diff options
| author | Aurelien Jarno <aurelien@aurel32.net> | 2017-12-30 10:54:23 +0100 |
|---|---|---|
| committer | Aurelien Jarno <aurelien@aurel32.net> | 2017-12-30 22:07:01 +0100 |
| commit | 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb (patch) | |
| tree | 03d08431ee8978aeeb0536cf913ff66b1965cc2e | |
| parent | 98f244e2456712778d91fcbdf99b1dd78b89c9f6 (diff) | |
| download | glibc-4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb.tar.gz glibc-4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb.tar.xz glibc-4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb.zip | |
elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).
Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.
The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.
Changelog:
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
| -rw-r--r-- | ChangeLog | 10 | ||||
| -rw-r--r-- | NEWS | 4 | ||||
| -rw-r--r-- | elf/dl-load.c | 49 |
3 files changed, 47 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog index 6ff641a602..414e931aa5 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2017-12-30 Aurelien Jarno <aurelien@aurel32.net> + Dmitry V. Levin <ldv@altlinux.org> + + [BZ #22625] + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic + string token expansion. Check for NULL pointer or empty string possibly + returned by expand_dynamic_string_token. + (decompose_rpath): Check for empty path after dynamic string + token expansion. + 2017-12-18 Dmitry V. Levin <ldv@altlinux.org> [BZ #22627] diff --git a/NEWS b/NEWS index ac623641e2..f04b3ed4e8 100644 --- a/NEWS +++ b/NEWS @@ -55,6 +55,10 @@ Security related changes: CVE-2017-1000366 has been applied, but it is mentioned here only because of the CVE assignment.) Reported by Qualys. + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN + for AT_SECURE or SUID binaries could be used to load libraries from the + current directory. + The following bugs are resolved with this release: [16750] ldd: Never run file directly. diff --git a/elf/dl-load.c b/elf/dl-load.c index 50996e29b8..7397c1882c 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -434,31 +434,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, { char *cp; size_t nelems = 0; - char *to_free; while ((cp = __strsep (&rpath, sep)) != NULL) { struct r_search_path_elem *dirp; + char *to_free = NULL; + size_t len = 0; - to_free = cp = expand_dynamic_string_token (l, cp, 1); + /* `strsep' can pass an empty string. */ + if (*cp != '\0') + { + to_free = cp = expand_dynamic_string_token (l, cp, 1); - size_t len = strlen (cp); + /* expand_dynamic_string_token can return NULL in case of empty + path or memory allocation failure. */ + if (cp == NULL) + continue; - /* `strsep' can pass an empty string. This has to be - interpreted as `use the current directory'. */ - if (len == 0) - { - static const char curwd[] = "./"; - cp = (char *) curwd; - } + /* Compute the length after dynamic string token expansion and + ignore empty paths. */ + len = strlen (cp); + if (len == 0) + { + free (to_free); + continue; + } - /* Remove trailing slashes (except for "/"). */ - while (len > 1 && cp[len - 1] == '/') - --len; + /* Remove trailing slashes (except for "/"). */ + while (len > 1 && cp[len - 1] == '/') + --len; - /* Now add one if there is none so far. */ - if (len > 0 && cp[len - 1] != '/') - cp[len++] = '/'; + /* Now add one if there is none so far. */ + if (len > 0 && cp[len - 1] != '/') + cp[len++] = '/'; + } /* Make sure we don't use untrusted directories if we run SUID. */ if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) @@ -622,6 +631,14 @@ decompose_rpath (struct r_search_path_struct *sps, necessary. */ free (copy); + /* There is no path after expansion. */ + if (result[0] == NULL) + { + free (result); + sps->dirs = (struct r_search_path_elem **) -1; + return false; + } + sps->dirs = result; /* The caller will change this value if we haven't used a real malloc. */ sps->malloced = 1; |