


GNU C Library master sources branch release/2.26/master updated. glibc-2.26-115-g633e2f7


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.26/master has been updated
       via  633e2f7f3d88df6427aa3a7a984d3a6b796d9611 (commit)
       via  43b3cb59b2288953efc26e70fe7c6eb437513b1f (commit)
       via  bda48606ee93a29d9dfd8d797839a777344de5c8 (commit)
      from  5a2779f9bc829bdd804e68d54c14ec61d07d0295 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=633e2f7f3d88df6427aa3a7a984d3a6b796d9611

commit 633e2f7f3d88df6427aa3a7a984d3a6b796d9611
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:05:57 2017 +0100

    elf: Count components of the expanded path in _dl_init_paths [BZ #22607]
    
    (cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)

diff --git a/ChangeLog b/ChangeLog
index 772b96e..55a1741 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2017-12-14  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #22607]
+	CVE-2017-1000409
+	* elf/dl-load.c (_dl_init_paths): Compute number of components in
+	the expanded path string.
+
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #22606]
 	CVE-2017-1000408
 	* elf/dl-load.c (system_dirs): Update comment.
diff --git a/NEWS b/NEWS
index 437b9ee..2c49212 100644
--- a/NEWS
+++ b/NEWS
@@ -49,6 +49,12 @@ Security related changes:
   it is mentioned here only because of the CVE assignment.)  Reported by
   Qualys.
 
+  CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+  of the number of search path components.  (This is not a security
+  vulnerability per se because no trust boundary is crossed if the fix for
+  CVE-2017-1000366 has been applied, but it is mentioned here only because
+  of the CVE assignment.)  Reported by Qualys.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
diff --git a/elf/dl-load.c b/elf/dl-load.c
index b3b0b37..621403c 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
 
   if (llp != NULL && *llp != '\0')
     {
-      size_t nllp;
-      const char *cp = llp;
       char *llp_tmp;
 
 #ifdef SHARED
@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
 
       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
 	 elements it has.  */
-      nllp = 1;
-      while (*cp)
-	{
-	  if (*cp == ':' || *cp == ';')
-	    ++nllp;
-	  ++cp;
-	}
+      size_t nllp = 1;
+      for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+	if (*cp == ':' || *cp == ';')
+	  ++nllp;
 
       env_path_list.dirs = (struct r_search_path_elem **)
 	malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
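Review bot: The loop now counts separators in `llp_tmp` instead of `llp`, but the reason lives only in the commit title, and the comment above the loop still says only "determine how many elements it has"; extend it to `/* Count the components of the expanded copy LLP_TMP, not the original LLP: the array below must be sized from the string that is actually split.  */`. Whether `llp_tmp` is the expanded form is not visible in this hunk (its assignment is under the `#ifdef SHARED` region above), so confirm the wording against that code. As a point of style, the allocation on the last two lines still casts the `malloc` result and sizes by the type name, whereas the companion change to this file for BZ #22606 switched to `malloc (... * sizeof (*rtld_search_dirs.dirs[0]))`; the same form here would be `env_path_list.dirs = malloc ((nllp + 1) * sizeof (*env_path_list.dirs));`. `_dl_init_paths` starts and ends outside the hunk.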

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=43b3cb59b2288953efc26e70fe7c6eb437513b1f

commit 43b3cb59b2288953efc26e70fe7c6eb437513b1f
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Dec 14 15:18:38 2017 +0100

    elf: Compute correct array size in _dl_init_paths [BZ #22606]
    
    (cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)

diff --git a/ChangeLog b/ChangeLog
index 90ea985..772b96e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
+	[BZ #22606]
+	CVE-2017-1000408
+	* elf/dl-load.c (system_dirs): Update comment.
+	(nsystem_dirs_len): Use array_length.
+	(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
 2017-11-02  Florian Weimer  <fweimer@redhat.com>
 
 	Add array_length and array_end macros.
diff --git a/NEWS b/NEWS
index 8810b57..437b9ee 100644
--- a/NEWS
+++ b/NEWS
@@ -44,6 +44,11 @@ Security related changes:
   instead of NULL.  This was a regression introduced with the new malloc
   thread cache in glibc 2.26.  Reported by Iain Buclaw.
 
+  CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+  to the allocation of too much memory.  (This is not a security bug per se,
+  it is mentioned here only because of the CVE assignment.)  Reported by
+  Qualys.
+
 The following bugs are resolved with this release:
 
   [16750] ldd: Never run file directly.
diff --git a/elf/dl-load.c b/elf/dl-load.c
index c1b6d4b..b3b0b37 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -37,6 +37,7 @@
 #include <sysdep.h>
 #include <stap-probe.h>
 #include <libc-pointer-arith.h>
+#include <array_length.h>
 
 #include <dl-dst.h>
 #include <dl-load.h>
@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
 static size_t max_capstrlen attribute_relro;
 
 
-/* Get the generated information about the trusted directories.  */
+/* Get the generated information about the trusted directories.  Use
+   an array of concatenated strings to avoid relocations.  See
+   gen-trusted-dirs.awk.  */
 #include "trusted-dirs.h"
 
 static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
 {
   SYSTEM_DIRS_LEN
 };
-#define nsystem_dirs_len \
-  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
 
 static bool
 is_trusted_path (const char *path, size_t len)
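Review bot: `nsystem_dirs_len` is now expanded to a GNU statement expression (`array_length` wraps a `_Static_assert` in `({ ... })`, see the new `include/array_length.h` in this push), so unlike the old `sizeof`/`sizeof` form it is no longer an integer constant expression and cannot appear in a file-scope array bound, a static initializer or a `case` label. The only use visible on this page is inside `_dl_init_paths`, which is fine, but any other use in this file should be checked. A one-line comment on the define would spare the next reader the surprise: `/* Number of entries in system_dirs_len.  Not a constant expression: array_length is a statement expression.  */`.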
@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
 		 + ncapstr * sizeof (enum r_dir_status))
 		/ sizeof (struct r_search_path_elem));
 
-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
-    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
-	    * round_size * sizeof (struct r_search_path_elem));
+  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+				     * sizeof (*rtld_search_dirs.dirs[0]));
   if (rtld_search_dirs.dirs[0] == NULL)
     {
       errstring = N_("cannot create cache for search path");

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=bda48606ee93a29d9dfd8d797839a777344de5c8

commit bda48606ee93a29d9dfd8d797839a777344de5c8
Author: Florian Weimer <fweimer@redhat.com>
Date:   Thu Nov 2 12:14:01 2017 +0100

    <array_length.h>: New array_length and array_end macros
    
    (cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)

diff --git a/ChangeLog b/ChangeLog
index 1bf692a..90ea985 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-11-02  Florian Weimer  <fweimer@redhat.com>
+
+	Add array_length and array_end macros.
+	* include/array_length.h: New file.
+
 2017-10-27  H.J. Lu  <hongjiu.lu@intel.com>
 
 	* sysdeps/i386/fpu/libm-test-ulps: Regenerated for GCC 7 with
diff --git a/include/array_length.h b/include/array_length.h
new file mode 100644
index 0000000..cb4a8b2
--- /dev/null
+++ b/include/array_length.h
@@ -0,0 +1,36 @@
+/* The array_length and array_end macros.
+   Copyright (C) 2017 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <http://www.gnu.org/licenses/>.  */
+
+#ifndef _ARRAY_LENGTH_H
+#define _ARRAY_LENGTH_H
+
+/* array_length (VAR) is the number of elements in the array VAR.  VAR
+   must evaluate to an array, not a pointer.  */
+#define array_length(var)                                               \
+  __extension__ ({                                                      \
+    _Static_assert (!__builtin_types_compatible_p                       \
+                    (__typeof (var), __typeof (&(var)[0])),             \
+                    "argument must be an array");                       \
+    sizeof (var) / sizeof ((var)[0]);                                   \
+  })
+
+/* array_end (VAR) is a pointer one past the end of the array VAR.
+   VAR must evaluate to an array, not a pointer.  */
+#define array_end(var) (&(var)[array_length (var)])
+
+#endif /* _ARRAY_LENGTH_H */
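Review bot: The header comment on `array_length` documents the array-not-pointer requirement but not the other property a caller trips over: because the macro is a GNU statement expression, its result is not an integer constant expression, so it cannot be used for file-scope array sizes, static initializers or `case` labels, and `array_end` inherits the same restriction. Add to the `array_length` comment something like `The result is a GNU statement expression, not an integer constant expression; where a constant expression is required, use sizeof (var) / sizeof ((var)[0]) directly.` and a matching sentence on `array_end`. It may also be worth stating in the file comment that the header relies on GCC extensions (`__extension__`, `__typeof`, `__builtin_types_compatible_p`) and C11 `_Static_assert`, since it sits under `include/` and is not limited to a specific translation unit.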

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog                                          |   20 ++++++++++++
 NEWS                                               |   11 +++++++
 elf/dl-load.c                                      |   27 +++++++----------
 .../array_length.h                                 |   32 ++++++++++---------
 4 files changed, 59 insertions(+), 31 deletions(-)
 copy malloc/alloc_buffer_copy_bytes.c => include/array_length.h (51%)


hooks/post-receive
-- 
GNU C Library master sources

