Package: eglibc
Version: 2.10.2-3
Severity: normal
Tags: patch
User: ubuntu-de...@lists.ubuntu.com
Usertags: origin-ubuntu lucid ubuntu-patch
Hello!
As more packages (perhaps all!) start using either hardening-wrapper
or the hardening-includes packages to gain the -D_FORTIFY_SOURCE=2 and
-fstack-protector compiler flags, it starts becoming important to handle
a number of special cases that upstream glibc either hasn't acted on or
has inappropriately rejected.
I would like to include the following patches that Ubuntu has carried for
several releases now. (Note that submitted-leading-zero-stack-guard.diff
will need to be adjusted slightly if stack-guard-quick-randomization.diff
is not applied.)
no-sprintf-pre-truncate.diff
The sprintf function used when -D_FORTIFY_SOURCE=2 is used incorrectly
pre-truncates the destination buffer; this changes the long-standing
expectation of sprintf(foo,"%sbaz",foo) to work. See the patch for
further discussion.
local-fwrite-no-attr-unused.diff
Again, patch contains discussion, but basically, this disables a
useless and noisy warning that -D_FORTIFY_SOURCE=2 triggers.
stack-guard-quick-randomization.diff
For applications built with -fstack-protector, this adds the
"poor man's" randomization for when AT_RANDOM is not available.
Since AT_RANDOM is in 2.6.31 and later, it may not be useful to
carry any longer and may not be kfreebsd friendly.
submitted-leading-zero-stack-guard.diff
This is important as the recent glibc fails to keep the first byte
of the stack guard a NULL when constructing the stack guard for use
with -fstack-protector. Without this, it is possible to potentially
read and write beyond the stack guard value using NULL-terminated
string overflows.
Thanks!
-Kees
--
Kees Cook@debian.org
Description: when a program is compiled with -D_FORTIFY_SOURCE=2, the
vsprintf_chk function is called to handle sprintf/snprintf, but it
needlessly pretruncates the destination which changes the results of
sprintf(foo, "%sbar", baz).
Bug: http://sourceware.org/bugzilla/show_bug.cgi?id=7075
Bug-Ubuntu: https://launchpad.net/bugs/305901
Author: Kees Cook
Index: glibc-2.9/debug/vsprintf_chk.c
===
--- glibc-2.9.orig/debug/vsprintf_chk.c 2008-12-23 21:30:07.0 -0800
+++ glibc-2.9/debug/vsprintf_chk.c 2008-12-23 21:30:19.0 -0800
@@ -76,7 +76,6 @@
_IO_no_init (&f._sbf._f, _IO_USER_LOCK, -1, NULL, NULL);
_IO_JUMPS (&f._sbf) = &_IO_str_chk_jumps;
- s[0] = '\0';
_IO_str_init_static_internal (&f, s, slen - 1, s);
/* For flags > 0 (i.e. __USE_FORTIFY_LEVEL > 1) request that %n
Description: when compiling with -D_FORTIFY_SOURCE=2, the compiler will
generate warn-unused-results notifications for several functions. It
is not sensible to do this for fwrite() since it is frequently unchecked
and may not fail until fclose() which is not marked with __wur, making
the fwrite() check noisy and pointless.
Author: Matthias Klose
--- ./libio/stdio.h~ 2008-05-24 20:14:36.0 +0200
+++ ./libio/stdio.h 2009-03-27 20:59:20.0 +0100
@@ -682,7 +682,7 @@
This function is a possible cancellation points and therefore not
marked with __THROW. */
extern size_t fwrite (__const void *__restrict __ptr, size_t __size,
- size_t __n, FILE *__restrict __s) __wur;
+ size_t __n, FILE *__restrict __s);
__END_NAMESPACE_STD
#ifdef __USE_GNU
@@ -706,7 +706,7 @@
extern size_t fread_unlocked (void *__restrict __ptr, size_t __size,
size_t __n, FILE *__restrict __stream) __wur;
extern size_t fwrite_unlocked (__const void *__restrict __ptr, size_t __size,
- size_t __n, FILE *__restrict __stream) __wur;
+ size_t __n, FILE *__restrict __stream);
#endif
Description: when AT_RANDOM is not available, attempt to build randomization
of stack guard value from the ASLR of stack and heap locations, and finally
the hp_timing_t value. Upstream glibc does not want this patch, as they
feel AT_RANDOM is sufficient.
Author: Jakub Jelinek
Origin: http://cvs.fedora.redhat.com/viewvc/devel/glibc/
Forwarded: not-needed
---
elf/tst-stackguard1.c |8 ++--
nptl/tst-stackguard1.c |8 ++--
sysdeps/unix/sysv/linux/dl-osinfo.h | 29 +
3 files changed, 41 insertions(+), 4 deletions(-)
Index: b/sysdeps/unix/sysv/linux/dl-osinfo.h
===
--- a/sysdeps/unix/sysv/linux/dl-osinfo.h
+++ b/sysdeps/unix/sysv/linux/dl-osinfo.h
@@ -17,10 +17,13 @@
Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
02111-1307 USA. */
+#include
#include
#include
#include
#include
+#include
+#include
#ifndef MIN
# define MIN(a,b) (((a)&l