tzset robustness [BZ#17715]

This patch removes two different unbounded alloca calls, and also fixes 
the TZ parser issue identified here:

   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705

This is not my preferred approach.  I would rather like to sanitize TZ 
in AT_SECURE mode, so that specifying a file from a non-default TZDIR 
does not work.  However, this alternative approach is a bit involved 
because the current ld.so setup code is not fit to handle 
content-dependent environment variable scrubbing.

Tested on x86_64-redhat-linux-gnu with no regressions.  I also ran the 
tests in time/ and timezone/ on i386-redhat-linux-gnu, with no failures. 
  The test case from the Debian bug no longer crashes after installing 
the new glibc version (also on i386).

On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
> This patch removes two different unbounded alloca calls, and also
> fixes the TZ parser issue identified here:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
> 
> This is not my preferred approach.  I would rather like to sanitize
> TZ in AT_SECURE mode, so that specifying a file from a non-default
> TZDIR does not work.  However, this alternative approach is a bit
> involved because the current ld.so setup code is not fit to handle
> content-dependent environment variable scrubbing.

Doing the scrubbing in the dynamic linker does not seem appropriate
anyway. It wouldn't solve the problem for static-linked binaries and
it would wrongly remove environment entries rather than just ignoring
them. Instead, tzset should be doing its own path enforcement based on
the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
issetugid function).

Rich

On 01/15/2015 02:39 PM, Rich Felker wrote:
> On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
>> This patch removes two different unbounded alloca calls, and also
>> fixes the TZ parser issue identified here:
>>
>>    https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
>>
>> This is not my preferred approach.  I would rather like to sanitize
>> TZ in AT_SECURE mode, so that specifying a file from a non-default
>> TZDIR does not work.  However, this alternative approach is a bit
>> involved because the current ld.so setup code is not fit to handle
>> content-dependent environment variable scrubbing.
>
> Doing the scrubbing in the dynamic linker does not seem appropriate
> anyway. It wouldn't solve the problem for static-linked binaries and

I have working scrubbing for statically linked binaries, I think.

> it would wrongly remove environment entries rather than just ignoring
> them. Instead, tzset should be doing its own path enforcement based on
> the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
> issetugid function).

We already do that, but we aren't consistent about it: We scrub TZDIR 
unconditionally (which is cleared in AT_SECURE mode), but we pass TZ 
variables containing absolute paths to subprocesses.  The latter means 
that the TZDIR scrubbing isn't effective.

On Thu, Jan 15, 2015 at 02:45:55PM +0100, Florian Weimer wrote:
> On 01/15/2015 02:39 PM, Rich Felker wrote:
> >On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
> >>This patch removes two different unbounded alloca calls, and also
> >>fixes the TZ parser issue identified here:
> >>
> >>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
> >>
> >>This is not my preferred approach.  I would rather like to sanitize
> >>TZ in AT_SECURE mode, so that specifying a file from a non-default
> >>TZDIR does not work.  However, this alternative approach is a bit
> >>involved because the current ld.so setup code is not fit to handle
> >>content-dependent environment variable scrubbing.
> >
> >Doing the scrubbing in the dynamic linker does not seem appropriate
> >anyway. It wouldn't solve the problem for static-linked binaries and
> 
> I have working scrubbing for statically linked binaries, I think.
> 
> >it would wrongly remove environment entries rather than just ignoring
> >them. Instead, tzset should be doing its own path enforcement based on
> >the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
> >issetugid function).
> 
> We already do that, but we aren't consistent about it: We scrub
> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
> pass TZ variables containing absolute paths to subprocesses.  The
> latter means that the TZDIR scrubbing isn't effective.

I fail to see how removing env vars behind the program's back is
conforming. I understand that the _intent_ is to improve security, but
IMO any contract violation such as this is a potential cause of
vulnerabilities in itself (e.g. as a silly example, suppose the child
process you were executing is a tool that examines the environment and
exits with 0/1 to tell if the environment contained anything
dangerous).

Rich

On Wed, 14 Jan 2015, Florian Weimer wrote:

> @@ -434,6 +437,10 @@ __tzfile_read (const char *file, size_t extra, char **extrap)
>  	goto lose;
>  
>        tzspec_len = st.st_size - off - 1;
> +      if (tzspec_len >= 256)
> +	/* POSIX time zone specifiers are much shorter than 256
> +	   characters.  */
> +	goto lose;
>        char *tzstr = alloca (tzspec_len);
>        if (getc_unlocked (f) != '\n'
>  	  || (__fread_unlocked (tzstr, 1, tzspec_len - 1, f)

Is it possible to have tzspec_len == 0 here?  The code doesn't look safe 
if tzspec_len is 0 - it would pass (size_t)-1 to __fread_unlocked.

This code is for the case where time_t is 4-byte (and so size_t is 
4-byte).  tzspec_len is of type size_t.  st.st_size is of type off64_t (st 
is struct stat64), so 8-byte.  If st.st_size < off + 2 we didn't get here, 
but if st.st_size is off + 4GB + 1 it seems to me you could then get 
tzspec_len being 0.  (This file is opened with fopen not fopen64 so the 
open should fail if it's a large file at fopen time, but one might suppose 
it only becomes a large file between the fopen call and the fstat64 call.)

On 01/15/2015 09:02 AM, Rich Felker wrote:
> On Thu, Jan 15, 2015 at 02:45:55PM +0100, Florian Weimer wrote:
>> On 01/15/2015 02:39 PM, Rich Felker wrote:
>>> On Wed, Jan 14, 2015 at 11:11:42PM +0100, Florian Weimer wrote:
>>>> This patch removes two different unbounded alloca calls, and also
>>>> fixes the TZ parser issue identified here:
>>>>
>>>>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=772705
>>>>
>>>> This is not my preferred approach.  I would rather like to sanitize
>>>> TZ in AT_SECURE mode, so that specifying a file from a non-default
>>>> TZDIR does not work.  However, this alternative approach is a bit
>>>> involved because the current ld.so setup code is not fit to handle
>>>> content-dependent environment variable scrubbing.
>>>
>>> Doing the scrubbing in the dynamic linker does not seem appropriate
>>> anyway. It wouldn't solve the problem for static-linked binaries and
>>
>> I have working scrubbing for statically linked binaries, I think.
>>
>>> it would wrongly remove environment entries rather than just ignoring
>>> them. Instead, tzset should be doing its own path enforcement based on
>>> the presence of getauxval(AT_SECURE) or similar (e.g. the proposed
>>> issetugid function).
>>
>> We already do that, but we aren't consistent about it: We scrub
>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
>> pass TZ variables containing absolute paths to subprocesses.  The
>> latter means that the TZDIR scrubbing isn't effective.
> 
> I fail to see how removing env vars behind the program's back is
> conforming. I understand that the _intent_ is to improve security, but
> IMO any contract violation such as this is a potential cause of
> vulnerabilities in itself (e.g. as a silly example, suppose the child
> process you were executing is a tool that examines the environment and
> exits with 0/1 to tell if the environment contained anything
> dangerous).

I can't help but agree. Removing env vars is a bad idea, ignoring them
is the only way I'd handle this.

c.

On 01/16/2015 09:27 PM, Carlos O'Donell wrote:
>>> We already do that, but we aren't consistent about it: We scrub
>>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
>>> pass TZ variables containing absolute paths to subprocesses.  The
>>> latter means that the TZDIR scrubbing isn't effective.
>>
>> I fail to see how removing env vars behind the program's back is
>> conforming. I understand that the _intent_ is to improve security, but
>> IMO any contract violation such as this is a potential cause of
>> vulnerabilities in itself (e.g. as a silly example, suppose the child
>> process you were executing is a tool that examines the environment and
>> exits with 0/1 to tell if the environment contained anything
>> dangerous).
> 
> I can't help but agree. Removing env vars is a bad idea, ignoring them
> is the only way I'd handle this.

On the other hand, looking at TZDIR at all is non-confirming as well.

It is certainly easier not to scrub the TZ variable because no
additional patch is required.  But I'm worried that the TZ parser
crosses a trust boundary, and we'll have to patch it again (and again).
 Ulrich already tried to robustify the parser in commit
97ac2654b2d831acaa18a2b018b0736245903fd2, BZ #13506, but missed a few
corner cases.  I don't feel very confident that my latest patch
addresses all remaining issues.

On Tue, Jan 20, 2015 at 02:18:01PM +0100, Florian Weimer wrote:
> On 01/16/2015 09:27 PM, Carlos O'Donell wrote:
> >>> We already do that, but we aren't consistent about it: We scrub
> >>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
> >>> pass TZ variables containing absolute paths to subprocesses.  The
> >>> latter means that the TZDIR scrubbing isn't effective.
> >>
> >> I fail to see how removing env vars behind the program's back is
> >> conforming. I understand that the _intent_ is to improve security, but
> >> IMO any contract violation such as this is a potential cause of
> >> vulnerabilities in itself (e.g. as a silly example, suppose the child
> >> process you were executing is a tool that examines the environment and
> >> exits with 0/1 to tell if the environment contained anything
> >> dangerous).
> > 
> > I can't help but agree. Removing env vars is a bad idea, ignoring them
> > is the only way I'd handle this.
> 
> On the other hand, looking at TZDIR at all is non-confirming as well.

Are you sure? The way in which the TZ is processed when it's not a
POSIX TZ string is implementation-defined. Defining that to include
processing of the TZDIR environment variable is perfectly acceptable.
These interfaces are already permitted to access the environment so
there's no issue with concurrent environment access.

Rich

On 01/20/2015 04:14 PM, Rich Felker wrote:
> On Tue, Jan 20, 2015 at 02:18:01PM +0100, Florian Weimer wrote:
>> On 01/16/2015 09:27 PM, Carlos O'Donell wrote:
>>>>> We already do that, but we aren't consistent about it: We scrub
>>>>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
>>>>> pass TZ variables containing absolute paths to subprocesses.  The
>>>>> latter means that the TZDIR scrubbing isn't effective.
>>>>
>>>> I fail to see how removing env vars behind the program's back is
>>>> conforming. I understand that the _intent_ is to improve security, but
>>>> IMO any contract violation such as this is a potential cause of
>>>> vulnerabilities in itself (e.g. as a silly example, suppose the child
>>>> process you were executing is a tool that examines the environment and
>>>> exits with 0/1 to tell if the environment contained anything
>>>> dangerous).
>>>
>>> I can't help but agree. Removing env vars is a bad idea, ignoring them
>>> is the only way I'd handle this.
>>
>> On the other hand, looking at TZDIR at all is non-confirming as well.
> 
> Are you sure?

No, mainly because I'm not entirely sure what a POSIX TZ string should
look like.

I tried this, based on some test case:

$ TZ=AEST-10AEDST-11,M10.5.0,M3.5.0 strace -eopen date
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/usr/share/zoneinfo/AEST-10AEDST-11,M10.5.0,M3.5.0",
O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
Wed Jan 21 02:30:07 AEDST 2015
+++ exited with 0 +++
$ TZDIR=/tmp TZ=AEST-10AEDST-11,M10.5.0,M3.5.0 strace -eopen date
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
open("/tmp/AEST-10AEDST-11,M10.5.0,M3.5.0", O_RDONLY|O_CLOEXEC) = 3
Tue Jan 20 15:30:14 UTC 2015
+++ exited with 0 +++

The file is copied from /usr/share/zoneinfo/UTC.

This seems to suggest that the glibc behavior is non-compliant.

Florian Weimer wrote:
> This seems to suggest that the glibc behavior is non-compliant.

No, because POSIX reserves the environment variable name TZDIR for the 
implementation (just as it reserves all upper-case-only names).

On Tue, Jan 20, 2015 at 04:37:01PM +0100, Florian Weimer wrote:
> On 01/20/2015 04:14 PM, Rich Felker wrote:
> > On Tue, Jan 20, 2015 at 02:18:01PM +0100, Florian Weimer wrote:
> >> On 01/16/2015 09:27 PM, Carlos O'Donell wrote:
> >>>>> We already do that, but we aren't consistent about it: We scrub
> >>>>> TZDIR unconditionally (which is cleared in AT_SECURE mode), but we
> >>>>> pass TZ variables containing absolute paths to subprocesses.  The
> >>>>> latter means that the TZDIR scrubbing isn't effective.
> >>>>
> >>>> I fail to see how removing env vars behind the program's back is
> >>>> conforming. I understand that the _intent_ is to improve security, but
> >>>> IMO any contract violation such as this is a potential cause of
> >>>> vulnerabilities in itself (e.g. as a silly example, suppose the child
> >>>> process you were executing is a tool that examines the environment and
> >>>> exits with 0/1 to tell if the environment contained anything
> >>>> dangerous).
> >>>
> >>> I can't help but agree. Removing env vars is a bad idea, ignoring them
> >>> is the only way I'd handle this.
> >>
> >> On the other hand, looking at TZDIR at all is non-confirming as well.
> > 
> > Are you sure?
> 
> No, mainly because I'm not entirely sure what a POSIX TZ string should
> look like.
> 
> I tried this, based on some test case:
> 
> $ TZ=AEST-10AEDST-11,M10.5.0,M3.5.0 strace -eopen date
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
> open("/usr/share/zoneinfo/AEST-10AEDST-11,M10.5.0,M3.5.0",
> O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
> Wed Jan 21 02:30:07 AEDST 2015
> +++ exited with 0 +++
> $ TZDIR=/tmp TZ=AEST-10AEDST-11,M10.5.0,M3.5.0 strace -eopen date
> open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
> open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
> open("/tmp/AEST-10AEDST-11,M10.5.0,M3.5.0", O_RDONLY|O_CLOEXEC) = 3
> Tue Jan 20 15:30:14 UTC 2015
> +++ exited with 0 +++
> 
> The file is copied from /usr/share/zoneinfo/UTC.
> 
> This seems to suggest that the glibc behavior is non-compliant.

Yes, glibc is wrongly attempting to process strings as filenames
first, then as POSIX-format TZ strings. I'd like to see this fixed,
but I suspect too many users would complain.

Rich

On 01/20/2015 08:54 AM, Rich Felker wrote:
> Yes, glibc is wrongly attempting to process strings as filenames
> first, then as POSIX-format TZ strings.

This is OK, so long as all the file names actually installed in the 
system cannot be confused with valid POSIX-format TZ strings.  That is 
the case with the standard time zone database normally installed in 
GNU/Linux systems (at least it is now; long ago there were ambiguities 
but they were removed many years ago).

On 01/20/2015 05:01 PM, Paul Eggert wrote:
> Florian Weimer wrote:
>> This seems to suggest that the glibc behavior is non-compliant.
> 
> No, because POSIX reserves the environment variable name TZDIR for the
> implementation (just as it reserves all upper-case-only names).

Hmm. Does that mean that scrubbing TZ and TZDIR in AT_SECURE mode would
also be compliant?

Anyway, this part of the discussion is only about potential future patch
I might submit.  What about the last iteration of the existing parser fixes?

<https://sourceware.org/ml/libc-alpha/2015-01/msg00360.html>

Okay to commit?

On 01/22/2015 01:54 AM, Florian Weimer wrote:
> Does that mean that scrubbing TZ and TZDIR in AT_SECURE mode would
> also be compliant?
I doubt it, though I can't easily cite chapter and verse on that.

On Thu, Jan 22, 2015 at 10:54:57AM +0100, Florian Weimer wrote:
> On 01/20/2015 05:01 PM, Paul Eggert wrote:
> > Florian Weimer wrote:
> >> This seems to suggest that the glibc behavior is non-compliant.
> > 
> > No, because POSIX reserves the environment variable name TZDIR for the
> > implementation (just as it reserves all upper-case-only names).
> 
> Hmm. Does that mean that scrubbing TZ and TZDIR in AT_SECURE mode would
> also be compliant?

No. Silently removing or modifying env vars is never compliant.

Rich