This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[PATCH v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG

From: Alex Dowad <alexinbeijing at gmail dot com>
To: libc-alpha at sourceware dot org
Date: Mon, 10 Aug 2015 16:15:32 +0200
Subject: [PATCH v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
Authentication-results: sourceware.org; auth=none

C programs which use uninitialized stack variables can be exploited if an attacker
can control the contents of memory where the buggy function's stack frame lands.
If the buggy function is called very early in the program's execution, that memory
might still hold values written by ld.so, so manipulation of ld.so is one way to
carry out such an exploit.

But how can an unprivileged user, running a set-UID program, cause ld.so to write arbitrary data onto the stack? One way is to assign it to LD_DEBUG. When printing the
resulting warning message, ld.so uses alloca to create a buffer on the stack, and
copies the entire contents of LD_DEBUG into it (even if it is dozens of kilobytes long).

Of course, people shouldn't write programs which use uninitialized variables, but it
is easy enough to plug this hole if they do. Simply avoid copying the string onto the
stack. Because the string may not be null-terminated, we need to provide a string
length to _dl_error_printf.
---

Thanks to Andreas Schwab for feedback on the v2. I think just adding a cast to "int"
when calling _dl_error_printf should be sufficient...

 elf/dl-misc.c | 7 ++++---
 elf/rtld.c    | 3 +--
 2 files changed, 5 insertions(+), 5 deletions(-)

diff --git a/elf/dl-misc.c b/elf/dl-misc.c
index 8fd6710..81b332c 100644
--- a/elf/dl-misc.c
+++ b/elf/dl-misc.c
@@ -143,7 +143,7 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
 	      ++fmt;
 	    }
 
-	  /* See whether with comes from a parameter.  Note that no other
+	  /* See whether width comes from a parameter.  Note that no other
 	     way to specify the width is implemented.  */
 	  if (*fmt == '*')
 	    {
@@ -205,9 +205,10 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
 	    case 's':
 	      /* Get the string argument.  */
 	      iov[niov].iov_base = va_arg (arg, char *);
-	      iov[niov].iov_len = strlen (iov[niov].iov_base);
 	      if (prec != -1)
-		iov[niov].iov_len = MIN ((size_t) prec, iov[niov].iov_len);
+	        iov[niov].iov_len = strnlen (iov[niov].iov_base, (size_t) prec);
+	      else
+	        iov[niov].iov_len = strlen (iov[niov].iov_base);
 	      ++niov;
 	      break;
 
diff --git a/elf/rtld.c b/elf/rtld.c
index 6dcbabc..dc1431a 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2405,9 +2405,8 @@ process_dl_debug (const char *dl_debug)
 	    {
 	      /* Display a warning and skip everything until next
 		 separator.  */
-	      char *copy = strndupa (dl_debug, len);
 	      _dl_error_printf ("\
-warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
+warning: debug option `%.*s' unknown; try LD_DEBUG=help\n", (int)len, dl_debug);
 	    }
 
 	  dl_debug += len;
-- 
2.0.0.GIT

Follow-Ups:
- Re: [PATCH v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
  - From: Paul Eggert

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]