From b95393ecb5cca3d72fe5d886d5326dba4595ff72 Mon Sep 17 00:00:00 2001
From: Stan Shebs
Date: Wed, 18 Jan 2017 07:43:43 -0800
Subject: [PATCH] Always enable pointer guard

---
 README.google | 6 ++++++
 elf/rtld.c | 15 ++++-----------
 sysdeps/generic/ldsodefs.h | 2 +-
 3 files changed, 11 insertions(+), 12 deletions(-)

diff --git a/README.google b/README.google
index a8153886b9..2d28310602 100644
--- a/README.google
+++ b/README.google
@@ -635,3 +635,9 @@ time/tst-strftime.c
 Fix where out of range data to strftime() causes a segfault (BZ18985, CVE-2015-8776)
 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d36c75fc0d44deec29635dd239b0fbd206ca49b7
 (stanshebs, backport)
+
+elf/rtld.c
+sysdeps/generic/ldsodefs.h
+ Always enable pointer guard (BZ18928, CVE-2015-8777)
+ https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a014cecd82b71b70a6a843e250e06b541ad524f7
+ (stanshebs, backport)
diff --git a/elf/rtld.c b/elf/rtld.c
index 8c225cdf4f..b23d72209f 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -171,7 +171,6 @@ struct rtld_global_ro _rtld_global_ro attribute_relro =
 ._dl_hwcap_mask = HWCAP_IMPORTANT,
 ._dl_lazy = 1,
 ._dl_fpu_control = _FPU_DEFAULT,
- ._dl_pointer_guard = 1,
 ._dl_pagesize = EXEC_PAGESIZE,
 ._dl_inhibit_cache = 0,
@@ -868,15 +867,12 @@ security_init (void)
 #endif
 /* Set up the pointer guard as well, if necessary. */
- if (GLRO(dl_pointer_guard))
- {
- uintptr_t pointer_chk_guard = _dl_setup_pointer_guard (_dl_random,
- stack_chk_guard);
+ uintptr_t pointer_chk_guard
+ = _dl_setup_pointer_guard (_dl_random, stack_chk_guard);
 #ifdef THREAD_SET_POINTER_GUARD
- THREAD_SET_POINTER_GUARD (pointer_chk_guard);
+ THREAD_SET_POINTER_GUARD (pointer_chk_guard);
 #endif
- __pointer_chk_guard_local = pointer_chk_guard;
- }
+ __pointer_chk_guard_local = pointer_chk_guard;
 /* We do not need the _dl_random value anymore. The less information we leave behind, the better, so clear the
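Review bot: The context comment `/* Set up the pointer guard as well, if necessary. */` directly above the rewritten lines in the security_init hunk of elf/rtld.c is now stale: the new code derives and installs the guard unconditionally, and the `GLRO(dl_pointer_guard)` test the phrase "if necessary" referred to has been deleted. Left as is, it reads as an invitation to reintroduce a conditional, which is exactly the behaviour this backport removes. I would change it to `/* Set up the pointer guard as well; it is always enabled (BZ18928, CVE-2015-8777).  */`. security_init begins outside the hunk, so the stack-guard setup that precedes this is not visible here.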
@@ -2635,9 +2631,6 @@ process_envvars (enum mode *modep)
 GLRO(dl_use_load_bias) = envline[14] == '1' ? -1 : 0;
 break;
 }
-
- if (memcmp (envline, "POINTER_GUARD", 13) == 0)
- GLRO(dl_pointer_guard) = envline[14] != '0';
 break;
 case 14:
diff --git a/sysdeps/generic/ldsodefs.h b/sysdeps/generic/ldsodefs.h
index f3c67ee8ae..2294d5de75 100644
--- a/sysdeps/generic/ldsodefs.h
+++ b/sysdeps/generic/ldsodefs.h
@@ -637,7 +637,7 @@ struct rtld_global_ro
 struct audit_ifaces *_dl_audit;
 unsigned int _dl_naudit;
- /* 0 if internal pointer values should not be guarded, 1 if they should. */
+ /* Google local: retain this no-longer-used field for binary compat. */
 EXTERN int _dl_pointer_guard;
 };
 # define __rtld_global_attribute__
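Review bot: The replacement comment on `_dl_pointer_guard` in the sysdeps/generic/ldsodefs.h hunk says the member is kept for binary compatibility but not what value it now holds; with the `._dl_pointer_guard = 1` initializer dropped from `_rtld_global_ro` in the first elf/rtld.c hunk, the member is left zero-initialized, and 0 was the value the old comment defined as "not guarded", so anything that still inspects it would draw the wrong conclusion. I would spell that out: `/* Google local: no longer consulted (the pointer guard is always enabled); kept only so the struct layout stays binary compatible.  Its value is meaningless and must not be read.  */`. It is probably also worth a grep for other readers of `GLRO(dl_pointer_guard)` outside these three files before landing, since for them this is a silent change from 1 to 0 rather than a compile error.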