From patchwork Mon Dec 18 20:42:13 2017 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Aurelien Jarno X-Patchwork-Id: 850391 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=pass (mailfrom) smtp.mailfrom=sourceware.org (client-ip=209.132.180.131; helo=sourceware.org; envelope-from=libc-alpha-return-88300-incoming=patchwork.ozlabs.org@sourceware.org; receiver=) Authentication-Results: ozlabs.org; dkim=pass (1024-bit key; secure) header.d=sourceware.org header.i=@sourceware.org header.b="nV+dDmzV"; dkim-atps=neutral Received: from sourceware.org (server1.sourceware.org [209.132.180.131]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ozlabs.org (Postfix) with ESMTPS id 3z0tJd1zV3z9s7m for ; Tue, 19 Dec 2017 07:42:41 +1100 (AEDT) DomainKey-Signature: a=rsa-sha1; c=nofws; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; q=dns; s= default; b=NeuFCUsbUmUq4Tl6TDWkAXpabR0oukZZRq2dQKQM4Yti1c11kgOAo lDIP/FElJsCppMGdxudgn41svHwgP1bLcUgXxlNvpnRNr/t2Dx41EfE2mF61koI/ iviaMUGAxybRpMuSiWyKjl3PjNv91cARNCEWnn3li25+HFnFTrPQVI= DKIM-Signature: v=1; a=rsa-sha1; c=relaxed; d=sourceware.org; h=list-id :list-unsubscribe:list-subscribe:list-archive:list-post :list-help:sender:from:to:cc:subject:date:message-id; s=default; bh=u5NnWkjHmIMipmq6R06j610wMIU=; b=nV+dDmzVf9C5I5cm+bR29O7pttvQ rDHUWfOnoPWoQ8eQVTWpAYbPmd4PgQF8+wYP781SF9Iyyq9zZg1xQx9QOvPFqTvx 2twFvxXS0T2KDHWwvSPK1YkKRoOLolOSYPaRlN4R83SSNRo3lDqy+IAGI1HNaJIj MoeSBk2QzMMhXtw= Received: (qmail 99263 invoked by alias); 18 Dec 2017 20:42:32 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 99251 invoked by uid 89); 18 Dec 2017 20:42:32 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Found: No X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, KAM_LAZY_DOMAIN_SECURITY, T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy= X-HELO: hall.aurel32.net From: Aurelien Jarno To: libc-alpha@sourceware.org Cc: "Dmitry V . Levin" , Aurelien Jarno Subject: [PATCH v2] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] Date: Mon, 18 Dec 2017 21:42:13 +0100 Message-Id: <20171218204213.26583-1-aurelien@aurel32.net> The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH tokens and intepret empty tokens as the current directory ("./"). In practice the check for empty token is done *after* the dynamic string token expansion. The expansion process can return an empty string for the $ORIGIN token if __libc_enable_secure is set or if the path of the binary can not be determined (/proc not mounted). To fix that, move the check for empty tokens before the dynamic string token expansion. Change expand_dynamic_string_token to return NULL instead of an empty string, and check for NULL pointer returned by expand_dynamic_string_token. The above changed highlighted a bug in decompose_rpath, an empty array is represented by the first element being NULL at the fillin_rpath path level, but by using a -1 pointer in decompose_rpath and other functions. Changelog: [BZ #22625] * elf/dl-load.c (expand_dynamic_string_token): Return NULL instead of an empty string. (fillin_rpath): Check for empty tokens before dynamic string token expansion. Check for NULL pointer possibly returned by expand_dynamic_string_token. (decompose_rpath): Check for empty path after dynamic string token expansion. --- ChangeLog | 12 ++++++++++++ NEWS | 4 ++++ elf/dl-load.c | 43 ++++++++++++++++++++++++++++++++++++------- 3 files changed, 52 insertions(+), 7 deletions(-) This new version includes the suggestions done by Dmitry. It would be nice if it could be reviewed by at least one more person, especially the part modifying expand_dynamic_string_token. diff --git a/ChangeLog b/ChangeLog index 4a7164354f..24a5223485 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,15 @@ +2017-12-17 Aurelien Jarno + Dmitry V. Levin + + [BZ #22625] + * elf/dl-load.c (expand_dynamic_string_token): Return NULL instead + of an empty string. + (fillin_rpath): Check for empty tokens before dynamic string token + expansion. Check for NULL pointer possibly returned by + expand_dynamic_string_token. + (decompose_rpath): Check for empty path after dynamic string + token expansion. + 2017-12-18 Sergei Trofimovich [BZ #22624] diff --git a/NEWS b/NEWS index a43ff26e83..0d43e93a17 100644 --- a/NEWS +++ b/NEWS @@ -149,6 +149,10 @@ Security related changes: CVE-2017-1000366 has been applied, but it is mentioned here only because of the CVE assignment.) Reported by Qualys. + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN + for AT_SECURE or SUID binaries could be used to load libraries from the + current directory. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/elf/dl-load.c b/elf/dl-load.c index e7d97dcc56..827ec1c491 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -384,7 +384,17 @@ expand_dynamic_string_token (struct link_map *l, const char *s, int is_path) if (result == NULL) return NULL; - return _dl_dst_substitute (l, s, result, is_path); + char *retval = _dl_dst_substitute (l, s, result, is_path); + + /* If substitution of dynamic string tokens resulted to an empty string, + return NULL as in case of insufficient memory. */ + if (__glibc_unlikely (*retval == '\0')) + { + free (result); + return NULL; + } + + return retval; } @@ -433,22 +443,33 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, { char *cp; size_t nelems = 0; - char *to_free; while ((cp = __strsep (&rpath, sep)) != NULL) { struct r_search_path_elem *dirp; - - to_free = cp = expand_dynamic_string_token (l, cp, 1); - - size_t len = strlen (cp); + char *to_free = NULL; + size_t len; /* `strsep' can pass an empty string. This has to be interpreted as `use the current directory'. */ - if (len == 0) + if (*cp == '\0') { static const char curwd[] = "./"; cp = (char *) curwd; + len = 0; + } + else + { + to_free = cp = expand_dynamic_string_token (l, cp, 1); + + /* expand_dynamic_string_token can return NULL in case of empty + path or memory allocation failure. */ + if (cp == NULL) + continue; + + /* Recompute the length after dynamic string token expansion + and ignore empty paths. */ + len = strlen (cp); } /* Remove trailing slashes (except for "/"). */ @@ -620,6 +641,14 @@ decompose_rpath (struct r_search_path_struct *sps, necessary. */ free (copy); + /* There is no path after expansion. */ + if (result[0] == NULL) + { + free (result); + sps->dirs = (struct r_search_path_elem **) -1; + return false; + } + sps->dirs = result; /* The caller will change this value if we haven't used a real malloc. */ sps->malloced = 1;