This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.24/master updated. glibc-2.24-85-gc5b38f2
- From: aurel32 at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 16 Dec 2017 20:24:46 -0000
- Subject: GNU C Library master sources branch release/2.24/master updated. glibc-2.24-85-gc5b38f2
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.24/master has been updated
via c5b38f2ecec6facf818e3c50ad014be05b52c179 (commit)
via 28aa53341abbc5843fc78f283c397d11d74a33db (commit)
via a4fc3a0ceb2f2d30a2d358a81fdecbe51681a3ab (commit)
from d81254d2efcb839fd11df2960df5bba579193808 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=c5b38f2ecec6facf818e3c50ad014be05b52c179
commit c5b38f2ecec6facf818e3c50ad014be05b52c179
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Dec 14 15:05:57 2017 +0100
elf: Count components of the expanded path in _dl_init_path [BZ #22607]
(cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)
diff --git a/ChangeLog b/ChangeLog
index 90e4444..2c2e9d5 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2017-12-14 Florian Weimer <fweimer@redhat.com>
+ [BZ #22607]
+ CVE-2017-1000409
+ * elf/dl-load.c (_dl_init_paths): Compute number of components in
+ the expanded path string.
+
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
[BZ #22606]
CVE-2017-1000408
* elf/dl-load.c (system_dirs): Update comment.
diff --git a/NEWS b/NEWS
index 9de14ff..9e20117 100644
--- a/NEWS
+++ b/NEWS
@@ -39,6 +39,12 @@ Security related changes:
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
+* CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+ of the number of search path components. (This is not a security
+ vulnerability per se because no trust boundary is crossed if the fix for
+ CVE-2017-1000366 has been applied, but it is mentioned here only because
+ of the CVE assignment.) Reported by Qualys.
+
The following bugs are resolved with this release:
[20790] Fix rpcgen buffer overrun
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 0d46c16..64f5514 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
char *llp_tmp;
#ifdef SHARED
@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=28aa53341abbc5843fc78f283c397d11d74a33db
commit 28aa53341abbc5843fc78f283c397d11d74a33db
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Dec 14 15:18:38 2017 +0100
elf: Compute correct array size in _dl_init_paths [BZ #22606]
(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)
diff --git a/ChangeLog b/ChangeLog
index 6e648c3..90e4444 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #22606]
+ CVE-2017-1000408
+ * elf/dl-load.c (system_dirs): Update comment.
+ (nsystem_dirs_len): Use array_length.
+ (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
2017-11-02 Florian Weimer <fweimer@redhat.com>
Add array_length and array_end macros.
diff --git a/NEWS b/NEWS
index bc32643..9de14ff 100644
--- a/NEWS
+++ b/NEWS
@@ -34,6 +34,11 @@ Security related changes:
without GLOB_NOESCAPE, could write past the end of a buffer while
unescaping user names. Reported by Tim Rühsen.
+* CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+ to the allocation of too much memory. (This is not a security bug per se,
+ it is mentioned here only because of the CVE assignment.) Reported by
+ Qualys.
+
The following bugs are resolved with this release:
[20790] Fix rpcgen buffer overrun
diff --git a/elf/dl-load.c b/elf/dl-load.c
index c0d6249..0d46c16 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -37,6 +37,7 @@
#include <sysdep.h>
#include <stap-probe.h>
#include <libc-internal.h>
+#include <array_length.h>
#include <dl-dst.h>
#include <dl-load.h>
@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
{
SYSTEM_DIRS_LEN
};
-#define nsystem_dirs_len \
- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
static bool
is_trusted_path (const char *path, size_t len)
@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a4fc3a0ceb2f2d30a2d358a81fdecbe51681a3ab
commit a4fc3a0ceb2f2d30a2d358a81fdecbe51681a3ab
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Nov 2 12:14:01 2017 +0100
<array_length.h>: New array_length and array_end macros
(cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)
diff --git a/ChangeLog b/ChangeLog
index 172df43..6e648c3 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,10 @@
2017-11-02 Florian Weimer <fweimer@redhat.com>
+ Add array_length and array_end macros.
+ * include/array_length.h: New file.
+
+2017-11-02 Florian Weimer <fweimer@redhat.com>
+
[BZ #22332]
* posix/tst-glob-tilde.c (do_noescape): New variable.
(one_test): Process it.
diff --git a/include/array_length.h b/include/array_length.h
new file mode 100644
index 0000000..cb4a8b2
--- /dev/null
+++ b/include/array_length.h
@@ -0,0 +1,36 @@
+/* The array_length and array_end macros.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#ifndef _ARRAY_LENGTH_H
+#define _ARRAY_LENGTH_H
+
+/* array_length (VAR) is the number of elements in the array VAR. VAR
+ must evaluate to an array, not a pointer. */
+#define array_length(var) \
+ __extension__ ({ \
+ _Static_assert (!__builtin_types_compatible_p \
+ (__typeof (var), __typeof (&(var)[0])), \
+ "argument must be an array"); \
+ sizeof (var) / sizeof ((var)[0]); \
+ })
+
+/* array_end (VAR) is a pointer one past the end of the array VAR.
+ VAR must evaluate to an array, not a pointer. */
+#define array_end(var) (&(var)[array_length (var)])
+
+#endif /* _ARRAY_LENGTH_H */
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 20 ++++++++++++++++++++
NEWS | 11 +++++++++++
elf/dl-load.c | 27 +++++++++++----------------
include/array_length.h | 36 ++++++++++++++++++++++++++++++++++++
4 files changed, 78 insertions(+), 16 deletions(-)
create mode 100644 include/array_length.h
hooks/post-receive
--
GNU C Library master sources