Bug 25204 (CVE-2019-19126) - LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126)
Summary: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126)
Status: RESOLVED FIXED
Alias: CVE-2019-19126
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: 2.31
Assignee: Florian Weimer
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2019-11-19 08:13 UTC by Marcin Kościelnicki
Modified: 2019-11-22 13:28 UTC (History)
2 users (show)

See Also:
Host:
Target:
Build:
Last reconfirmed: 2019-11-19 00:00:00
fweimer: security+


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcin Kościelnicki 2019-11-19 08:13:27 UTC
The code using LD_PREFER_MAP_32BIT_EXEC is run before the code that removes security-sensitive variables from the environment, thus the latter is ineffective.  This means a local attacker can effectively weaken ASLR strength on setuid binaries.
Comment 1 Marcin Kościelnicki 2019-11-19 08:24:23 UTC
Patch pending: https://sourceware.org/ml/libc-alpha/2019-11/msg00649.html
Comment 2 Florian Weimer 2019-11-19 13:42:47 UTC
I think we should treat this as a security vulnerability because it is quite a significant regression for a system built with PIE-by-default (and slightly older binutils).
Comment 3 Florian Weimer 2019-11-20 16:43:46 UTC
Introduced in glibc 2.23:

commit b9eb92ab05204df772eb4929eccd018637c9f3e9
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Oct 21 14:44:23 2015 -0700

    Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT
    
    According to Silvermont software optimization guide, for 64-bit
    applications, branch prediction performance can be negatively impacted
    when the target of a branch is more than 4GB away from the branch.  Add
    the Prefer_MAP_32BIT_EXEC bit so that mmap will try to map executable
    pages with MAP_32BIT first.  NB: MAP_32BIT will map to lower 2GB, not
    lower 4GB, address.  Prefer_MAP_32BIT_EXEC reduces bits available for
    address space layout randomization (ASLR), which is always disabled for
    SUID programs and can only be enabled by setting environment variable,
    LD_PREFER_MAP_32BIT_EXEC.
Comment 4 Marcin Kościelnicki 2019-11-20 23:23:02 UTC
Patch v2: https://sourceware.org/ml/libc-alpha/2019-11/msg00698.html
Comment 5 Sourceware Commits 2019-11-21 12:19:36 UTC
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e

commit d5dfad4326fc683c813df1e37bbf5cf920591c8e
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
Comment 6 Florian Weimer 2019-11-21 12:26:38 UTC
Fixed for glibc 2.31.
Comment 7 rschiron 2019-11-21 17:01:39 UTC
I believe this should be treated as a security hardening the same as other similar issues with weak ASLR have been treated (e.g. https://sourceware.org/bugzilla/show_bug.cgi?id=22852 , https://sourceware.org/bugzilla/show_bug.cgi?id=22853#c3 ).

I do see how this is easier to trigger and more common in setuid binaries than the other similar flaws, but it still requires another unrelated vulnerability to be of any use and ASLR is a post-exploitation mitigation.
Comment 8 Sourceware Commits 2019-11-22 12:28:35 UTC
The release/2.30/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398

commit 37c90e117310728a4ad1eb998c0bbe7d79c4a398
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 9 Sourceware Commits 2019-11-22 12:35:33 UTC
The release/2.29/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2626b15e88e00b5e9c8cc3962cf4768a5344f07a

commit 2626b15e88e00b5e9c8cc3962cf4768a5344f07a
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
    Change-Id: Ib782573b4623ee3edfa9f98ad62f69b9d8edcb27
Comment 10 Sourceware Commits 2019-11-22 12:59:08 UTC
The release/2.28/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7966ce07e89fa4ccc8fdba00d4439fc652862462

commit 7966ce07e89fa4ccc8fdba00d4439fc652862462
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 11 Sourceware Commits 2019-11-22 13:00:57 UTC
The release/2.27/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d5cfeb510125345cb41431afc9022492994cffa

commit 4d5cfeb510125345cb41431afc9022492994cffa
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 12 Sourceware Commits 2019-11-22 13:04:45 UTC
The release/2.26/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc42e3bd44e7e9f616162d4550f1d35e04bddb5b

commit bc42e3bd44e7e9f616162d4550f1d35e04bddb5b
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 13 Sourceware Commits 2019-11-22 13:15:17 UTC
The release/2.25/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e73ac9ce9098d36699231b435168a0a904500ed9

commit e73ac9ce9098d36699231b435168a0a904500ed9
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 14 Sourceware Commits 2019-11-22 13:28:01 UTC
The release/2.24/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a7b9e4cb8ec069a4030b081ed7c40a65e0825f47

commit a7b9e4cb8ec069a4030b081ed7c40a65e0825f47
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 15 Sourceware Commits 2019-11-22 13:28:35 UTC
The release/2.23/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b039fd85db0717aca309b61925d00a5a6547a649

commit b039fd85db0717aca309b61925d00a5a6547a649
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
    
    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)