1 files changed, 52 insertions, 0 deletions

diff --git a/patches/source/glibc/glibc.3776f38f.diff b/patches/source/glibc/glibc.3776f38f.diff
new file mode 100644
index 00000000..d2b787a4
--- /dev/null
+++ b/patches/source/glibc/glibc.3776f38f.diff
@@ -0,0 +1,52 @@
+From 3776f38fcd267c127ba5eb222e2c614c191744aa Mon Sep 17 00:00:00 2001
+From: Siddhesh Poyarekar <siddhesh@sourceware.org>
+Date: Tue, 20 Jun 2017 05:59:17 +0200
+Subject: [PATCH] Ignore and remove LD_HWCAP_MASK for AT_SECURE programs (bug
+ #21209)
+
+The LD_HWCAP_MASK environment variable may alter the selection of
+function variants for some architectures.  For AT_SECURE process it
+means that if an outdated routine has a bug that would otherwise not
+affect newer platforms by default, LD_HWCAP_MASK will allow that bug
+to be exploited.
+
+To be on the safe side, ignore and disable LD_HWCAP_MASK for setuid
+binaries.
+
+	[BZ #21209]
+	* elf/rtld.c (process_envvars): Ignore LD_HWCAP_MASK for
+	AT_SECURE processes.
+	* sysdeps/generic/unsecvars.h: Add LD_HWCAP_MASK.
+
+(cherry picked from commit 1c1243b6fc33c029488add276e56570a07803bfd)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 369724b..9362a21 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -2534,7 +2534,8 @@ process_envvars (enum mode *modep)
+ 
+ 	case 10:
+ 	  /* Mask for the important hardware capabilities.  */
+-	  if (memcmp (envline, "HWCAP_MASK", 10) == 0)
++	  if (!__libc_enable_secure
++	      && memcmp (envline, "HWCAP_MASK", 10) == 0)
+ 	    GLRO(dl_hwcap_mask) = __strtoul_internal (&envline[11], NULL,
+ 						      0, 0);
+ 	  break;
+diff --git a/sysdeps/generic/unsecvars.h b/sysdeps/generic/unsecvars.h
+index a740837..5ea8a4a 100644
+--- a/sysdeps/generic/unsecvars.h
++++ b/sysdeps/generic/unsecvars.h
+@@ -16,6 +16,7 @@
+   "LD_DEBUG\0"								      \
+   "LD_DEBUG_OUTPUT\0"							      \
+   "LD_DYNAMIC_WEAK\0"							      \
++  "LD_HWCAP_MASK\0"							      \
+   "LD_LIBRARY_PATH\0"							      \
+   "LD_ORIGIN_PATH\0"							      \
+   "LD_PRELOAD\0"							      \
+-- 
+2.9.3
+
+