This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

From: Aurelien Jarno <aurelien at aurel32 dot net>
To: Florian Weimer <fweimer at redhat dot com>
Cc: libc-alpha at sourceware dot org, "Dmitry V . Levin" <ldv at altlinux dot org>
Date: Tue, 19 Dec 2017 18:19:06 +0100
Subject: Re: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
Authentication-results: sourceware.org; auth=none
References: <20171218204213.26583-1-aurelien@aurel32.net> <323f748f-0258-c16d-fd04-80f6b845aa3e@redhat.com>

On 2017-12-19 14:16, Florian Weimer wrote:
> On 12/18/2017 09:42 PM, Aurelien Jarno wrote:
> > -  return _dl_dst_substitute (l, s, result, is_path);
> > +  char *retval = _dl_dst_substitute (l, s, result, is_path);
> > +
> > +  /* If substitution of dynamic string tokens resulted to an empty string,
> > +     return NULL as in case of insufficient memory.  */
> > +  if (__glibc_unlikely (*retval == '\0'))
> > +    {
> > +      free (result);
> > +      return NULL;
> > +    }
> > +
> > +  return retval;
> 
> I'm not really happy with this.  OOM and a zero-string expansion are very
> different things.  We seem to have other abuses in the existing code, but I
> don't think we should add further instances.

That's something changed from the first version. I can rollback that
change, and add back the check or empty string in fillin_rpath.

> Furthermore, I'm not sure if the fix is robust enough.  There is another bug
> in the $ORIGIN DST component skipping:  $ORIGIN eats the trailing colon.
> This is because this code:
> 
>       else
> 	{
> 	  *wp++ = *name++;
> 	  if (is_path && *name == ':')
> 
> happens when name is at the ':' after $ORIGIN processing, so only the next
> ':' after that (or the end of the string) terminates this component, and the
> call to the is_trusted_path_normalize covers two components mushed together
> instead of one.  So the check likely fails, and both path elements are
> skipped.  In some cases, this results in an empty string where it would not
> usually be non-empty.

While this is indeed a problem in _dl_dst_substitute, it's not an issue
in this case as expand_dynamic_string_token and thus _dl_dst_substitute
do not get called from fillin_rpath with a colon. Indeed since commit
b75891075bec (which introduced this bug), expand_dynamic_string_token
is called after the split of the path by colons instead of before.

Aurelien

-- 
Aurelien Jarno                          GPG: 4096R/1DDD8C9B
aurelien@aurel32.net                 http://www.aurel32.net

Attachment: signature.asc
Description: PGP signature

Follow-Ups:
- Re: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
  - From: Dmitry V. Levin

References:
- [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
  - From: Aurelien Jarno
- Re: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]