This is the mail archive of the glibc-cvs@sourceware.org mailing list for the glibc project.



GNU C Library master sources branch release/2.24/master updated. glibc-2.24-87-gf24c345


This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, release/2.24/master has been updated
       via  f24c345bf5486cc8d659f7a17463adcae402ec8e (commit)
       via  248475457e40d44b12f1f69c889765bba4571add (commit)
      from  c5b38f2ecec6facf818e3c50ad014be05b52c179 (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=f24c345bf5486cc8d659f7a17463adcae402ec8e

commit f24c345bf5486cc8d659f7a17463adcae402ec8e
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
    
    The fillin_rpath function in elf/dl-load.c loops over each RPATH or
    RUNPATH tokens and interprets empty tokens as the current directory
    ("./"). In practice the check for empty token is done *after* the
    dynamic string token expansion. The expansion process can return an
    empty string for the $ORIGIN token if __libc_enable_secure is set
    or if the path of the binary can not be determined (/proc not mounted).
    
    Fix that by moving the check for empty tokens before the dynamic string
    token expansion. In addition, check for a NULL pointer or empty string
    returned by expand_dynamic_string_token.
    
    The above changes highlighted a bug in decompose_rpath, an empty array
    is represented by the first element being NULL at the fillin_rpath
    level, but by using a -1 pointer in decompose_rpath and other functions.
    
    Changelog:
    	[BZ #22625]
    	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
    	string token expansion. Check for NULL pointer or empty string possibly
    	returned by expand_dynamic_string_token.
    	(decompose_rpath): Check for empty path after dynamic string
    	token expansion.
    (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)

diff --git a/ChangeLog b/ChangeLog
index 4802d9f..723b363 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
 2017-12-18  Dmitry V. Levin  <ldv@altlinux.org>
 
 	[BZ #22627]
diff --git a/NEWS b/NEWS
index 9e20117..c2de2df 100644
--- a/NEWS
+++ b/NEWS
@@ -45,6 +45,10 @@ Security related changes:
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
 The following bugs are resolved with this release:
 
   [20790] Fix rpcgen buffer overrun
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 75a1700..1f774e1 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -434,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
 
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
 
-      size_t len = strlen (cp);
+	  /* expand_dynamic_string_token can return NULL in case of empty
+	     path or memory allocation failure.  */
+	  if (cp == NULL)
+	    continue;
 
-      /* `strsep' can pass an empty string.  This has to be
-	 interpreted as `use the current directory'. */
-      if (len == 0)
-	{
-	  static const char curwd[] = "./";
-	  cp = (char *) curwd;
-	}
+	  /* Compute the length after dynamic string token expansion and
+	     ignore empty paths.  */
+	  len = strlen (cp);
+	  if (len == 0)
+	    {
+	      free (to_free);
+	      continue;
+	    }
 
-      /* Remove trailing slashes (except for "/").  */
-      while (len > 1 && cp[len - 1] == '/')
-	--len;
+	  /* Remove trailing slashes (except for "/").  */
+	  while (len > 1 && cp[len - 1] == '/')
+	    --len;
 
-      /* Now add one if there is none so far.  */
-      if (len > 0 && cp[len - 1] != '/')
-	cp[len++] = '/';
+	  /* Now add one if there is none so far.  */
+	  if (len > 0 && cp[len - 1] != '/')
+	    cp[len++] = '/';
+	}
 
       /* Make sure we don't use untrusted directories if we run SUID.  */
       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
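Review bot: An empty token now leaves `cp` pointing at "" with `len == 0` and falls through to the `is_trusted_path` check and the rest of the loop body, but the replacement comment on the `if (*cp != '\0')` guard no longer says what that means; the old comment explained it as "use the current directory". I would extend it to `/* `strsep' can pass an empty string.  Keep it as a zero-length path (the current directory) so it is still subject to the trust check below.  */`, hedged because the code that consumes zero-length entries lies outside the hunk. The `continue` on `cp == NULL` also folds a memory allocation failure into the "empty path" case, so an allocation failure silently shortens the search path rather than being reported; if that is intended, the comment above it should say so explicitly. Inside the new block the `len > 0 &&` test before `cp[len++] = '/'` is always true, since `len == 0` has already been skipped, so it could be dropped. fillin_rpath begins and ends outside the hunk.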
@@ -622,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps,
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;
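Review bot: The sentinel `(struct r_search_path_elem **) -1` on the new early return is unexplained at the point of use, and `sps->malloced` is left untouched on that path while the success path just below sets it. I would add `/* An empty search path is represented by the -1 sentinel, not by NULL or an empty array, so callers must compare sps->dirs against it.  */` above the assignment. Whether any caller reads `sps->malloced` before checking `sps->dirs` cannot be seen from the hunk and is worth confirming. decompose_rpath begins outside the hunk and its remaining body lies past the hunk's end.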

http://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commitdiff;h=248475457e40d44b12f1f69c889765bba4571add

commit 248475457e40d44b12f1f69c889765bba4571add
Author: Dmitry V. Levin <ldv@altlinux.org>
Date:   Sun Dec 17 23:49:46 2017 +0000

    elf: do not substitute dst in $LD_LIBRARY_PATH twice [BZ #22627]
    
    Starting with commit
    glibc-2.18.90-470-g2a939a7e6d81f109d49306bc2e10b4ac9ceed8f9 that
    introduced substitution of dynamic string tokens in fillin_rpath,
    _dl_init_paths invokes _dl_dst_substitute for $LD_LIBRARY_PATH twice:
    the first time it's called directly, the second time the result
    is passed on to fillin_rpath which calls expand_dynamic_string_token
    which in turn calls _dl_dst_substitute, leading to the following
    behaviour:
    
    $ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' &&
      echo 'int main(){}' |gcc -xc - &&
      strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
    open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
    open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
    open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
    
    Fix this by removing the direct _dl_dst_substitute invocation.
    
    * elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
    code and invocation.
    
    (cherry picked from commit bb195224acc14724e9fc2dbaa8d0b20b72ace79b)

diff --git a/ChangeLog b/ChangeLog
index 2c2e9d5..4802d9f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2017-12-18  Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22627]
+	* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
+	code and invocation.
+
 2017-12-14  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #22607]
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 64f5514..75a1700 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -776,25 +776,7 @@ _dl_init_paths (const char *llp)
 
   if (llp != NULL && *llp != '\0')
     {
-      char *llp_tmp;
-
-#ifdef SHARED
-      /* Expand DSTs.  */
-      size_t cnt = DL_DST_COUNT (llp, 1);
-      if (__glibc_likely (cnt == 0))
-	llp_tmp = strdupa (llp);
-      else
-	{
-	  /* Determine the length of the substituted string.  */
-	  size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
-
-	  /* Allocate the necessary memory.  */
-	  llp_tmp = (char *) alloca (total + 1);
-	  llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
-	}
-#else
-      llp_tmp = strdupa (llp);
-#endif
+      char *llp_tmp = strdupa (llp);
 
       /* Decompose the LD_LIBRARY_PATH contents.  First determine how many
 	 elements it has.  */

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog     |   16 +++++++++++++
 NEWS          |    4 +++
 elf/dl-load.c |   69 ++++++++++++++++++++++++++++-----------------------------
 3 files changed, 54 insertions(+), 35 deletions(-)


hooks/post-receive
-- 
GNU C Library master sources

