Diffstat (limited to 'patches/source/glibc/glibc.CVE-2010-3856.diff')
-rw-r--r--patches/source/glibc/glibc.CVE-2010-3856.diff188
1 files changed, 188 insertions, 0 deletions
diff --git a/patches/source/glibc/glibc.CVE-2010-3856.diff b/patches/source/glibc/glibc.CVE-2010-3856.diff
new file mode 100644
index 000000000..49b452962
--- /dev/null
+++ b/patches/source/glibc/glibc.CVE-2010-3856.diff
@@ -0,0 +1,188 @@
+--- ./include/dlfcn.h.orig 2005-06-12 11:23:41.000000000 -0500
++++ ./include/dlfcn.h 2010-10-28 12:16:36.000000000 -0500
+@@ -9,6 +9,7 @@
+ #define __RTLD_OPENEXEC 0x20000000
+ #define __RTLD_CALLMAP 0x10000000
+ #define __RTLD_AUDIT 0x08000000
++#define __RTLD_SECURE 0x04000000 /* Apply additional security checks. */
+
+ #define __LM_ID_CALLER -2
+
+--- ./elf/dl-deps.c.orig 2006-06-17 11:51:56.000000000 -0500
++++ ./elf/dl-deps.c 2010-10-28 12:16:36.000000000 -0500
+@@ -60,7 +60,7 @@
+ {
+ struct openaux_args *args = (struct openaux_args *) a;
+
+- args->aux = _dl_map_object (args->map, args->name, 0,
++ args->aux = _dl_map_object (args->map, args->name,
+ (args->map->l_type == lt_executable
+ ? lt_library : args->map->l_type),
+ args->trace_mode, args->open_mode,
+--- ./elf/dl-open.c.orig 2006-08-28 17:56:50.000000000 -0500
++++ ./elf/dl-open.c 2010-10-28 12:17:30.000000000 -0500
+@@ -245,7 +245,7 @@
+ }
+
+ /* Load the named object. */
+- args->map = new = _dl_map_object (call_map, file, 0, lt_loaded, 0,
++ args->map = new = _dl_map_object (call_map, file, lt_loaded, 0,
+ mode | __RTLD_CALLMAP, args->nsid);
+
+ /* If the pointer returned is NULL this means the RTLD_NOLOAD flag is
+--- ./elf/rtld.c.orig 2006-09-29 11:56:15.000000000 -0500
++++ ./elf/rtld.c 2010-10-28 12:16:36.000000000 -0500
+@@ -578,7 +578,6 @@
+ /* Argument to map_doit. */
+ char *str;
+ struct link_map *loader;
+- int is_preloaded;
+ int mode;
+ /* Return value of map_doit. */
+ struct link_map *map;
+@@ -616,16 +615,17 @@
+ map_doit (void *a)
+ {
+ struct map_args *args = (struct map_args *) a;
+- args->map = _dl_map_object (args->loader, args->str,
+- args->is_preloaded, lt_library, 0, args->mode,
+- LM_ID_BASE);
++ args->map = _dl_map_object (args->loader, args->str, lt_library, 0,
++ args->mode, LM_ID_BASE);
+ }
+
+ static void
+ dlmopen_doit (void *a)
+ {
+ struct dlmopen_args *args = (struct dlmopen_args *) a;
+- args->map = _dl_open (args->fname, RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT,
++ args->map = _dl_open (args->fname,
++ (RTLD_LAZY | __RTLD_DLOPEN | __RTLD_AUDIT
++ | __RTLD_SECURE),
+ dl_main, LM_ID_NEWLM, _dl_argc, INTUSE(_dl_argv),
+ __environ);
+ }
+@@ -797,8 +797,7 @@
+
+ args.str = fname;
+ args.loader = main_map;
+- args.is_preloaded = 1;
+- args.mode = 0;
++ args.mode = __RTLD_SECURE;
+
+ unsigned int old_nloaded = GL(dl_ns)[LM_ID_BASE]._ns_nloaded;
+
+@@ -1018,7 +1017,6 @@
+
+ args.str = rtld_progname;
+ args.loader = NULL;
+- args.is_preloaded = 0;
+ args.mode = __RTLD_OPENEXEC;
+ (void) _dl_catch_error (&objname, &err_str, &malloced, map_doit,
+ &args);
+@@ -1030,7 +1028,7 @@
+ else
+ {
+ HP_TIMING_NOW (start);
+- _dl_map_object (NULL, rtld_progname, 0, lt_library, 0,
++ _dl_map_object (NULL, rtld_progname, lt_library, 0,
+ __RTLD_OPENEXEC, LM_ID_BASE);
+ HP_TIMING_NOW (stop);
+
+--- ./elf/dl-load.c.orig 2010-10-28 12:16:14.000000000 -0500
++++ ./elf/dl-load.c 2010-10-28 12:16:36.000000000 -0500
+@@ -1798,7 +1798,7 @@
+ if MAY_FREE_DIRS is true. */
+
+ static int
+-open_path (const char *name, size_t namelen, int preloaded,
++open_path (const char *name, size_t namelen, int secure,
+ struct r_search_path_struct *sps, char **realname,
+ struct filebuf *fbp, struct link_map *loader, int whatcode,
+ bool *found_other_class)
+@@ -1880,7 +1880,7 @@
+ /* Remember whether we found any existing directory. */
+ here_any |= this_dir->status[cnt] != nonexisting;
+
+- if (fd != -1 && __builtin_expect (preloaded, 0)
++ if (fd != -1 && __builtin_expect (secure, 0)
+ && INTUSE(__libc_enable_secure))
+ {
+ /* This is an extra security effort to make sure nobody can
+@@ -1950,7 +1950,7 @@
+
+ struct link_map *
+ internal_function
+-_dl_map_object (struct link_map *loader, const char *name, int preloaded,
++_dl_map_object (struct link_map *loader, const char *name,
+ int type, int trace_mode, int mode, Lmid_t nsid)
+ {
+ int fd;
+@@ -2054,7 +2054,8 @@
+ for (l = loader; l; l = l->l_loader)
+ if (cache_rpath (l, &l->l_rpath_dirs, DT_RPATH, "RPATH"))
+ {
+- fd = open_path (name, namelen, preloaded, &l->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &l->l_rpath_dirs,
+ &realname, &fb, loader, LA_SER_RUNPATH,
+ &found_other_class);
+ if (fd != -1)
+@@ -2069,14 +2070,15 @@
+ && main_map != NULL && main_map->l_type != lt_loaded
+ && cache_rpath (main_map, &main_map->l_rpath_dirs, DT_RPATH,
+ "RPATH"))
+- fd = open_path (name, namelen, preloaded, &main_map->l_rpath_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
++ &main_map->l_rpath_dirs,
+ &realname, &fb, loader ?: main_map, LA_SER_RUNPATH,
+ &found_other_class);
+ }
+
+ /* Try the LD_LIBRARY_PATH environment variable. */
+ if (fd == -1 && env_path_list.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &env_path_list,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &env_path_list,
+ &realname, &fb,
+ loader ?: GL(dl_ns)[LM_ID_BASE]._ns_loaded,
+ LA_SER_LIBPATH, &found_other_class);
+@@ -2085,12 +2087,12 @@
+ if (fd == -1 && loader != NULL
+ && cache_rpath (loader, &loader->l_runpath_dirs,
+ DT_RUNPATH, "RUNPATH"))
+- fd = open_path (name, namelen, preloaded,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE,
+ &loader->l_runpath_dirs, &realname, &fb, loader,
+ LA_SER_RUNPATH, &found_other_class);
+
+ if (fd == -1
+- && (__builtin_expect (! preloaded, 1)
++ && (__builtin_expect (! (mode & __RTLD_SECURE), 1)
+ || ! INTUSE(__libc_enable_secure)))
+ {
+ /* Check the list of libraries in the file /etc/ld.so.cache,
+@@ -2156,7 +2158,7 @@
+ && ((l = loader ?: GL(dl_ns)[nsid]._ns_loaded) == NULL
+ || __builtin_expect (!(l->l_flags_1 & DF_1_NODEFLIB), 1))
+ && rtld_search_dirs.dirs != (void *) -1)
+- fd = open_path (name, namelen, preloaded, &rtld_search_dirs,
++ fd = open_path (name, namelen, mode & __RTLD_SECURE, &rtld_search_dirs,
+ &realname, &fb, l, LA_SER_DEFAULT, &found_other_class);
+
+ /* Add another newline when we are tracing the library loading. */
+--- ./sysdeps/generic/ldsodefs.h.orig 2006-08-24 15:27:05.000000000 -0500
++++ ./sysdeps/generic/ldsodefs.h 2010-10-28 12:16:36.000000000 -0500
+@@ -804,11 +804,9 @@
+
+ /* Open the shared object NAME and map in its segments.
+ LOADER's DT_RPATH is used in searching for NAME.
+- If the object is already opened, returns its existing map.
+- For preloaded shared objects PRELOADED is set to a non-zero
+- value to allow additional security checks. */
++ If the object is already opened, returns its existing map. */
+ extern struct link_map *_dl_map_object (struct link_map *loader,
+- const char *name, int preloaded,
++ const char *name,
+ int type, int trace_mode, int mode,
+ Lmid_t nsid)
+ internal_function attribute_hidden;
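Review bot: The `_dl_map_object` comment in sysdeps/generic/ldsodefs.h drops the PRELOADED paragraph without saying that the same checks are now requested through `__RTLD_SECURE` in MODE, so the function's security contract is left to the one-line `#define` comment in include/dlfcn.h. I would add to the prototype comment something like `If MODE contains __RTLD_SECURE and __libc_enable_secure is set, objects found on a search path get additional security checks and the ld.so.cache lookup is skipped.` In the visible elf/dl-load.c hunks the flag is consumed only in `open_path` calls and in the cache guard; the branch of `_dl_map_object` that handles a NAME containing a slash lies outside these hunks. It is therefore worth confirming that the two elf/rtld.c call sites that set the flag (the one that used to set `is_preloaded = 1`, and `dlmopen_doit`) never pass such a name in a privileged process, or that the branch applies an equivalent check. Whether the flag also reaches dependencies loaded through the elf/dl-deps.c call depends on what `args->open_mode` carries, which is not shown here.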