This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug dynamic-link/18018] Additional $ORIGIN handling issues (CVE-2011-0536)


https://sourceware.org/bugzilla/show_bug.cgi?id=18018

--- Comment #2 from Carlos O'Donell <carlos at redhat dot com> ---
(In reply to Carlos O'Donell from comment #1)
> (In reply to Florian Weimer from comment #0)
> > Most downstream fixes for CVE-2010-3847 were incomplete.  One of the
> > follow-up fixes was never applied to glibc, namely this part:
> > 
> > Index: glibc-2.12-2-gc4ccff1/elf/dl-object.c
> > ===================================================================
> > --- glibc-2.12-2-gc4ccff1.orig/elf/dl-object.c
> > +++ glibc-2.12-2-gc4ccff1/elf/dl-object.c
> > @@ -214,6 +214,9 @@ _dl_new_object (char *realname, const ch
> >      out:
> >        new->l_origin = origin;
> >      }
> > +  else if (INTUSE(__libc_enable_secure) && type == lt_executable)
> > +    /* The origin of a privileged program cannot be trusted.  */
> > +    new->l_origin = (char *) -1;
> >  
> >    return new;
> >  }
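
Review bot: The added else-if branch stores (char *) -1 in l_origin for every lt_executable whenever __libc_enable_secure is set, without looking at where the executable actually resides, so the rule is applied identically to all privileged programs. If that blanket behaviour is intended, the comment should say so and state what the (char *) -1 value means to later readers of l_origin, since "cannot be trusted" alone does not explain the sentinel. The condition of the if that this else attaches to lies outside the hunk's context, so the patch description should also name which objects reach this branch with l_origin still unset.
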
> > 
> > We need to figure out if this patch is still needed.
> 
> I believe this is not needed.

So I'm going to mark this bug resolved by my changes to this code because the
intent of setting l_origin to -1 for lt_executable && AT_SECURE is wrong. We
can trust the l_origin in one case, the case where it comes first in the list
and is rooted in a trusted directory.

We use calloc to allocate the link_map and so l_origin is NULL if we don't
initialize it, and this causes later calls to _dl_get_origin() to initialize
origin once we can do more complex operations (read /proc/self/exe or read
LD_ORIGIN_PATH).
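
A simplified model of the l_origin states described in the message above, added here as an example and not glibc code or part of the original message: a calloc'd map starts with l_origin NULL, the first lookup fills it in, and (char *) -1 marks an origin that could not be determined. The names toy_map, toy_get_origin, origin_from_path and origin_is_trusted, the prefix-based trust check and the sample paths are assumptions made for illustration.

```c
#include <stdlib.h>
#include <string.h>
/* Toy stand-in for the loader's link_map; only the field discussed here. */
struct toy_map { char *l_origin; };  /* NULL = not computed, -1 = unknown */
#define ORIGIN_UNKNOWN ((char *) -1)

/* Directory part of an absolute path, or ORIGIN_UNKNOWN if none can be derived. */
static char *origin_from_path(const char *exe)
{
    if (exe == NULL || exe[0] != '/')
        return ORIGIN_UNKNOWN;
    const char *slash = strrchr(exe, '/');
    size_t len = (slash == exe) ? 1 : (size_t) (slash - exe);
    char *dir = malloc(len + 1);
    if (dir == NULL) return ORIGIN_UNKNOWN;
    memcpy(dir, exe, len);
    dir[len] = '\0';
    return dir;
}

/* Lazy accessor: the first call fills in l_origin, later calls reuse it. */
static const char *toy_get_origin(struct toy_map *m, const char *exe)
{
    if (m->l_origin == NULL)
        m->l_origin = origin_from_path(exe);
    return m->l_origin;
}

/* Known origin that equals, or lies under, one of the trusted directories. */
static int origin_is_trusted(const char *o, const char *const *dirs, size_t n)
{
    if (o == NULL || o == ORIGIN_UNKNOWN)
        return 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(dirs[i]);
        if (strncmp(o, dirs[i], len) == 0 && (o[len] == '\0' || o[len] == '/'))
            return 1;
    }
    return 0;
}

int main(void)
{
    const char *const dirs[] = { "/usr/bin", "/usr/lib" };  /* constructed list */
    struct toy_map *m = calloc(1, sizeof *m);               /* l_origin starts NULL */
    if (m == NULL) return 1;
    const char *o = toy_get_origin(m, "/usr/bin/passwd");   /* constructed path */
    return origin_is_trusted(o, dirs, 2) ? 0 : 1;
}
```

The trust check compares whole path components, so a directory that merely shares a prefix with a trusted one (for example /usr/binx against /usr/bin) is rejected.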
