This is the mail archive of the
mailing list for the glibc project.
Re: [PATCH] elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]
- From: Florian Weimer <fweimer at redhat dot com>
- To: libc-alpha at sourceware dot org
- Date: Tue, 20 Feb 2018 15:00:54 +0100
- Subject: Re: [PATCH] elf: Remove ad-hoc restrictions on dlopen callers [BZ #22787]
- Authentication-results: sourceware.org; auth=none
- References: <20180205140121.440E240137CD1@oldenburg.str.redhat.com>
On 02/05/2018 03:01 PM, Florian Weimer wrote:
This looks like a post-exploitation hardening measure: If an attacker is
able to redirect execution flow, they could use that to load a DSO which
contains additional code (or perhaps make the stack executable).
However, the checks are not in the correct place to be effective: If
they are performed before the critical operation, an attacker with
sufficient control over execution flow could simply jump directly to
the code which performs the operation, bypassing the check. The check
would have to be executed unconditionally after the operation and
terminate the process in case a caller violation was detected.
Furthermore, in _dl_check_caller, there was a fallback reading global
writable data (GL(dl_rtld_map).l_map_start and
GL(dl_rtld_map).l_text_end), which could conceivably be targeted by an
attacker to disable the check, too.
Other critical functions (such as system) remain completely
unprotected, so the value of these additional checks does not appear
that large. Therefore this commit removes this functionality.