This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.


I see your point. Unless the "rol" asm operation is also "removed" from mangling, I cannot see any utility in disabling the pointer guard when debugging.
So, let's remove it.


-- Hector.


On 11/10/15 at 02:10, Mike Frysinger wrote:
On 09 Oct 2015 21:59, Carlos O'Donell wrote:
On 10/08/2015 04:44 AM, Florian Weimer wrote:
On 09/05/2015 06:39 PM, Hector Marco-Gisbert wrote:
A weakness in the dynamic loader has been found; glibc versions prior to
2.22.90 are affected. The issue is that LD_POINTER_GUARD in the
environment is not sanitized, allowing local attackers to easily bypass
the pointer guarding protection on set-user-ID and set-group-ID
programs.

Details of the weakness:
http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html

This patch prevents disabling the pointer guarding protection for
set-user-ID/set-group-ID programs.

For example, executing "LD_POINTER_GUARD=0 /bin/ping" does not disable
the pointer guarding protection unless it is directly executed by root
(rUID==eUID).

Does anyone actually use LD_POINTER_GUARD for debugging?  Maybe we can
simply retire the environment variable instead.

I vote we remove it. It has long since passed the point of usefulness.
With a proper tunables infrastructure we would have added it in one
release while we tested things, and then removed it one or two releases
later.

sounds fine to me.  punt it and be done. -mike


--
Hector Marco-Gisbert @ http://hmarco.org/
Cyber Security Researcher @ http://cybersecurity.upv.es
Universitat Politècnica de València (Spain)
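The following is an added illustration written for this archive page; it is not code from the thread, from the patch, or from glibc. It models PTR_MANGLE/PTR_DEMANGLE as "XOR with the per-process guard, then rotate left by 17" (the rotate width of the x86-64 implementation, assumed here), shows why a guard of zero leaves only the "rol" step and lets an attacker forge a stored pointer without any secret, and shows the guard selection the patch describes: LD_POINTER_GUARD=0 is honoured only when the process is not secure. The names ptr_mangle, ptr_demangle, forge_with_zero_guard, choose_guard and process_is_secure, and the constructed guard and target values, are this example's own; glibc itself derives its secure flag from AT_SECURE (__libc_enable_secure) rather than calling getuid/geteuid.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Rotation width of PTR_MANGLE on x86-64 (rol $0x11); assumed constant. */
#define MANGLE_ROT 17U

static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64U - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64U - n)); }

/* C model of PTR_MANGLE / PTR_DEMANGLE: XOR with the guard, then rotate.
   Demangling reverses both steps. */
uint64_t ptr_mangle(uint64_t ptr, uint64_t guard) { return rol64(ptr ^ guard, MANGLE_ROT); }
uint64_t ptr_demangle(uint64_t m, uint64_t guard)  { return ror64(m, MANGLE_ROT) ^ guard; }

/* The weakness: with the guard forced to 0 the XOR disappears and only the
   rotate remains, so anyone who can overwrite a stored (mangled) pointer can
   make it demangle to a chosen target without knowing any secret. */
uint64_t forge_with_zero_guard(uint64_t target) { return rol64(target, MANGLE_ROT); }

/* Guard selection as the patch intends: the LD_POINTER_GUARD=0 debugging aid
   is honoured only for a non-secure process. 'secure' stands in for glibc's
   __libc_enable_secure; the function's name and shape are this example's. */
uint64_t choose_guard(const char *ld_pointer_guard, int secure, uint64_t random_guard)
{
    if (!secure && ld_pointer_guard != NULL && strcmp(ld_pointer_guard, "0") == 0)
        return 0;
    return random_guard;
}

/* Simplified stand-in for the rUID==eUID test mentioned in the thread. */
int process_is_secure(void)
{
    return getuid() != geteuid() || getgid() != getegid();
}

int main(void)
{
    const uint64_t random_guard = 0x5a17c3e9d2b4f681ULL; /* constructed guard */
    const uint64_t target = 0x0000556677889900ULL;       /* constructed address */

    uint64_t g = choose_guard(getenv("LD_POINTER_GUARD"), process_is_secure(), random_guard);
    uint64_t stored = ptr_mangle(target, g);
    printf("guard=%#llx mangled=%#llx demangled=%#llx\n",
           (unsigned long long)g, (unsigned long long)stored,
           (unsigned long long)ptr_demangle(stored, g));

    /* The attacker's forgery succeeds only if the guard was zeroed. */
    uint64_t forged = forge_with_zero_guard(target);
    printf("forged value demangles to target: %s\n",
           ptr_demangle(forged, g) == target ? "yes" : "no");
    return 0;
}
```

Run it once normally and once as "LD_POINTER_GUARD=0 ./a.out" from a shell whose real and effective IDs match: in the second case the guard is 0 and the forged value demangles to the target, which is exactly the situation the patch refuses to allow for set-user-ID/set-group-ID programs.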

