authorOndřej Bílka <neleai@seznam.cz>2013-11-18 19:56:57 +0100
committerOndřej Bílka <neleai@seznam.cz>2013-11-18 19:59:46 +0100
commitb75891075bece24be9fd85618f18af4a2daf7f1c (patch)
treee9ac3fb4d864a255d977fcd4a6de78343feed08a
parent250c23bdd9557f8609054c7000380e1ebbd351ee (diff)
Fix breaking of RPATH when $ORIGIN contains colons. Fixes bug 10253
We used to expand $ORIGIN first and then split the string at colons. This
misbehaves when $ORIGIN contains a colon, so we now split the string first
and then expand $ORIGIN.
-rw-r--r--ChangeLog7
-rw-r--r--NEWS20
-rw-r--r--elf/dl-load.c26
3 files changed, 33 insertions, 20 deletions
diff --git a/ChangeLog b/ChangeLog
index eccc4a9fe1..3822e0105e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-11-18  Ondřej Bílka  <neleai@seznam.cz>
+
+	[BZ #10253]
+	* elf/dl-load.c (fillin_rpath): Add linkmap parameter and expand path.
+	(decompose_rpath): Defer expansion to fillin_rpath.
+	(_dl_init_paths): Pass linkmap to fillin_rpath.
+
 2013-11-18  Rajalakshmi Srinivasaraghavan  <raji@linux.vnet.ibm.com>
 
 	* benchtests/Makefile: Add strsep.
diff --git a/NEWS b/NEWS
index fc1b63c4b1..c14374d272 100644
--- a/NEWS
+++ b/NEWS
@@ -9,16 +9,16 @@ Version 2.19
 
 * The following bugs are resolved with this release:
 
-  156, 387, 431, 832, 2801, 7003, 9954, 10278, 11087, 13028, 13982, 13985,
-  14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218,
-  15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532, 15608,
-  15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723, 15734,
-  15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797, 15799,
-  15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
-  15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
-  15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
-  16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
-  16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
+  156, 387, 431, 832, 2801, 7003, 9954, 10253, 10278, 11087, 13028, 13982,
+  13985, 14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048,
+  15218, 15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532,
+  15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723,
+  15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797,
+  15799, 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867,
+  15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917,
+  15919, 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997,
+  16032, 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078,
+  16103, 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 6a73f27345..bdd33bd78a 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -481,14 +481,19 @@ static size_t max_dirnamelen;
 
 static struct r_search_path_elem **
 fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
-	      int check_trusted, const char *what, const char *where)
+	      int check_trusted, const char *what, const char *where,
+	      struct link_map *l)
 {
   char *cp;
   size_t nelems = 0;
+  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+
+      to_free = cp = expand_dynamic_string_token (l, cp);
+
       size_t len = strlen (cp);
 
       /* `strsep' can pass an empty string.  This has to be
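Review bot: The result of `expand_dynamic_string_token (l, cp)` is passed straight to `strlen (cp)` with no NULL check, although decompose_rpath tested the same helper's result with `if (copy == NULL)` before this change. If the helper can fail on allocation, the loader would dereference NULL while building the search list; a guard right after the assignment, for example `if (cp == NULL) _dl_signal_error (ENOMEM, NULL, NULL, N_("cannot create RUNPATH/RPATH copy"));`, would keep the previous failure behaviour. Separately, the call removed from decompose_rpath passed three arguments (`l, rpath, 1`) and no visible hunk changes the helper's prototype, so this two-argument call looks like it will not compile as written. The body of fillin_rpath's loop continues past the end of this hunk, so other exit paths that might need `free (to_free)` cannot be checked from here.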
@@ -509,7 +514,10 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 
       /* Make sure we don't use untrusted directories if we run SUID.  */
       if (__builtin_expect (check_trusted, 0) && !is_trusted_path (cp, len))
-	continue;
+	{
+	  free (to_free);
+	  continue;
+	}
 
       /* See if this directory is already known.  */
       for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
@@ -570,6 +578,7 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 	  /* Put it in the result array.  */
 	  result[nelems++] = dirp;
 	}
+      free (to_free);
     }
 
   /* Terminate the array.  */
@@ -625,9 +634,8 @@ decompose_rpath (struct r_search_path_struct *sps,
       while (*inhp != '\0');
     }
 
-  /* Make a writable copy.  At the same time expand possible dynamic
-     string tokens.  */
-  copy = expand_dynamic_string_token (l, rpath, 1);
+  /* Make a writable copy.  */
+  copy = local_strdup (rpath);
   if (copy == NULL)
     {
       errstring = N_("cannot create RUNPATH/RPATH copy");
@@ -660,7 +668,7 @@ decompose_rpath (struct r_search_path_struct *sps,
       _dl_signal_error (ENOMEM, NULL, NULL, errstring);
     }
 
-  fillin_rpath (copy, result, ":", 0, what, where);
+  fillin_rpath (copy, result, ":", 0, what, where, l);
 
   /* Free the copied RPATH string.  `fillin_rpath' make own copies if
      necessary.  */
@@ -708,9 +716,7 @@ _dl_init_paths (const char *llp)
   const char *strp;
   struct r_search_path_elem *pelem, **aelem;
   size_t round_size;
-#ifdef SHARED
-  struct link_map *l;
-#endif
+  struct link_map __attribute__ ((unused)) *l = NULL;
   /* Initialize to please the compiler.  */
   const char *errstring = NULL;
 
@@ -865,7 +871,7 @@ _dl_init_paths (const char *llp)
 
       (void) fillin_rpath (llp_tmp, env_path_list.dirs, ":;",
 			   INTUSE(__libc_enable_secure), "LD_LIBRARY_PATH",
-			   NULL);
+			   NULL, l);
 
       if (env_path_list.dirs[0] == NULL)
 	{
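Review bot: The `l` passed on the new `NULL, l);` line may still be NULL when fillin_rpath forwards it to expand_dynamic_string_token for each LD_LIBRARY_PATH element. The earlier _dl_init_paths hunk replaces the `#ifdef SHARED` declaration with `struct link_map __attribute__ ((unused)) *l = NULL;`, which suggests non-shared builds never assign it. Whether the expansion helper tolerates a NULL map is not visible in this diff. LD_LIBRARY_PATH comes from the environment, so it is worth confirming that a `$ORIGIN` token in it cannot lead to a NULL dereference in a static binary, and recording that at the declaration with a comment such as `/* l stays NULL in the non-SHARED case; the token expansion must accept that. */`. The `unused` attribute is also misleading now that the variable is read on this line, and _dl_init_paths starts and ends outside the hunk, so how `llp_tmp` is prepared before this call cannot be checked here.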