Fixed building on Linux, against musl.

[dimkr]

No description provided.

[bob-beck]

Sorry, no this introduces a rather massive reduction in security. No. You
need that fuction.

On Fri, Jul 11, 2014 at 2:01 PM, Dima Krasner notifications@github.com
wrote:

---

You can merge this Pull Request by running

git pull https://github.com/iguleder/portable master

Or view, comment on, or merge it at:

#1
Commit Summary

• Fixed building on Linux, against musl.

File Changes

• M crypto/compat/issetugid_linux.c
  https://github.com/libressl-portable/portable/pull/1/files#diff-0
  (6)

Patch Links:

• https://github.com/libressl-portable/portable/pull/1.patch
• https://github.com/libressl-portable/portable/pull/1.diff

—
Reply to this email directly or view it on GitHub
#1.

[dimkr]

No reduction - getauxval() is called, but without the glibc version check.

[busterb]

Because historical implementations of getauxval() in glibc did not set errno on failure, we currently whitelist this specific version currently.

While it appears that musl's implementation (http://git.musl-libc.org/cgit/musl/tree/src/misc/getauxval.c) has not released a vulnerable version that returns '0' on failure, it does not seem practical to whitelist every other embedded linux libc individually (bionic, uclibc, etc.)

A nicer patch would be one that implements a portable (between different libcs and their versions) way of reading the aux vector without relying on a particular libc getting it right.

[bob-beck]

On Fri, Jul 11, 2014 at 3:32 PM, busterb notifications@github.com wrote:

A nicer patch would be one that implements a portable (between different
libcs and their versions) way of reading the aux vector without relying on
a particular libc getting it right.

Indeed.

[dimkr]

Makes sense. It seems uClibc doesn't have getauxval() and Bionic's one doesn't change errno (https://android.googlesource.com/platform/bionic/+/android-4.4.4_r1/libc/bionic/getauxval.cpp). Since Bionic seems to be the only problematic implementation except the old glibc one, I think adding #ifdef BIONIC and #error is the right thing to do. What do you think?

[busterb]

Another concern would be building on a non-vulnerable libc, then running against a vulnerable one. This is why this is currently a run-time check than a compile-time check.

Is the ABI differences between all of these libcs's so great such that a this is not a concern? I believe we still would prefer a more bullet-proof solution.

[dimkr]

musl's getauxval() isn't vulnerable and hasn't changed since its introduction, so it's fine. All versions Bionic or uClibc are problematic. I don't see a need for a runtime check for these C libraries, because the only problematic scenario I can think of is building against musl and running against a vulnerable glibc. In this case, musl doesn't provide a version querying function similar to glibc's.

[busterb]

Please implement issetugid(), and the musl libc should work properly without issues.

[bob-beck]

Yeah, if you guys provided a version of that, you'd be one up on glibc, and
we wouldn't have to use that file at all when linking with you.

Just make sure you do it right - I think it was completely busted in glibc
;)

On Sat, Jul 12, 2014 at 10:26 AM, busterb notifications@github.com wrote:

Please implement issetugid(), and the musl libc should work properly
without issues.

—
Reply to this email directly or view it on GitHub
#1 (comment)
.

[busterb]

I forwarded a patch to the musl mailing list and built against the latest HEAD for musl.

I had to copy over some include/linux and include/asm headers to /usr/local/musl/include, but it worked. Let me know what you think.