From ffc015bea26f24d862e7e877d907fbe1ab9a9967 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Sun, 25 Jun 2017 20:58:17 -0400 Subject: gnu: glibc: Fix replacement on i686. This is followup to 665d6a59161769e10b52ffcbcd5cd2db22f32681. Fixes . * gnu/packages/base.scm (glibc-2.25-patched, glibc-2.24, glibc-2.23) (glibc-2.22): Add glibc-vectorized-strcspn-guards.patch to patches. Move a comment where it belongs. * gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch: Swap with ... * gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch: ... this. * gnu/packages/patches/glibc-vectorized-strcspn-guards.patch: New file. * gnu/local.mk (dist_patch_DATA): Add it. Fix formatting. --- gnu/local.mk | 7 +- gnu/packages/base.scm | 10 +- .../patches/glibc-CVE-2017-1000366-pt2.patch | 274 ++++++++------------- .../patches/glibc-CVE-2017-1000366-pt3.patch | 274 +++++++++++++-------- .../patches/glibc-vectorized-strcspn-guards.patch | 23 ++ 5 files changed, 308 insertions(+), 280 deletions(-) create mode 100644 gnu/packages/patches/glibc-vectorized-strcspn-guards.patch (limited to 'gnu') diff --git a/gnu/local.mk b/gnu/local.mk index 102fe98e60..5d024de07e 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -630,14 +630,15 @@ dist_patch_DATA = \ %D%/packages/patches/ghostscript-runpath.patch \ %D%/packages/patches/glib-networking-ssl-cert-file.patch \ %D%/packages/patches/glib-tests-timer.patch \ - %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ - %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ - %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ + %D%/packages/patches/glibc-CVE-2017-1000366-pt1.patch \ + %D%/packages/patches/glibc-CVE-2017-1000366-pt2.patch \ + %D%/packages/patches/glibc-CVE-2017-1000366-pt3.patch \ %D%/packages/patches/glibc-bootstrap-system.patch \ %D%/packages/patches/glibc-ldd-x86_64.patch \ %D%/packages/patches/glibc-locales.patch \ %D%/packages/patches/glibc-memchr-overflow-i686.patch \ %D%/packages/patches/glibc-o-largefile.patch \ + %D%/packages/patches/glibc-vectorized-strcspn-guards.patch \ %D%/packages/patches/glibc-versioned-locpath.patch \ %D%/packages/patches/glog-gcc-5-demangling.patch \ %D%/packages/patches/gmp-arm-asm-nothumb.patch \ diff --git a/gnu/packages/base.scm b/gnu/packages/base.scm index 2767909805..979d657957 100644 --- a/gnu/packages/base.scm +++ b/gnu/packages/base.scm @@ -902,9 +902,6 @@ GLIBC/HURD for a Hurd host" (define-syntax glibc (identifier-syntax (glibc-for-target))) -;; Below are old libc versions, which we use mostly to build locale data in -;; the old format (which the new libc cannot cope with.) - (define glibc-2.25-patched (package (inherit glibc) @@ -914,10 +911,14 @@ GLIBC/HURD for a Hurd host" (patches (search-patches "glibc-ldd-x86_64.patch" "glibc-versioned-locpath.patch" "glibc-o-largefile.patch" + "glibc-vectorized-strcspn-guards.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) +;; Below are old libc versions, which we use mostly to build locale data in +;; the old format (which the new libc cannot cope with.) + (define-public glibc-2.24 (package (inherit glibc) @@ -933,6 +934,7 @@ GLIBC/HURD for a Hurd host" (patches (search-patches "glibc-ldd-x86_64.patch" "glibc-versioned-locpath.patch" "glibc-o-largefile.patch" + "glibc-vectorized-strcspn-guards.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) @@ -952,6 +954,7 @@ GLIBC/HURD for a Hurd host" (patches (search-patches "glibc-ldd-x86_64.patch" "glibc-versioned-locpath.patch" "glibc-o-largefile.patch" + "glibc-vectorized-strcspn-guards.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))))) @@ -969,6 +972,7 @@ GLIBC/HURD for a Hurd host" (base32 "0j49682pm2nh4qbdw35bas82p1pgfnz4d2l7iwfyzvrvj0318wzb")) (patches (search-patches "glibc-ldd-x86_64.patch" + "glibc-vectorized-strcspn-guards.patch" "glibc-CVE-2017-1000366-pt1.patch" "glibc-CVE-2017-1000366-pt2.patch" "glibc-CVE-2017-1000366-pt3.patch")))) diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch index 3d8f6d2bf8..4b859c4bfd 100644 --- a/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch +++ b/gnu/packages/patches/glibc-CVE-2017-1000366-pt2.patch @@ -1,206 +1,124 @@ -From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001 +From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001 From: Florian Weimer -Date: Mon, 19 Jun 2017 22:32:12 +0200 -Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements - -Also only process the last LD_AUDIT entry. +Date: Mon, 19 Jun 2017 22:31:04 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements patch from: -https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9 +https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8 --- - ChangeLog | 11 +++++++ - elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------- - 2 files changed, 106 insertions(+), 15 deletions(-) + ChangeLog | 7 ++++++ + elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------ + 2 files changed, 73 insertions(+), 16 deletions(-) diff --git a/elf/rtld.c b/elf/rtld.c -index 86ae20c..65647fb 100644 +index 2269dbe..86ae20c 100644 --- a/elf/rtld.c +++ b/elf/rtld.c -@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p) - return *p != '\0'; - } +@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local + strong_alias (__pointer_chk_guard_local, __pointer_chk_guard) + #endif --/* List of auditing DSOs. */ -+/* LD_AUDIT variable contents. Must be processed before the -+ audit_list below. */ -+const char *audit_list_string; ++/* Length limits for names and paths, to protect the dynamic linker, ++ particularly when __libc_enable_secure is active. */ ++#ifdef NAME_MAX ++# define SECURE_NAME_LIMIT NAME_MAX ++#else ++# define SECURE_NAME_LIMIT 255 ++#endif ++#ifdef PATH_MAX ++# define SECURE_PATH_LIMIT PATH_MAX ++#else ++# define SECURE_PATH_LIMIT 1024 ++#endif + -+/* Cyclic list of auditing DSOs. audit_list->next is the first -+ element. */ ++/* Check that AT_SECURE=0, or that the passed name does not contain ++ directories and is not overly long. Reject empty names ++ unconditionally. */ ++static bool ++dso_name_valid_for_suid (const char *p) ++{ ++ if (__glibc_unlikely (__libc_enable_secure)) ++ { ++ /* Ignore pathnames with directories for AT_SECURE=1 ++ programs, and also skip overlong names. */ ++ size_t len = strlen (p); ++ if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL) ++ return false; ++ } ++ return *p != '\0'; ++} + + /* List of auditing DSOs. */ static struct audit_list - { - const char *name; - struct audit_list *next; - } *audit_list; +@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro; + /* Nonzero if information about versions has to be printed. */ + static int version_info attribute_relro; -+/* Iterator for audit_list_string followed by audit_list. */ -+struct audit_list_iter -+{ -+ /* Tail of audit_list_string still needing processing, or NULL. */ -+ const char *audit_list_tail; -+ -+ /* The list element returned in the previous iteration. NULL before -+ the first element. */ -+ struct audit_list *previous; -+ -+ /* Scratch buffer for returning a name which is part of -+ audit_list_string. */ -+ char fname[SECURE_NAME_LIMIT]; -+}; -+ -+/* Initialize an audit list iterator. */ -+static void -+audit_list_iter_init (struct audit_list_iter *iter) ++/* The LD_PRELOAD environment variable gives list of libraries ++ separated by white space or colons that are loaded before the ++ executable's dependencies and prepended to the global scope list. ++ (If the binary is running setuid all elements containing a '/' are ++ ignored since it is insecure.) Return the number of preloads ++ performed. */ ++unsigned int ++handle_ld_preload (const char *preloadlist, struct link_map *main_map) +{ -+ iter->audit_list_tail = audit_list_string; -+ iter->previous = NULL; -+} ++ unsigned int npreloads = 0; ++ const char *p = preloadlist; ++ char fname[SECURE_PATH_LIMIT]; + -+/* Iterate through both audit_list_string and audit_list. */ -+static const char * -+audit_list_iter_next (struct audit_list_iter *iter) -+{ -+ if (iter->audit_list_tail != NULL) ++ while (*p != '\0') + { -+ /* First iterate over audit_list_string. */ -+ while (*iter->audit_list_tail != '\0') ++ /* Split preload list at space/colon. */ ++ size_t len = strcspn (p, " :"); ++ if (len > 0 && len < sizeof (fname)) + { -+ /* Split audit list at colon. */ -+ size_t len = strcspn (iter->audit_list_tail, ":"); -+ if (len > 0 && len < sizeof (iter->fname)) -+ { -+ memcpy (iter->fname, iter->audit_list_tail, len); -+ iter->fname[len] = '\0'; -+ } -+ else -+ /* Do not return this name to the caller. */ -+ iter->fname[0] = '\0'; -+ -+ /* Skip over the substring and the following delimiter. */ -+ iter->audit_list_tail += len; -+ if (*iter->audit_list_tail == ':') -+ ++iter->audit_list_tail; -+ -+ /* If the name is valid, return it. */ -+ if (dso_name_valid_for_suid (iter->fname)) -+ return iter->fname; -+ /* Otherwise, wrap around and try the next name. */ ++ memcpy (fname, p, len); ++ fname[len] = '\0'; + } -+ /* Fall through to the procesing of audit_list. */ -+ } ++ else ++ fname[0] = '\0'; + -+ if (iter->previous == NULL) -+ { -+ if (audit_list == NULL) -+ /* No pre-parsed audit list. */ -+ return NULL; -+ /* Start of audit list. The first list element is at -+ audit_list->next (cyclic list). */ -+ iter->previous = audit_list->next; -+ return iter->previous->name; ++ /* Skip over the substring and the following delimiter. */ ++ p += len; ++ if (*p != '\0') ++ ++p; ++ ++ if (dso_name_valid_for_suid (fname)) ++ npreloads += do_preload (fname, main_map, "LD_PRELOAD"); + } -+ if (iter->previous == audit_list) -+ /* Cyclic list wrap-around. */ -+ return NULL; -+ iter->previous = iter->previous->next; -+ return iter->previous->name; ++ return npreloads; +} + - #ifndef HAVE_INLINED_SYSCALLS - /* Set nonzero during loading and initialization of executable and - libraries, cleared before the executable's entry point runs. This -@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\ - GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid (); + static void + dl_main (const ElfW(Phdr) *phdr, + ElfW(Word) phnum, +@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", - /* If we have auditing DSOs to load, do it now. */ -- if (__glibc_unlikely (audit_list != NULL)) -+ bool need_security_init = true; -+ if (__glibc_unlikely (audit_list != NULL) -+ || __glibc_unlikely (audit_list_string != NULL)) + if (__glibc_unlikely (preloadlist != NULL)) { -- /* Iterate over all entries in the list. The order is important. */ - struct audit_ifaces *last_audit = NULL; -- struct audit_list *al = audit_list->next; -+ struct audit_list_iter al_iter; -+ audit_list_iter_init (&al_iter); - - /* Since we start using the auditing DSOs right away we need to - initialize the data structures now. */ -@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\ - use different values (especially the pointer guard) and will - fail later on. */ - security_init (); -+ need_security_init = false; - -- do -+ while (true) - { -+ const char *name = audit_list_iter_next (&al_iter); -+ if (name == NULL) -+ break; -+ - int tls_idx = GL(dl_tls_max_dtv_idx); - - /* Now it is time to determine the layout of the static TLS -@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\ - no DF_STATIC_TLS bit is set. The reason is that we know - glibc will use the static model. */ - struct dlmopen_args dlmargs; -- dlmargs.fname = al->name; -+ dlmargs.fname = name; - dlmargs.map = NULL; - - const char *objname; -@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\ - not_loaded: - _dl_error_printf ("\ - ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", -- al->name, err_str); -+ name, err_str); - if (malloced) - free ((char *) err_str); - } -@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", - goto not_loaded; - } - } +- /* The LD_PRELOAD environment variable gives list of libraries +- separated by white space or colons that are loaded before the +- executable's dependencies and prepended to the global scope +- list. If the binary is running setuid all elements +- containing a '/' are ignored since it is insecure. */ +- char *list = strdupa (preloadlist); +- char *p; - -- al = al->next; - } -- while (al != audit_list->next); - - /* If we have any auditing modules, announce that we already - have two objects loaded. */ -@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", - if (tcbp == NULL) - tcbp = init_tls (); - -- if (__glibc_likely (audit_list == NULL)) -+ if (__glibc_likely (need_security_init)) - /* Initialize security features. But only if we have not done it - earlier. */ - security_init (); -@@ -2346,9 +2428,7 @@ process_dl_audit (char *str) - char *p; - - while ((p = (strsep) (&str, ":")) != NULL) -- if (p[0] != '\0' -- && (__builtin_expect (! __libc_enable_secure, 1) -- || strchr (p, '/') == NULL)) -+ if (dso_name_valid_for_suid (p)) - { - /* This is using the local malloc, not the system malloc. The - memory can never be freed. */ -@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep) - break; - } - if (memcmp (envline, "AUDIT", 5) == 0) -- process_dl_audit (&envline[6]); -+ audit_list_string = &envline[6]; - break; - - case 7: + HP_TIMING_NOW (start); +- +- /* Prevent optimizing strsep. Speed is not important here. */ +- while ((p = (strsep) (&list, " :")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) +- npreloads += do_preload (p, main_map, "LD_PRELOAD"); +- ++ npreloads += handle_ld_preload (preloadlist, main_map); + HP_TIMING_NOW (stop); + HP_TIMING_DIFF (diff, start, stop); + HP_TIMING_ACCUM_NT (load_time, diff); -- 2.9.3 diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch b/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch index 4b859c4bfd..3d8f6d2bf8 100644 --- a/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch +++ b/gnu/packages/patches/glibc-CVE-2017-1000366-pt3.patch @@ -1,124 +1,206 @@ -From 6d0ba622891bed9d8394eef1935add53003b12e8 Mon Sep 17 00:00:00 2001 +From 81b82fb966ffbd94353f793ad17116c6088dedd9 Mon Sep 17 00:00:00 2001 From: Florian Weimer -Date: Mon, 19 Jun 2017 22:31:04 +0200 -Subject: [PATCH] ld.so: Reject overly long LD_PRELOAD path elements +Date: Mon, 19 Jun 2017 22:32:12 +0200 +Subject: [PATCH] ld.so: Reject overly long LD_AUDIT path elements + +Also only process the last LD_AUDIT entry. patch from: -https://sourceware.org/git/?p=glibc.git;a=patch;h=6d0ba622891bed9d8394eef1935add53003b12e8 +https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9 --- - ChangeLog | 7 ++++++ - elf/rtld.c | 82 ++++++++++++++++++++++++++++++++++++++++++++++++++------------ - 2 files changed, 73 insertions(+), 16 deletions(-) + ChangeLog | 11 +++++++ + elf/rtld.c | 110 ++++++++++++++++++++++++++++++++++++++++++++++++++++--------- + 2 files changed, 106 insertions(+), 15 deletions(-) diff --git a/elf/rtld.c b/elf/rtld.c -index 2269dbe..86ae20c 100644 +index 86ae20c..65647fb 100644 --- a/elf/rtld.c +++ b/elf/rtld.c -@@ -99,6 +99,35 @@ uintptr_t __pointer_chk_guard_local - strong_alias (__pointer_chk_guard_local, __pointer_chk_guard) - #endif +@@ -129,13 +129,91 @@ dso_name_valid_for_suid (const char *p) + return *p != '\0'; + } -+/* Length limits for names and paths, to protect the dynamic linker, -+ particularly when __libc_enable_secure is active. */ -+#ifdef NAME_MAX -+# define SECURE_NAME_LIMIT NAME_MAX -+#else -+# define SECURE_NAME_LIMIT 255 -+#endif -+#ifdef PATH_MAX -+# define SECURE_PATH_LIMIT PATH_MAX -+#else -+# define SECURE_PATH_LIMIT 1024 -+#endif +-/* List of auditing DSOs. */ ++/* LD_AUDIT variable contents. Must be processed before the ++ audit_list below. */ ++const char *audit_list_string; + -+/* Check that AT_SECURE=0, or that the passed name does not contain -+ directories and is not overly long. Reject empty names -+ unconditionally. */ -+static bool -+dso_name_valid_for_suid (const char *p) -+{ -+ if (__glibc_unlikely (__libc_enable_secure)) -+ { -+ /* Ignore pathnames with directories for AT_SECURE=1 -+ programs, and also skip overlong names. */ -+ size_t len = strlen (p); -+ if (len >= SECURE_NAME_LIMIT || memchr (p, '/', len) != NULL) -+ return false; -+ } -+ return *p != '\0'; -+} - - /* List of auditing DSOs. */ ++/* Cyclic list of auditing DSOs. audit_list->next is the first ++ element. */ static struct audit_list -@@ -718,6 +747,42 @@ static const char *preloadlist attribute_relro; - /* Nonzero if information about versions has to be printed. */ - static int version_info attribute_relro; + { + const char *name; + struct audit_list *next; + } *audit_list; -+/* The LD_PRELOAD environment variable gives list of libraries -+ separated by white space or colons that are loaded before the -+ executable's dependencies and prepended to the global scope list. -+ (If the binary is running setuid all elements containing a '/' are -+ ignored since it is insecure.) Return the number of preloads -+ performed. */ -+unsigned int -+handle_ld_preload (const char *preloadlist, struct link_map *main_map) ++/* Iterator for audit_list_string followed by audit_list. */ ++struct audit_list_iter ++{ ++ /* Tail of audit_list_string still needing processing, or NULL. */ ++ const char *audit_list_tail; ++ ++ /* The list element returned in the previous iteration. NULL before ++ the first element. */ ++ struct audit_list *previous; ++ ++ /* Scratch buffer for returning a name which is part of ++ audit_list_string. */ ++ char fname[SECURE_NAME_LIMIT]; ++}; ++ ++/* Initialize an audit list iterator. */ ++static void ++audit_list_iter_init (struct audit_list_iter *iter) +{ -+ unsigned int npreloads = 0; -+ const char *p = preloadlist; -+ char fname[SECURE_PATH_LIMIT]; ++ iter->audit_list_tail = audit_list_string; ++ iter->previous = NULL; ++} + -+ while (*p != '\0') ++/* Iterate through both audit_list_string and audit_list. */ ++static const char * ++audit_list_iter_next (struct audit_list_iter *iter) ++{ ++ if (iter->audit_list_tail != NULL) + { -+ /* Split preload list at space/colon. */ -+ size_t len = strcspn (p, " :"); -+ if (len > 0 && len < sizeof (fname)) ++ /* First iterate over audit_list_string. */ ++ while (*iter->audit_list_tail != '\0') + { -+ memcpy (fname, p, len); -+ fname[len] = '\0'; -+ } -+ else -+ fname[0] = '\0'; ++ /* Split audit list at colon. */ ++ size_t len = strcspn (iter->audit_list_tail, ":"); ++ if (len > 0 && len < sizeof (iter->fname)) ++ { ++ memcpy (iter->fname, iter->audit_list_tail, len); ++ iter->fname[len] = '\0'; ++ } ++ else ++ /* Do not return this name to the caller. */ ++ iter->fname[0] = '\0'; ++ ++ /* Skip over the substring and the following delimiter. */ ++ iter->audit_list_tail += len; ++ if (*iter->audit_list_tail == ':') ++ ++iter->audit_list_tail; + -+ /* Skip over the substring and the following delimiter. */ -+ p += len; -+ if (*p != '\0') -+ ++p; ++ /* If the name is valid, return it. */ ++ if (dso_name_valid_for_suid (iter->fname)) ++ return iter->fname; ++ /* Otherwise, wrap around and try the next name. */ ++ } ++ /* Fall through to the procesing of audit_list. */ ++ } + -+ if (dso_name_valid_for_suid (fname)) -+ npreloads += do_preload (fname, main_map, "LD_PRELOAD"); ++ if (iter->previous == NULL) ++ { ++ if (audit_list == NULL) ++ /* No pre-parsed audit list. */ ++ return NULL; ++ /* Start of audit list. The first list element is at ++ audit_list->next (cyclic list). */ ++ iter->previous = audit_list->next; ++ return iter->previous->name; + } -+ return npreloads; ++ if (iter->previous == audit_list) ++ /* Cyclic list wrap-around. */ ++ return NULL; ++ iter->previous = iter->previous->next; ++ return iter->previous->name; +} + - static void - dl_main (const ElfW(Phdr) *phdr, - ElfW(Word) phnum, -@@ -1464,23 +1529,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + #ifndef HAVE_INLINED_SYSCALLS + /* Set nonzero during loading and initialization of executable and + libraries, cleared before the executable's entry point runs. This +@@ -1305,11 +1383,13 @@ of this helper program; chances are you did not intend to run this program.\n\ + GL(dl_rtld_map).l_tls_modid = _dl_next_tls_modid (); - if (__glibc_unlikely (preloadlist != NULL)) + /* If we have auditing DSOs to load, do it now. */ +- if (__glibc_unlikely (audit_list != NULL)) ++ bool need_security_init = true; ++ if (__glibc_unlikely (audit_list != NULL) ++ || __glibc_unlikely (audit_list_string != NULL)) { -- /* The LD_PRELOAD environment variable gives list of libraries -- separated by white space or colons that are loaded before the -- executable's dependencies and prepended to the global scope -- list. If the binary is running setuid all elements -- containing a '/' are ignored since it is insecure. */ -- char *list = strdupa (preloadlist); -- char *p; -- - HP_TIMING_NOW (start); -- -- /* Prevent optimizing strsep. Speed is not important here. */ -- while ((p = (strsep) (&list, " :")) != NULL) -- if (p[0] != '\0' -- && (__builtin_expect (! __libc_enable_secure, 1) -- || strchr (p, '/') == NULL)) -- npreloads += do_preload (p, main_map, "LD_PRELOAD"); +- /* Iterate over all entries in the list. The order is important. */ + struct audit_ifaces *last_audit = NULL; +- struct audit_list *al = audit_list->next; ++ struct audit_list_iter al_iter; ++ audit_list_iter_init (&al_iter); + + /* Since we start using the auditing DSOs right away we need to + initialize the data structures now. */ +@@ -1320,9 +1400,14 @@ of this helper program; chances are you did not intend to run this program.\n\ + use different values (especially the pointer guard) and will + fail later on. */ + security_init (); ++ need_security_init = false; + +- do ++ while (true) + { ++ const char *name = audit_list_iter_next (&al_iter); ++ if (name == NULL) ++ break; ++ + int tls_idx = GL(dl_tls_max_dtv_idx); + + /* Now it is time to determine the layout of the static TLS +@@ -1331,7 +1416,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + no DF_STATIC_TLS bit is set. The reason is that we know + glibc will use the static model. */ + struct dlmopen_args dlmargs; +- dlmargs.fname = al->name; ++ dlmargs.fname = name; + dlmargs.map = NULL; + + const char *objname; +@@ -1344,7 +1429,7 @@ of this helper program; chances are you did not intend to run this program.\n\ + not_loaded: + _dl_error_printf ("\ + ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", +- al->name, err_str); ++ name, err_str); + if (malloced) + free ((char *) err_str); + } +@@ -1448,10 +1533,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + goto not_loaded; + } + } - -+ npreloads += handle_ld_preload (preloadlist, main_map); - HP_TIMING_NOW (stop); - HP_TIMING_DIFF (diff, start, stop); - HP_TIMING_ACCUM_NT (load_time, diff); +- al = al->next; + } +- while (al != audit_list->next); + + /* If we have any auditing modules, announce that we already + have two objects loaded. */ +@@ -1715,7 +1797,7 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n", + if (tcbp == NULL) + tcbp = init_tls (); + +- if (__glibc_likely (audit_list == NULL)) ++ if (__glibc_likely (need_security_init)) + /* Initialize security features. But only if we have not done it + earlier. */ + security_init (); +@@ -2346,9 +2428,7 @@ process_dl_audit (char *str) + char *p; + + while ((p = (strsep) (&str, ":")) != NULL) +- if (p[0] != '\0' +- && (__builtin_expect (! __libc_enable_secure, 1) +- || strchr (p, '/') == NULL)) ++ if (dso_name_valid_for_suid (p)) + { + /* This is using the local malloc, not the system malloc. The + memory can never be freed. */ +@@ -2412,7 +2492,7 @@ process_envvars (enum mode *modep) + break; + } + if (memcmp (envline, "AUDIT", 5) == 0) +- process_dl_audit (&envline[6]); ++ audit_list_string = &envline[6]; + break; + + case 7: -- 2.9.3 diff --git a/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch b/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch new file mode 100644 index 0000000000..3d6c7749d4 --- /dev/null +++ b/gnu/packages/patches/glibc-vectorized-strcspn-guards.patch @@ -0,0 +1,23 @@ +Copied from Debian. + +2017-06-14 Florian Weimer + + * sysdeps/i386/i686/multiarch/strcspn-c.c: Add IS_IN (libc) guard. + * sysdeps/i386/i686/multiarch/varshift.c: Likewise. + +--- a/sysdeps/i386/i686/multiarch/strcspn-c.c ++++ b/sysdeps/i386/i686/multiarch/strcspn-c.c +@@ -1,2 +1,4 @@ +-#define __strcspn_sse2 __strcspn_ia32 +-#include ++#if IS_IN (libc) ++# define __strcspn_sse2 __strcspn_ia32 ++# include ++#endif +--- a/sysdeps/i386/i686/multiarch/varshift.c ++++ b/sysdeps/i386/i686/multiarch/varshift.c +@@ -1 +1,3 @@ +-#include ++#if IS_IN (libc) ++# include ++#endif -- cgit v1.2.3