| Message ID | 20171220202359.7765-1-aurelien@aurel32.net |
|---|---|
| State | New |
| Headers | show |
| Series | [v3] elf: Check for empty tokens before dynamic string token expansion [BZ #22625] | expand |
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote: > The fillin_rpath function in elf/dl-load.c loops over each RPATH or > RUNPATH tokens and interprets empty tokens as the current directory > ("./"). In practice the check for empty token is done *after* the > dynamic string token expansion. The expansion process can return an > empty string for the $ORIGIN token if __libc_enable_secure is set > or if the path of the binary can not be determined (/proc not mounted). > > Fix that by moving the check for empty tokens before the dynamic string > token expansion. In addition, check for NULL pointer or empty strings > return by expand_dynamic_string_token. > > The above changes highlighted a bug in decompose_rpath, an empty array > is represented by the first element being NULL at the fillin_rpath > level, but by using a -1 pointer in decompose_rpath and other functions. > > Changelog: > [BZ #22625] > * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic > string token expansion. Check for NULL pointer or empty string possibly > returned by expand_dynamic_string_token. > (decompose_rpath): Check for empty path after dynamic string > token expansion. > --- > ChangeLog | 10 ++++++++++ > NEWS | 4 ++++ > elf/dl-load.c | 35 ++++++++++++++++++++++++++--------- > 3 files changed, 40 insertions(+), 9 deletions(-) [...] > - /* `strsep' can pass an empty string. This has to be > - interpreted as `use the current directory'. */ > - if (len == 0) > - { > - static const char curwd[] = "./"; > - cp = (char *) curwd; > + /* Compute the length after dynamic string token expansion and > + ignore empty paths. */ > + len = strlen (cp); > + if (len == 0) > + { > + free (to_free); > + continue; > + } The leading 8+ spaces are not replaced by tabs in these newly added lines. As other lines in this file seem to use tabs, it might be a good idea to follow the same style. Besides that, the change is fine.
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote: > The fillin_rpath function in elf/dl-load.c loops over each RPATH or > RUNPATH tokens and interprets empty tokens as the current directory > ("./"). In practice the check for empty token is done *after* the > dynamic string token expansion. The expansion process can return an > empty string for the $ORIGIN token if __libc_enable_secure is set > or if the path of the binary can not be determined (/proc not mounted). > > Fix that by moving the check for empty tokens before the dynamic string > token expansion. In addition, check for NULL pointer or empty strings > return by expand_dynamic_string_token. > > The above changes highlighted a bug in decompose_rpath, an empty array > is represented by the first element being NULL at the fillin_rpath > level, but by using a -1 pointer in decompose_rpath and other functions. > > Changelog: > [BZ #22625] > * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic > string token expansion. Check for NULL pointer or empty string possibly > returned by expand_dynamic_string_token. > (decompose_rpath): Check for empty path after dynamic string > token expansion. > --- > ChangeLog | 10 ++++++++++ > NEWS | 4 ++++ > elf/dl-load.c | 35 ++++++++++++++++++++++++++--------- > 3 files changed, 40 insertions(+), 9 deletions(-) > > diff --git a/ChangeLog b/ChangeLog > index 35d1d102f6..0ed4d0ab15 100644 > --- a/ChangeLog > +++ b/ChangeLog > @@ -1,3 +1,13 @@ > +2017-12-20 Aurelien Jarno <aurelien@aurel32.net> > + Dmitry V. Levin <ldv@altlinux.org> > + > + [BZ #22625] > + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic > + string token expansion. Check for NULL pointer or empty string possibly > + returned by expand_dynamic_string_token. > + (decompose_rpath): Check for empty path after dynamic string > + token expansion. > + > 2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org> > > * nptl/Makefile (libpthread-routines): Add pthread_join_common. > diff --git a/NEWS b/NEWS > index a43ff26e83..0d43e93a17 100644 > --- a/NEWS > +++ b/NEWS > @@ -149,6 +149,10 @@ Security related changes: > CVE-2017-1000366 has been applied, but it is mentioned here only because > of the CVE assignment.) Reported by Qualys. > > + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN > + for AT_SECURE or SUID binaries could be used to load libraries from the > + current directory. > + > The following bugs are resolved with this release: > > [The release manager will add the list generated by > diff --git a/elf/dl-load.c b/elf/dl-load.c > index 2964464158..955eb49ecb 100644 > --- a/elf/dl-load.c > +++ b/elf/dl-load.c > @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, > { > char *cp; > size_t nelems = 0; > - char *to_free; > > while ((cp = __strsep (&rpath, sep)) != NULL) > { > struct r_search_path_elem *dirp; > + char *to_free = NULL; > + size_t len = 0; > > - to_free = cp = expand_dynamic_string_token (l, cp, 1); > + /* `strsep' can pass an empty string. */ > + if (*cp != '\0') > + { > + to_free = cp = expand_dynamic_string_token (l, cp, 1); > > - size_t len = strlen (cp); > + /* expand_dynamic_string_token can return NULL in case of empty > + path or memory allocation failure. */ > + if (cp == NULL) > + continue; > > - /* `strsep' can pass an empty string. This has to be > - interpreted as `use the current directory'. */ > - if (len == 0) > - { > - static const char curwd[] = "./"; > - cp = (char *) curwd; > + /* Compute the length after dynamic string token expansion and > + ignore empty paths. */ > + len = strlen (cp); > + if (len == 0) > + { > + free (to_free); > + continue; > + } > } > > /* Remove trailing slashes (except for "/"). */ The longer I look at this hunk of fillin_rpath, the more I think that moving "Remove trailing slashes" and "Now add one" code inside "if (*cp != '\0')" statement will make fillin_rpath a bit more readable.
On 2017-12-29 16:07, Dmitry V. Levin wrote: > On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote: > > The fillin_rpath function in elf/dl-load.c loops over each RPATH or > > RUNPATH tokens and interprets empty tokens as the current directory > > ("./"). In practice the check for empty token is done *after* the > > dynamic string token expansion. The expansion process can return an > > empty string for the $ORIGIN token if __libc_enable_secure is set > > or if the path of the binary can not be determined (/proc not mounted). > > > > Fix that by moving the check for empty tokens before the dynamic string > > token expansion. In addition, check for NULL pointer or empty strings > > return by expand_dynamic_string_token. > > > > The above changes highlighted a bug in decompose_rpath, an empty array > > is represented by the first element being NULL at the fillin_rpath > > level, but by using a -1 pointer in decompose_rpath and other functions. > > > > Changelog: > > [BZ #22625] > > * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic > > string token expansion. Check for NULL pointer or empty string possibly > > returned by expand_dynamic_string_token. > > (decompose_rpath): Check for empty path after dynamic string > > token expansion. > > --- > > ChangeLog | 10 ++++++++++ > > NEWS | 4 ++++ > > elf/dl-load.c | 35 ++++++++++++++++++++++++++--------- > > 3 files changed, 40 insertions(+), 9 deletions(-) > > > > diff --git a/ChangeLog b/ChangeLog > > index 35d1d102f6..0ed4d0ab15 100644 > > --- a/ChangeLog > > +++ b/ChangeLog > > @@ -1,3 +1,13 @@ > > +2017-12-20 Aurelien Jarno <aurelien@aurel32.net> > > + Dmitry V. Levin <ldv@altlinux.org> > > + > > + [BZ #22625] > > + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic > > + string token expansion. Check for NULL pointer or empty string possibly > > + returned by expand_dynamic_string_token. > > + (decompose_rpath): Check for empty path after dynamic string > > + token expansion. > > + > > 2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org> > > > > * nptl/Makefile (libpthread-routines): Add pthread_join_common. > > diff --git a/NEWS b/NEWS > > index a43ff26e83..0d43e93a17 100644 > > --- a/NEWS > > +++ b/NEWS > > @@ -149,6 +149,10 @@ Security related changes: > > CVE-2017-1000366 has been applied, but it is mentioned here only because > > of the CVE assignment.) Reported by Qualys. > > > > + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN > > + for AT_SECURE or SUID binaries could be used to load libraries from the > > + current directory. > > + > > The following bugs are resolved with this release: > > > > [The release manager will add the list generated by > > diff --git a/elf/dl-load.c b/elf/dl-load.c > > index 2964464158..955eb49ecb 100644 > > --- a/elf/dl-load.c > > +++ b/elf/dl-load.c > > @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, > > { > > char *cp; > > size_t nelems = 0; > > - char *to_free; > > > > while ((cp = __strsep (&rpath, sep)) != NULL) > > { > > struct r_search_path_elem *dirp; > > + char *to_free = NULL; > > + size_t len = 0; > > > > - to_free = cp = expand_dynamic_string_token (l, cp, 1); > > + /* `strsep' can pass an empty string. */ > > + if (*cp != '\0') > > + { > > + to_free = cp = expand_dynamic_string_token (l, cp, 1); > > > > - size_t len = strlen (cp); > > + /* expand_dynamic_string_token can return NULL in case of empty > > + path or memory allocation failure. */ > > + if (cp == NULL) > > + continue; > > > > - /* `strsep' can pass an empty string. This has to be > > - interpreted as `use the current directory'. */ > > - if (len == 0) > > - { > > - static const char curwd[] = "./"; > > - cp = (char *) curwd; > > + /* Compute the length after dynamic string token expansion and > > + ignore empty paths. */ > > + len = strlen (cp); > > + if (len == 0) > > + { > > + free (to_free); > > + continue; > > + } > > } > > > > /* Remove trailing slashes (except for "/"). */ > > The longer I look at this hunk of fillin_rpath, the more I think > that moving "Remove trailing slashes" and "Now add one" code inside > "if (*cp != '\0')" statement will make fillin_rpath a bit more readable. I am testing this solution I'll send a new version of this patch if all is working fine.
diff --git a/ChangeLog b/ChangeLog index 35d1d102f6..0ed4d0ab15 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,13 @@ +2017-12-20 Aurelien Jarno <aurelien@aurel32.net> + Dmitry V. Levin <ldv@altlinux.org> + + [BZ #22625] + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic + string token expansion. Check for NULL pointer or empty string possibly + returned by expand_dynamic_string_token. + (decompose_rpath): Check for empty path after dynamic string + token expansion. + 2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org> * nptl/Makefile (libpthread-routines): Add pthread_join_common. diff --git a/NEWS b/NEWS index a43ff26e83..0d43e93a17 100644 --- a/NEWS +++ b/NEWS @@ -149,6 +149,10 @@ Security related changes: CVE-2017-1000366 has been applied, but it is mentioned here only because of the CVE assignment.) Reported by Qualys. + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN + for AT_SECURE or SUID binaries could be used to load libraries from the + current directory. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/elf/dl-load.c b/elf/dl-load.c index 2964464158..955eb49ecb 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, { char *cp; size_t nelems = 0; - char *to_free; while ((cp = __strsep (&rpath, sep)) != NULL) { struct r_search_path_elem *dirp; + char *to_free = NULL; + size_t len = 0; - to_free = cp = expand_dynamic_string_token (l, cp, 1); + /* `strsep' can pass an empty string. */ + if (*cp != '\0') + { + to_free = cp = expand_dynamic_string_token (l, cp, 1); - size_t len = strlen (cp); + /* expand_dynamic_string_token can return NULL in case of empty + path or memory allocation failure. */ + if (cp == NULL) + continue; - /* `strsep' can pass an empty string. This has to be - interpreted as `use the current directory'. */ - if (len == 0) - { - static const char curwd[] = "./"; - cp = (char *) curwd; + /* Compute the length after dynamic string token expansion and + ignore empty paths. */ + len = strlen (cp); + if (len == 0) + { + free (to_free); + continue; + } } /* Remove trailing slashes (except for "/"). */ @@ -594,6 +603,14 @@ decompose_rpath (struct r_search_path_struct *sps, necessary. */ free (copy); + /* There is no path after expansion. */ + if (result[0] == NULL) + { + free (result); + sps->dirs = (struct r_search_path_elem **) -1; + return false; + } + sps->dirs = result; /* The caller will change this value if we haven't used a real malloc. */ sps->malloced = 1;
The fillin_rpath function in elf/dl-load.c loops over each RPATH or RUNPATH tokens and interprets empty tokens as the current directory ("./"). In practice the check for empty token is done *after* the dynamic string token expansion. The expansion process can return an empty string for the $ORIGIN token if __libc_enable_secure is set or if the path of the binary can not be determined (/proc not mounted). Fix that by moving the check for empty tokens before the dynamic string token expansion. In addition, check for NULL pointer or empty strings return by expand_dynamic_string_token. The above changes highlighted a bug in decompose_rpath, an empty array is represented by the first element being NULL at the fillin_rpath level, but by using a -1 pointer in decompose_rpath and other functions. Changelog: [BZ #22625] * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic string token expansion. Check for NULL pointer or empty string possibly returned by expand_dynamic_string_token. (decompose_rpath): Check for empty path after dynamic string token expansion. --- ChangeLog | 10 ++++++++++ NEWS | 4 ++++ elf/dl-load.c | 35 ++++++++++++++++++++++++++--------- 3 files changed, 40 insertions(+), 9 deletions(-)