bug#27429: Stack clash (CVE-2017-1000366 etc)
From: Efraim Flashner
Subject: bug#27429: Stack clash (CVE-2017-1000366 etc)
Date: Wed, 21 Jun 2017 11:41:34 +0300
User-agent: Mutt/1.8.3 (2017-05-23)
On Tue, Jun 20, 2017 at 05:44:42PM -0400, Mark H Weaver wrote:
> Hi Efraim,
>
> Thanks so much for working on this!
>
> Grafting glibc is something we haven't done before to my knowledge, and
> it is a bit tricky because of all of the inherited versions of glibc.
> At present, those inherited versions are not expressed in such a way to
> make grafting work.
>
> One important tool is the 'package/inherit' macro, which I added to
> (guix packages) in early May to facilitate another graft. In order to
> graft 'glibc' properly, we'll first need to use 'package/inherit' in a
> couple of places, I think.
>
I like your optimism :)
> Efraim Flashner <address@hidden> writes:
>
> > From 2a83d2a8265314af3d8b16f86187897223567d6e Mon Sep 17 00:00:00 2001
> > From: Efraim Flashner <address@hidden>
> > Date: Mon, 19 Jun 2017 23:13:53 +0300
> > Subject: [PATCH] gnu: glibc: Patch CVE-2017-1000366.
> >
> > * gnu/packages/base.scm (glibc)[replacement]: New field.
>
> Please write (glibc/linux) instead of (glibc) above, since that's the
> variable whose definition is being changed.
noted
>
> See below for more comments.
>
> > (glibc-2.25-fixed): New variable.
> > (address@hidden, address@hidden, address@hidden, address@hidden)[source]:
> > Add patch.
> > [replacement]: New field.
> > (glibc-locales)[replacement]: New field.
> > * gnu/packages/commencement.scm (glibc-final-with-bootstrap-bash,
> > cross-gcc-wrapper, glibc-final)[replacement]: New field.
> > * gnu/packages/patches/glibc-CVE-2017-1000366.patch: New file.
> > * gnu/local.mk (dist_patch_DATA): Add it.
> > ---
> > gnu/local.mk | 1 +
> > gnu/packages/base.scm | 39
> > +++++++++++++++++++----
> > gnu/packages/commencement.scm | 4 +++
> > gnu/packages/patches/glibc-CVE-2017-1000366.patch | 33 +++++++++++++++++++
> > 4 files changed, 71 insertions(+), 6 deletions(-)
> > create mode 100644 gnu/packages/patches/glibc-CVE-2017-1000366.patch
> >
> > diff --git a/gnu/local.mk b/gnu/local.mk
> > index ae4a59af0..6b598335b 100644
> > --- a/gnu/local.mk
> > +++ b/gnu/local.mk
> > @@ -632,6 +632,7 @@ dist_patch_DATA =
> > \
> > %D%/packages/patches/ghostscript-runpath.patch \
> > %D%/packages/patches/glib-networking-ssl-cert-file.patch \
> > %D%/packages/patches/glib-tests-timer.patch \
> > + %D%/packages/patches/glibc-CVE-2017-1000366.patch \
> > %D%/packages/patches/glibc-bootstrap-system.patch \
> > %D%/packages/patches/glibc-ldd-x86_64.patch \
> > %D%/packages/patches/glibc-locales.patch \
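Review bot: only glibc-CVE-2017-1000366.patch is added to dist_patch_DATA here, while the reply further down says the LD_PRELOAD and LD_AUDIT upstream commits have since been added as well; each of those patch files needs its own entry in this list too, kept in the alphabetical order the surrounding glibc-*.patch lines follow, or they will be missing from the distribution tarball.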
>
> Your changes to (gnu packages base) look good to me, so I've omitted
> them. In particular, you are right to add (replacement #f) in the
> places where you've done so.
>
> > diff --git a/gnu/packages/commencement.scm b/gnu/packages/commencement.scm
> > index 1b41feac1..42892bbe8 100644
> > --- a/gnu/packages/commencement.scm
> > +++ b/gnu/packages/commencement.scm
> > @@ -3,6 +3,7 @@
> > ;;; Copyright © 2014 Andreas Enge <address@hidden>
> > ;;; Copyright © 2012 Nikita Karetnikov <address@hidden>
> > ;;; Copyright © 2014, 2015 Mark H Weaver <address@hidden>
> > +;;; Copyright © 2017 Efraim Flashner <address@hidden>
> > ;;;
> > ;;; This file is part of GNU Guix.
> > ;;;
> > @@ -469,6 +470,7 @@ the bootstrap environment."
> > (package-with-bootstrap-guile
> > (package (inherit glibc)
> > (name "glibc-intermediate")
> > + (replacement #f)
> > (arguments
> > `(#:guile ,%bootstrap-guile
> > #:implicit-inputs? #f
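Review bot: the (replacement #f) on glibc-intermediate looks justified, since this is a bootstrap glibc built with %bootstrap-guile rather than the glibc final packages link against, but nothing in the hunk says so; a one-line comment above the field, e.g. ";; Bootstrap-only glibc, never grafted.", would keep a later reader from removing it while chasing why a graft does not apply.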
> > @@ -540,6 +542,7 @@ the bootstrap environment."
> > that makes it available under the native tool names."
> > (package (inherit gcc)
> > (name (string-append (package-name gcc) "-wrapped"))
> > + (replacement #f)
> > (source #f)
> > (build-system trivial-build-system)
> > (outputs '("out"))
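Review bot: this package inherits from gcc, not glibc (see `(package (inherit gcc)` in the context), so (replacement #f) here does not affect the glibc graft, which is driven by the replacement field of the glibc packages found in the dependency graph, not by the wrapper's own field; unless gcc itself is expected to gain a replacement, the field is redundant and can be dropped, or it needs a comment stating what it guards against.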
> > @@ -642,6 +645,7 @@ exec ~a/bin/~a-~a -B~a/lib -Wl,-dynamic-linker
> > -Wl,~a/~a \"address@hidden"~%"
> > ;; The final glibc, which embeds the statically-linked Bash built above.
> > (package (inherit glibc-final-with-bootstrap-bash)
> > (name "glibc")
> > + (replacement #f)
> > (inputs `(("static-bash" ,static-bash-for-glibc)
> > ,@(alist-delete
> > "static-bash"
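Review bot: setting (replacement #f) on glibc-final suppresses the graft for the glibc that nearly every package in the distribution links against, so the fixed glibc would never reach those packages; drop the override here (and on glibc-final-with-bootstrap-bash), write `(package/inherit glibc-final-with-bootstrap-bash ...)` so the replacement from the parent is carried over, and then confirm with `guix gc --references` on a grafted package that the fixed glibc is the one actually referenced.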
>
> The problem here is that almost all of the software in Guix is linked
> against glibc-final, and you've suppressed the replacement for it. This
> is where the 'package/inherit' macro becomes useful.
>
> I think we need to enable grafting for both
> 'glibc-final-with-bootstrap-bash' and 'glibc-final', by replacing
>
> (package (inherit GLIBC-FOO)
> ...)
>
> with:
>
> (package/inherit GLIBC-FOO
> ...)
>
> and remove the (replacement #f) override from those two packages,
> because 'package/inherit' will implicitly override 'replacement' as
> appropriate.
>
> Would you like to try this?
I haven't looked closely at this part of the code yet so it's like magic
to me still.
>
> > diff --git a/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > new file mode 100644
> > index 000000000..106e81d91
> > --- /dev/null
> > +++ b/gnu/packages/patches/glibc-CVE-2017-1000366.patch
> > @@ -0,0 +1,33 @@
> > +From f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d Mon Sep 17 00:00:00 2001
> > +From: Florian Weimer <address@hidden>
> > +Date: Mon, 19 Jun 2017 17:09:55 +0200
> > +Subject: [PATCH] CVE-2017-1000366: Ignore LD_LIBRARY_PATH for AT_SECURE=1
> > + programs [BZ #21624]
> > +
> > +LD_LIBRARY_PATH can only be used to reorder system search paths, which
> > +is not useful functionality.
> > +
> > +This makes an exploitable unbounded alloca in _dl_init_paths unreachable
> > +for AT_SECURE=1 programs.
> > +---
> > + ChangeLog | 7 +++++++
> > + elf/rtld.c | 3 ++-
> > + 2 files changed, 9 insertions(+), 1 deletion(-)
> > +
> > +diff --git a/elf/rtld.c b/elf/rtld.c
> > +index 2446a87..2269dbe 100644
> > +--- a/elf/rtld.c
> > ++++ b/elf/rtld.c
> > +@@ -2422,7 +2422,8 @@ process_envvars (enum mode *modep)
> > +
> > + case 12:
> > + /* The library search path. */
> > +- if (memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > ++ if (!__libc_enable_secure
> > ++ && memcmp (envline, "LIBRARY_PATH", 12) == 0)
> > + {
> > + library_path = &envline[13];
> > + break;
> > +--
> > +2.9.3
> > +
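Review bot: the embedded diffstat lists `ChangeLog | 7 +++++++` but the ChangeLog hunk has been dropped, so the stat no longer matches the patch body; either trim the stat to the elf/rtld.c line or add a short note at the top of the patch file saying the ChangeLog change was omitted and pointing at the upstream commit (the id f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d in the From line serves that purpose), as is conventional for Guix patch files. Note also that this fix only gates LD_LIBRARY_PATH on __libc_enable_secure; the LD_PRELOAD and LD_AUDIT length checks quoted below are separate upstream commits and need their own patch files.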
>
> What about the other two patches? Namely, quoting Leo:
>
> > ld.so: Reject overly long LD_PRELOAD path elements
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=6d0ba622891bed9d8394eef1935add53003b12e8
> >
> > ld.so: Reject overly long LD_AUDIT path elements:
> > https://sourceware.org/git/?p=glibc.git;a=commit;h=81b82fb966ffbd94353f793ad17116c6088dedd9
now added
>
> One more thing: since this grafting of 'glibc' is unprecedented and has
> the potential for breakage, I think it should be tested as follows:
> someone running GuixSD should reconfigure their entire system using the
> grafted 'glibc', and they should boot into it to make sure nothing
> obvious is broken, before we commit.
>
> Also, we should check the references and make sure that the fixed glibc
> is actually being used.
>
> Thank you!
>
> Mark
After making the changes I built glibc, by which I mean I built at least
gettext-boot0, glibc-final, perl, glibc, expat, and probably a bit more.
On my 10-year-old laptop it took about 2 hours.
@ build-succeeded /gnu/store/974hryqa5fprrymyjkmcfrzn3qmv0dgq-glibc-2.25.drv -
/gnu/store/kczijfli8cb0qjyrfzbrd06bdrpic7lx-glibc-2.25-debug
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
real 125m16.297s
user 0m32.896s
sys 0m3.840s
address@hidden:~/workspace/guix$ guix gc --references
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25/
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
This doubling of glibc, bash and bash-static is the same as I got from
'guix gc --references $(./pre-inst-env guix build glibc)' on another machine.
address@hidden:~/workspace/guix$ guix gc --references
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25/
/gnu/store/02426nwiy32cscm4h83729vn5ws1gs2i-bash-static-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
address@hidden:~/workspace/guix$ ./pre-inst-env guix build --fallback -e '(@@
(gnu packages commencement) glibc-final)'
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;; newer than compiled
/home/efraim/workspace/guix/gnu/packages/commencement.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
/gnu/store/kbp13s4y4mbzww7vvld33di28im94xfi-glibc-2.25-debug
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
address@hidden:~/workspace/guix$ ./pre-inst-env guix build --fallback python
...snip...
grafting '/gnu/store/3aw9x28la9nh8fzkm665d7fywxzbl15j-python-3.5.3' ->
'/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3'...
grafting '/gnu/store/9bv7jbk734bsk5zacq23wzp60xz06xs6-python-3.5.3-tk' ->
'/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk'...
@ build-succeeded /gnu/store/pymxw6dzibylr5qwhdxzc7il0h07kk9z-python-3.5.3.drv -
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7hgx1fw4kyc41c5dj963z2d1nsmdli6z-python-3.5.3-tk
address@hidden:~/workspace/guix$ guix gc --references $(./pre-inst-env guix
build python)
;;; note: source file /home/efraim/workspace/guix/gnu/packages/base.scm
;;; newer than compiled /home/efraim/workspace/guix/gnu/packages/base.go
;;; note: source file /home/efraim/workspace/guix/gnu/packages/commencement.scm
;;; newer than compiled
/home/efraim/workspace/guix/gnu/packages/commencement.go
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/7v66jlv8y005p2z5754jc1c6xf3rqybh-tk-8.6.6
/gnu/store/hiaxc08awfb6ygpssmlki8sjsxjcak5z-tcl-8.6.6
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/smddwh4gb0bf50js321vm88pvjlcfx04-libx11-1.6.5
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
address@hidden:~/workspace/guix$ guix gc --references
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3/
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/alygmq7pjlrwchpyi4ycxx0w6qgg8kfx-ncurses-6.0
/gnu/store/fd8d47zyhv6m0adv9w2lawhajav3s3ww-xz-5.2.2
/gnu/store/mmmv339r8ymx4fabffzwadjasfc0a5lx-zlib-1.2.11
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/nk2f8advrn50jmx0gx24lkqqjswgy0bj-coreutils-8.26
/gnu/store/p8k2id55pynzjmaixlns94phvr7mz5ls-gcc-5.4.0-lib
/gnu/store/pwhhnz4mjky9l3mdswybsgsgl74k7qb9-sqlite-3.17.0
/gnu/store/wcrf85ndv977kky8fazvgbjaybgz758j-libffi-3.2.1
/gnu/store/y6mlqxch93asizcni9f50y4r1y48wbgj-gdbm-1.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
So to me it looks like it's working.
Anyone want to try reconfiguring their system to make sure it doesn't
break GuixSD? :)
--
Efraim Flashner <address@hidden> אפרים פלשנר
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
Attachments: 0001-gnu-glibc-Patch-CVE-2017-1000366.patch (text document), signature.asc (PGP signature)
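Mark's request above, to check the references and make sure the fixed glibc is actually being used, turned into a small script. This is an added example, not part of the mail or of Guix itself: it parses pasted `guix gc --references` output, reports which glibc store hashes a built item references, and flags any item name that shows up with more than one hash (the "doubling" of glibc, bash and bash-static seen in the transcript). It assumes that the hash `guix build` returned for glibc-final above (zfcrz72znwk4arq03vbbczxgw5i7lsp9) is the grafted, fixed glibc; the two sample listings are constructed from store paths copied out of the transcript, with one ';;; note:' line added to show that compiler chatter is skipped.

```python
"""Check which glibc a built Guix store item actually references.

Added example, not part of the original mail or of Guix. It reads the
output of `guix gc --references <store-path>` as pasted in the thread
and reports whether the only glibc referenced is the expected fixed one.
"""
import re
from collections import defaultdict

# /gnu/store/<32-char nix-base32 hash>-<name>-<version>[-<output>][/]
STORE_PATH_RE = re.compile(r"^/gnu/store/([0-9a-z]{32})-(.+?)/?$")

# Hash `guix build` printed for glibc-final in the transcript; assumed
# here to be the grafted (fixed) glibc.
FIXED_GLIBC_HASH = "zfcrz72znwk4arq03vbbczxgw5i7lsp9"

# Constructed from the `guix gc --references .../python-3.5.3/` listing.
PYTHON_REFERENCES = """\
/gnu/store/328cimicdjz4w6hr0z7fzvcr9j6ijjvg-readline-7.0
/gnu/store/66bdsmrgxjgr76f192fsqklzj76g33pf-python-3.5.3
/gnu/store/8zhlrp7mq6ibmda8n530xn3ym6l3zhyq-openssl-1.0.2k
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
"""

# Constructed from the first `guix gc --references` listing (top-level
# glibc output), plus a ';;; note:' line of the kind pre-inst-env emits.
GLIBC_REFERENCES = """\
;;; note: source file .../gnu/packages/base.scm newer than compiled
/gnu/store/7gqx6nd64hn9wdqmppp8h42ncfx246c0-glibc-2.25
/gnu/store/946hwcxnd9w13gyqprs0fzkmyyz4hdar-bash-static-4.4.12
/gnu/store/n4fmp3fj1yam5ijwa64irg7glvzsq4i1-bash-4.4.12
/gnu/store/zfcrz72znwk4arq03vbbczxgw5i7lsp9-glibc-2.25
"""


def parse_store_path(line):
    """Return (hash, name-version[-output]) for a store path, else None."""
    m = STORE_PATH_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def references_by_name(gc_output):
    """Group store hashes from `guix gc --references` output by item name.

    Lines that are not store paths (shell prompts, ';;; note:' chatter)
    are ignored.
    """
    by_name = defaultdict(set)
    for line in gc_output.splitlines():
        parsed = parse_store_path(line)
        if parsed:
            digest, name = parsed
            by_name[name].add(digest)
    return by_name


def check_glibc_reference(gc_output, fixed_hash, glibc_name="glibc-2.25"):
    """Report whether the only glibc referenced is the fixed one.

    Returns a dict with:
      ok         -- True iff exactly one glibc is referenced and it is fixed_hash
      glibc      -- sorted list of glibc hashes seen
      duplicated -- {name: sorted hashes} for every name seen with >1 hash
    """
    by_name = references_by_name(gc_output)
    glibc_hashes = sorted(by_name.get(glibc_name, ()))
    duplicated = {n: sorted(h) for n, h in by_name.items() if len(h) > 1}
    return {"ok": glibc_hashes == [fixed_hash],
            "glibc": glibc_hashes,
            "duplicated": duplicated}


if __name__ == "__main__":
    for label, output in (("python-3.5.3", PYTHON_REFERENCES),
                          ("glibc-2.25", GLIBC_REFERENCES)):
        report = check_glibc_reference(output, FIXED_GLIBC_HASH)
        status = "OK" if report["ok"] else "CHECK"
        print(f"{label}: {status} glibc={report['glibc']} "
              f"duplicated={report['duplicated']}")
```

On a real system the listing would come from `guix gc --references $(guix build python)` piped into the script; a `CHECK` result with two glibc hashes is exactly the situation Mark asked to have looked at before committing, and the duplicated map shows whether the doubling is confined to glibc or also affects bash and bash-static as in the transcript.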