Always enable pointer guard [BZ #18928]

Honoring the LD_POINTER_GUARD environment variable in AT_SECURE mode
has security implications.  This commit enables pointer guard
unconditionally, and the environment variable is now ignored.

        [BZ #18928]
        * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
        _dl_pointer_guard member.
        * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
        initializer.
        (security_init): Always set up pointer guard.
        (process_envvars): Do not process LD_POINTER_GUARD.

(cherry picked from commit a014cecd82b71b70a6a843e250e06b541ad524f7)

Conflicts:
	NEWS

diff --git a/ChangeLog b/ChangeLog
index d9cbce76d5b61181b768ac46b76171348929b46e..32f9e4a62f040272a8a3011074733470ec3809f2 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2016-02-25  Florian Weimer  <fweimer@redhat.com>
+
+       [BZ #18928]
+       * sysdeps/generic/ldsodefs.h (struct rtld_global_ro): Remove
+       _dl_pointer_guard member.
+       * elf/rtld.c (_rtld_global_ro): Remove _dl_pointer_guard
+       initializer.
+       (security_init): Always set up pointer guard.
+       (process_envvars): Do not process LD_POINTER_GUARD.
+
 2015-07-21  Mike Frysinger  <vapier@gentoo.org>
 
        [BZ #18694]

diff --git a/NEWS b/NEWS
index b469ad2b501c0992a98d98cbcb23749a9e953dd1..34daa0366178dc4e63c85bcb9cf77537582e5a5f 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,7 +10,10 @@ Version 2.20.1
 * The following bugs are resolved with this release:
 
   16009, 16617, 16618, 17266, 17370, 17371, 17460, 17485, 17555, 17625,
-  17630, 17801, 18694.
+  17630, 17801, 18694, 18928.
+
+* The LD_POINTER_GUARD environment variable can no longer be used to
+  disable the pointer guard feature.  It is always enabled.
 
 * CVE-2015-1472 Under certain conditions wscanf can allocate too little
   memory for the to-be-scanned arguments and overflow the allocated

diff --git a/elf/rtld.c b/elf/rtld.c
index d5cace868b218b9966cb7c684bf9d8e382e9ecb5..39d3ae2b03f8c95fc3ce3e4f75a4c56cb0673397 100644 (file)
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -162,7 +162,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
     ._dl_hwcap_mask = HWCAP_IMPORTANT,
     ._dl_lazy = 1,
     ._dl_fpu_control = _FPU_DEFAULT,
-    ._dl_pointer_guard = 1,
     ._dl_pagesize = EXEC_PAGESIZE,
     ._dl_inhibit_cache = 0,
 
@@ -709,15 +708,12 @@ security_init (void)
 #endif
 
   /* Set up the pointer guard as well, if necessary.  */
-  if (GLRO(dl_pointer_guard))
-    {
-      uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
-                                                            stack_chk_guard);
+  uintptr_t pointer_chk_guard
+    = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
 #ifdef THREAD_SET_POINTER_GUARD
-      THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+  THREAD_SET_POINTER_GUARD (pointer_chk_guard);
 #endif
-      __pointer_chk_guard_local = pointer_chk_guard;
-    }
+  __pointer_chk_guard_local = pointer_chk_guard;
 
   /* We do not need the _dl_random value anymore.  The less
      information we leave behind, the better, so clear the
@@ -2471,9 +2467,6 @@ process_envvars (enum mode *modep)
              GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
              break;
            }
-
-         if (memcmp (envline, "POINTER_GUARD", 13) == 0)
-           GLRO(dl_pointer_guard) = envline[14] != '0';
          break;
 
        case 14:

diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index e01df84a994905414c205c843b6c460e18bde612..88383edc81da39482180f943c1bd069a444689ae 100644 (file)
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -582,9 +582,6 @@ struct rtld_global_ro
   /* List of auditing interfaces.  */
   struct audit_ifaces *_dl_audit;
   unsigned int _dl_naudit;
-
-  /* 0 if internal pointer values should not be guarded, 1 if they should.  */
-  EXTERN int _dl_pointer_guard;
 };
 # define __rtld_global_attribute__
 # ifdef IS_IN_rtld