This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- From: Florian Weimer <fweimer at redhat dot com>
- To: Hector Marco-Gisbert <hecmargi at upv dot es>, "Carlos O'Donell" <carlos at redhat dot com>, GNU C Library <libc-alpha at sourceware dot org>, "Joseph S. Myers" <joseph at codesourcery dot com>, Siddhesh Poyarekar <siddhesh at redhat dot com>, Andreas Jaeger <aj at suse dot com>
- Cc: Ismael Ripoll Ripoll <iripoll at upv dot es>
- Date: Thu, 8 Oct 2015 10:44:00 +0200
- Subject: Re: [PATCH] Ignore LD_POINTER_GUARD for set-user-ID/set-group-ID binaries.
- Authentication-results: sourceware.org; auth=none
- References: <1441471191-4683-1-git-send-email-hecmargi at upv dot es>
On 09/05/2015 06:39 PM, Hector Marco-Gisbert wrote:
> A weakness in the dynamic loader has been found; glibc versions prior to
> 2.22.90 are affected. The issue is that LD_POINTER_GUARD in the
> environment is not sanitized, allowing local attackers to easily bypass
> the pointer guarding protection on set-user-ID and set-group-ID
> programs.
>
> Details of the weakness:
> http://hmarco.org/bugs/glibc_ptr_mangle_weakness.html
>
> This patch prevents disabling the pointer guarding protection for
> set-user-ID/set-group-ID programs.
>
> For example, executing "LD_POINTER_GUARD=0 /bin/ping" does not disable
> the pointer guarding protection unless it is directly executed by root
> (rUID==eUID).
Does anyone actually use LD_POINTER_GUARD for debugging? Maybe we can
simply retire the environment variable instead.
Florian
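As an added illustration (not code from the patch or from glibc itself), a simplified model of the pointer guard and of the decision the patch describes; the names ptr_mangle, choose_pointer_guard and is_secure are assumptions, and the rotation width and guard source stand in for the real architecture-specific ones:

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of PTR_MANGLE/PTR_DEMANGLE: xor with a secret guard,
   then rotate. Real glibc keeps the guard in thread-local storage and the
   rotation width differs per architecture (assumed values here). */
static uint64_t rol64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t ror64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

uint64_t ptr_mangle(uint64_t ptr, uint64_t guard)       { return rol64(ptr ^ guard, 17); }
uint64_t ptr_demangle(uint64_t mangled, uint64_t guard) { return ror64(mangled, 17) ^ guard; }

/* Decide which guard to install at process start (hypothetical helper).
   ld_pointer_guard: value of LD_POINTER_GUARD from the environment, NULL if unset.
   is_secure:        nonzero for set-user-ID/set-group-ID processes (rUID != eUID
                     or rGID != eGID); the patch ignores the variable in that case,
                     as the loader already does for other unsafe variables.
   random_guard:     the random value the process received at startup. */
uint64_t choose_pointer_guard(const char *ld_pointer_guard, int is_secure,
                              uint64_t random_guard) {
    if (!is_secure && ld_pointer_guard != NULL && strcmp(ld_pointer_guard, "0") == 0)
        return 0;            /* debugging aid: guarding disabled for an unprivileged run */
    return random_guard;     /* privileged process: the variable has no effect */
}

/* A zero guard reduces mangling to a fixed rotation, so the mangled form of
   any pointer is computable without knowing a secret: the protection is gone. */
int guard_provides_secrecy(uint64_t guard) { return guard != 0; }
```

The last two functions make the defect concrete: before the patch, choose_pointer_guard("0", 1, ...) would have returned 0 for a set-user-ID process too, and guard_provides_secrecy would report the protection as disabled.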