This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |
Other format: | [Raw text] |
On Mon, Dec 18, 2017 at 09:42:13PM +0100, Aurelien Jarno wrote: > The fillin_rpath function in elf/dl-load.c loops over each RPATH or > RUNPATH tokens and intepret empty tokens as the current directory > ("./"). In practice the check for empty token is done *after* the > dynamic string token expansion. The expansion process can return an > empty string for the $ORIGIN token if __libc_enable_secure is set > or if the path of the binary can not be determined (/proc not mounted). > > To fix that, move the check for empty tokens before the dynamic string > token expansion. Change expand_dynamic_string_token to return NULL > instead of an empty string, and check for NULL pointer returned by > expand_dynamic_string_token. > > The above changed highlighted a bug in decompose_rpath, an empty array > is represented by the first element being NULL at the fillin_rpath path > level, but by using a -1 pointer in decompose_rpath and other functions. > > Changelog: > [BZ #22625] > * elf/dl-load.c (expand_dynamic_string_token): Return NULL instead > of an empty string. > (fillin_rpath): Check for empty tokens before dynamic string token > expansion. Check for NULL pointer possibly returned by > expand_dynamic_string_token. > (decompose_rpath): Check for empty path after dynamic string > token expansion. > --- > ChangeLog | 12 ++++++++++++ > NEWS | 4 ++++ > elf/dl-load.c | 43 ++++++++++++++++++++++++++++++++++++------- > 3 files changed, 52 insertions(+), 7 deletions(-) > > > This new version includes the suggestions done by Dmitry. It would be > nice if it could be reviewed by at least one more person, especially > the part modifying expand_dynamic_string_token. > > diff --git a/ChangeLog b/ChangeLog > index 4a7164354f..24a5223485 100644 > --- a/ChangeLog > +++ b/ChangeLog > @@ -1,3 +1,15 @@ > +2017-12-17 Aurelien Jarno <aurelien@aurel32.net> > + Dmitry V. Levin <ldv@altlinux.org> > + > + [BZ #22625] > + * elf/dl-load.c (expand_dynamic_string_token): Return NULL instead > + of an empty string. > + (fillin_rpath): Check for empty tokens before dynamic string token > + expansion. Check for NULL pointer possibly returned by > + expand_dynamic_string_token. > + (decompose_rpath): Check for empty path after dynamic string > + token expansion. > + > 2017-12-18 Sergei Trofimovich <slyfox@gentoo.org> > > [BZ #22624] > diff --git a/NEWS b/NEWS > index a43ff26e83..0d43e93a17 100644 > --- a/NEWS > +++ b/NEWS > @@ -149,6 +149,10 @@ Security related changes: > CVE-2017-1000366 has been applied, but it is mentioned here only because > of the CVE assignment.) Reported by Qualys. > > + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN > + for AT_SECURE or SUID binaries could be used to load libraries from the > + current directory. > + > The following bugs are resolved with this release: > > [The release manager will add the list generated by > diff --git a/elf/dl-load.c b/elf/dl-load.c > index e7d97dcc56..827ec1c491 100644 > --- a/elf/dl-load.c > +++ b/elf/dl-load.c > @@ -384,7 +384,17 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path) > if (result == NULL) > return NULL; > > - return _dl_dst_substitute (l, s, result, is_path); > + char *retval = _dl_dst_substitute (l, s, result, is_path); > + > + /* If substitution of dynamic string tokens resulted to an empty string, > + return NULL as in case of insufficient memory. */ > + if (__glibc_unlikely (*retval == '\0')) > + { > + free (result); > + return NULL; > + } > + > + return retval; > } > > > @@ -433,22 +443,33 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, > { > char *cp; > size_t nelems = 0; > - char *to_free; > > while ((cp = __strsep (&rpath, sep)) != NULL) > { > struct r_search_path_elem *dirp; > - > - to_free = cp = expand_dynamic_string_token (l, cp, 1); > - > - size_t len = strlen (cp); > + char *to_free = NULL; > + size_t len; > > /* `strsep' can pass an empty string. This has to be > interpreted as `use the current directory'. */ > - if (len == 0) > + if (*cp == '\0') > { > static const char curwd[] = "./"; > cp = (char *) curwd; > + len = 0; > + } > + else > + { > + to_free = cp = expand_dynamic_string_token (l, cp, 1); > + > + /* expand_dynamic_string_token can return NULL in case of empty > + path or memory allocation failure. */ > + if (cp == NULL) > + continue; > + > + /* Recompute the length after dynamic string token expansion > + and ignore empty paths. */ Just /* Compute the length after dynamic string token expansion. */ > + len = strlen (cp); > } > > /* Remove trailing slashes (except for "/"). */ > @@ -620,6 +641,14 @@ decompose_rpath (struct r_search_path_struct *sps, > necessary. */ > free (copy); > > + /* There is no path after expansion. */ > + if (result[0] == NULL) > + { > + free (result); > + sps->dirs = (struct r_search_path_elem **) -1; > + return false; > + } > + > sps->dirs = result; > /* The caller will change this value if we haven't used a real malloc. */ > sps->malloced = 1; I think the patch is fine. -- ldv
Attachment:
signature.asc
Description: PGP signature
Index Nav: | [Date Index] [Subject Index] [Author Index] [Thread Index] | |
---|---|---|
Message Nav: | [Date Prev] [Date Next] | [Thread Prev] [Thread Next] |