diff mbox series

[v3] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

Message ID 20171220202359.7765-1-aurelien@aurel32.net
State New
Headers show
Series [v3] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] | expand

Commit Message

Aurelien Jarno Dec. 20, 2017, 8:23 p.m. UTC
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.

The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.

Changelog:
	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	string token expansion. Check for NULL pointer or empty string possibly
	returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.
---
 ChangeLog     | 10 ++++++++++
 NEWS          |  4 ++++
 elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
 3 files changed, 40 insertions(+), 9 deletions(-)

Comments

Dmitry V. Levin Dec. 20, 2017, 9:06 p.m. UTC | #1
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and interprets empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
> 
> Fix that by moving the check for empty tokens before the dynamic string
> token expansion. In addition, check for NULL pointer or empty strings
> return by expand_dynamic_string_token.
> 
> The above changes highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath
> level, but by using a -1 pointer in decompose_rpath and other functions.
> 
> Changelog:
> 	[BZ #22625]
> 	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> 	string token expansion. Check for NULL pointer or empty string possibly
> 	returned by expand_dynamic_string_token.
> 	(decompose_rpath): Check for empty path after dynamic string
> 	token expansion.
> ---
>  ChangeLog     | 10 ++++++++++
>  NEWS          |  4 ++++
>  elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
>  3 files changed, 40 insertions(+), 9 deletions(-)
[...]
> -      /* `strsep' can pass an empty string.  This has to be
> -	 interpreted as `use the current directory'. */
> -      if (len == 0)
> -	{
> -	  static const char curwd[] = "./";
> -	  cp = (char *) curwd;
> +         /* Compute the length after dynamic string token expansion and
> +            ignore empty paths.  */
> +         len = strlen (cp);
> +         if (len == 0)
> +           {
> +             free (to_free);
> +             continue;
> +           }

The leading 8+ spaces are not replaced by tabs in these newly added lines.
As other lines in this file seem to use tabs, it might be a good idea
to follow the same style.

Besides that, the change is fine.
Dmitry V. Levin Dec. 29, 2017, 1:07 p.m. UTC | #2
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and interprets empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
> 
> Fix that by moving the check for empty tokens before the dynamic string
> token expansion. In addition, check for NULL pointer or empty strings
> return by expand_dynamic_string_token.
> 
> The above changes highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath
> level, but by using a -1 pointer in decompose_rpath and other functions.
> 
> Changelog:
> 	[BZ #22625]
> 	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> 	string token expansion. Check for NULL pointer or empty string possibly
> 	returned by expand_dynamic_string_token.
> 	(decompose_rpath): Check for empty path after dynamic string
> 	token expansion.
> ---
>  ChangeLog     | 10 ++++++++++
>  NEWS          |  4 ++++
>  elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
>  3 files changed, 40 insertions(+), 9 deletions(-)
> 
> diff --git a/ChangeLog b/ChangeLog
> index 35d1d102f6..0ed4d0ab15 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,13 @@
> +2017-12-20  Aurelien Jarno  <aurelien@aurel32.net>
> +	    Dmitry V. Levin  <ldv@altlinux.org>
> +
> +	[BZ #22625]
> +	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> +	string token expansion. Check for NULL pointer or empty string possibly
> +	returned by expand_dynamic_string_token.
> +	(decompose_rpath): Check for empty path after dynamic string
> +	token expansion.
> +
>  2017-12-20  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
>  
>  	* nptl/Makefile (libpthread-routines): Add pthread_join_common.
> diff --git a/NEWS b/NEWS
> index a43ff26e83..0d43e93a17 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -149,6 +149,10 @@ Security related changes:
>    CVE-2017-1000366 has been applied, but it is mentioned here only because
>    of the CVE assignment.)  Reported by Qualys.
>  
> +  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> +  for AT_SECURE or SUID binaries could be used to load libraries from the
> +  current directory.
> +
>  The following bugs are resolved with this release:
>  
>    [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 2964464158..955eb49ecb 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
>  {
>    char *cp;
>    size_t nelems = 0;
> -  char *to_free;
>  
>    while ((cp = __strsep (&rpath, sep)) != NULL)
>      {
>        struct r_search_path_elem *dirp;
> +      char *to_free = NULL;
> +      size_t len = 0;
>  
> -      to_free = cp = expand_dynamic_string_token (l, cp, 1);
> +      /* `strsep' can pass an empty string.  */
> +      if (*cp != '\0')
> +	{
> +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
>  
> -      size_t len = strlen (cp);
> +	  /* expand_dynamic_string_token can return NULL in case of empty
> +	     path or memory allocation failure.  */
> +	  if (cp == NULL)
> +	    continue;
>  
> -      /* `strsep' can pass an empty string.  This has to be
> -	 interpreted as `use the current directory'. */
> -      if (len == 0)
> -	{
> -	  static const char curwd[] = "./";
> -	  cp = (char *) curwd;
> +         /* Compute the length after dynamic string token expansion and
> +            ignore empty paths.  */
> +         len = strlen (cp);
> +         if (len == 0)
> +           {
> +             free (to_free);
> +             continue;
> +           }
>  	}
>  
>        /* Remove trailing slashes (except for "/").  */

The longer I look at this hunk of fillin_rpath, the more I think
that moving "Remove trailing slashes" and "Now add one" code inside
"if (*cp != '\0')" statement will make fillin_rpath a bit more readable.
Aurelien Jarno Dec. 30, 2017, 10:10 a.m. UTC | #3
On 2017-12-29 16:07, Dmitry V. Levin wrote:
> On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> > The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> > RUNPATH tokens and interprets empty tokens as the current directory
> > ("./"). In practice the check for empty token is done *after* the
> > dynamic string token expansion. The expansion process can return an
> > empty string for the $ORIGIN token if __libc_enable_secure is set
> > or if the path of the binary can not be determined (/proc not mounted).
> > 
> > Fix that by moving the check for empty tokens before the dynamic string
> > token expansion. In addition, check for NULL pointer or empty strings
> > return by expand_dynamic_string_token.
> > 
> > The above changes highlighted a bug in decompose_rpath, an empty array
> > is represented by the first element being NULL at the fillin_rpath
> > level, but by using a -1 pointer in decompose_rpath and other functions.
> > 
> > Changelog:
> > 	[BZ #22625]
> > 	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> > 	string token expansion. Check for NULL pointer or empty string possibly
> > 	returned by expand_dynamic_string_token.
> > 	(decompose_rpath): Check for empty path after dynamic string
> > 	token expansion.
> > ---
> >  ChangeLog     | 10 ++++++++++
> >  NEWS          |  4 ++++
> >  elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
> >  3 files changed, 40 insertions(+), 9 deletions(-)
> > 
> > diff --git a/ChangeLog b/ChangeLog
> > index 35d1d102f6..0ed4d0ab15 100644
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,3 +1,13 @@
> > +2017-12-20  Aurelien Jarno  <aurelien@aurel32.net>
> > +	    Dmitry V. Levin  <ldv@altlinux.org>
> > +
> > +	[BZ #22625]
> > +	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> > +	string token expansion. Check for NULL pointer or empty string possibly
> > +	returned by expand_dynamic_string_token.
> > +	(decompose_rpath): Check for empty path after dynamic string
> > +	token expansion.
> > +
> >  2017-12-20  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
> >  
> >  	* nptl/Makefile (libpthread-routines): Add pthread_join_common.
> > diff --git a/NEWS b/NEWS
> > index a43ff26e83..0d43e93a17 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -149,6 +149,10 @@ Security related changes:
> >    CVE-2017-1000366 has been applied, but it is mentioned here only because
> >    of the CVE assignment.)  Reported by Qualys.
> >  
> > +  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> > +  for AT_SECURE or SUID binaries could be used to load libraries from the
> > +  current directory.
> > +
> >  The following bugs are resolved with this release:
> >  
> >    [The release manager will add the list generated by
> > diff --git a/elf/dl-load.c b/elf/dl-load.c
> > index 2964464158..955eb49ecb 100644
> > --- a/elf/dl-load.c
> > +++ b/elf/dl-load.c
> > @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
> >  {
> >    char *cp;
> >    size_t nelems = 0;
> > -  char *to_free;
> >  
> >    while ((cp = __strsep (&rpath, sep)) != NULL)
> >      {
> >        struct r_search_path_elem *dirp;
> > +      char *to_free = NULL;
> > +      size_t len = 0;
> >  
> > -      to_free = cp = expand_dynamic_string_token (l, cp, 1);
> > +      /* `strsep' can pass an empty string.  */
> > +      if (*cp != '\0')
> > +	{
> > +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
> >  
> > -      size_t len = strlen (cp);
> > +	  /* expand_dynamic_string_token can return NULL in case of empty
> > +	     path or memory allocation failure.  */
> > +	  if (cp == NULL)
> > +	    continue;
> >  
> > -      /* `strsep' can pass an empty string.  This has to be
> > -	 interpreted as `use the current directory'. */
> > -      if (len == 0)
> > -	{
> > -	  static const char curwd[] = "./";
> > -	  cp = (char *) curwd;
> > +         /* Compute the length after dynamic string token expansion and
> > +            ignore empty paths.  */
> > +         len = strlen (cp);
> > +         if (len == 0)
> > +           {
> > +             free (to_free);
> > +             continue;
> > +           }
> >  	}
> >  
> >        /* Remove trailing slashes (except for "/").  */
> 
> The longer I look at this hunk of fillin_rpath, the more I think
> that moving "Remove trailing slashes" and "Now add one" code inside
> "if (*cp != '\0')" statement will make fillin_rpath a bit more readable.

I am testing this solution I'll send a new version of this patch if all
is working fine.
diff mbox series

Patch

diff --git a/ChangeLog b/ChangeLog
index 35d1d102f6..0ed4d0ab15 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,13 @@ 
+2017-12-20  Aurelien Jarno  <aurelien@aurel32.net>
+	    Dmitry V. Levin  <ldv@altlinux.org>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
 2017-12-20  Adhemerval Zanella  <adhemerval.zanella@linaro.org>
 
 	* nptl/Makefile (libpthread-routines): Add pthread_join_common.
diff --git a/NEWS b/NEWS
index a43ff26e83..0d43e93a17 100644
--- a/NEWS
+++ b/NEWS
@@ -149,6 +149,10 @@  Security related changes:
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index 2964464158..955eb49ecb 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -414,22 +414,31 @@  fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
 
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
 
-      size_t len = strlen (cp);
+	  /* expand_dynamic_string_token can return NULL in case of empty
+	     path or memory allocation failure.  */
+	  if (cp == NULL)
+	    continue;
 
-      /* `strsep' can pass an empty string.  This has to be
-	 interpreted as `use the current directory'. */
-      if (len == 0)
-	{
-	  static const char curwd[] = "./";
-	  cp = (char *) curwd;
+         /* Compute the length after dynamic string token expansion and
+            ignore empty paths.  */
+         len = strlen (cp);
+         if (len == 0)
+           {
+             free (to_free);
+             continue;
+           }
 	}
 
       /* Remove trailing slashes (except for "/").  */
@@ -594,6 +603,14 @@  decompose_rpath (struct r_search_path_struct *sps,
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;