[COMMITTED 2.26 2/3] elf: Compute correct array size in _dl_init_paths [BZ #22606]
Aurelien Jarno
aurelien@aurel32.net
Sun Jan 1 00:00:00 GMT 2017
From: Florian Weimer <fweimer@redhat.com>
(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)
---
ChangeLog | 8 ++++++++
NEWS | 5 +++++
elf/dl-load.c | 14 +++++++-------
3 files changed, 20 insertions(+), 7 deletions(-)
diff --git a/ChangeLog b/ChangeLog
index 90ea98550f..772b96ee42 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2017-12-14 Florian Weimer <fweimer@redhat.com>
+
+ [BZ #22606]
+ CVE-2017-1000408
+ * elf/dl-load.c (system_dirs): Update comment.
+ (nsystem_dirs_len): Use array_length.
+ (_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
2017-11-02 Florian Weimer <fweimer@redhat.com>
Add array_length and array_end macros.
diff --git a/NEWS b/NEWS
index 8810b57cd9..437b9ee00f 100644
--- a/NEWS
+++ b/NEWS
@@ -44,6 +44,11 @@ Security related changes:
instead of NULL. This was a regression introduced with the new malloc
thread cache in glibc 2.26. Reported by Iain Buclaw.
+ CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+ to the allocation of too much memory. (This is not a security bug per se,
+ it is mentioned here only because of the CVE assignment.) Reported by
+ Qualys.
+
The following bugs are resolved with this release:
[16750] ldd: Never run file directly.
diff --git a/elf/dl-load.c b/elf/dl-load.c
index c1b6d4ba0f..b3b0b37bf9 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -37,6 +37,7 @@
#include <sysdep.h>
#include <stap-probe.h>
#include <libc-pointer-arith.h>
+#include <array_length.h>
#include <dl-dst.h>
#include <dl-load.h>
@@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
{
SYSTEM_DIRS_LEN
};
-#define nsystem_dirs_len \
- (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
static bool
is_trusted_path (const char *path, size_t len)
@@ -688,9 +689,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
--
2.15.1
More information about the Libc-stable
mailing list