This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug dynamic-link/21942] _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1
- From: "cvs-commit at gcc dot gnu.org" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 18 Jun 2018 11:52:28 +0000
- Subject: [Bug dynamic-link/21942] _dl_dst_substitute incorrectly handles $ORIGIN: with AT_SECURE=1
- Auto-submitted: auto-generated
- References: <bug-21942-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=21942
--- Comment #4 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.27/master has been updated
via 80c83e91140d429c73f79092fdb75eed0fb71da0 (commit)
from b25e5e3c09a086d516627544e48635354870c72f (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=80c83e91140d429c73f79092fdb75eed0fb71da0
commit 80c83e91140d429c73f79092fdb75eed0fb71da0
Author: Carlos O'Donell <carlos@redhat.com>
Date: Tue Jun 5 23:55:17 2018 -0400
Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug 23259).

This commit improves DST handling significantly in the following
ways: firstly is_dst () is overhauled to correctly process DST
sequences that would be accepted given the ELF gABI. This means that
we actually now accept slightly more sequences than before. Now we
accept $ORIGIN$ORIGIN, but in the past we accepted only $ORIGIN\0 or
$ORIGIN/..., but this kind of behaviour results in unexpected
and uninterpreted DST sequences being used as literal search paths
leading to security defects. Therefore the first step in correcting
this defect is making is_dst () properly account for all DSTs
and making the function context free in the sense that it counts
DSTs without knowledge of path, or AT_SECURE. Next, _dl_dst_count ()
is also simplified to count all DSTs regardless of context.
Then in _dl_dst_substitute () we reintroduce context-dependent
processing for such things as AT_SECURE handling. At the level of
_dl_dst_substitute we can have access to things like the true start
of the string sequence to validate $ORIGIN-based paths rooted in
trusted directories. Lastly, we tighten up the accepted sequences
in AT_SECURE, and avoid leaving known unexpanded DSTs, this is
noted in the NEWS entry.

Verified with a sequence of 68 tests on x86_64 that cover
non-AT_SECURE and AT_SECURE testing using a sysroot (requires root
to run). The tests cover cases for bug 23102, bug 21942, bug 18018,
and bug 23259. These tests are not yet appropriate for the glibc
regression testsuite, but with the upcoming test-in-container testing
framework it should be possible to include these tests upstream soon.

See the mailing list for the tests:
https://www.sourceware.org/ml/libc-alpha/2018-06/msg00251.html

(cherry picked from commit 5aad5f617892e75d91d4c8fb7594ff35b610c042)
-----------------------------------------------------------------------
Summary of changes:
 ChangeLog     |  19 +++++
 NEWS          |  15 ++++
 elf/dl-deps.c |   2 +-
 elf/dl-dst.h  |  13 ----
 elf/dl-load.c | 213 ++++++++++++++++++++++++++++++++++++---------------------
 5 files changed, 169 insertions(+), 93 deletions(-)
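A simplified C model of the two-stage design the commit message describes (context-free DST counting, then context-dependent AT_SECURE checks), added here as an illustration; it is not the glibc code. The names `dst_len`, `count_origin` and `secure_origin_ok` are hypothetical, and the secure-mode rule applied ($ORIGIN only at the start of a path element, followed by `/` or the end of the string) is an assumption about the tightened behaviour; the trusted-directory check is left out.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Simplified model, not glibc source.  INPUT points just past a '$'.
   Returns the length of the DST named REF, braces included, or 0.
   It knows nothing about the path or AT_SECURE ("context free").  */
size_t dst_len(const char *input, const char *ref)
{
    bool curly = (input[0] == '{');
    size_t rlen = strlen(ref);
    input += curly;
    if (strncmp(input, ref, rlen) != 0)
        return 0;
    char next = input[rlen];
    if (curly)
        return next == '}' ? rlen + 2 : 0;
    /* A trailing identifier character means a longer, different name.  */
    bool ident = next == '_' || (next >= '0' && next <= '9')
                 || (next >= 'A' && next <= 'Z') || (next >= 'a' && next <= 'z');
    return ident ? 0 : rlen;
}

/* Count every $ORIGIN or ${ORIGIN}, wherever it sits in PATH.  */
size_t count_origin(const char *path)
{
    size_t n = 0;
    for (const char *p = strchr(path, '$'); p != NULL; p = strchr(p, '$')) {
        size_t len = dst_len(p + 1, "ORIGIN");
        n += (len != 0);
        p += 1 + len;
    }
    return n;
}

/* Context-dependent step (assumed rule): in secure mode each $ORIGIN must
   open the path element and be followed by '/' or the end of the string.
   The trusted-directory check on the expanded path is not modelled.  */
bool secure_origin_ok(const char *elem)
{
    for (const char *p = strchr(elem, '$'); p != NULL; p = strchr(p, '$')) {
        size_t len = dst_len(p + 1, "ORIGIN");
        char next = p[1 + len];
        if (len != 0 && !(p == elem && (next == '\0' || next == '/')))
            return false;
        p += 1 + len;
    }
    return true;
}
```

In this model `$ORIGIN$ORIGIN` counts as two tokens, yet is refused in secure mode because the first token is not followed by `/` or the end of the string.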