From patchwork Wed Nov 20 23:20:15 2019 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= X-Patchwork-Id: 1198576 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (sender SPF authorized) smtp.mailfrom=sourceware.org (client-ip=209.132.180.131; helo=sourceware.org; envelope-from=libc-alpha-return-107227-incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: ozlabs.org; dmarc=none (p=none dis=none) header.from=0x04.net Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b="jrDzrBAw"; dkim-atps=neutral Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 47JJZv5tlPz9s4Y for ; Thu, 21 Nov 2019 10:20:39 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id :mime-version:content-type:content-transfer-encoding; q=dns; s= default; b=MOayfjcRrzj95w/uyaj/vUGdR2aSYCSPQkZCYpNXapzIueScgDbAz mduuKtibbTFN/yQNQHFkJ8Fa7FpVV4wY35fGn6/qFHU8OkbzLZmKfxeFdMC8NF3Q YX/p0cZhD2K3gT/TJUV8N5dV1BBKl3cQaMT9z60vmz9hAuyK+CO2ug= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id :mime-version:content-type:content-transfer-encoding; s=default; bh=QPV5bSPgaJg4qi5ndgRLpxedhPg=; b=jrDzrBAwQxjuQeTYDO5dkwXhBiZV ehXRxJw9OuJ8YUEbYWk9ixviWWmCBnP7NbSkP63KEc7LDphFrJfB+BagSloTBXEO indPpcXf5s4WAqTxEKE+Q2t3w3a5qXWygxDMr1b5D+9e3nL4laMGSKYMnWa2XEfc Zm2qDWs0bodQyPI= Received: (qmail 124307 invoked by alias); 20 Nov 2019 23:20:33 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 124291 invoked by uid 89); 20 Nov 2019 23:20:33 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-19.4 required=5.0 tests=AWL, BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.1 spammy=HContent-Transfer-Encoding:8bit X-HELO: xyzzy.0x04.net From: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= To: libc-alpha@sourceware.org Cc: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= Subject: [PATCH] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] Date: Thu, 21 Nov 2019 00:20:15 +0100 Message-Id: <20191120232015.25936-1-mwk@0x04.net> MIME-Version: 1.0 The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). --- NEWS | 6 +++++- sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- 2 files changed, 7 insertions(+), 2 deletions(-) diff --git a/NEWS b/NEWS index 50479f17c9..df03f4dc48 100644 --- a/NEWS +++ b/NEWS @@ -86,7 +86,11 @@ Changes to build and runtime requirements: Security related changes: - [Add security related changes here] + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Koƛcielnicki. The following bugs are resolved with this release: diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h index 0e95221908..e3af239faa 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |= bit_arch_Prefer_MAP_32BIT_EXEC; \ break;