This is the mail archive of the
glibc-cvs@sourceware.org
mailing list for the glibc project.
GNU C Library master sources branch master updated. glibc-2.26.9000-1048-g3e3c904
- From: aurel32 at sourceware dot org
- To: glibc-cvs at sourceware dot org
- Date: 30 Dec 2017 21:03:02 -0000
- Subject: GNU C Library master sources branch master updated. glibc-2.26.9000-1048-g3e3c904
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".
The branch, master has been updated
via 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef (commit)
from c48831d0eebf876d986919baf2d9240a79192837 (commit)
Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.
- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=3e3c904daef69b8bf7d5cc07f793c9f07c3553ef
commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef
Author: Aurelien Jarno <aurelien@aurel32.net>
Date: Sat Dec 30 10:54:23 2017 +0100
elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).
Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.
The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.
Changelog:
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
diff --git a/ChangeLog b/ChangeLog
index 26e5f96..cd6fc15 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ [BZ #22625]
+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+ string token expansion. Check for NULL pointer or empty string possibly
+ returned by expand_dynamic_string_token.
+ (decompose_rpath): Check for empty path after dynamic string
+ token expansion.
+
2017-12-29 Dmitry V. Levin <ldv@altlinux.org>
[BZ #22433]
diff --git a/NEWS b/NEWS
index 95f3683..1b59e51 100644
--- a/NEWS
+++ b/NEWS
@@ -164,6 +164,10 @@ Security related changes:
CVE-2017-1000366 has been applied, but it is mentioned here only because
of the CVE assignment.) Reported by Qualys.
+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+ for AT_SECURE or SUID binaries could be used to load libraries from the
+ current directory.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index ae86f0b..a0620c2 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -389,31 +389,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;
- to_free = cp = expand_dynamic_string_token (l, cp);
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp);
- size_t len = strlen (cp);
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
- {
- static const char curwd[] = "./";
- cp = (char *) curwd;
- }
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }
- /* Remove trailing slashes (except for "/"). */
- while (len > 1 && cp[len - 1] == '/')
- --len;
+ /* Remove trailing slashes (except for "/"). */
+ while (len > 1 && cp[len - 1] == '/')
+ --len;
- /* Now add one if there is none so far. */
- if (len > 0 && cp[len - 1] != '/')
- cp[len++] = '/';
+ /* Now add one if there is none so far. */
+ if (len > 0 && cp[len - 1] != '/')
+ cp[len++] = '/';
+ }
/* See if this directory is already known. */
for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
@@ -569,6 +578,14 @@ decompose_rpath (struct r_search_path_struct *sps,
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;
-----------------------------------------------------------------------
Summary of changes:
ChangeLog | 10 ++++++++++
NEWS | 4 ++++
elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
3 files changed, 47 insertions(+), 16 deletions(-)
hooks/post-receive
--
GNU C Library master sources