This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

Re: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

On Mon, Dec 18, 2017 at 09:42:13PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and intepret empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
> 
> To fix that, move the check for empty tokens before the dynamic string
> token expansion. Change expand_dynamic_string_token to return NULL
> instead of an empty string, and check for NULL pointer returned by
> expand_dynamic_string_token.
> 
> The above changed highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath path
> level, but by using a -1 pointer in decompose_rpath and other functions.
> 
> Changelog:
> 	[BZ #22625]
> 	* elf/dl-load.c (expand_dynamic_string_token): Return NULL instead
> 	of an empty string.
> 	(fillin_rpath): Check for empty tokens before dynamic string token
> 	expansion. Check for NULL pointer possibly returned by
> 	expand_dynamic_string_token.
> 	(decompose_rpath): Check for empty path after dynamic string
> 	token expansion.
> ---
>  ChangeLog     | 12 ++++++++++++
>  NEWS          |  4 ++++
>  elf/dl-load.c | 43 ++++++++++++++++++++++++++++++++++++-------
>  3 files changed, 52 insertions(+), 7 deletions(-)
> 
> 
> This new version includes the suggestions done by Dmitry. It would be
> nice if it could be reviewed by at least one more person, especially 
> the part modifying expand_dynamic_string_token.
> 
> diff --git a/ChangeLog b/ChangeLog
> index 4a7164354f..24a5223485 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,15 @@
> +2017-12-17  Aurelien Jarno  <aurelien@aurel32.net>
> +	    Dmitry V. Levin  <ldv@altlinux.org>
> +
> +	[BZ #22625]
> +	* elf/dl-load.c (expand_dynamic_string_token): Return NULL instead
> +	of an empty string.
> +	(fillin_rpath): Check for empty tokens before dynamic string token
> +	expansion. Check for NULL pointer possibly returned by
> +	expand_dynamic_string_token.
> +	(decompose_rpath): Check for empty path after dynamic string
> +	token expansion.
> +
>  2017-12-18  Sergei Trofimovich  <slyfox@gentoo.org>
>  
>  	[BZ #22624]
> diff --git a/NEWS b/NEWS
> index a43ff26e83..0d43e93a17 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -149,6 +149,10 @@ Security related changes:
>    CVE-2017-1000366 has been applied, but it is mentioned here only because
>    of the CVE assignment.)  Reported by Qualys.
>  
> +  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> +  for AT_SECURE or SUID binaries could be used to load libraries from the
> +  current directory.
> +
>  The following bugs are resolved with this release:
>  
>    [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index e7d97dcc56..827ec1c491 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -384,7 +384,17 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path)
>    if (result == NULL)
>      return NULL;
>  
> -  return _dl_dst_substitute (l, s, result, is_path);
> +  char *retval = _dl_dst_substitute (l, s, result, is_path);
> +
> +  /* If substitution of dynamic string tokens resulted to an empty string,
> +     return NULL as in case of insufficient memory.  */
> +  if (__glibc_unlikely (*retval == '\0'))
> +    {
> +      free (result);
> +      return NULL;
> +    }
> +
> +  return retval;
>  }
>  
>  
> @@ -433,22 +443,33 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
>  {
>    char *cp;
>    size_t nelems = 0;
> -  char *to_free;
>  
>    while ((cp = __strsep (&rpath, sep)) != NULL)
>      {
>        struct r_search_path_elem *dirp;
> -
> -      to_free = cp = expand_dynamic_string_token (l, cp, 1);
> -
> -      size_t len = strlen (cp);
> +      char *to_free = NULL;
> +      size_t len;
>  
>        /* `strsep' can pass an empty string.  This has to be
>  	 interpreted as `use the current directory'. */
> -      if (len == 0)
> +      if (*cp == '\0')
>  	{
>  	  static const char curwd[] = "./";
>  	  cp = (char *) curwd;
> +	  len = 0;
> +	}
> +      else
> +	{
> +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
> +
> +	  /* expand_dynamic_string_token can return NULL in case of empty
> +	     path or memory allocation failure.  */
> +	  if (cp == NULL)
> +	    continue;
> +
> +	  /* Recompute the length after dynamic string token expansion
> +	     and ignore empty paths.  */

Just /* Compute the length after dynamic string token expansion.  */

> +	  len = strlen (cp);
>  	}
>  
>        /* Remove trailing slashes (except for "/").  */
> @@ -620,6 +641,14 @@ decompose_rpath (struct r_search_path_struct *sps,
>       necessary.  */
>    free (copy);
>  
> +  /* There is no path after expansion.  */
> +  if (result[0] == NULL)
> +    {
> +      free (result);
> +      sps->dirs = (struct r_search_path_elem **) -1;
> +      return false;
> +    }
> +
>    sps->dirs = result;
>    /* The caller will change this value if we haven't used a real malloc.  */
>    sps->malloced = 1;

I think the patch is fine.


-- 
ldv

Attachment: signature.asc
Description: PGP signature

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]