From patchwork Sat Sep 5 16:39:51 2015
X-Patchwork-Submitter: Hector Marco-Gisbert
X-Patchwork-Id: 8586
From: Hector Marco-Gisbert
To: "Carlos O'Donell", GNU C Library, "Joseph S. Myers", Siddhesh Poyarekar, Andreas Jaeger
Cc: Hector Marco-Gisbert, Ismael Ripoll Ripoll
Subject: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
Date: Sat, 5 Sep 2015 18:39:51 +0200
Message-Id: <1441471191-4683-1-git-send-email-hecmargi@upv.es>

Hello,

A weakness in the dynamic loader has been found; Glibc versions prior to 2.22.90 are affected. The issue is that LD_POINTER_GUARD in the environment is not sanitized, allowing local attackers to easily bypass the pointer guarding protection on set-user-ID and set-group-ID programs.

Details of the weakness: http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html

This patch prevents disabling the pointer guarding protection for set-user-ID/set-group-ID programs. For example, executing "LD_POINTER_GUARD=0 /bin/ping" does not disable the pointer guarding protection unless it is directly executed by root (rUID==eUID).

Signed-off-by: Hector Marco-Gisbert
Signed-off-by: Ismael Ripoll Ripoll
---
 ChangeLog                   | 11 +++++++++++
 elf/rtld.c                  |  3 ++-
 sysdeps/generic/unsecvars.h |  1 +
 3 files changed, 14 insertions(+), 1 deletion(-)
diff --git a/ChangeLog b/ChangeLog index 53b6c24..3c799ec 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,14 @@ +2015-08-31 Hector Marco-Gisbert + Ismael Ripoll Ripoll + + * elf/rtld.c: Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID + binaries. Otherwise an attacker can disable the pointer guarding + protection when attacking set-user-ID/set-group-ID binaries + locally. + * sysdeps/generic/unsecvars.h: Added LD_POINTER_GUARD environment + variable to UNSECURE_ENVVARS list to remove it from environment of + SUID binaries. + 2015-09-04 Roland McGrath [BZ #18921] diff --git a/elf/rtld.c b/elf/rtld.c index 69873c2..abdc1a2 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -2472,7 +2472,8 @@ process_envvars (enum mode *modep) break; } - if (memcmp (envline, "POINTER_GUARD", 13) == 0) + if (!__libc_enable_secure + && memcmp (envline, "POINTER_GUARD", 13) == 0) GLRO(dl_pointer_guard) = envline[14] != '0'; break; diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h index d5b8119..9f1946a 100644 --- a/sysdeps/generic/unsecvars.h +++ b/sysdeps/generic/unsecvars.h @@ -11,6 +11,7 @@ "LD_DYNAMIC_WEAK\0" \ "LD_LIBRARY_PATH\0" \ "LD_ORIGIN_PATH\0" \ + "LD_POINTER_GUARD\0" \ "LD_PRELOAD\0" \ "LD_PROFILE\0" \ "LD_SHOW_AUXV\0" \
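Review bot: the new ChangeLog entry is dated 2015-08-31 yet is inserted above Roland McGrath's 2015-09-04 entry; glibc's ChangeLog is kept newest-first, so either use the submission date (the mail is dated 2015-09-05) or the entry belongs below the 2015-09-04 one. Style-wise, GNU ChangeLog entries name the changed function or macro and use the imperative, so prefer `* elf/rtld.c (process_envvars): Ignore LD_POINTER_GUARD when __libc_enable_secure is set.` and `* sysdeps/generic/unsecvars.h (UNSECURE_ENVVARS): Add LD_POINTER_GUARD.` over "Added LD_POINTER_GUARD environment variable to UNSECURE_ENVVARS list". If a Bugzilla entry exists for this weakness, reference it with a `[BZ #NNNN]` line (NNNN being the real number) as the adjacent 2015-09-04 entry does, and a security fix of this kind also warrants a NEWS entry.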
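Review bot: the rtld.c hunk is correct to test `__libc_enable_secure` at the point where `GLRO(dl_pointer_guard)` is assigned rather than relying on the unsecvars.h change alone: the UNSECURE_ENVVARS removal is a separate `unsetenv` pass that runs after this environment-parsing loop in `process_envvars`, so a set-user-ID process would still see `LD_POINTER_GUARD=0` here and switch the guard off before the variable is scrubbed. Two follow-ups: put a one-line comment above the new `if` saying the variable is deliberately ignored in secure mode, so the asymmetry with the other `LD_` variables handled in this switch is documented; and note that `__libc_enable_secure` comes from AT_SECURE, which the kernel also sets for set-group-ID and file-capability executables, so the cover letter's "unless it is directly executed by root (rUID==eUID)" understates what the check covers and the commit message should describe the condition as AT_SECURE / `__libc_enable_secure`.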
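Review bot: in the unsecvars.h hunk the insertion point keeps the list sorted (between `"LD_ORIGIN_PATH\0"` and `"LD_PRELOAD\0"`) and the `"\0"`-terminated form matches the neighbouring entries, so the hunk is fine as is; what is missing is an explanation in the commit message of what it buys beyond the rtld.c check: entries in UNSECURE_ENVVARS are unset from the environment of a secure process, so `LD_POINTER_GUARD=0` is no longer inherited by programs the set-user-ID binary later executes, which would otherwise start with the guard disabled even though they are not themselves secure. Also worth asking whether any sysdeps directory carries its own copy of this list that needs the same entry.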
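As an added example (not glibc's code and not part of the submitted patch), the following C program models the two decisions the patch makes: honour `LD_POINTER_GUARD=0` only when the process is not in secure mode, and drop the UNSECURE_ENVVARS entries from a secure process's environment. The function names (`running_secure`, `decide_pointer_guard`, `is_unsecure_envvar`, `scrub_environment`, `env_lookup`) are this example's own, and the variable list is a three-entry subset of sysdeps/generic/unsecvars.h.

```c
/* Added example, not glibc code: a small model of the loader's handling of
   LD_POINTER_GUARD after the patch.  decide_pointer_guard() mirrors the
   rtld.c hunk and scrub_environment() mirrors what the UNSECURE_ENVVARS
   list is used for.  Function names are this example's own. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __GLIBC__
#include <sys/auxv.h>   /* getauxval (AT_SECURE) */
#endif

extern char **environ;

/* Three-entry subset of unsecvars.h in the same "\0"-separated form; the
   string literal's implicit terminator supplies the final double NUL. */
static const char unsecure_envvars[] =
  "LD_LIBRARY_PATH\0"
  "LD_POINTER_GUARD\0"
  "LD_PRELOAD\0";

/* True when the process must behave as set-user-ID/set-group-ID.  The
   kernel reports this through AT_SECURE (which is what __libc_enable_secure
   is derived from); the non-glibc fallback only compares real/effective IDs. */
bool running_secure (void)
{
#ifdef __GLIBC__
  return getauxval (AT_SECURE) != 0;
#else
  return getuid () != geteuid () || getgid () != getegid ();
#endif
}

/* Does the "NAME=value" entry name one of the unsecure variables? */
bool is_unsecure_envvar (const char *entry)
{
  size_t namelen = strcspn (entry, "=");
  for (const char *p = unsecure_envvars; *p != '\0'; p += strlen (p) + 1)
    if (strlen (p) == namelen && memcmp (p, entry, namelen) == 0)
      return true;
  return false;
}

/* Mirror of the patched rtld.c test.  VALUE is the text after
   "LD_POINTER_GUARD=" (NULL when the variable is unset); returns whether
   pointer guarding stays enabled. */
bool decide_pointer_guard (const char *value, bool secure)
{
  if (secure || value == NULL)
    return true;            /* secure mode: the variable is ignored outright */
  return value[0] != '0';   /* same test as GLRO(dl_pointer_guard) = envline[14] != '0' */
}

/* Remove unsecure variables from an envp-style array in place when SECURE is
   set, as the loader's unsetenv pass over UNSECURE_ENVVARS does.  Returns the
   number of entries kept; the array stays NULL-terminated. */
size_t scrub_environment (char **envp, bool secure)
{
  size_t in, out = 0;
  for (in = 0; envp[in] != NULL; in++)
    {
      if (secure && is_unsecure_envvar (envp[in]))
        continue;           /* dropped: children will not inherit it */
      envp[out++] = envp[in];
    }
  envp[out] = NULL;
  return out;
}

/* Look up NAME in an envp-style array; returns its value or NULL. */
const char *env_lookup (char *const *envp, const char *name)
{
  size_t namelen = strlen (name);
  for (size_t i = 0; envp[i] != NULL; i++)
    if (strncmp (envp[i], name, namelen) == 0 && envp[i][namelen] == '=')
      return envp[i] + namelen + 1;
  return NULL;
}

int main (void)
{
  bool secure = running_secure ();
  const char *value = env_lookup (environ, "LD_POINTER_GUARD");
  printf ("secure=%d LD_POINTER_GUARD=%s -> pointer guard %s\n",
          secure, value ? value : "(unset)",
          decide_pointer_guard (value, secure) ? "enabled" : "DISABLED");
  size_t kept = scrub_environment (environ, secure);
  printf ("%zu environment entries kept after scrubbing\n", kept);
  return 0;
}
```

Run as an ordinary user with `LD_POINTER_GUARD=0` in the environment, the program reports the guard disabled, because an unprivileged process is allowed to opt out of its own protection; the decisive input is AT_SECURE, not the variable, which is exactly the distinction the rtld.c hunk introduces. The scrubbing step is what keeps that opt-out from being passed on to anything a secure process executes.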