This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug dynamic-link/21942] _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1
- From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Wed, 06 Jun 2018 03:40:17 +0000
- Subject: [Bug dynamic-link/21942] _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1
- Auto-submitted: auto-generated
- References: <bug-21942-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=21942
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |carlos at redhat dot com
--- Comment #1 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Florian Weimer from comment #0)
> I'm not sure if there is a trivial fix for this. The execution flow is very
> complicated.
I can't reproduce this issue with my testcases for this, and the 'is_path' code
was removed by recent refactoring to simplify this code.
For example:
Test 5 [SUID]: Test that RPATH of $ORIGIN:./ ignores $ORIGIN and uses ./.
25758: expand_dynamic_string_token name=$ORIGIN, start=$ORIGIN
25758: _dl_dst_count $ORIGIN (7fbbbf87ad20)
25758: is_dst name=ORIGIN (begin)
25758: is_dst nlen=6 name=ORIGIN (7fbbbf87ad21) (str=ORIGIN)
25758: _dl_dst_count next
25758: _dl_dst_count cnt 1
25758: DL_DST_REQUIRED l_origin 7fbbbf87ad50
25758: _dl_dst_substitute name=$ORIGIN start=$ORIGIN
25758: is_dst name=ORIGIN (begin)
25758: is_dst nlen=6 name=ORIGIN (7fbbbf87ad21) (str=ORIGIN)
25758: _dl_dst_substitute 7fbbbf87ad50
25758: is_trusted_path_normalize: /root 5
25758: is_trusted_path_normalize: Transformed path /root/
25758: is_trusted_path_normalize: Path is NOT trusted.
25758: expand_dynamic_string_token name=./, start=$ORIGIN
25758: security = 1
25758: security = 1
25758: security = 1
25758: security = 1
PASS: Correct primary library.
You see that the RPATH splitting happens at expand_dynamic_string_token after
my fixes, and thus is_trusted_path_normalize is never passed multiple path
sequences.
I'm going to mark that my patches fix this also, and you can review upstream.
--
You are receiving this mail because:
You are on the CC list for the bug.