This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug dynamic-link/23259] Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE

From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sourceware dot org
Date: Tue, 12 Jun 2018 15:24:02 +0000
Subject: [Bug dynamic-link/23259] Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
Auto-submitted: auto-generated
References: <bug-23259-131@http.sourceware.org/bugzilla/>

https://sourceware.org/bugzilla/show_bug.cgi?id=23259

--- Comment #7 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #4)
> (In reply to Carlos O'Donell from comment #3)
> > The unsubstituted path is used directly to load the DT_NEEDED requirement.
> > It's only a security issue in the case that a defect in your SUID/GUID
> > application caused a malformed DT_NEEDED e.g. /bad/${ORIGIN}lib.so.
> 
> 
> Can this also happen for $ORIGIN/lib.so if $ORIGIN cannot be determined?

I will speak only about the new code right now.

In the new implementation this results in a load failure because DT_NEEDED
cannot have a DST in it for SUID/SGID.

For non-SUID/SGID it is not a load failure, but the DT_NEEDED entry will be
discarded because $ORIGIN has no replacement value, so the load might still
fail.

e.g.

 326           else if (len != 0)
 327             {
 328               /* We found a valid DST that we know about, but we could
 329                  not find a replacement value for it, therefore we
 330                  cannot use this path and discard it.  */
 331               *result = '\0';
 332               return result;
 333             }

In the old code if $ORIGIN could not be determined we should have fallen
through to this case:

e.g.

 317           else if (len > 1)
 318             {
 319               /* We cannot use this path element, the value of the
 320                  replacement is unknown.  */
 321               wp = last_elem;
 322               name += len;
 323               while (*name != '\0' && (!is_path || *name != ':'))
 324                 ++name;
 325               /* Also skip following colon if this is the first rpath
 326                  element, but keep an empty element at the end.  */
 327               if (wp == result && is_path && *name == ':' && name[1] !=
'\0')
 328                 ++name;
 329             }

Which has similar behaviour in that 'wp = last_elem', we jump back to the last
known good path in the colon separated path list, and skip 'name' forward to
the next path in the list, and work on the next path.

So I don't think it should be a problem.

-- 
You are receiving this mail because:
You are on the CC list for the bug.

References:
- [Bug dynamic-link/23259] New: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE
  - From: carlos at redhat dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]