This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
- From: Aurelien Jarno <aurelien at aurel32 dot net>
- To: libc-alpha at sourceware dot org
- Cc: "Dmitry V . Levin" <ldv at altlinux dot org>, Aurelien Jarno <aurelien at aurel32 dot net>
- Date: Mon, 18 Dec 2017 21:42:13 +0100
- Subject: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
- Authentication-results: sourceware.org; auth=none
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and intepret empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).
To fix that, move the check for empty tokens before the dynamic string
token expansion. Change expand_dynamic_string_token to return NULL
instead of an empty string, and check for NULL pointer returned by
expand_dynamic_string_token.
The above changed highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath path
level, but by using a -1 pointer in decompose_rpath and other functions.
Changelog:
[BZ #22625]
* elf/dl-load.c (expand_dynamic_string_token): Return NULL instead
of an empty string.
(fillin_rpath): Check for empty tokens before dynamic string token
expansion. Check for NULL pointer possibly returned by
expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
---
ChangeLog | 12 ++++++++++++
NEWS | 4 ++++
elf/dl-load.c | 43 ++++++++++++++++++++++++++++++++++++-------
3 files changed, 52 insertions(+), 7 deletions(-)
This new version includes the suggestions done by Dmitry. It would be
nice if it could be reviewed by at least one more person, especially
the part modifying expand_dynamic_string_token.
diff --git a/ChangeLog b/ChangeLog
index 4a7164354f..24a5223485 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,15 @@
+2017-12-17 Aurelien Jarno <aurelien@aurel32.net>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ [BZ #22625]
+ * elf/dl-load.c (expand_dynamic_string_token): Return NULL instead
+ of an empty string.
+ (fillin_rpath): Check for empty tokens before dynamic string token
+ expansion. Check for NULL pointer possibly returned by
+ expand_dynamic_string_token.
+ (decompose_rpath): Check for empty path after dynamic string
+ token expansion.
+
2017-12-18 Sergei Trofimovich <slyfox@gentoo.org>
[BZ #22624]
diff --git a/NEWS b/NEWS
index a43ff26e83..0d43e93a17 100644
--- a/NEWS
+++ b/NEWS
@@ -149,6 +149,10 @@ Security related changes:
CVE-2017-1000366 has been applied, but it is mentioned here only because
of the CVE assignment.) Reported by Qualys.
+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+ for AT_SECURE or SUID binaries could be used to load libraries from the
+ current directory.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index e7d97dcc56..827ec1c491 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -384,7 +384,17 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path)
if (result == NULL)
return NULL;
- return _dl_dst_substitute (l, s, result, is_path);
+ char *retval = _dl_dst_substitute (l, s, result, is_path);
+
+ /* If substitution of dynamic string tokens resulted to an empty string,
+ return NULL as in case of insufficient memory. */
+ if (__glibc_unlikely (*retval == '\0'))
+ {
+ free (result);
+ return NULL;
+ }
+
+ return retval;
}
@@ -433,22 +443,33 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
-
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
- size_t len = strlen (cp);
+ char *to_free = NULL;
+ size_t len;
/* `strsep' can pass an empty string. This has to be
interpreted as `use the current directory'. */
- if (len == 0)
+ if (*cp == '\0')
{
static const char curwd[] = "./";
cp = (char *) curwd;
+ len = 0;
+ }
+ else
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
+
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
+
+ /* Recompute the length after dynamic string token expansion
+ and ignore empty paths. */
+ len = strlen (cp);
}
/* Remove trailing slashes (except for "/"). */
@@ -620,6 +641,14 @@ decompose_rpath (struct r_search_path_struct *sps,
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;
--
2.15.1