This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/23259] New: Unsubstituted ${ORIGIN} remains in DT_NEEDED for AT_SECURE


https://sourceware.org/bugzilla/show_bug.cgi?id=23259

            Bug ID: 23259
           Summary: Unsubstituted ${ORIGIN} remains in DT_NEEDED for
                    AT_SECURE
           Product: glibc
           Version: 2.29
            Status: NEW
          Severity: normal
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: carlos at redhat dot com
  Target Milestone: ---

In Fedora we carry a patch to handle an unsubstituted $ORIGIN from a DT_NEEDED
entry for AT_SECURE.

Without the patch the present glibc handling can result in an unsubstituted
$ORIGIN being used in path lookup:

From my own test cases:
~~~
Test 16 [SUID]: Verify ${ORIGIN} without / in DT_NEEDED discards the DT_NEEDED.
origin: Function called.
FAIL: Incorrectly allowed DT_NEEDED with ${ORIGIN}.
~~~

~~~
function test16 {
    # Single quotes keep ${ORIGIN} literal so it ends up verbatim in DT_NEEDED.
    local soname='/bad/${ORIGIN}liborigin.so'
    local testdir="test16dir"
    local ret

    rm -rf "$testdir"
    echo "Test 16 [SUID]: Verify \${ORIGIN} without / in DT_NEEDED discards the DT_NEEDED."
    startup_sysroot "./$testdir" "$BUILD"
    gcc -shared -fPIC -Wl,-soname="$soname" -o liborigin.so origin.c
    gcc -g3 -O0 -L. -o test16 ./need_origin.c -lorigin
    # Install the library under the literal, unexpanded name.
    mkdir -p "./$testdir/bad"
    cp liborigin.so "./$testdir/bad/\${ORIGIN}liborigin.so"
    rm liborigin.so
    mv test16 "./$testdir/root/"
    # Make the test binary setuid root (the AT_SECURE case under test).
    sudo chown root:root "./$testdir/root/test16"
    sudo chmod u+s "./$testdir/root/test16"
    run_in_sysroot "./$testdir" /root/test16
    ret=$?
    # The load is expected to fail; a zero exit status means the entry was used.
    if [ "$ret" -ne 0 ]; then
        echo "PASS: Failed to execute binary with \${ORIGIN} in DT_NEEDED."
    else
        echo "FAIL: Incorrectly allowed DT_NEEDED with \${ORIGIN}."
    fi
    shutdown_sysroot "./$testdir"
}
~~~

Just to give an idea of what is done here, we generate a binary with a
DT_NEEDED of '/bad/${ORIGIN}liborigin.so', perhaps a mistake, but the
unprocessed ${ORIGIN} means the entry is eventually searched as a literal
entry.

This should result in an error, since ${ORIGIN} should not be allowed.

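The following check is an added example, not code from the report or from glibc: it lists DT_NEEDED names that still contain a dynamic string token, so setuid/setgid binaries like the one test16 builds can be found by an audit. It also covers `$LIB` and `$PLATFORM`, beyond the `${ORIGIN}` case in the report; the function names and the sample `readelf -d` output are constructed for illustration.

```bash
#!/bin/sh
# Added example: flag DT_NEEDED entries that carry a dynamic string token.
# Function names and SAMPLE_DYNAMIC are constructed for illustration.

# Read `readelf -d` output on stdin and print each DT_NEEDED name containing
# $ORIGIN, $LIB or $PLATFORM (bare or in braces). RPATH/RUNPATH lines are
# ignored on purpose: tokens are expected there, not in DT_NEEDED.
needed_with_dst() {
    sed -n 's/^.*(NEEDED).*Shared library: \[\(.*\)][[:space:]]*$/\1/p' |
        grep -E '[$][{]?(ORIGIN|LIB|PLATFORM)' || true
}

# Check each setuid/setgid file given as an argument. Returns 1 if any of
# them has a DT_NEEDED entry with a token. Binaries that get AT_SECURE by
# other means (for example file capabilities) are not covered here.
audit_secure_binaries() {
    audit_status=0
    for audit_file in "$@"; do
        [ -u "$audit_file" ] || [ -g "$audit_file" ] || continue
        audit_hits=$(readelf -d -W "$audit_file" 2>/dev/null | needed_with_dst)
        [ -n "$audit_hits" ] || continue
        audit_status=1
        printf '%s\n' "$audit_hits" | while IFS= read -r audit_name; do
            printf '%s: DT_NEEDED with token: %s\n' "$audit_file" "$audit_name"
        done
    done
    return "$audit_status"
}

# Constructed sample of `readelf -d` output for a binary like test16.
SAMPLE_DYNAMIC=$(cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [/bad/${ORIGIN}liborigin.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN/../lib]
EOF
)

# When called with file arguments, audit them; with none, do nothing.
if [ "$#" -gt 0 ]; then
    audit_secure_binaries "$@"
fi
```

Run it as `sh script.sh /path/to/binary ...`; a non-zero exit status means at least one setuid/setgid file was reported.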
