[v4] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
Commit Message
C programs which use uninitialized stack variables can be exploited if an attacker
can control the contents of memory where the buggy function's stack frame lands.
If the buggy function is called very early in the program's execution, that memory
might still hold values written by ld.so, so manipulation of ld.so is one way to
carry out such an exploit.
But how can an unprivileged user, running a set-UID program, cause ld.so to write arbitrary data onto the stack? One way is to assign it to LD_DEBUG. When printing the
resulting warning message, ld.so uses alloca to create a buffer on the stack, and
copies the entire contents of LD_DEBUG into it (even if it is dozens of kilobytes long).
Of course, people shouldn't write programs which use uninitialized variables, but it
is easy enough to plug this hole if they do. Simply avoid copying the string onto the
stack. Because the string may not be null-terminated, we need to provide a string
length to _dl_error_printf.
---
As suggested by Paul Eggert, the warning message printed when LD_DEBUG has an
unrecognized value is now limited to a reasonable length.
elf/dl-misc.c | 7 ++++---
elf/rtld.c | 9 +++++----
2 files changed, 9 insertions(+), 7 deletions(-)
Comments
On 08/10/2015 08:04 PM, Alex Dowad wrote:
> C programs which use uninitialized stack variables can be exploited if an attacker
> can control the contents of memory where the buggy function's stack frame lands.
> If the buggy function is called very early in the program's execution, that memory
> might still hold values written by ld.so, so manipulation of ld.so is one way to
> carry out such an exploit.
Could you write a test case for this in some way? I wonder what else
ends up on the stack.
@@ -143,7 +143,7 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
++fmt;
}
- /* See whether with comes from a parameter. Note that no other
+ /* See whether width comes from a parameter. Note that no other
way to specify the width is implemented. */
if (*fmt == '*')
{
@@ -205,9 +205,10 @@ _dl_debug_vdprintf (int fd, int tag_p, const char *fmt, va_list arg)
case 's':
/* Get the string argument. */
iov[niov].iov_base = va_arg (arg, char *);
- iov[niov].iov_len = strlen (iov[niov].iov_base);
if (prec != -1)
- iov[niov].iov_len = MIN ((size_t) prec, iov[niov].iov_len);
+ iov[niov].iov_len = strnlen (iov[niov].iov_base, (size_t) prec);
+ else
+ iov[niov].iov_len = strlen (iov[niov].iov_base);
++niov;
break;
@@ -2404,10 +2404,11 @@ process_dl_debug (const char *dl_debug)
if (cnt == ndebopts)
{
/* Display a warning and skip everything until next
- separator. */
- char *copy = strndupa (dl_debug, len);
- _dl_error_printf ("\
-warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
+ separator. */
+ int deblen = MIN(len, 100);
+ _dl_error_printf ("warning: debug option '%.*s%s' unknown;"
+ " try LD_DEBUG=help\n",
+ deblen, dl_debug, len <= 100 ? "" : "...");
}
dl_debug += len;