This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/22787] _dl_check_caller returns false when libc is linked through an absolute DT_NEEDED path


https://sourceware.org/bugzilla/show_bug.cgi?id=22787

--- Comment #2 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  52a01100ad011293197637e42b5be1a479a2f4ae (commit)
      from  b5bf62e40c5ff4e3906572f257dcda77b393ffa0 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=52a01100ad011293197637e42b5be1a479a2f4ae

commit 52a01100ad011293197637e42b5be1a479a2f4ae
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Feb 21 10:37:22 2018 +0100

    elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]

    This looks like a post-exploitation hardening measure: If an attacker is
    able to redirect execution flow, they could use that to load a DSO which
    contains additional code (or perhaps make the stack executable).

    However, the checks are not in the correct place to be effective: If
    they are performed before the critical operation, an attacker with
    sufficient control over execution flow could simply jump directly to
    the code which performs the operation, bypassing the check.  The check
    would have to be executed unconditionally after the operation and
    terminate the process in case a caller violation was detected.

    Furthermore, in _dl_check_caller, there was a fallback reading global
    writable data (GL(dl_rtld_map).l_map_start and
    GL(dl_rtld_map).l_text_end), which could conceivably be targeted by an
    attacker to disable the check, too.

    Other critical functions (such as system) remain completely
    unprotected, so the value of these additional checks does not appear
    that large.  Therefore this commit removes this functionality.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                              |   21 ++++++++
 elf/Makefile                           |    3 +-
 elf/dl-caller.c                        |   86 --------------------------------
 elf/dl-load.c                          |    7 ---
 elf/dl-open.c                          |    9 ---
 elf/rtld.c                             |    1 -
 include/caller.h                       |   31 -----------
 sysdeps/generic/ldsodefs.h             |    5 --
 sysdeps/unix/sysv/linux/dl-execstack.c |    7 ---
 9 files changed, 22 insertions(+), 148 deletions(-)
 delete mode 100644 elf/dl-caller.c
 delete mode 100644 include/caller.h

-- 
You are receiving this mail because:
You are on the CC list for the bug.
