This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch release/2.25/master updated. glibc-2.25-80-ga8920e6
- From: aurel32 at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 16 Dec 2017 14:36:24 -0000
- Subject: GNU C Library master sources branch release/2.25/master updated. glibc-2.25-80-ga8920e6
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, release/2.25/master has been updated
via a8920e694ab23f25435329b2365efa5ca7ac64bd (commit)
via 778a7c1825abe6273562617836c49b9573c394e8 (commit)
via 6474863dcb277eaeeff47a5f53de424ec49dd03d (commit)
from 17357d93cbf8d71a12530e91ea405cea4adb5ab0 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=a8920e694ab23f25435329b2365efa5ca7ac64bd
commit a8920e694ab23f25435329b2365efa5ca7ac64bd
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Dec 14 15:05:57 2017 +0100
elf: Count components of the expanded path in _dl_init_path [BZ #22607]
(cherry picked from commit 3ff3dfa5af313a6ea33f3393916f30eece4f0171)
diff --git a/ChangeLog b/ChangeLog
index c16512b..1868c7a 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
2017-12-14 Florian Weimer <fweimer@redhat.com>
+ [BZ #22607]
+ CVE-2017-1000409
+ * elf/dl-load.c (_dl_init_paths): Compute number of components in
+ the expanded path string.
+
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
[BZ #22606]
CVE-2017-1000408
* elf/dl-load.c (system_dirs): Update comment.
diff --git a/NEWS b/NEWS
index c0596ae..2c4c9d6 100644
--- a/NEWS
+++ b/NEWS
@@ -30,6 +30,12 @@ Security related changes:
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
+ CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+ of the number of search path components. (This is not a security
+ vulnerability per se because no trust boundary is crossed if the fix for
+ CVE-2017-1000366 has been applied, but it is mentioned here only because
+ of the CVE assignment.) Reported by Qualys.
+
The following bugs are resolved with this release:
[20257] sunrpc: clntudp_call does not enforce timeout when receiving data
diff --git a/elf/dl-load.c b/elf/dl-load.c
index c8cf96e..92303b0 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -776,8 +776,6 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
char *llp_tmp;
#ifdef SHARED
@@ -800,13 +798,10 @@ _dl_init_paths (const char *llp)
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=778a7c1825abe6273562617836c49b9573c394e8
commit 778a7c1825abe6273562617836c49b9573c394e8
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Dec 14 15:18:38 2017 +0100
elf: Compute correct array size in _dl_init_paths [BZ #22606]
(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)
diff --git a/ChangeLog b/ChangeLog
index 4334e6e..c16512b 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #22606]
+ CVE-2017-1000408
+ * elf/dl-load.c (system_dirs): Update comment.
+ (nsystem_dirs_len): Use array_length.
+ (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
2017-11-02 Florian Weimer <fweimer@redhat.com>
Add array_length and array_end macros.
diff --git a/NEWS b/NEWS
index d047d96..c0596ae 100644
--- a/NEWS
+++ b/NEWS
@@ -25,6 +25,11 @@ Security related changes:
without GLOB_NOESCAPE, could write past the end of a buffer while
unescaping user names. Reported by Tim Rühsen.
+ CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+ to the allocation of too much memory. (This is not a security bug per se,
+ it is mentioned here only because of the CVE assignment.) Reported by
+ Qualys.
+
The following bugs are resolved with this release:
[20257] sunrpc: clntudp_call does not enforce timeout when receiving data
diff --git a/elf/dl-load.c b/elf/dl-load.c
index a5318f9..c8cf96e 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -37,6 +37,7 @@
#include <sysdep.h>
#include <stap-probe.h>
#include <libc-internal.h>
+#include <array_length.h>
#include <dl-dst.h>
#include <dl-load.h>
@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
{
SYSTEM_DIRS_LEN
};
-#define nsystem_dirs_len \
- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
static bool
is_trusted_path (const char *path, size_t len)
@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=6474863dcb277eaeeff47a5f53de424ec49dd03d
commit 6474863dcb277eaeeff47a5f53de424ec49dd03d
Author: Florian Weimer <fweimer@redhat.com>
Date: Thu Nov 2 12:14:01 2017 +0100
<array_length.h>: New array_length and array_end macros
(cherry picked from commit c94a5688fb1228a862b2d4a3f1239cdc0e3349e5)
diff --git a/ChangeLog b/ChangeLog
index 574ea60..4334e6e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,8 @@
+2017-11-02 Florian Weimer <fweimer@redhat.com>
+
+ Add array_length and array_end macros.
+ * include/array_length.h: New file.
+
2017-12-12 James Clarke <jrtc27@jrtc27.com>
* sysdeps/unix/sysv/linux/ia64/ipc_priv.h: New file defining
diff --git a/include/array_length.h b/include/array_length.h
new file mode 100644
index 0000000..cb4a8b2
--- /dev/null
+++ b/include/array_length.h
@@ -0,0 +1,36 @@
+/* The array_length and array_end macros.
+ Copyright (C) 2017 Free Software Foundation, Inc.
+ This file is part of the GNU C Library.
+
+ The GNU C Library is free software; you can redistribute it and/or
+ modify it under the terms of the GNU Lesser General Public
+ License as published by the Free Software Foundation; either
+ version 2.1 of the License, or (at your option) any later version.
+
+ The GNU C Library is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public
+ License along with the GNU C Library; if not, see
+ <http://www.gnu.org/licenses/>. */
+
+#ifndef _ARRAY_LENGTH_H
+#define _ARRAY_LENGTH_H
+
+/* array_length (VAR) is the number of elements in the array VAR. VAR
+ must evaluate to an array, not a pointer. */
+#define array_length(var) \
+ __extension__ ({ \
+ _Static_assert (!__builtin_types_compatible_p \
+ (__typeof (var), __typeof (&(var)[0])), \
+ "argument must be an array"); \
+ sizeof (var) / sizeof ((var)[0]); \
+ })
+
+/* array_end (VAR) is a pointer one past the end of the array VAR.
+ VAR must evaluate to an array, not a pointer. */
+#define array_end(var) (&(var)[array_length (var)])
+
+#endif /* _ARRAY_LENGTH_H */
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 20 ++++++++++++++++++++
NEWS | 11 +++++++++++
elf/dl-load.c | 27 +++++++++++----------------
include/array_length.h | 36 ++++++++++++++++++++++++++++++++++++
4 files changed, 78 insertions(+), 16 deletions(-)
create mode 100644 include/array_length.h
hooks/post-receive
--
GNU C Library master sources