This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

Re: [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]

From: "Dmitry V. Levin" <ldv at altlinux dot org>
To: libc-alpha at sourceware dot org
Date: Thu, 14 Dec 2017 16:53:44 +0300
Subject: Re: [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
Authentication-results: sourceware.org; auth=none
References: <20171214133125.72E16439942EA@oldenburg.str.redhat.com>

On Thu, Dec 14, 2017 at 02:31:25PM +0100, Florian Weimer wrote:
> 2017-12-14  Florian Weimer  <fweimer@redhat.com>
> 
> 	[BZ #22607]
> 	CVE-2017-1000409
> 	* elf/dl-load.c (_dl_init_paths): Compute number of components in
> 	the expanded path string.
> 
> diff --git a/NEWS b/NEWS
> index eef51b65a6..c5607c855f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -130,6 +130,12 @@ Security related changes:
>    it is mentioned here only because of the CVE assignment.)  Reported by
>    Qualys.
>  
> +  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
> +  of the number of search path components.  (This is not a security
> +  vulnerability per se because no trust boundary is crossed if the fix for
> +  CVE-2017-1000366 has been applied, but it is mentioned here only because
> +  of the CVE assignment.)  Reported by Qualys.
> +
>  The following bugs are resolved with this release:
>  
>    [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 82c9f46050..540f91f9d6 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
>  
>    if (llp != NULL && *llp != '\0')
>      {
> -      size_t nllp;
> -      const char *cp = llp;
>        char *llp_tmp;
>  
>  #ifdef SHARED
> @@ -797,13 +795,16 @@ _dl_init_paths (const char *llp)
>  
>        /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
>  	 elements it has.  */
> -      nllp = 1;
> -      while (*cp)
> -	{
> -	  if (*cp == ':' || *cp == ';')
> -	    ++nllp;
> -	  ++cp;
> -	}
> +      size_t nllp = 1;
> +      {
> +	const char *cp = llp_tmp;
> +	while (*cp)
> +	  {
> +	    if (*cp == ':' || *cp == ';')
> +	      ++nllp;
> +	    ++cp;
> +	  }
> +      }

I'd really prefer to see a "for" statement here, e.g.

+      size_t nllp = 1;
+      {
+	const char *cp;
+	for (cp = llp_tmp; *cp; ++cp)
+	  {
+	    if (*cp == ':' || *cp == ';')
+	      ++nllp;
+	  }
+      }
	

-- 
ldv

Attachment: signature.asc
Description: PGP signature

References:
- [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
  - From: Florian Weimer

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]