about summary refs log tree commit diff
diff options
context:
space:
mode:
authorFlorian Weimer <fweimer@redhat.com>2017-12-14 15:18:38 +0100
committerTulio Magno Quites Machado Filho <tuliom@linux.ibm.com>2018-04-06 16:24:19 -0300
commitc64d6bc3da8e61feab4117bcad53bd97e7a111cd (patch)
tree41009b7bdd8f05de6268215da4de33ddad37687a
parentd9c54360ca92a92ee8ee587f15a3cfc64fe4cb37 (diff)
downloadglibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.tar.gz
glibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.tar.xz
glibc-c64d6bc3da8e61feab4117bcad53bd97e7a111cd.zip
elf: Compute correct array size in _dl_init_paths [BZ #22606]
(cherry picked from commit 8a0b17e48b83e933960dfeb8fa08b259f03f310e)
-rw-r--r--ChangeLog8
-rw-r--r--NEWS5
-rw-r--r--elf/dl-load.c14
3 files changed, 20 insertions, 7 deletions
diff --git a/ChangeLog b/ChangeLog
index 59d00dbb4e..abd3289c78 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,14 @@
 
 2017-12-14  Florian Weimer  <fweimer@redhat.com>
 
+	[BZ #22606]
+	CVE-2017-1000408
+	* elf/dl-load.c (system_dirs): Update comment.
+	(nsystem_dirs_len): Use array_length.
+	(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
+
+2017-12-14  Florian Weimer  <fweimer@redhat.com>
+
 	[BZ #22607]
 	CVE-2017-1000409
 	* elf/dl-load.c (_dl_init_paths): Compute number of components in
diff --git a/NEWS b/NEWS
index 7b2e078224..ebebb402e1 100644
--- a/NEWS
+++ b/NEWS
@@ -76,6 +76,11 @@ Version 2.22.1
   vulnerability per se because no trust boundary is crossed if the fix for
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
+
+* CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
+  to the allocation of too much memory.  (This is not a security bug per se,
+  it is mentioned here only because of the CVE assignment.)  Reported by
+  Qualys.
 
 Version 2.22
 
diff --git a/elf/dl-load.c b/elf/dl-load.c
index f22fd0d303..32c3159e43 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -36,6 +36,7 @@
 #include <caller.h>
 #include <sysdep.h>
 #include <stap-probe.h>
+#include <array_length.h>
 
 #include <dl-dst.h>
 #include <dl-load.h>
@@ -102,7 +103,9 @@ static size_t ncapstr attribute_relro;
 static size_t max_capstrlen attribute_relro;
 
 
-/* Get the generated information about the trusted directories.  */
+/* Get the generated information about the trusted directories.  Use
+   an array of concatenated strings to avoid relocations.  See
+   gen-trusted-dirs.awk.  */
 #include "trusted-dirs.h"
 
 static const char system_dirs[] = SYSTEM_DIRS;
@@ -110,9 +113,7 @@ static const size_t system_dirs_len[] =
 {
   SYSTEM_DIRS_LEN
 };
-#define nsystem_dirs_len \
-  (sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
-
+#define nsystem_dirs_len array_length (system_dirs_len)
 
 static bool
 is_trusted_path (const char *path, size_t len)
@@ -704,9 +705,8 @@ _dl_init_paths (const char *llp)
 		 + ncapstr * sizeof (enum r_dir_status))
 		/ sizeof (struct r_search_path_elem));
 
-  rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
-    malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
-	    * round_size * sizeof (struct r_search_path_elem));
+  rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+				     * sizeof (*rtld_search_dirs.dirs[0]));
   if (rtld_search_dirs.dirs[0] == NULL)
     {
       errstring = N_("cannot create cache for search path");