This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
[PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
- From: fweimer at redhat dot com (Florian Weimer)
- To: libc-alpha at sourceware dot org
- Date: Thu, 14 Dec 2017 14:31:25 +0100
- Subject: [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
- Authentication-results: sourceware.org; auth=none
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22607]
CVE-2017-1000409
* elf/dl-load.c (_dl_init_paths): Compute number of components in
the expanded path string.
diff --git a/NEWS b/NEWS
index eef51b65a6..c5607c855f 100644
--- a/NEWS
+++ b/NEWS
@@ -130,6 +130,12 @@ Security related changes:
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
+ CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+ of the number of search path components. (This is not a security
+ vulnerability per se because no trust boundary is crossed if the fix for
+ CVE-2017-1000366 has been applied, but it is mentioned here only because
+ of the CVE assignment.) Reported by Qualys.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 82c9f46050..540f91f9d6 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
char *llp_tmp;
#ifdef SHARED
@@ -797,13 +795,16 @@ _dl_init_paths (const char *llp)
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ {
+ const char *cp = llp_tmp;
+ while (*cp)
+ {
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
+ ++cp;
+ }
+ }
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));