This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)
- From: "aurelien at aurel32 dot net" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Sun, 17 Dec 2017 21:14:09 +0000
- Subject: [Bug libc/22625] RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)
- Auto-submitted: auto-generated
- References: <bug-22625-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22625
--- Comment #3 from Aurelien Jarno <aurelien at aurel32 dot net> ---
(In reply to Dmitry V. Levin from comment #2)
> (In reply to Aurelien Jarno from comment #1)
> > The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH
> > token and interprets empty tokens as the current directory ("./"). In
> > practice the check for an empty token is done *after* the dynamic string token
> > expansion. The expansion process can return an empty string for the $ORIGIN
> > token if __libc_enable_secure is set or if the path of the binary cannot be
> > determined (/proc not mounted).
> >
> > In short it means that the dynamic linker can load libraries (including
> > libc.so.6) from the current directory for AT_SECURE and SUID binaries that
> > have an RPATH or RUNPATH starting with $ORIGIN.
>
> Yes.
>
> > Libraries with a $ORIGIN RPATH are handled correctly.
>
> Sorry, did you mean "without $ORIGIN"?
I used the wrong term "binary" in the descriptions above. I meant that executables
are affected, but libraries are not. If $ORIGIN in libraries had also been
affected, the bug would have been much more serious, as they use $ORIGIN much
more.
> > The bug exists since glibc 2.19.
> >
> > The test is as simple as:
> > - echo 'int main() {}' > test.c
> > - gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
> > - change the binary to SUID root
> > - run it under strace to see it tries to load libc.so.6 from the current
> > directory (try from different paths).
>
> Invoking a SUID executable under strace effectively strips SUID unless
> strace itself is SUID, which is unlikely.
>
> Here is a simpler test:
> $ ln -snf /dev/null libc.so.6 && rm -rf d && mkdir -m0700 d && cd d && echo
> 'int main(){}' |gcc -xc - -Wl,-rpath,'$ORIGIN' && chgrp -h another_group
> a.out && chmod 02710 a.out && cd .. && d/a.out
> d/a.out: error while loading shared libraries: libc.so.6: file too short
Indeed, thanks for the better test.
--
You are receiving this mail because:
You are on the CC list for the bug.
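The ordering problem described in this thread (empty-token check performed after $ORIGIN expansion, so a token that expands to nothing is mistaken for a literal empty token meaning "./") is easiest to see in a small model of the tokenizer. The following C program is an added illustration written for this archive page; it is not glibc's fillin_rpath and does not reproduce the actual fix, it only models the two orderings side by side. Assumptions: only the bare `$ORIGIN` dynamic string token is expanded (no `${ORIGIN}`, `$LIB` or `$PLATFORM`), the executable's directory is passed in as `origin`, and `origin == NULL` stands for the AT_SECURE / no-/proc case in which the thread says the expansion yields an empty string.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_DIRS 16
#define DIR_LEN 256

/* Expand "$ORIGIN" inside `token` (length `len`) into `out`.
   `origin` is the directory of the executable, or NULL when the dynamic
   linker refuses to resolve it (__libc_enable_secure set, or /proc not
   mounted); in that case the DST contributes nothing, so a token that
   consists only of "$ORIGIN" expands to the empty string.
   Model code for this note, not glibc's _dl_dst_substitute. */
static void expand_dst(const char *token, size_t len, const char *origin,
                       char *out, size_t outlen)
{
    size_t pos = 0, i = 0;
    while (i < len && pos + 1 < outlen) {
        if (len - i >= 7 && memcmp(token + i, "$ORIGIN", 7) == 0) {
            if (origin != NULL) {
                size_t olen = strlen(origin);
                if (olen > outlen - 1 - pos)
                    olen = outlen - 1 - pos;
                memcpy(out + pos, origin, olen);
                pos += olen;
            }
            i += 7;
        } else {
            out[pos++] = token[i++];
        }
    }
    out[pos] = '\0';
}

/* Split a colon-separated RPATH/RUNPATH into search directories.
   vulnerable == true models the pre-fix ordering from the bug report: the
   empty check runs on the *expanded* text, so "$ORIGIN" with origin == NULL
   becomes "./".  vulnerable == false checks for a literal empty token first
   (which the ELF convention does map to the current directory) and drops
   any token that only became empty through expansion. */
static int fillin_rpath_model(const char *rpath, const char *origin,
                              bool vulnerable, char dirs[][DIR_LEN],
                              int max_dirs)
{
    int n = 0;
    const char *p = rpath;
    while (n < max_dirs) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char buf[DIR_LEN];

        if (!vulnerable && len == 0) {
            snprintf(dirs[n++], DIR_LEN, "./");        /* literal "" -> cwd */
        } else {
            expand_dst(p, len, origin, buf, sizeof buf);
            if (buf[0] == '\0') {
                if (vulnerable)
                    snprintf(dirs[n++], DIR_LEN, "./"); /* BUG: expanded-empty treated as cwd */
                /* hardened ordering: token expanded to nothing, ignore it */
            } else {
                size_t blen = strlen(buf);
                const char *slash = (buf[blen - 1] == '/') ? "" : "/";
                snprintf(dirs[n++], DIR_LEN, "%s%s", buf, slash);
            }
        }
        if (!end)
            break;
        p = end + 1;
    }
    return n;
}

/* Small wrappers so the model can be checked from a test harness. */
static int dir_count(const char *rpath, const char *origin, bool vulnerable)
{
    char dirs[MAX_DIRS][DIR_LEN];
    return fillin_rpath_model(rpath, origin, vulnerable, dirs, MAX_DIRS);
}

static const char *dir_at(const char *rpath, const char *origin,
                          bool vulnerable, int idx)
{
    static char dirs[MAX_DIRS][DIR_LEN];
    int n = fillin_rpath_model(rpath, origin, vulnerable, dirs, MAX_DIRS);
    return idx < n ? dirs[idx] : "";
}

int main(void)
{
    /* The RPATH from the test case in this thread: a bare "$ORIGIN". */
    const char *rpath = "$ORIGIN";
    const char *cases[] = { "/opt/app", NULL };   /* normal vs. secure/no-proc */
    for (int c = 0; c < 2; c++) {
        for (int v = 1; v >= 0; v--) {
            char dirs[MAX_DIRS][DIR_LEN];
            int n = fillin_rpath_model(rpath, cases[c], v, dirs, MAX_DIRS);
            printf("origin=%-8s %s: %d dir(s)", cases[c] ? cases[c] : "(none)",
                   v ? "vulnerable" : "hardened  ", n);
            for (int i = 0; i < n; i++)
                printf(" [%s]", dirs[i]);
            printf("\n");
        }
    }
    return 0;
}
```

Only the bare `$ORIGIN` case is affected in the model, matching the thread: a token such as `$ORIGIN/lib` still expands to a non-empty `/lib/` when the origin is unavailable and is not turned into the current directory by either ordering. The point of the hardened ordering is that a literal empty token and a token that merely expanded to nothing are distinguishable only before expansion, so the check has to happen there.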