Re: All machines: Pointer guard testing update (Bug 15754, CVE-2013-4788).

[Will Newton <will dot newton at linaro dot org>]

On 26 September 2013 15:52, Carlos O'Donell <carlos@redhat.com> wrote:

Hi Carlos,

> The fix for CVE-2013-4788 (bug 15754) contains a regression
> test to ensure that the pointer guard is both random and
> changes between processes.
>
> In order to create the test it was necessary to add a new
> accessor macro POINTER_CHK_GUARD to allow the regression
> test to locate and read the pointer guard value from outside
> of the library.
>
> I have added a POINTER_CHK_GUARD implementation for *all*
> machines. You need not do any work at this point. However,
> for some machines I wrote the implementation without testing
> it e.g. stack guard was just before pointer guard so
> POINTER_CHK_GUARD is the same code with a different offset.
>
> My request is that you run the testsuite and verify that
> tst-ptrguard1 and tst-ptrguard1-static pass. If they don't
> pass please email me and we can work out what might be
> wrong with your POINTER_CHK_GUARD implementation.

I noticed that alpha does something strange in this regard.

ports/sysdeps/unix/alpha/sysdep.h:

/* There exists generic C code that assumes that PTR_MANGLE is always
   defined.  When generating code for the static libc, we don't have
   __pointer_chk_guard defined.  Nor is there any place that would
   initialize it if it were defined, so there's little point in doing
   anything more than nothing.  */
# ifndef __ASSEMBLER__
#  define PTR_MANGLE(var)
#  define PTR_DEMANGLE(var)
# endif

This looks like in the static case alpha will not benefit from the new
fix. I don't have an alpha toolchain or any particular knowledge of
alpha to verify that though.

-- 
Will Newton
Toolchain Working Group, Linaro