about summary refs log tree commit diff
path: root/elf/Makefile
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2018-02-21 10:37:22 +0100
committerFlorian Weimer <fweimer@redhat.com>2018-02-21 10:37:22 +0100
commit52a01100ad011293197637e42b5be1a479a2f4ae (patch)
tree8bfbd570b7eda10ee7de5fcb8ce430c1043af0f0 /elf/Makefile
parentb5bf62e40c5ff4e3906572f257dcda77b393ffa0 (diff)
downloadglibc-52a01100ad011293197637e42b5be1a479a2f4ae.tar.gz
glibc-52a01100ad011293197637e42b5be1a479a2f4ae.tar.xz
glibc-52a01100ad011293197637e42b5be1a479a2f4ae.zip
elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]
This looks like a post-exploitation hardening measure: If an attacker is
able to redirect execution flow, they could use that to load a DSO which
contains additional code (or perhaps make the stack executable).

However, the checks are not in the correct place to be effective: If
they are performed before the critical operation, an attacker with
sufficient control over execution flow could simply jump directly to
the code which performs the operation, bypassing the check.  The check
would have to be executed unconditionally after the operation and
terminate the process in case a caller violation was detected.

Furthermore, in _dl_check_caller, there was a fallback reading global
writable data (GL(dl_rtld_map).l_map_start and
GL(dl_rtld_map).l_text_end), which could conceivably be targeted by an
attacker to disable the check, too.

Other critical functions (such as system) remain completely
unprotected, so the value of these additional checks does not appear
that large.  Therefore this commit removes this functionality.
Diffstat (limited to 'elf/Makefile')
-rw-r--r--elf/Makefile3
1 files changed, 1 insertions, 2 deletions
diff --git a/elf/Makefile b/elf/Makefile
index 2a432d8bee..9bdb9220c7 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -32,7 +32,7 @@ routines	= $(all-dl-routines) dl-support dl-iteratephdr \
 dl-routines	= $(addprefix dl-,load lookup object reloc deps hwcaps \
 				  runtime init fini debug misc \
 				  version profile tls origin scope \
-				  execstack caller open close trampoline \
+				  execstack open close trampoline \
 				  exception sort-maps)
 ifeq (yes,$(use-ldconfig))
 dl-routines += dl-cache
@@ -54,7 +54,6 @@ all-dl-routines = $(dl-routines) $(sysdep-dl-routines)
 # But they are absent from the shared libc, because that code is in ld.so.
 elide-routines.os = $(all-dl-routines) dl-support enbl-secure dl-origin \
 		    dl-sysdep dl-exception dl-reloc-static-pie
-shared-only-routines += dl-caller
 
 # ld.so uses those routines, plus some special stuff for being the program
 # interpreter and operating independent of libc.