diff options
author | Carlos O'Donell <carlos@redhat.com> | 2013-09-23 00:52:09 -0400 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2013-09-23 00:52:09 -0400 |
commit | c61b4d41c9647a54a329aa021341c0eb032b793e (patch) | |
tree | c4a665c232a7d37786a6f3b5e3f56d0ae11480e8 /csu | |
parent | 58a96064d193317236b740998e134b652d3d62ad (diff) | |
download | glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.tar.gz glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.tar.xz glibc-c61b4d41c9647a54a329aa021341c0eb032b793e.zip |
BZ #15754: CVE-2013-4788
The pointer guard used for pointer mangling was not initialized for static applications resulting in the security feature being disabled. The pointer guard is now correctly initialized to a random value for static applications. Existing static applications need to be recompiled to take advantage of the fix. The test tst-ptrguard1-static and tst-ptrguard1 add regression coverage to ensure the pointer guards are sufficiently random and initialized to a default value.
Diffstat (limited to 'csu')
-rw-r--r-- | csu/libc-start.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/csu/libc-start.c b/csu/libc-start.c index e5da3efd06..c898d06b03 100644 --- a/csu/libc-start.c +++ b/csu/libc-start.c @@ -37,6 +37,12 @@ extern void __pthread_initialize_minimal (void); in thread local area. */ uintptr_t __stack_chk_guard attribute_relro; # endif +# ifndef THREAD_SET_POINTER_GUARD +/* Only exported for architectures that don't store the pointer guard + value in thread local area. */ +uintptr_t __pointer_chk_guard_local + attribute_relro attribute_hidden __attribute__ ((nocommon)); +# endif #endif #ifdef HAVE_PTR_NTHREADS @@ -195,6 +201,16 @@ LIBC_START_MAIN (int (*main) (int, char **, char ** MAIN_AUXVEC_DECL), # else __stack_chk_guard = stack_chk_guard; # endif + + /* Set up the pointer guard value. */ + uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random, + stack_chk_guard); +# ifdef THREAD_SET_POINTER_GUARD + THREAD_SET_POINTER_GUARD (pointer_chk_guard); +# else + __pointer_chk_guard_local = pointer_chk_guard; +# endif + #endif /* Register the destructor of the dynamic linker if there is any. */ |