diff mbox series

elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

Message ID 20171217172149.1748-1-aurelien@aurel32.net
State New
Headers show
Series elf: Check for empty tokens before dynamic string token expansion [BZ #22625] | expand

Commit Message

Aurelien Jarno Dec. 17, 2017, 5:21 p.m. UTC
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and intepret empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.

The above changed highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath path
level, but by using a -1 pointer in decompose_rpath and other functions.

Changelog:
	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
	dynamic string token expansion. Check for NULL pointer or empty
	string possibly returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.
---
 ChangeLog     |  9 +++++++++
 NEWS          |  4 ++++
 elf/dl-load.c | 30 ++++++++++++++++++++++++++----
 3 files changed, 39 insertions(+), 4 deletions(-)

Comments

Dmitry V. Levin Dec. 17, 2017, 8:07 p.m. UTC | #1
On Sun, Dec 17, 2017 at 06:21:49PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and intepret empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
> 
> Fix that by moving the check for empty tokens before the dynamic string
> token expansion. In addition, check for NULL pointer or empty strings
> return by expand_dynamic_string_token.
> 
> The above changed highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath path
> level, but by using a -1 pointer in decompose_rpath and other functions.
> 
> Changelog:
> 	[BZ #22625]
> 	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
> 	dynamic string token expansion. Check for NULL pointer or empty
> 	string possibly returned by expand_dynamic_string_token.
> 	(decompose_rpath): Check for empty path after dynamic string
> 	token expansion.

Accidentally, I was looking at this issue recently and have been testing
a slightly different patch, so I'd just share my thoughts.

> ---
>  ChangeLog     |  9 +++++++++
>  NEWS          |  4 ++++
>  elf/dl-load.c | 30 ++++++++++++++++++++++++++----
>  3 files changed, 39 insertions(+), 4 deletions(-)
> 
> diff --git a/ChangeLog b/ChangeLog
> index 815e73571d..4ef438d08c 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,12 @@
> +2017-12-17  Aurelien Jarno  <aurelien@aurel32.net>
> +
> +	[BZ #22625]
> +	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
> +	dynamic string token expansion. Check for NULL pointer or empty
> +	string possibly returned by expand_dynamic_string_token.
> +	(decompose_rpath): Check for empty path after dynamic string
> +	token expansion.
> +
>  2017-12-16  Aurelien Jarno  <aurelien@aurel32.net>
>  
>  	[BZ #22505]
> diff --git a/NEWS b/NEWS
> index 0670585b4c..8099ecc8f1 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -149,6 +149,10 @@ Security related changes:
>    CVE-2017-1000366 has been applied, but it is mentioned here only because
>    of the CVE assignment.)  Reported by Qualys.
>  
> +  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> +  for AT_SECURE or SUID binaries could be used to load libraries from the
> +  current directory.
> +
>  The following bugs are resolved with this release:
>  
>    [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index bbd3be9e20..81a1a03a01 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -433,14 +433,11 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
>  {
>    char *cp;
>    size_t nelems = 0;
> -  char *to_free;
> +  char *to_free = NULL;

Let's use this opportunity and move to_free inside the loop.

>    while ((cp = __strsep (&rpath, sep)) != NULL)
>      {
>        struct r_search_path_elem *dirp;
> -
> -      to_free = cp = expand_dynamic_string_token (l, cp, 1);
> -
>        size_t len = strlen (cp);
>  
>        /* `strsep' can pass an empty string.  This has to be

I think the code would be easier to read if len == 0 check below was
changed to *cp == '\0'.  This way you wouldn't have to call strlen twice,
and ...

> @@ -450,6 +447,24 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
>  	  static const char curwd[] = "./";
>  	  cp = (char *) curwd;

... an explicit len = 0 assignment would highlight the nastiness
of the trick with len later in fillin_rpath.

>  	}
> +      else
> +	{
> +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
> +
> +	  /* expand_dynamic_string_token can return NULL in case of memory
> +	     allocation failure.  */
> +	  if (cp == NULL)
> +	    continue;
> +
> +	  /* Recompute the length after dynamic string token expansion
> +	     and ignore empty paths.  */
> +	  len = strlen (cp);
> +	  if (len == 0)
> +	    {
> +	      free (to_free);
> +	      continue;
> +	    }
> +	}

The alternative (that I was testing in my patch) to len == 0 check is to
change expand_dynamic_string_token to return NULL if _dl_dst_substitute
returned an empty string, e.g.

-  return _dl_dst_substitute (l, s, result, is_path);
+  char *retval = _dl_dst_substitute (l, s, result, is_path);
+
+  /* If substitution of dynamic string tokens resulted to an empty string,
+     return NULL as in case of insufficient memory.  */
+  if (__glibc_unlikely (*retval == '\0'))
+    {
+      free (result);
+      return NULL;
+    }
+
+  return retval;

Both users of expand_dynamic_string_token, fillin_rpath and _dl_map_object,
would be happy.

>        /* Remove trailing slashes (except for "/").  */
>        while (len > 1 && cp[len - 1] == '/')
> @@ -620,6 +635,13 @@ decompose_rpath (struct r_search_path_struct *sps,
>       necessary.  */
>    free (copy);
>  
> +  /* There is no path after expansion.  */
> +  if (result[0] == NULL) {
> +    free (result);
> +    sps->dirs = (struct r_search_path_elem **) -1;
> +    return false;
> +  }
> +
>    sps->dirs = result;
>    /* The caller will change this value if we haven't used a real malloc.  */
>    sps->malloced = 1;

Yes, the bug was just sitting here and waiting for a fix in fillin_rpath
to explode.
Aurelien Jarno Dec. 17, 2017, 9:26 p.m. UTC | #2
On 2017-12-17 23:07, Dmitry V. Levin wrote:
> On Sun, Dec 17, 2017 at 06:21:49PM +0100, Aurelien Jarno wrote:
> > The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> > RUNPATH tokens and intepret empty tokens as the current directory
> > ("./"). In practice the check for empty token is done *after* the
> > dynamic string token expansion. The expansion process can return an
> > empty string for the $ORIGIN token if __libc_enable_secure is set
> > or if the path of the binary can not be determined (/proc not mounted).
> > 
> > Fix that by moving the check for empty tokens before the dynamic string
> > token expansion. In addition, check for NULL pointer or empty strings
> > return by expand_dynamic_string_token.
> > 
> > The above changed highlighted a bug in decompose_rpath, an empty array
> > is represented by the first element being NULL at the fillin_rpath path
> > level, but by using a -1 pointer in decompose_rpath and other functions.
> > 
> > Changelog:
> > 	[BZ #22625]
> > 	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
> > 	dynamic string token expansion. Check for NULL pointer or empty
> > 	string possibly returned by expand_dynamic_string_token.
> > 	(decompose_rpath): Check for empty path after dynamic string
> > 	token expansion.
> 
> Accidentally, I was looking at this issue recently and have been testing
> a slightly different patch, so I'd just share my thoughts.
> 
> > ---
> >  ChangeLog     |  9 +++++++++
> >  NEWS          |  4 ++++
> >  elf/dl-load.c | 30 ++++++++++++++++++++++++++----
> >  3 files changed, 39 insertions(+), 4 deletions(-)
> > 
> > diff --git a/ChangeLog b/ChangeLog
> > index 815e73571d..4ef438d08c 100644
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,3 +1,12 @@
> > +2017-12-17  Aurelien Jarno  <aurelien@aurel32.net>
> > +
> > +	[BZ #22625]
> > +	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
> > +	dynamic string token expansion. Check for NULL pointer or empty
> > +	string possibly returned by expand_dynamic_string_token.
> > +	(decompose_rpath): Check for empty path after dynamic string
> > +	token expansion.
> > +
> >  2017-12-16  Aurelien Jarno  <aurelien@aurel32.net>
> >  
> >  	[BZ #22505]
> > diff --git a/NEWS b/NEWS
> > index 0670585b4c..8099ecc8f1 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -149,6 +149,10 @@ Security related changes:
> >    CVE-2017-1000366 has been applied, but it is mentioned here only because
> >    of the CVE assignment.)  Reported by Qualys.
> >  
> > +  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> > +  for AT_SECURE or SUID binaries could be used to load libraries from the
> > +  current directory.
> > +
> >  The following bugs are resolved with this release:
> >  
> >    [The release manager will add the list generated by
> > diff --git a/elf/dl-load.c b/elf/dl-load.c
> > index bbd3be9e20..81a1a03a01 100644
> > --- a/elf/dl-load.c
> > +++ b/elf/dl-load.c
> > @@ -433,14 +433,11 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
> >  {
> >    char *cp;
> >    size_t nelems = 0;
> > -  char *to_free;
> > +  char *to_free = NULL;
> 
> Let's use this opportunity and move to_free inside the loop.

Indeed. I was even wondering if we can just use cp = strdup("./") below
to get rid of to_free and limit the amount of different code paths.

> >    while ((cp = __strsep (&rpath, sep)) != NULL)
> >      {
> >        struct r_search_path_elem *dirp;
> > -
> > -      to_free = cp = expand_dynamic_string_token (l, cp, 1);
> > -
> >        size_t len = strlen (cp);
> >  
> >        /* `strsep' can pass an empty string.  This has to be
> 
> I think the code would be easier to read if len == 0 check below was
> changed to *cp == '\0'.  This way you wouldn't have to call strlen twice,
> and ...
> 
> > @@ -450,6 +447,24 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
> >  	  static const char curwd[] = "./";
> >  	  cp = (char *) curwd;
> 
> ... an explicit len = 0 assignment would highlight the nastiness
> of the trick with len later in fillin_rpath.

Good idea indeed.

> >  	}
> > +      else
> > +	{
> > +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
> > +
> > +	  /* expand_dynamic_string_token can return NULL in case of memory
> > +	     allocation failure.  */
> > +	  if (cp == NULL)
> > +	    continue;
> > +
> > +	  /* Recompute the length after dynamic string token expansion
> > +	     and ignore empty paths.  */
> > +	  len = strlen (cp);
> > +	  if (len == 0)
> > +	    {
> > +	      free (to_free);
> > +	      continue;
> > +	    }
> > +	}
> 
> The alternative (that I was testing in my patch) to len == 0 check is to
> change expand_dynamic_string_token to return NULL if _dl_dst_substitute
> returned an empty string, e.g.
>
> -  return _dl_dst_substitute (l, s, result, is_path);
> +  char *retval = _dl_dst_substitute (l, s, result, is_path);
> +
> +  /* If substitution of dynamic string tokens resulted to an empty string,
> +     return NULL as in case of insufficient memory.  */
> +  if (__glibc_unlikely (*retval == '\0'))
> +    {
> +      free (result);
> +      return NULL;
> +    }
> +
> +  return retval;
> 
> Both users of expand_dynamic_string_token, fillin_rpath and _dl_map_object,
> would be happy.

I thought about that, but refrained as much as possible to change any
interface, as it might trigger more bugs, even if it looks ok.

The current bug actually show that a simple change might have big
consequences. Overall it seems the RPATH handling code became very
complex over the time, and would clearly benefit from a rewrite. I
would not be really surprised if other similar bugs are found.

All that said, if a few more persons review that code path, that should
be fine.

> >        /* Remove trailing slashes (except for "/").  */
> >        while (len > 1 && cp[len - 1] == '/')
> > @@ -620,6 +635,13 @@ decompose_rpath (struct r_search_path_struct *sps,
> >       necessary.  */
> >    free (copy);
> >  
> > +  /* There is no path after expansion.  */
> > +  if (result[0] == NULL) {
> > +    free (result);
> > +    sps->dirs = (struct r_search_path_elem **) -1;
> > +    return false;
> > +  }
> > +
> >    sps->dirs = result;
> >    /* The caller will change this value if we haven't used a real malloc.  */
> >    sps->malloced = 1;
> 
> Yes, the bug was just sitting here and waiting for a fix in fillin_rpath
> to explode.

Yes, however there is at least one more "continue" in fillin_rpath
which can lead to an empty path after expansion. I am surprised it
didn't trigger before today.

Thanks for the review!
Dmitry V. Levin Dec. 17, 2017, 10:10 p.m. UTC | #3
On Sun, Dec 17, 2017 at 10:26:01PM +0100, Aurelien Jarno wrote:
> On 2017-12-17 23:07, Dmitry V. Levin wrote:
[...]
> > >  	}
> > > +      else
> > > +	{
> > > +	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
> > > +
> > > +	  /* expand_dynamic_string_token can return NULL in case of memory
> > > +	     allocation failure.  */
> > > +	  if (cp == NULL)
> > > +	    continue;
> > > +
> > > +	  /* Recompute the length after dynamic string token expansion
> > > +	     and ignore empty paths.  */
> > > +	  len = strlen (cp);
> > > +	  if (len == 0)
> > > +	    {
> > > +	      free (to_free);
> > > +	      continue;
> > > +	    }
> > > +	}
> > 
> > The alternative (that I was testing in my patch) to len == 0 check is to
> > change expand_dynamic_string_token to return NULL if _dl_dst_substitute
> > returned an empty string, e.g.
> >
> > -  return _dl_dst_substitute (l, s, result, is_path);
> > +  char *retval = _dl_dst_substitute (l, s, result, is_path);
> > +
> > +  /* If substitution of dynamic string tokens resulted to an empty string,
> > +     return NULL as in case of insufficient memory.  */
> > +  if (__glibc_unlikely (*retval == '\0'))
> > +    {
> > +      free (result);
> > +      return NULL;
> > +    }
> > +
> > +  return retval;
> > 
> > Both users of expand_dynamic_string_token, fillin_rpath and _dl_map_object,
> > would be happy.
> 
> I thought about that, but refrained as much as possible to change any
> interface, as it might trigger more bugs, even if it looks ok.

I agree in general, but in this particular case I've been playing
with this code for some time and think the change would be safe.

> The current bug actually show that a simple change might have big
> consequences. Overall it seems the RPATH handling code became very
> complex over the time, and would clearly benefit from a rewrite. I
> would not be really surprised if other similar bugs are found.

There are definitely more bugs in this code.  For example, _dl_init_paths
calls _dl_dst_substitute twice on $LD_LIBRARY_PATH: the first time
_dl_dst_substitute is called directly, the second time the result is
passed to fillin_rpath which calls expand_dynamic_string_token which in
turn calls _dl_dst_substitute.  As $LD_LIBRARY_PATH is filtered in case
of __libc_enable_secure, this doesn't look security sensitive, it just
does a wrong thing:

$ mkdir -p /tmp/'$ORIGIN' && cd /tmp/'$ORIGIN' && echo 'int main(){}' |gcc -xc - && strace -qq -E LD_LIBRARY_PATH='$ORIGIN' -e /open ./a.out
open("/tmp//tmp/$ORIGIN/tls/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/tls/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/x86_64/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/tmp//tmp/$ORIGIN/libc.so.6", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
diff mbox series

Patch

diff --git a/ChangeLog b/ChangeLog
index 815e73571d..4ef438d08c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@ 
+2017-12-17  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
+	dynamic string token expansion. Check for NULL pointer or empty
+	string possibly returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
 2017-12-16  Aurelien Jarno  <aurelien@aurel32.net>
 
 	[BZ #22505]
diff --git a/NEWS b/NEWS
index 0670585b4c..8099ecc8f1 100644
--- a/NEWS
+++ b/NEWS
@@ -149,6 +149,10 @@  Security related changes:
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index bbd3be9e20..81a1a03a01 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -433,14 +433,11 @@  fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
+  char *to_free = NULL;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
-
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
       size_t len = strlen (cp);
 
       /* `strsep' can pass an empty string.  This has to be
@@ -450,6 +447,24 @@  fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 	  static const char curwd[] = "./";
 	  cp = (char *) curwd;
 	}
+      else
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+
+	  /* expand_dynamic_string_token can return NULL in case of memory
+	     allocation failure.  */
+	  if (cp == NULL)
+	    continue;
+
+	  /* Recompute the length after dynamic string token expansion
+	     and ignore empty paths.  */
+	  len = strlen (cp);
+	  if (len == 0)
+	    {
+	      free (to_free);
+	      continue;
+	    }
+	}
 
       /* Remove trailing slashes (except for "/").  */
       while (len > 1 && cp[len - 1] == '/')
@@ -620,6 +635,13 @@  decompose_rpath (struct r_search_path_struct *sps,
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL) {
+    free (result);
+    sps->dirs = (struct r_search_path_elem **) -1;
+    return false;
+  }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;