Bug 22625 (CVE-2017-16997) - RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not mounted (CVE-2017-16997)
Summary: RPATH $ORIGIN replaced by PWD for AT_SECURE/SUID binaries or if /proc is not ...
Status: RESOLVED FIXED
Alias: CVE-2017-16997
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: 2.27
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-12-17 17:07 UTC by Aurelien Jarno
Modified: 2019-08-24 02:20 UTC (History)
4 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed:
aurelien: security+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Aurelien Jarno 2017-12-17 17:07:11 UTC

    
Comment 1 Aurelien Jarno 2017-12-17 17:08:57 UTC
The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH tokens and interpret empty tokens as the current directory ("./"). In practice the check for empty token is done *after* the dynamic string token expansion. The expansion process can return an empty string for the $ORIGIN token if __libc_enable_secure is set or if the path of the binary can not be determined (/proc not mounted).

In short it means that the dynamic linker can load libraries (including libc.so.6) from the current directory for AT_SECURE and SUID binaries that have an RPATH or RUNPATH starting with $ORIGIN. Libraries with a $ORIGIN RPATH are handled correctly. The bug exists since glibc 2.19.

The test is as simple as:
- echo 'int main() {}' > test.c
- gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
- change the binary to SUID root
- run it under strace to see it tries to load libc.so.6 from the current
  directory (try from different paths).

Fortunately I haven not found any binary with both SUID bit set and with an RPATH or RUNPATH containing $ORIGIN on distributions. I checked the full Debian Stretch archive, and a standard installation of openSUSE and Fedora. The path specified by $ORIGIN is ignored for SUID binaries despite the bug, that is probably the reason why such binaries do not exist. Therefore it is only a theoretical issue.

Note: the /proc part is Debian bug#787227. I found the AT_SECURE/SUID issue while investigating.
Comment 2 Dmitry V. Levin 2017-12-17 20:23:45 UTC
(In reply to Aurelien Jarno from comment #1)
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH
> tokens and interpret empty tokens as the current directory ("./"). In
> practice the check for empty token is done *after* the dynamic string token
> expansion. The expansion process can return an empty string for the $ORIGIN
> token if __libc_enable_secure is set or if the path of the binary can not be
> determined (/proc not mounted).
> 
> In short it means that the dynamic linker can load libraries (including
> libc.so.6) from the current directory for AT_SECURE and SUID binaries that
> have an RPATH or RUNPATH starting with $ORIGIN.

Yes.

> Libraries with a $ORIGIN RPATH are handled correctly.

Sorry, did you mean "without $ORIGIN"?

> The bug exists since glibc 2.19.
> 
> The test is as simple as:
> - echo 'int main() {}' > test.c
> - gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
> - change the binary to SUID root
> - run it under strace to see it tries to load libc.so.6 from the current
>   directory (try from different paths).

Invoking a SUID executable under strace effectively strips SUID unless strace itself is SUID, which is unlikely.

Here is a simpler test:
$ ln -snf /dev/null libc.so.6 && rm -rf d && mkdir -m0700 d && cd d && echo 'int main(){}' |gcc -xc - -Wl,-rpath,'$ORIGIN' && chgrp -h another_group a.out && chmod 02710 a.out && cd .. && d/a.out
d/a.out: error while loading shared libraries: libc.so.6: file too short
Comment 3 Aurelien Jarno 2017-12-17 21:14:09 UTC
(In reply to Dmitry V. Levin from comment #2)
> (In reply to Aurelien Jarno from comment #1)
> > The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH
> > tokens and interpret empty tokens as the current directory ("./"). In
> > practice the check for empty token is done *after* the dynamic string token
> > expansion. The expansion process can return an empty string for the $ORIGIN
> > token if __libc_enable_secure is set or if the path of the binary can not be
> > determined (/proc not mounted).
> > 
> > In short it means that the dynamic linker can load libraries (including
> > libc.so.6) from the current directory for AT_SECURE and SUID binaries that
> > have an RPATH or RUNPATH starting with $ORIGIN.
> 
> Yes.
> 
> > Libraries with a $ORIGIN RPATH are handled correctly.
> 
> Sorry, did you mean "without $ORIGIN"?

I used the wrong term "binary" in the above descriptions. I meant executables are affected, but libraries are not. If it was also affected $ORIGIN in libraries, the bug would have been much more serious, as they are much more using $ORIGIN.

> > The bug exists since glibc 2.19.
> > 
> > The test is as simple as:
> > - echo 'int main() {}' > test.c
> > - gcc test.c -Wl,-rpath,'$ORIGIN' -Wl,-z,origin
> > - change the binary to SUID root
> > - run it under strace to see it tries to load libc.so.6 from the current
> >   directory (try from different paths).
> 
> Invoking a SUID executable under strace effectively strips SUID unless
> strace itself is SUID, which is unlikely.
> 
> Here is a simpler test:
> $ ln -snf /dev/null libc.so.6 && rm -rf d && mkdir -m0700 d && cd d && echo
> 'int main(){}' |gcc -xc - -Wl,-rpath,'$ORIGIN' && chgrp -h another_group
> a.out && chmod 02710 a.out && cd .. && d/a.out
> d/a.out: error while loading shared libraries: libc.so.6: file too short

Indeed, thanks for the better test.
Comment 4 Florian Weimer 2017-12-18 07:29:11 UTC
Note that Fedora and downstreams carry glibc-fedora-elf-ORIGIN.patch:

From 207e77fd3f0a94acdf0557608dd4f10ce0e0f22f Mon Sep 17 00:00:00 2001
From: Andreas Schwab <schwab@redhat.com>
Date: Mon, 9 May 2011 10:55:58 +0200
Subject: [PATCH] Never leave $ORIGIN unexpanded

https://git.centos.org/blob/rpms!!glibc.git/29e4443724024b0dd84b837f6b3ec2191b49179f/SOURCES!glibc-fedora-elf-ORIGIN.patch

There was another attempt to upstream it here:

https://sourceware.org/ml/libc-alpha/2015-12/msg00581.html
Comment 5 Sourceware Commits 2017-12-30 21:03:34 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  3e3c904daef69b8bf7d5cc07f793c9f07c3553ef (commit)
      from  c48831d0eebf876d986919baf2d9240a79192837 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=3e3c904daef69b8bf7d5cc07f793c9f07c3553ef

commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   10 ++++++++++
 NEWS          |    4 ++++
 elf/dl-load.c |   49 +++++++++++++++++++++++++++++++++----------------
 3 files changed, 47 insertions(+), 16 deletions(-)
Comment 6 Aurelien Jarno 2017-12-30 21:04:05 UTC
Fixed by commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef.
Comment 7 Sourceware Commits 2017-12-31 11:54:54 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb (commit)
      from  98f244e2456712778d91fcbdf99b1dd78b89c9f6 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb

commit 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.
    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   10 ++++++++++
 NEWS          |    4 ++++
 elf/dl-load.c |   49 +++++++++++++++++++++++++++++++++----------------
 3 files changed, 47 insertions(+), 16 deletions(-)
Comment 8 Sourceware Commits 2017-12-31 11:55:44 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.25/master has been updated
       via  1998843fb78d9b3ebc0216757042ce4b00dd08a1 (commit)
      from  26748a28ca36dd0bf8a92e3432cffad3bef43688 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1998843fb78d9b3ebc0216757042ce4b00dd08a1

commit 1998843fb78d9b3ebc0216757042ce4b00dd08a1
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.
    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   10 ++++++++++
 NEWS          |    4 ++++
 elf/dl-load.c |   49 +++++++++++++++++++++++++++++++++----------------
 3 files changed, 47 insertions(+), 16 deletions(-)
Comment 9 Sourceware Commits 2017-12-31 14:11:26 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.24/master has been updated
       via  f24c345bf5486cc8d659f7a17463adcae402ec8e (commit)
       via  248475457e40d44b12f1f69c889765bba4571add (commit)
      from  c5b38f2ecec6facf818e3c50ad014be05b52c179 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f24c345bf5486cc8d659f7a17463adcae402ec8e

commit f24c345bf5486cc8d659f7a17463adcae402ec8e
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.
    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=248475457e40d44b12f1f69c889765bba4571add

commit 248475457e40d44b12f1f69c889765bba4571add
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Dec 17 23:49:46 2017 +0000

    elf: do not substitute dst in $LD_LIBRARY_PATH twice [BZ #22627]
    
    Starting with commit
    glibc-2.18.90-470-g2a939a7e6d81f109d49306bc2e10b4ac9ceed8f9 that
    introduced substitution of dynamic string tokens in fillin_rpath,
    _dl_init_paths invokes _dl_dst_substitute for $LD_LIBRARY_PATH twice:
    the first time it's called directly, the second time the result
    is passed on to fillin_rpath which calls expand_dynamic_string_token
    which in turn calls _dl_dst_substitute, leading to the following
    behaviour:
    
    $ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' &&
      echo 'int main(){}' |gcc -xc - &&
      strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
    open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    
    Fix this by removing the direct _dl_dst_substitute invocation.
    
    * elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
    code and invocation.
    
    (cherry picked from commit bb195224acc14724e9fc2dbaa8d0b20b72ace79b)

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   16 +++++++++++++
 NEWS          |    4 +++
 elf/dl-load.c |   69 ++++++++++++++++++++++++++++-----------------------------
 3 files changed, 54 insertions(+), 35 deletions(-)
Comment 10 Sourceware Commits 2018-04-06 20:17:36 UTC
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.22/master has been updated
       via  017d97cd2ec0f626f8afb8c73ea3d612d8e844c3 (commit)
       via  436359fd41343c1db0616bd90e8a05bf188f237c (commit)
       via  407ec876262f0e6f55635ea0783f1f4a6c5d127f (commit)
       via  d2450a97c3df5527ea0fd49743bc354c979c185f (commit)
       via  c64d6bc3da8e61feab4117bcad53bd97e7a111cd (commit)
       via  d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37 (commit)
       via  f87adbcaa47de2109e1c4561a2badf8aa82bc349 (commit)
       via  21c5d14bfb4e08bee86f94fd815535d3be2c3869 (commit)
       via  9d0aec236891576c7f12e935128364669b785233 (commit)
       via  89dc0372bb497b7d51bcf9999ce3f9684d450959 (commit)
       via  1be1845b280cfadff0cbd09170af554549849ffb (commit)
      from  771fb81f98a2be9e96f2a09056617ad93d64959f (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=017d97cd2ec0f626f8afb8c73ea3d612d8e844c3

commit 017d97cd2ec0f626f8afb8c73ea3d612d8e844c3
Author: Florian Weimer <fweimer@redhat.com>
Date:   Tue Feb 6 09:19:03 2018 +0100

    Record CVE-2018-6551 in NEWS and ChangeLog [BZ #22774]
    
    (cherry picked from commit 71aa429b029fdb6f9e65d44050388b51eca460d6)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=436359fd41343c1db0616bd90e8a05bf188f237c

commit 436359fd41343c1db0616bd90e8a05bf188f237c
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Feb 1 15:00:44 2018 +0100

    Record CVE-2018-6485 in ChangeLog and NEWS [BZ #22343]
    
    (cherry picked from commit 4590634fd65162568b9f52fb4beb60aa25da37f2)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=407ec876262f0e6f55635ea0783f1f4a6c5d127f

commit 407ec876262f0e6f55635ea0783f1f4a6c5d127f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Wed Aug 16 16:47:20 2017 +0200

    Add ChangeLog reference to bug 16750/CVE-2009-5064
    
    (cherry picked from commit 403143e1df85dadd374f304bd891be0cd7573e3b)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d2450a97c3df5527ea0fd49743bc354c979c185f

commit d2450a97c3df5527ea0fd49743bc354c979c185f
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Thu Jan 18 16:47:06 2018 +0000

    Fix integer overflows in internal memalign and malloc functions [BZ #22343]
    
    When posix_memalign is called with an alignment less than MALLOC_ALIGNMENT
    and a requested size close to SIZE_MAX, it falls back to malloc code
    (because the alignment of a block returned by malloc is sufficient to
    satisfy the call).  In this case, an integer overflow in _int_malloc leads
    to posix_memalign incorrectly returning successfully.
    
    Upon fixing this and writing a somewhat thorough regression test, it was
    discovered that when posix_memalign is called with an alignment larger than
    MALLOC_ALIGNMENT (so it uses _int_memalign instead) and a requested size
    close to SIZE_MAX, a different integer overflow in _int_memalign leads to
    posix_memalign incorrectly returning successfully.
    
    Both integer overflows affect other memory allocation functions that use
    _int_malloc (one affected malloc in x86) or _int_memalign as well.
    
    This commit fixes both integer overflows.  In addition to this, it adds a
    regression test to guard against false successful allocations by the
    following memory allocation functions when called with too-large allocation
    sizes and, where relevant, various valid alignments:
    malloc, realloc, calloc, reallocarray, memalign, posix_memalign,
    aligned_alloc, valloc, and pvalloc.
    
    (cherry picked from commit 8e448310d74b283c5cd02b9ed7fb997b47bf9b22)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=c64d6bc3da8e61feab4117bcad53bd97e7a111cd

commit c64d6bc3da8e61feab4117bcad53bd97e7a111cd
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:18:38 2017 +0100

    elf: Compute correct array size in _dl_init_paths [BZ #22606]
    
    (cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37

commit d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 12:14:01 2017 +0100

    <array_length.h>: New array_length and array_end macros
    
    (cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=f87adbcaa47de2109e1c4561a2badf8aa82bc349

commit f87adbcaa47de2109e1c4561a2badf8aa82bc349
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:05:57 2017 +0100

    elf: Count components of the expanded path in _dl_init_path [BZ #22607]
    
    (cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=21c5d14bfb4e08bee86f94fd815535d3be2c3869

commit 21c5d14bfb4e08bee86f94fd815535d3be2c3869
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for NULL pointer or empty strings
    return by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.
    
    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9d0aec236891576c7f12e935128364669b785233

commit 9d0aec236891576c7f12e935128364669b785233
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Apr 13 13:09:38 2017 +0200

    sunrpc: Avoid use-after-free read access in clntudp_call [BZ #21115]
    
    After commit bc779a1a5b3035133024b21e2f339fe4219fb11c
    (CVE-2016-4429: sunrpc: Do not use alloca in clntudp_call
    [BZ #20112]), ancillary data is stored on the heap,
    but it is accessed after it has been freed.
    
    The test case must be run under a heap debugger such as valgrind
    to observe the invalid access.  A malloc implementation which
    immediately calls munmap on free would catch this bug as well.
    
    (cherry picked from commit d42eed4a044e5e10dfb885cf9891c2518a72a491)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=89dc0372bb497b7d51bcf9999ce3f9684d450959

commit 89dc0372bb497b7d51bcf9999ce3f9684d450959
Author: Andreas Schwab <schwab@suse.de>
Date:   Wed Aug 16 15:59:55 2017 +0200

    ldd: never run file directly
    
    (cherry picked from commit eedca9772e99c72ab4c3c34e43cc764250aa3e3c)

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1be1845b280cfadff0cbd09170af554549849ffb

commit 1be1845b280cfadff0cbd09170af554549849ffb
Author: Arjun Shankar <arjun.is@lostca.se>
Date:   Wed Jun 7 11:46:24 2017 +0200

    Synchronize support/ infrastructure with master
    
    This commit updates the support/ subdirectory to
    commit 2714c5f3c95f90977167c1d21326d907fb76b419
    on the master branch and modifies Makeconfig,
    Rules, and extra-lib.mk accordingly.
    
    (cherry picked from commit 4c5785aa129a5d195fc1cd5c7fcd6f62c2b0ff0c)
    
    Reviewed-by: Carlos O'Donell <carlos@redhat.com>

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                  |   57 ++
 Makeconfig                                 |   15 +-
 NEWS                                       |   32 +
 Rules                                      |    3 +
 elf/dl-load.c                              |   76 +-
 elf/ldd.bash.in                            |   14 +-
 extra-lib.mk                               |    5 +
 include/array_length.h                     |   36 +
 malloc/Makefile                            |    3 +-
 malloc/malloc.c                            |   30 +-
 malloc/tst-malloc-too-large.c              |  237 ++++++
 scripts/backport-support.sh                |  110 +++
 sunrpc/Makefile                            |    3 +-
 sunrpc/clnt_udp.c                          |    2 +-
 sunrpc/tst-udp-error.c                     |   62 ++
 support/Makefile                           |  146 ++++
 support/README                             |   29 +
 support/README-testing.c                   |   19 +
 support/capture_subprocess.h               |   61 ++
 support/check.c                            |   57 ++
 support/check.h                            |   94 +++
 support/check_addrinfo.c                   |   42 +
 support/check_dns_packet.c                 |   42 +
 support/check_hostent.c                    |   42 +
 support/check_netent.c                     |   42 +
 support/check_nss.h                        |   42 +
 support/delayed_exit.c                     |   55 ++
 support/format_nss.h                       |   41 +
 support/ignore_stderr.c                    |   38 +
 support/namespace.h                        |   65 ++
 support/oom_error.c                        |   29 +
 support/resolv_test.c                      | 1202 ++++++++++++++++++++++++++++
 support/resolv_test.h                      |  180 +++++
 support/run_diff.h                         |   31 +
 support/set_fortify_handler.c              |   34 +
 support/support-xstat.c                    |   30 +
 support/support.h                          |   74 ++
 support/support_become_root.c              |   40 +
 support/support_can_chroot.c               |   65 ++
 support/support_capture_subprocess.c       |  108 +++
 support/support_capture_subprocess_check.c |   67 ++
 support/support_enter_network_namespace.c  |   75 ++
 support/support_format_address_family.c    |   35 +
 support/support_format_addrinfo.c          |  239 ++++++
 support/support_format_dns_packet.c        |  222 +++++
 support/support_format_herrno.c            |   45 +
 support/support_format_hostent.c           |   75 ++
 support/support_format_netent.c            |   52 ++
 support/support_isolate_in_subprocess.c    |   38 +
 support/support_record_failure.c           |  106 +++
 support/support_run_diff.c                 |   76 ++
 support/support_shared_allocate.c          |   59 ++
 support/support_test_main.c                |  423 ++++++++++
 support/support_test_verify_impl.c         |   33 +
 support/support_write_file_string.c        |   39 +
 support/temp_file-internal.h               |   31 +
 support/temp_file.c                        |  132 +++
 support/temp_file.h                        |   37 +
 support/test-driver.c                      |  156 ++++
 support/test-driver.h                      |   74 ++
 support/tst-support-namespace.c            |   34 +
 support/tst-support_capture_subprocess.c   |  188 +++++
 support/tst-support_format_dns_packet.c    |  101 +++
 support/tst-support_record_failure-2.sh    |   69 ++
 support/tst-support_record_failure.c       |  153 ++++
 support/write_message.c                    |   29 +
 support/xaccept.c                          |   32 +
 support/xaccept4.c                         |   32 +
 support/xasprintf.c                        |   36 +
 support/xbind.c                            |   30 +
 support/xcalloc.c                          |   34 +
 support/xchroot.c                          |   28 +
 support/xclose.c                           |   28 +
 support/xconnect.c                         |   30 +
 support/xdup2.c                            |   28 +
 support/xfclose.c                          |   33 +
 support/xfopen.c                           |   31 +
 support/xfork.c                            |   32 +
 support/xgetsockname.c                     |   30 +
 support/xlisten.c                          |   30 +
 support/xmalloc.c                          |   34 +
 support/xmemstream.c                       |   42 +
 support/xmemstream.h                       |   49 ++
 support/xmkdir.c                           |   28 +
 support/xmmap.c                            |   31 +
 support/xmunmap.c                          |   28 +
 support/xopen.c                            |   30 +
 support/xpipe.c                            |   28 +
 support/xpoll.c                            |   32 +
 support/xpthread_attr_destroy.c            |   26 +
 support/xpthread_attr_init.c               |   25 +
 support/xpthread_attr_setdetachstate.c     |   27 +
 support/xpthread_attr_setstacksize.c       |   26 +
 support/xpthread_barrier_destroy.c         |   26 +
 support/xpthread_barrier_init.c            |   27 +
 support/xpthread_barrier_wait.c            |   28 +
 support/xpthread_cancel.c                  |   25 +
 support/xpthread_check_return.c            |   34 +
 support/xpthread_cond_wait.c               |   26 +
 support/xpthread_create.c                  |   29 +
 support/xpthread_detach.c                  |   25 +
 support/xpthread_join.c                    |   27 +
 support/xpthread_mutex_consistent.c        |   26 +
 support/xpthread_mutex_destroy.c           |   26 +
 support/xpthread_mutex_init.c              |   26 +
 support/xpthread_mutex_lock.c              |   25 +
 support/xpthread_mutex_unlock.c            |   25 +
 support/xpthread_mutexattr_destroy.c       |   26 +
 support/xpthread_mutexattr_init.c          |   25 +
 support/xpthread_mutexattr_setprotocol.c   |   26 +
 support/xpthread_mutexattr_setpshared.c    |   26 +
 support/xpthread_mutexattr_setrobust.c     |   26 +
 support/xpthread_mutexattr_settype.c       |   26 +
 support/xpthread_once.c                    |   25 +
 support/xpthread_sigmask.c                 |   34 +
 support/xpthread_spin_lock.c               |   25 +
 support/xpthread_spin_unlock.c             |   25 +
 support/xrealloc.c                         |   32 +
 support/xrecvfrom.c                        |   33 +
 support/xsendto.c                          |   35 +
 support/xsetsockopt.c                      |   31 +
 support/xsignal.h                          |   34 +
 support/xsocket.c                          |   32 +
 support/xsocket.h                          |   39 +
 support/xstdio.h                           |   32 +
 support/xstrdup.c                          |   30 +
 support/xthread.h                          |   77 ++
 support/xunistd.h                          |   56 ++
 support/xwaitpid.c                         |   33 +
 support/xwrite.c                           |   39 +
 130 files changed, 7804 insertions(+), 59 deletions(-)
 create mode 100644 include/array_length.h
 create mode 100644 malloc/tst-malloc-too-large.c
 create mode 100644 scripts/backport-support.sh
 create mode 100644 sunrpc/tst-udp-error.c
 create mode 100644 support/Makefile
 create mode 100644 support/README
 create mode 100644 support/README-testing.c
 create mode 100644 support/capture_subprocess.h
 create mode 100644 support/check.c
 create mode 100644 support/check.h
 create mode 100644 support/check_addrinfo.c
 create mode 100644 support/check_dns_packet.c
 create mode 100644 support/check_hostent.c
 create mode 100644 support/check_netent.c
 create mode 100644 support/check_nss.h
 create mode 100644 support/delayed_exit.c
 create mode 100644 support/format_nss.h
 create mode 100644 support/ignore_stderr.c
 create mode 100644 support/namespace.h
 create mode 100644 support/oom_error.c
 create mode 100644 support/resolv_test.c
 create mode 100644 support/resolv_test.h
 create mode 100644 support/run_diff.h
 create mode 100644 support/set_fortify_handler.c
 create mode 100644 support/support-xstat.c
 create mode 100644 support/support.h
 create mode 100644 support/support_become_root.c
 create mode 100644 support/support_can_chroot.c
 create mode 100644 support/support_capture_subprocess.c
 create mode 100644 support/support_capture_subprocess_check.c
 create mode 100644 support/support_enter_network_namespace.c
 create mode 100644 support/support_format_address_family.c
 create mode 100644 support/support_format_addrinfo.c
 create mode 100644 support/support_format_dns_packet.c
 create mode 100644 support/support_format_herrno.c
 create mode 100644 support/support_format_hostent.c
 create mode 100644 support/support_format_netent.c
 create mode 100644 support/support_isolate_in_subprocess.c
 create mode 100644 support/support_record_failure.c
 create mode 100644 support/support_run_diff.c
 create mode 100644 support/support_shared_allocate.c
 create mode 100644 support/support_test_main.c
 create mode 100644 support/support_test_verify_impl.c
 create mode 100644 support/support_write_file_string.c
 create mode 100644 support/temp_file-internal.h
 create mode 100644 support/temp_file.c
 create mode 100644 support/temp_file.h
 create mode 100644 support/test-driver.c
 create mode 100644 support/test-driver.h
 create mode 100644 support/tst-support-namespace.c
 create mode 100644 support/tst-support_capture_subprocess.c
 create mode 100644 support/tst-support_format_dns_packet.c
 create mode 100644 support/tst-support_record_failure-2.sh
 create mode 100644 support/tst-support_record_failure.c
 create mode 100644 support/write_message.c
 create mode 100644 support/xaccept.c
 create mode 100644 support/xaccept4.c
 create mode 100644 support/xasprintf.c
 create mode 100644 support/xbind.c
 create mode 100644 support/xcalloc.c
 create mode 100644 support/xchroot.c
 create mode 100644 support/xclose.c
 create mode 100644 support/xconnect.c
 create mode 100644 support/xdup2.c
 create mode 100644 support/xfclose.c
 create mode 100644 support/xfopen.c
 create mode 100644 support/xfork.c
 create mode 100644 support/xgetsockname.c
 create mode 100644 support/xlisten.c
 create mode 100644 support/xmalloc.c
 create mode 100644 support/xmemstream.c
 create mode 100644 support/xmemstream.h
 create mode 100644 support/xmkdir.c
 create mode 100644 support/xmmap.c
 create mode 100644 support/xmunmap.c
 create mode 100644 support/xopen.c
 create mode 100644 support/xpipe.c
 create mode 100644 support/xpoll.c
 create mode 100644 support/xpthread_attr_destroy.c
 create mode 100644 support/xpthread_attr_init.c
 create mode 100644 support/xpthread_attr_setdetachstate.c
 create mode 100644 support/xpthread_attr_setstacksize.c
 create mode 100644 support/xpthread_barrier_destroy.c
 create mode 100644 support/xpthread_barrier_init.c
 create mode 100644 support/xpthread_barrier_wait.c
 create mode 100644 support/xpthread_cancel.c
 create mode 100644 support/xpthread_check_return.c
 create mode 100644 support/xpthread_cond_wait.c
 create mode 100644 support/xpthread_create.c
 create mode 100644 support/xpthread_detach.c
 create mode 100644 support/xpthread_join.c
 create mode 100644 support/xpthread_mutex_consistent.c
 create mode 100644 support/xpthread_mutex_destroy.c
 create mode 100644 support/xpthread_mutex_init.c
 create mode 100644 support/xpthread_mutex_lock.c
 create mode 100644 support/xpthread_mutex_unlock.c
 create mode 100644 support/xpthread_mutexattr_destroy.c
 create mode 100644 support/xpthread_mutexattr_init.c
 create mode 100644 support/xpthread_mutexattr_setprotocol.c
 create mode 100644 support/xpthread_mutexattr_setpshared.c
 create mode 100644 support/xpthread_mutexattr_setrobust.c
 create mode 100644 support/xpthread_mutexattr_settype.c
 create mode 100644 support/xpthread_once.c
 create mode 100644 support/xpthread_sigmask.c
 create mode 100644 support/xpthread_spin_lock.c
 create mode 100644 support/xpthread_spin_unlock.c
 create mode 100644 support/xrealloc.c
 create mode 100644 support/xrecvfrom.c
 create mode 100644 support/xsendto.c
 create mode 100644 support/xsetsockopt.c
 create mode 100644 support/xsignal.h
 create mode 100644 support/xsocket.c
 create mode 100644 support/xsocket.h
 create mode 100644 support/xstdio.h
 create mode 100644 support/xstrdup.c
 create mode 100644 support/xthread.h
 create mode 100644 support/xunistd.h
 create mode 100644 support/xwaitpid.c
 create mode 100644 support/xwrite.c