This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug 23259, CVE-2011-0536).


On Jun 06 2018, Carlos O'Donell <carlos@redhat.com> wrote:

> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 431236920f..13263212d5 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -177,63 +177,89 @@ is_trusted_path_normalize (const char *path, size_t len)
>    return false;
>  }
>  
> +/* Given a substring starting at NAME, just after the DST '$' start
> +   token, determine if NAME contains dynamic string token STR,
> +   following the ELF gABI rules for dynamic string tokens:
>  
> +   * Longest possible sequence using the rules (greedy).
> +
> +   * Must start with a $ (enforced by caller).
> +
> +   * Must follow $ with one underscore or ASCII [A-Za-z] (enforced by
> +     caller via STR comparison) or '{' (start curly quoted name).
> +
> +   * Must follow first two characters with zero or more [A-Za-z0-9_]
> +     (enforced by caller) or '}' (end curly quoted name).
> +
> +   If the sequence is a dynamic string token matching STR then
> +   the length of the DST is returned, otherwise 0.  */
>  static size_t
> -is_dst (const char *start, const char *name, const char *str, int secure)
> +is_dst (const char *name, const char *str)
>  {
> -  size_t len;
> +  size_t nlen, slen;
>    bool is_curly = false;
>  
> +  /* Is a ${...} name sequence?  */
>    if (name[0] == '{')
>      {
>        is_curly = true;
>        ++name;
>      }
>  
> -  len = 0;
> -  while (name[len] == str[len] && name[len] != '\0')
> -    ++len;
> +  /* Find longest valid name sequence.  */
> +  nlen = 0;
> +  while ((name[nlen] >= 'A' && name[nlen] <= 'Z')
> +	 || (name[nlen] >= 'a' && name[nlen] <= 'z')
> +	 || (name[nlen] >= '0' && name[nlen] <= '9')
> +	 || (name[nlen] == '_'))
> +    ++nlen;
> +
> +  slen = strlen (str);
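Review bot: the rewritten loop in is_dst no longer compares name against str: it only measures the longest run of [A-Za-z0-9_] into nlen, and slen = strlen (str) is computed but not used in the lines shown, so as quoted the function cannot tell one token name from another. The hunk is cut off right after the strlen call, so if a length check (nlen == slen) and a strncmp (name, str, slen) follow, they are not visible here; the same applies to the closing '}' that the comment requires for a curly-quoted name, since name is advanced past '{' but nothing shown consumes the '}'. The new signature also drops the start and secure parameters, so every caller of is_dst has to be updated in the same change, and the commit message should say how the former secure check is now handled.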

You are completely ignoring the contents of str now.  That doesn't make
sense.

Andreas.

-- 
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE  1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."

