]: Add patches.
[replacement]: New field.
(glibc-locales)[replacement]: New field.
* gnu/packages/commencement.scm (cross-gcc-wrapper)[replacement]: New field.
* gnu/packages/patches/glibc-CVE-2017-1000366.patch,
gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch,
gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch: New files.
* gnu/local.mk (dist_patch_DATA): Add them.
---
gnu/local.mk | 5 +-
gnu/packages/base.scm | 47 ++++-
gnu/packages/commencement.scm | 6 +-
gnu/packages/patches/glibc-CVE-2017-1000366.patch | 36 ++++
.../patches/glibc-reject-long-LD-AUDIT.patch | 206 +++++++++++++++++++++
.../patches/glibc-reject-long-LD-PRELOAD.patch | 124 +++++++++++++
6 files changed, 414 insertions(+), 10 deletions(-)
create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
create mode 100644 gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
create mode 100644 gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
diff --git a/gnu/local.mk b/gnu/local.mk
index f0eed694d..d4d6c1c25 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -631,11 +631,14 @@ dist_patch_DATA = \
%D%/packages/patches/ghostscript-runpath.patch \
%D%/packages/patches/glib-networking-ssl-cert-file.patch \
%D%/packages/patches/glib-tests-timer.patch \
+ %D%/packages/patches/glibc-CVE-2017-1000366.patch \
%D%/packages/patches/glibc-bootstrap-system.patch \
%D%/packages/patches/glibc-ldd-x86_64.patch \
%D%/packages/patches/glibc-locales.patch \
%D%/packages/patches/glibc-memchr-overflow-i686.patch \
%D%/packages/patches/glibc-o-largefile.patch \
+ %D%/packages/patches/glibc-reject-long-LD-AUDIT.patch \
+ %D%/packages/patches/glibc-reject-long-LD-PRELOAD.patch \
%D%/packages/patches/glibc-versioned-locpath.patch \
%D%/packages/patches/glog-gcc-5-demangling.patch \
%D%/packages/patches/gmp-arm-asm-nothumb.patch \
@@ -657,7 +660,7 @@ dist_patch_DATA = \
%D%/packages/patches/guile-present-coding.patch \
%D%/packages/patches/guile-relocatable.patch \
%D%/packages/patches/guile-rsvg-pkgconfig.patch \
- gnu/packages/patches/guile-ssh-channel-finalization.patch \
+ %D%/packages/patches/guile-ssh-channel-finalization.patch \
%D%/packages/patches/guile-ssh-double-free.patch \
%D%/packages/patches/guile-ssh-rexec-bug.patch \
%D%/packages/patches/gtk2-respect-GUIX_GTK2_PATH.patch \
diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm
index d135a18bf..47838d89b 100644
--- a/gnu/packages/base.scm
+++ b/gnu/packages/base.scm
@@ -5,7 +5,7 @@
;;; Copyright © 2014, 2015, 2016 Mark H Weaver <mhw@netris.org>
;;; Copyright © 2014 Alex Kost <alezost@gmail.com>
;;; Copyright © 2014, 2015 Manolis Fragkiskos Ragkousis <manolis837@gmail.com>
-;;; Copyright © 2016 Efraim Flashner <efraim@flashner.co.il>
+;;; Copyright © 2016, 2017 Efraim Flashner <efraim@flashner.co.il>
;;; Copyright © 2016 Jan Nieuwenhuizen <janneke@gnu.org>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
@@ -558,6 +558,7 @@ store.")
(package
(name "glibc")
(version "2.25")
+ (replacement glibc-2.25-patched)
(source (origin
(method url-fetch)
(uri (string-append "mirror://gnu/glibc/glibc-"
@@ -904,34 +905,62 @@ GLIBC/HURD for a Hurd host"
;; Below are old libc versions, which we use mostly to build locale data in
;; the old format (which the new libc cannot cope with.)
+(define glibc-2.25-patched
+ (package
+ (inherit glibc)
+ (replacement #f)
+ (source (origin
+ (inherit (package-source glibc))
+ (patches (search-patches "glibc-CVE-2017-1000366.patch"
+ "glibc-ldd-x86_64.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-o-largefile.patch"
+ "glibc-reject-long-LD-AUDIT.patch"
+ "glibc-reject-long-LD-PRELOAD.patch"))))))
+
(define-public glibc-2.24
(package
(inherit glibc)
(version "2.24")
+ (replacement #f)
(source (origin
(inherit (package-source glibc))
(uri (string-append "mirror://gnu/glibc/glibc-"
version ".tar.xz"))
(sha256
(base32
- "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))))))
+ "1lxmprg9gm73gvafxd503x70z32phwjzcy74i0adfi6ixzla7m4r"))
+ (patches (search-patches "glibc-CVE-2017-1000366.patch"
+ "glibc-ldd-x86_64.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-o-largefile.patch"
+ "glibc-reject-long-LD-AUDIT.patch"
+ "glibc-reject-long-LD-PRELOAD.patch"))))))
(define-public glibc-2.23
(package
(inherit glibc)
(version "2.23")
+ (replacement #f)
(source (origin
(inherit (package-source glibc))
(uri (string-append "mirror://gnu/glibc/glibc-"
version ".tar.xz"))
(sha256
(base32
- "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))))))
+ "1s8krs3y2n6pzav7ic59dz41alqalphv7vww4138ag30wh0fpvwl"))
+ (patches (search-patches "glibc-CVE-2017-1000366.patch"
+ "glibc-ldd-x86_64.patch"
+ "glibc-versioned-locpath.patch"
+ "glibc-o-largefile.patch"
+ "glibc-reject-long-LD-AUDIT.patch"
+ "glibc-reject-long-LD-PRELOAD.patch"))))))
(define-public glibc-2.22
(package
(inherit glibc)
(version "2.22")
+ (replacement #f)
(source (origin
(inherit (package-source glibc))
(uri (string-append "mirror://gnu/glibc/glibc-"
@@ -939,7 +968,10 @@ GLIBC/HURD for a Hurd host"
(sha256
(base32
"0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb"))
- (patches (search-patches "glibc-ldd-x86_64.patch"))))
+ (patches (search-patches "glibc-CVE-2017-1000366.patch"
+ "glibc-ldd-x86_64.patch"
+ "glibc-reject-long-LD-AUDIT.patch"
+ "glibc-reject-long-LD-PRELOAD.patch"))))
(arguments
(substitute-keyword-arguments (package-arguments glibc)
((#:phases phases)
@@ -948,7 +980,8 @@ GLIBC/HURD for a Hurd host"
(lambda _
;; Use `pwd' instead of `/bin/pwd' for glibc-2.21
(substitute* "configure"
- (("/bin/pwd") "pwd"))))))))))
+ (("/bin/pwd") "pwd"))
+ #t))))))))
(define-public glibc-2.21
(package
@@ -960,13 +993,13 @@ GLIBC/HURD for a Hurd host"
version ".tar.xz"))
(sha256
(base32
- "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))
- (patches (search-patches "glibc-ldd-x86_64.patch"))))))
+ "1f135546j34s9bfkydmx2nhh9vwxlx60jldi80zmsnln6wj3dsxf"))))))
(define-public glibc-locales
(package
(inherit glibc)
(name "glibc-locales")
+ (replacement #f)
(source (origin (inherit (package-source glibc))
(patches (cons (search-patch "glibc-locales.patch")
(origin-patches (package-source glibc))))))
diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
index 1b41feac1..eea246756 100644
--- a/gnu/packages/commencement.scm
+++ b/gnu/packages/commencement.scm
@@ -3,6 +3,7 @@
;;; Copyright © 2014 Andreas Enge <andreas@enge.fr>
;;; Copyright © 2012 Nikita Karetnikov <nikita@karetnikov.org>
;;; Copyright © 2014, 2015 Mark H Weaver <mhw@netris.org>
+;;; Copyright © 2017 Efraim Flashner <efraim@flashner.co.il>
;;;
;;; This file is part of GNU Guix.
;;;
@@ -467,7 +468,7 @@ the bootstrap environment."
;; built just below; the only difference is that this one uses the
;; bootstrap Bash.
(package-with-bootstrap-guile
- (package (inherit glibc)
+ (package/inherit glibc
(name "glibc-intermediate")
(arguments
`(#:guile ,%bootstrap-guile
@@ -540,6 +541,7 @@ the bootstrap environment."
that makes it available under the native tool names."
(package (inherit gcc)
(name (string-append (package-name gcc) "-wrapped"))
+ (replacement #f)
(source #f)
(build-system trivial-build-system)
(outputs '("out"))
@@ -640,7 +642,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker -Wl,~a/~a \"$@\"~%"
(define glibc-final
;; The final glibc, which embeds the statically-linked Bash built above.
- (package (inherit glibc-final-with-bootstrap-bash)
+ (package/inherit glibc-final-with-bootstrap-bash
(name "glibc")
(inputs `(("static-bash" ,static-bash-for-glibc)
,@(alist-delete
diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
new file mode 100644
index 000000000..71e80968b
--- /dev/null
+++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
@@ -0,0 +1,36 @@
+From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 17:09:55 +0200
+Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
+ programs [BZ #21624]
+
+LD_LIBRARY_PATH can only be used to reorder system search paths, which
+is not useful functionality.
+
+This makes an exploitable unbounded alloca in _dl_init_paths unreachable
+for AT_SECURE=1 programs.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d
+---
+ ChangeLog | 7 +++++++
+ elf/rtld.c | 3 ++-
+ 2 files changed, 9 insertions(+), 1 deletion(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2446a87..2269dbe 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
+
+ case 12:
+ /* The library search path. */
+- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
++ if (!__libc_enable_secure
++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
+ {
+ library_path = &envline[13];
+ break;
+--
+2.9.3
+
diff --git a/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
new file mode 100644
index 000000000..3d8f6d2bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-AUDIT.patch
@@ -0,0 +1,206 @@
+From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:32:12 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements
+
+Also only process the last LD_AUDIT entry.
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
+
+---
+ ChangeLog | 11 +++++++
+ elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++---------
+ 2 files changed, 106 insertions(+), 15 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 86ae20c..65647fb 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p)
+ return *p != '\0';
+ }
+
+-/* List of auditing DSOs. */
++/* LD_AUDIT variable contents. Must be processed before the
++ audit_list below. */
++const char *audit_list_string;
++
++/* Cyclic list of auditing DSOs. audit_list->next is the first
++ element. */
+ static struct audit_list
+ {
+ const char *name;
+ struct audit_list *next;
+ } *audit_list;
+
++/* Iterator for audit_list_string followed by audit_list. */
++struct audit_list_iter
++{
++ /* Tail of audit_list_string still needing processing, or NULL. */
++ const char *audit_list_tail;
++
++ /* The list element returned in the previous iteration. NULL before
++ the first element. */
++ struct audit_list *previous;
++
++ /* Scratch buffer for returning a name which is part of
++ audit_list_string. */
++ char fname[SECURE_NAME_LIMIT];
++};
++
++/* Initialize an audit list iterator. */
++static void
++audit_list_iter_init (struct audit_list_iter *iter)
++{
++ iter->audit_list_tail = audit_list_string;
++ iter->previous = NULL;
++}
++
++/* Iterate through both audit_list_string and audit_list. */
++static const char *
++audit_list_iter_next (struct audit_list_iter *iter)
++{
++ if (iter->audit_list_tail != NULL)
++ {
++ /* First iterate over audit_list_string. */
++ while (*iter->audit_list_tail != '\0')
++ {
++ /* Split audit list at colon. */
++ size_t len = strcspn (iter->audit_list_tail, ":");
++ if (len > 0 && len < sizeof (iter->fname))
++ {
++ memcpy (iter->fname, iter->audit_list_tail, len);
++ iter->fname[len] = '\0';
++ }
++ else
++ /* Do not return this name to the caller. */
++ iter->fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ iter->audit_list_tail += len;
++ if (*iter->audit_list_tail == ':')
++ ++iter->audit_list_tail;
++
++ /* If the name is valid, return it. */
++ if (dso_name_valid_for_suid (iter->fname))
++ return iter->fname;
++ /* Otherwise, wrap around and try the next name. */
++ }
++ /* Fall through to the procesing of audit_list. */
++ }
++
++ if (iter->previous == NULL)
++ {
++ if (audit_list == NULL)
++ /* No pre-parsed audit list. */
++ return NULL;
++ /* Start of audit list. The first list element is at
++ audit_list->next (cyclic list). */
++ iter->previous = audit_list->next;
++ return iter->previous->name;
++ }
++ if (iter->previous == audit_list)
++ /* Cyclic list wrap-around. */
++ return NULL;
++ iter->previous = iter->previous->next;
++ return iter->previous->name;
++}
++
+ #ifndef HAVE_INLINED_SYSCALLS
+ /* Set nonzero during loading and initialization of executable and
+ libraries, cleared before the executable's entry point runs. This
+@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\
+ GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid ();
+
+ /* If we have auditing DSOs to load, do it now. */
+- if (__glibc_unlikely (audit_list != NULL))
++ bool need_security_init = true;
++ if (__glibc_unlikely (audit_list != NULL)
++ || __glibc_unlikely (audit_list_string != NULL))
+ {
+- /* Iterate over all entries in the list. The order is important. */
+ struct audit_ifaces *last_audit = NULL;
+- struct audit_list *al = audit_list->next;
++ struct audit_list_iter al_iter;
++ audit_list_iter_init (&al_iter);
+
+ /* Since we start using the auditing DSOs right away we need to
+ initialize the data structures now. */
+@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\
+ use different values (especially the pointer guard) and will
+ fail later on. */
+ security_init ();
++ need_security_init = false;
+
+- do
++ while (true)
+ {
++ const char *name = audit_list_iter_next (&al_iter);
++ if (name == NULL)
++ break;
++
+ int tls_idx = GL(dl_tls_max_dtv_idx);
+
+ /* Now it is time to determine the layout of the static TLS
+@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ no DF_STATIC_TLS bit is set. The reason is that we know
+ glibc will use the static model. */
+ struct dlmopen_args dlmargs;
+- dlmargs.fname = al->name;
++ dlmargs.fname = name;
+ dlmargs.map = NULL;
+
+ const char *objname;
+@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\
+ not_loaded:
+ _dl_error_printf ("\
+ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+- al->name, err_str);
++ name, err_str);
+ if (malloced)
+ free ((char *) err_str);
+ }
+@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ goto not_loaded;
+ }
+ }
+-
+- al = al->next;
+ }
+- while (al != audit_list->next);
+
+ /* If we have any auditing modules, announce that we already
+ have two objects loaded. */
+@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ if (tcbp == NULL)
+ tcbp = init_tls ();
+
+- if (__glibc_likely (audit_list == NULL))
++ if (__glibc_likely (need_security_init))
+ /* Initialize security features. But only if we have not done it
+ earlier. */
+ security_init ();
+@@ -2346,9 +2428,7 @@ process_dl_audit (char *str)
+ char *p;
+
+ while ((p = (strsep) (&str, ":")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! __libc_enable_secure, 1)
+- || strchr (p, '/') == NULL))
++ if (dso_name_valid_for_suid (p))
+ {
+ /* This is using the local malloc, not the system malloc. The
+ memory can never be freed. */
+@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep)
+ break;
+ }
+ if (memcmp (envline, "AUDIT", 5) == 0)
+- process_dl_audit (&envline[6]);
++ audit_list_string = &envline[6];
+ break;
+
+ case 7:
+--
+2.9.3
+
diff --git a/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
new file mode 100644
index 000000000..4b859c4bf
--- /dev/null
+++ b/gnu/packages/patches/glibc-reject-long-LD-PRELOAD.patch
@@ -0,0 +1,124 @@
+From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001
+From: Florian Weimer <fweimer@redhat.com>
+Date: Mon, 19 Jun 2017 22:31:04 +0200
+Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements
+
+patch from:
+https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8
+
+---
+ ChangeLog | 7 ++++++
+ elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------
+ 2 files changed, 73 insertions(+), 16 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 2269dbe..86ae20c 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+
++/* Length limits for names and paths, to protect the dynamic linker,
++ particularly when __libc_enable_secure is active. */
++#ifdef NAME_MAX
++# define SECURE_NAME_LIMIT NAME_MAX
++#else
++# define SECURE_NAME_LIMIT 255
++#endif
++#ifdef PATH_MAX
++# define SECURE_PATH_LIMIT PATH_MAX
++#else
++# define SECURE_PATH_LIMIT 1024
++#endif
++
++/* Check that AT_SECURE=0, or that the passed name does not contain
++ directories and is not overly long. Reject empty names
++ unconditionally. */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++ if (__glibc_unlikely (__libc_enable_secure))
++ {
++ /* Ignore pathnames with directories for AT_SECURE=1
++ programs, and also skip overlong names. */
++ size_t len = strlen (p);
++ if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL)
++ return false;
++ }
++ return *p != '\0';
++}
+
+ /* List of auditing DSOs. */
+ static struct audit_list
+@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed. */
+ static int version_info attribute_relro;
+
++/* The LD_PRELOAD environment variable gives list of libraries
++ separated by white space or colons that are loaded before the
++ executable's dependencies and prepended to the global scope list.
++ (If the binary is running setuid all elements containing a '/' are
++ ignored since it is insecure.) Return the number of preloads
++ performed. */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++ unsigned int npreloads = 0;
++ const char *p = preloadlist;
++ char fname[SECURE_PATH_LIMIT];
++
++ while (*p != '\0')
++ {
++ /* Split preload list at space/colon. */
++ size_t len = strcspn (p, " :");
++ if (len > 0 && len < sizeof (fname))
++ {
++ memcpy (fname, p, len);
++ fname[len] = '\0';
++ }
++ else
++ fname[0] = '\0';
++
++ /* Skip over the substring and the following delimiter. */
++ p += len;
++ if (*p != '\0')
++ ++p;
++
++ if (dso_name_valid_for_suid (fname))
++ npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++ }
++ return npreloads;
++}
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ ElfW(Word) phnum,
+@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+
+ if (__glibc_unlikely (preloadlist != NULL))
+ {
+- /* The LD_PRELOAD environment variable gives list of libraries
+- separated by white space or colons that are loaded before the
+- executable's dependencies and prepended to the global scope
+- list. If the binary is running setuid all elements
+- containing a '/' are ignored since it is insecure. */
+- char *list = strdupa (preloadlist);
+- char *p;
+-
+ HP_TIMING_NOW (start);
+-
+- /* Prevent optimizing strsep. Speed is not important here. */
+- while ((p = (strsep) (&list, " :")) != NULL)
+- if (p[0] != '\0'
+- && (__builtin_expect (! __libc_enable_secure, 1)
+- || strchr (p, '/') == NULL))
+- npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++ npreloads += handle_ld_preload (preloadlist, main_map);
+ HP_TIMING_NOW (stop);
+ HP_TIMING_DIFF (diff, start, stop);
+ HP_TIMING_ACCUM_NT (load_time, diff);
+--
+2.9.3
+
--
2.13.1
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 833 bytes --]
next prev parent reply other threads:[~2017-06-21 8:42 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 22:25 bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-19 23:05 ` Leo Famulari
2017-06-20 0:42 ` Leo Famulari
2017-06-20 0:49 ` Leo Famulari
2017-06-20 7:18 ` Efraim Flashner
2017-06-20 13:16 ` Leo Famulari
2017-06-20 21:44 ` Mark H Weaver
2017-06-21 8:41 ` Efraim Flashner [this message]
2017-06-21 9:50 ` Efraim Flashner
2017-06-21 23:52 ` Leo Famulari
2017-06-22 0:03 ` Leo Famulari
2017-06-22 6:44 ` Mark H Weaver
2017-06-22 16:17 ` Leo Famulari
2017-06-22 18:34 ` Leo Famulari
2017-06-22 19:25 ` Leo Famulari
2017-06-29 10:58 ` Ludovic Courtès
2017-06-29 15:49 ` Mark H Weaver
2017-06-29 20:06 ` Ludovic Courtès
2017-06-29 21:03 ` bug#27429: core-updates and shishi [was Re: bug#27429: Stack clash (CVE-2017-1000366 etc)] Leo Famulari
2017-06-29 22:27 ` Ludovic Courtès
2017-06-30 6:47 ` Leo Famulari
2017-06-30 12:59 ` Ludovic Courtès
2017-06-23 17:20 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Leo Famulari
2017-06-23 18:36 ` Mark H Weaver
2017-06-23 18:54 ` Leo Famulari
2017-06-23 20:03 ` Mark H Weaver
2017-06-24 7:11 ` Mark H Weaver
2017-06-26 8:41 ` Ludovic Courtès
2017-06-26 11:19 ` Mark H Weaver
2017-06-27 13:57 ` Ludovic Courtès
2017-06-28 21:55 ` Leo Famulari
2017-06-20 3:31 ` Mark H Weaver
2017-06-25 9:38 ` bug#27429: Stack clash (CVE-2017-1000366 etc); -fstack-check Danny Milosavljevic
2017-06-25 10:41 ` Marius Bakke
2017-06-25 13:19 ` Leo Famulari
2017-07-20 15:54 ` bug#27429: Stack clash (CVE-2017-1000366 etc) Ludovic Courtès
2017-07-20 19:13 ` Leo Famulari
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170621084134.GA2870@macbook42.flashner.co.il \
--to=efraim@flashner.co.il \
--cc=27429@debbugs.gnu.org \
--cc=mhw@netris.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
Code repositories for project(s) associated with this external index
https://git.savannah.gnu.org/cgit/guix.git
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.