diff options
| author | Florian Weimer <fweimer@redhat.com> | 2017-12-14 15:18:38 +0100 |
|---|---|---|
| committer | Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com> | 2018-04-06 16:24:19 -0300 |
| commit | c64d6bc3da8e61feab4117bcad53bd97e7a111cd (patch) | |
| tree | 41009b7bdd8f05de6268215da4de33ddad37687a | |
| parent | d9c54360ca92a92ee8ee587f15a3cfc64fe4cb37 (diff) | |
| download | glibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.tar.gz glibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.tar.xz glibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.zip | |
elf: Compute correct array size in _dl_init_paths [BZ #22606]
(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)
| -rw-r--r-- | ChangeLog | 8 | ||||
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | elf/dl-load.c | 14 |
3 files changed, 20 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog index 59d00dbb4e..abd3289c78 100644 --- a/ChangeLog +++ b/ChangeLog @@ -5,6 +5,14 @@ 2017-12-14 Florian Weimer <fweimer@redhat.com> + [BZ #22606] + CVE-2017-1000408 + * elf/dl-load.c (system_dirs): Update comment. + (nsystem_dirs_len): Use array_length. + (_dl_init_paths): Use nsystem_dirs_len to compute the array size. + +2017-12-14 Florian Weimer <fweimer@redhat.com> + [BZ #22607] CVE-2017-1000409 * elf/dl-load.c (_dl_init_paths): Compute number of components in diff --git a/NEWS b/NEWS index 7b2e078224..ebebb402e1 100644 --- a/NEWS +++ b/NEWS @@ -76,6 +76,11 @@ Version 2.22.1 vulnerability per se because no trust boundary is crossed if the fix for CVE-2017-1000366 has been applied, but it is mentioned here only because of the CVE assignment.) Reported by Qualys. + +* CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads + to the allocation of too much memory. (This is not a security bug per se, + it is mentioned here only because of the CVE assignment.) Reported by + Qualys. Version 2.22 diff --git a/elf/dl-load.c b/elf/dl-load.c index f22fd0d303..32c3159e43 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -36,6 +36,7 @@ #include <caller.h> #include <sysdep.h> #include <stap-probe.h> +#include <array_length.h> #include <dl-dst.h> #include <dl-load.h> @@ -102,7 +103,9 @@ static size_t ncapstr attribute_relro; static size_t max_capstrlen attribute_relro; -/* Get the generated information about the trusted directories. */ +/* Get the generated information about the trusted directories. Use + an array of concatenated strings to avoid relocations. See + gen-trusted-dirs.awk. */ #include "trusted-dirs.h" static const char system_dirs[] = SYSTEM_DIRS; @@ -110,9 +113,7 @@ static const size_t system_dirs_len[] = { SYSTEM_DIRS_LEN }; -#define nsystem_dirs_len \ - (sizeof (system_dirs_len) / sizeof (system_dirs_len[0])) - +#define nsystem_dirs_len array_length (system_dirs_len) static bool is_trusted_path (const char *path, size_t len) @@ -704,9 +705,8 @@ _dl_init_paths (const char *llp) + ncapstr * sizeof (enum r_dir_status)) / sizeof (struct r_search_path_elem)); - rtld_search_dirs.dirs[0] = (struct r_search_path_elem *) - malloc ((sizeof (system_dirs) / sizeof (system_dirs[0])) - * round_size * sizeof (struct r_search_path_elem)); + rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size + * sizeof (*rtld_search_dirs.dirs[0])); if (rtld_search_dirs.dirs[0] == NULL) { errstring = N_("cannot create cache for search path"); |