elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH tokens and interprets empty tokens as the current directory ("./"). In practice the check for empty token is done *after* the dynamic string token expansion. The expansion process can return an empty string for the $ORIGIN token if __libc_enable_secure is set or if the path of the binary can not be determined (/proc not mounted). Fix that by moving the check for empty tokens before the dynamic string token expansion. In addition, check for NULL pointer or empty strings return by expand_dynamic_string_token. The above changes highlighted a bug in decompose_rpath, an empty array is represented by the first element being NULL at the fillin_rpath level, but by using a -1 pointer in decompose_rpath and other functions. Changelog: [BZ #22625] * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic string token expansion. Check for NULL pointer or empty string possibly returned by expand_dynamic_string_token. (decompose_rpath): Check for empty path after dynamic string token expansion. (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
author: Aurelien Jarno <aurelien@aurel32.net> 2017-12-30 10:54:23 +0100
committer: Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com> 2018-04-06 16:23:20 -0300
commit: 21c5d14bfb4e08bee86f94fd815535d3be2c3869 (patch)
tree: c5b4450b964d8c27f4d10bd680d6f2f4ced3c62d
parent: 9d0aec236891576c7f12e935128364669b785233 (diff)
download: glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.tar.gz
glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.tar.xz
glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.zip
3 files changed, 47 insertions, 16 deletions
diff --git a/ChangeLog b/ChangeLog
index f7e20898af..066b0d2402 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@
+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
 2017-02-27  Florian Weimer  <fweimer@redhat.com>
 
 	[BZ #21115]
diff --git a/NEWS b/NEWS
index fc6ee5267e..3a33aeeea1 100644
--- a/NEWS
+++ b/NEWS
@@ -66,6 +66,10 @@ Version 2.22.1
 
 * A use-after-free vulnerability in clntudp_call in the Sun RPC system has been
   fixed (CVE-2017-12133).
+
+* CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
 
 Version 2.22
 
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 7e6f4c52d1..d0ac65e650 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -432,31 +432,40 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
 
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
 
-      size_t len = strlen (cp);
+	  /* expand_dynamic_string_token can return NULL in case of empty
+	     path or memory allocation failure.  */
+	  if (cp == NULL)
+	    continue;
 
-      /* `strsep' can pass an empty string.  This has to be
-	 interpreted as `use the current directory'. */
-      if (len == 0)
-	{
-	  static const char curwd[] = "./";
-	  cp = (char *) curwd;
-	}
+	  /* Compute the length after dynamic string token expansion and
+	     ignore empty paths.  */
+	  len = strlen (cp);
+	  if (len == 0)
+	    {
+	      free (to_free);
+	      continue;
+	    }
 
-      /* Remove trailing slashes (except for "/").  */
-      while (len > 1 && cp[len - 1] == '/')
-	--len;
+	  /* Remove trailing slashes (except for "/").  */
+	  while (len > 1 && cp[len - 1] == '/')
+	    --len;
 
-      /* Now add one if there is none so far.  */
-      if (len > 0 && cp[len - 1] != '/')
-	cp[len++] = '/';
+	  /* Now add one if there is none so far.  */
+	  if (len > 0 && cp[len - 1] != '/')
+	    cp[len++] = '/';
+	}
 
       /* Make sure we don't use untrusted directories if we run SUID.  */
       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
@@ -620,6 +629,14 @@ decompose_rpath (struct r_search_path_struct *sps,
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;
author	Aurelien Jarno <aurelien@aurel32.net>	2017-12-30 10:54:23 +0100
committer	Tulio Magno Quites Machado Filho <tuliom@linux.ibm.com>	2018-04-06 16:23:20 -0300
commit	21c5d14bfb4e08bee86f94fd815535d3be2c3869 (patch)
tree	c5b4450b964d8c27f4d10bd680d6f2f4ced3c62d
parent	9d0aec236891576c7f12e935128364669b785233 (diff)
download	glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.tar.gz glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.tar.xz glibc-21c5d14bfb4e08bee86f94fd815535d3be2c3869.zip