The code using LD_PREFER_MAP_32BIT_EXEC is run before the code that removes security-sensitive variables from the environment, thus the latter is ineffective. This means a local attacker can effectively weaken ASLR strength on setuid binaries.
Patch pending: https://sourceware.org/ml/libc-alpha/2019-11/msg00649.html
I think we should treat this as a security vulnerability because it is quite a significant regression for a system built with PIE-by-default (and slightly older binutils).
Introduced in glibc 2.23:

commit b9eb92ab05204df772eb4929eccd018637c9f3e9
Author: H.J. Lu <hjl.tools@gmail.com>
Date:   Wed Oct 21 14:44:23 2015 -0700

    Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT

    According to Silvermont software optimization guide, for 64-bit
    applications, branch prediction performance can be negatively impacted
    when the target of a branch is more than 4GB away from the branch. Add
    the Prefer_MAP_32BIT_EXEC bit so that mmap will try to map executable
    pages with MAP_32BIT first. NB: MAP_32BIT will map to lower 2GB, not
    lower 4GB, address. Prefer_MAP_32BIT_EXEC reduces bits available for
    address space layout randomization (ASLR), which is always disabled
    for SUID programs and can only be enabled by setting environment
    variable, LD_PREFER_MAP_32BIT_EXEC.
Patch v2: https://sourceware.org/ml/libc-alpha/2019-11/msg00698.html
The master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e

commit d5dfad4326fc683c813df1e37bbf5cf920591c8e
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").
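The ordering the fix corrects, as an added illustration that is not glibc's code: a modelled loader that reads LD_PREFER_MAP_32BIT_EXEC before the secure-mode check, beside one that checks secure mode first. The envp array is constructed, and the uid/gid comparison is a portable stand-in for glibc's __libc_enable_secure, which is derived from AT_SECURE.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed environment: any local user can set this variable before
   exec'ing a program. MAP_32BIT confines mappings to the low 2 GiB, so a
   loader honouring it inside a setuid process shrinks that process's ASLR. */
static const char *const demo_envp[] = {
    "PATH=/usr/bin", "LD_PREFER_MAP_32BIT_EXEC=1", NULL
};

/* Return the value of NAME in a NULL-terminated envp array, or NULL. */
static const char *env_lookup(const char *const *envp, const char *name)
{
    size_t n = strlen(name);
    for (; *envp != NULL; ++envp)
        if (strncmp(*envp, name, n) == 0 && (*envp)[n] == '=')
            return *envp + n + 1;
    return NULL;
}

/* Ordering of glibc 2.23 .. 2.30, modelled: the variable is read before
   secure-mode sanitisation strips LD_* variables, so SECURE never reaches
   this decision. */
static int prefer_32bit_vulnerable(const char *const *envp, int secure)
{
    int prefer = env_lookup(envp, "LD_PREFER_MAP_32BIT_EXEC") != NULL;
    (void)secure; /* the later strip of unsecure variables comes too late */
    return prefer;
}

/* Fixed ordering: test secure mode first (the __libc_enable_secure check
   the fix adds) and ignore the variable for setuid/setgid processes. */
static int prefer_32bit_fixed(const char *const *envp, int secure)
{
    if (secure)
        return 0;
    return env_lookup(envp, "LD_PREFER_MAP_32BIT_EXEC") != NULL;
}

int main(void)
{
    /* Stand-in for secure mode; glibc reads AT_SECURE from the auxv instead. */
    int secure = getuid() != geteuid() || getgid() != getegid();
    printf("secure mode: %d\n", secure);
    printf("vulnerable ordering honours variable: %d\n",
           prefer_32bit_vulnerable(demo_envp, secure));
    printf("fixed ordering honours variable: %d\n",
           prefer_32bit_fixed(demo_envp, secure));
    return 0;
}
```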
Fixed for glibc 2.31.
I believe this should be treated as a security hardening the same as other similar issues with weak ASLR have been treated (e.g. https://sourceware.org/bugzilla/show_bug.cgi?id=22852 , https://sourceware.org/bugzilla/show_bug.cgi?id=22853#c3 ). I do see how this is easier to trigger and more common in setuid binaries than the other similar flaws, but it still requires another unrelated vulnerability to be of any use and ASLR is a post-exploitation mitigation.
The release/2.30/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398

commit 37c90e117310728a4ad1eb998c0bbe7d79c4a398
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.29/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2626b15e88e00b5e9c8cc3962cf4768a5344f07a

commit 2626b15e88e00b5e9c8cc3962cf4768a5344f07a
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)

    Change-Id: Ib782573b4623ee3edfa9f98ad62f69b9d8edcb27
The release/2.28/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7966ce07e89fa4ccc8fdba00d4439fc652862462

commit 7966ce07e89fa4ccc8fdba00d4439fc652862462
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.27/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d5cfeb510125345cb41431afc9022492994cffa

commit 4d5cfeb510125345cb41431afc9022492994cffa
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.26/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc42e3bd44e7e9f616162d4550f1d35e04bddb5b

commit bc42e3bd44e7e9f616162d4550f1d35e04bddb5b
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.25/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e73ac9ce9098d36699231b435168a0a904500ed9

commit e73ac9ce9098d36699231b435168a0a904500ed9
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.24/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a7b9e4cb8ec069a4030b081ed7c40a65e0825f47

commit a7b9e4cb8ec069a4030b081ed7c40a65e0825f47
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
The release/2.23/master branch has been updated by Florian Weimer <fw@sourceware.org>:

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b039fd85db0717aca309b61925d00a5a6547a649

commit b039fd85db0717aca309b61925d00a5a6547a649
Author: Marcin Kościelnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC
    to map executable pages with MAP_32BIT").

    (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)