[v4] Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug, 23259, CVE-2011-0536 ).
Commit Message
On 06/06/2018 04:18 PM, Carlos O'Donell wrote:
> On 06/06/2018 12:10 PM, Carlos O'Donell wrote:
>> On 06/06/2018 01:02 AM, Carlos O'Donell wrote:
>>> This commit improves DST handling significantly in the following
>>
>> v2
>>
>> - Fix is_dst() by adding back string comparison, and clarify comment.
>> Added extra test testcases (49 now) to cover this error.
>> - Renamed parameters as 'input' for data from ELF file, and 'ref' as
>> reference DST to compare against.
>> - Removed dead update to name in is_dst().
>> - Killed DL_DST_COUNT, not needed really, and a weak optimization.
>> - Did not remove len from _dl_dst_count because we use it to advance
>> input more quickly to the next DST.
>>
>
> v3
> - Use memcmp in is_dst().
> - In _dl_dst_substitute use 'len != 0' conditional to clarify that
> all we are looking to do is distinguish between a valid DST
> for which we don't recognize the DST, and an invalid DST which
> may just be stray characters which we will copy to the result.
> - Added a few more tests: Small invalid sequence e.g. ${}, and
> large valid sequence with unknown DST.
>
v4
- Remove ":" logic from _dl_dst_substitute, and rewrite exception
logic without the double negative, and in general cleanup the
function to make it clear we accept only single path elements
for processing.
- Cleanup comments regarding RESULT size and what is required.
- Adjust is_dst() comment to note that $ is not counted in length
returned.
- Fix _dl_dst_substitute exception logic to check for NULL separator
between non-first path since fillin_rpath and other callers will
use strsep to split colon separated path elements. This fixes
the case tested by test 19.
This commit improves DST handling significantly in the following
ways: firstly is_dst () is overhauled to correctly process DST
sequences that would be accepted given the ELF gABI. This means that
we actually now accept slightly more sequences than before. Now we
accept $ORIGIN$ORIGIN, but in the past we accepted only $ORIGIN\0 or
$ORIGIN/..., but this kind of behaviour results in unexpected
and uninterpreted DST sequences being used as literal search paths
leading to security defects. Therefore the first step in correcting
this defect is making is_dst () properly account for all DSTs
and making the function context free in the sense that it counts
DSTs without knowledge of path, or AT_SECURE. Next, _dl_dst_count ()
is also simplified to count all DSTs regardless of context.
Then in _dl_dst_substitute () we reintroduce context-dependent
processing for such things as AT_SECURE handling. At the level of
_dl_dst_substitute we can have access to things like the true start
of the string sequence to validate $ORIGIN-based paths rooted in
trusted directories. Lastly, callers of _dl_dst_substitute () are
adjusted to pass in the start of their string sequences, this includes
expand_dynamic_string_token () and fillin_rpath (). Lastly, after this
commit we tighten up the accepted sequences in AT_SECURE, and avoid
leaving unexpanded DSTs, this is noted in the NEWS entry.
Verified with a sequence of 63 tests on x86_64 that cover
non-AT_SECURE and AT_SECURE testing using a sysroot (requires root
to run). The tests cover cases for bug 23102, bug 21942, bug 18018,
and bug 23259. These tests are not yet appropriate for the glibc
regression testsuite, but with the upcoming test-in-container testing
framework it should be possible to include these tests upstream soon.
See the mailing list for the tests:
https://www.sourceware.org/ml/libc-alpha/2018-06/msg00073.html
---
ChangeLog | 20 +++++
NEWS | 10 +++
elf/dl-deps.c | 4 +-
elf/dl-dst.h | 13 ---
elf/dl-load.c | 210 ++++++++++++++++++++++++++++++---------------
sysdeps/generic/ldsodefs.h | 5 +-
6 files changed, 177 insertions(+), 85 deletions(-)
Comments
On 06/08/2018 07:45 AM, Carlos O'Donell wrote:
> + /* For SUID/GUID programs we normally ignore the path with
> + a DST in DT_RUNPATH, or DT_RPATH. However, there is
> + one exception to this rule, and it is:
> +
> + * $ORIGIN appears first in the path element, and is
> + the only thing in the element or is immediately
> + followed by a path separator and the rest of the
> + path.
> +
> + * The path element is rooted in a trusted directory.
> +
> + This exception allows such programs to reference
> + shared libraries in subdirectories of trusted
> + directories. The use case is one of general
> + organization and deployment flexibility.
> + Trusted directories are usually such paths as "/lib64"
> + or "/lib". */
> + if (__glibc_unlikely (__libc_enable_secure)
> + && !((input == start + 1
> + || (input > start + 1 && input[-2] == '\0'))
> + && (input[len] == '\0' || input[len] == '/')))
> + repl = (const char *) -1;
The comment does not match the code: The code checks that $ORIGIN comes
first in the *path*, not *path element* (hence the need for the start
variable). I'm not sure what the right behavior is here. Going by path
element seems more correct.
(The begin variable doesn't seem to add much value, as you noted.)
Thanks,
Florian
On 06/08/2018 01:51 AM, Florian Weimer wrote:
> On 06/08/2018 07:45 AM, Carlos O'Donell wrote:
>> + /* For SUID/GUID programs we normally ignore the path with
>> + a DST in DT_RUNPATH, or DT_RPATH. However, there is
>> + one exception to this rule, and it is:
>> +
>> + * $ORIGIN appears first in the path element, and is
>> + the only thing in the element or is immediately
>> + followed by a path separator and the rest of the
>> + path.
>> +
>> + * The path element is rooted in a trusted directory.
>> +
>> + This exception allows such programs to reference
>> + shared libraries in subdirectories of trusted
>> + directories. The use case is one of general
>> + organization and deployment flexibility.
>> + Trusted directories are usually such paths as "/lib64"
>> + or "/lib". */
>> + if (__glibc_unlikely (__libc_enable_secure)
>> + && !((input == start + 1
>> + || (input > start + 1 && input[-2] == '\0'))
>> + && (input[len] == '\0' || input[len] == '/')))
>> + repl = (const char *) -1;
>
> The comment does not match the code: The code checks that $ORIGIN
> comes first in the *path*, not *path element* (hence the need for the
> start variable). I'm not sure what the right behavior is here.
> Going by path element seems more correct.
Sorry, there is a bit of confusion regarding terminology here.
When you have multiple colon separated paths in DT_RUNPATH or
DT_RPATH, what is each path called? Are they path elements?
Or are we calling path elements only those things that are
between slashes in a singular path?
It seems context dependent, but I understand the confusion.
[/path/dir:/path/dir1:/path/dir2]
^^^^^^^^^ --- What do we call this in the context of multiple paths?
Just a 'path' ?
I consider the following valid:
[$ORIGIN/../$LIB]
I do *not* consider the following valid:
[$LIB/../$ORIGIN/../$LIB]
Even though they are the same path.
I believe the glibc exception was a very *narrow* exception which
allowed only $ORIGIN-starting paths rooted in trusted directories
to be allowed for SUID/SGID. It's just easier to explain to
developers.
In the abstract all we really care about is that the result be
rooted in a trusted directory. So in that case the appearance
of *any* DST would enable check_for_trusted. That would be an
expansion of what is allowed for SUID/SGID though, and I'm not
sure I want to do that any further.
Thoughts?
Cheers,
Carlos.
On 06/08/2018 08:03 AM, Carlos O'Donell wrote:
> On 06/08/2018 01:51 AM, Florian Weimer wrote:
>> On 06/08/2018 07:45 AM, Carlos O'Donell wrote:
>>> + /* For SUID/GUID programs we normally ignore the path with
>>> + a DST in DT_RUNPATH, or DT_RPATH. However, there is
>>> + one exception to this rule, and it is:
>>> +
>>> + * $ORIGIN appears first in the path element, and is
>>> + the only thing in the element or is immediately
>>> + followed by a path separator and the rest of the
>>> + path.
>>> +
>>> + * The path element is rooted in a trusted directory.
>>> +
>>> + This exception allows such programs to reference
>>> + shared libraries in subdirectories of trusted
>>> + directories. The use case is one of general
>>> + organization and deployment flexibility.
>>> + Trusted directories are usually such paths as "/lib64"
>>> + or "/lib". */
>>> + if (__glibc_unlikely (__libc_enable_secure)
>>> + && !((input == start + 1
>>> + || (input > start + 1 && input[-2] == '\0'))
>>> + && (input[len] == '\0' || input[len] == '/')))
>>> + repl = (const char *) -1;
>>
>> The comment does not match the code: The code checks that $ORIGIN
>> comes first in the *path*, not *path element* (hence the need for the
>> start variable). I'm not sure what the right behavior is here.
>> Going by path element seems more correct.
> Sorry, there is a bit of confusion regarding terminology here.
>
> When you have multiple colon separated paths in DT_RUNPATH or
> DT_RPATH, what is each path called? Are they path elements?
>
> Or are we calling path elements only those things that are
> between slashes in a singular path?
>
> It seems context dependent, but I understand the confusion.
>
> [/path/dir:/path/dir1:/path/dir2]
> ^^^^^^^^^ --- What do we call this in the context of multiple paths?
>
> Just a 'path' ?
>
> I consider the following valid:
>
> [$ORIGIN/../$LIB]
I'm actually asking about this:
[$LIB:$ORIGIN/../$LIB]
Doesn't the current code reject this?
(Some of the callers split at :, not /.)
Thanks,
Florian
On 06/08/2018 02:25 AM, Florian Weimer wrote:
> On 06/08/2018 08:03 AM, Carlos O'Donell wrote:
>> On 06/08/2018 01:51 AM, Florian Weimer wrote:
>>> On 06/08/2018 07:45 AM, Carlos O'Donell wrote:
>>>> + /* For SUID/GUID programs we normally ignore the path with
>>>> + a DST in DT_RUNPATH, or DT_RPATH. However, there is
>>>> + one exception to this rule, and it is:
>>>> +
>>>> + * $ORIGIN appears first in the path element, and is
>>>> + the only thing in the element or is immediately
>>>> + followed by a path separator and the rest of the
>>>> + path.
>>>> +
>>>> + * The path element is rooted in a trusted directory.
>>>> +
>>>> + This exception allows such programs to reference
>>>> + shared libraries in subdirectories of trusted
>>>> + directories. The use case is one of general
>>>> + organization and deployment flexibility.
>>>> + Trusted directories are usually such paths as "/lib64"
>>>> + or "/lib". */
>>>> + if (__glibc_unlikely (__libc_enable_secure)
>>>> + && !((input == start + 1
>>>> + || (input > start + 1 && input[-2] == '\0'))
>>>> + && (input[len] == '\0' || input[len] == '/')))
>>>> + repl = (const char *) -1;
>>>
>>> The comment does not match the code: The code checks that $ORIGIN
>>> comes first in the *path*, not *path element* (hence the need for the
>>> start variable). I'm not sure what the right behavior is here.
>>> Going by path element seems more correct.
>> Sorry, there is a bit of confusion regarding terminology here.
>>
>> When you have multiple colon separated paths in DT_RUNPATH or
>> DT_RPATH, what is each path called? Are they path elements?
>>
>> Or are we calling path elements only those things that are
>> between slashes in a singular path?
>>
>> It seems context dependent, but I understand the confusion.
>>
>> [/path/dir:/path/dir1:/path/dir2]
>> ^^^^^^^^^ --- What do we call this in the context of multiple paths?
>>
>> Just a 'path' ?
>>
>> I consider the following valid:
>>
>> [$ORIGIN/../$LIB]
>
> I'm actually asking about this:
>
> [$LIB:$ORIGIN/../$LIB]
>
> Doesn't the current code reject this?
The current code does not reject this. In fact it accepts $LIB in RPATH
et. al. because there is no code to reject it. Only $ORIGIN has any
restrictions.
The patched code continues to accept [$LIB:$ORIGIN/../$LIB].
> (Some of the callers split at :, not /.)
The fillin_rpath caller splits at ':', generally for DT_RUNPATH and
DT_RPATH. While the other callers do no splitting. Do you see a caller
that splits at '/'?
In summary, the current patch doesn't change the handling of *just* $LIB
for SUID/SGID binaries.
Should all paths get tested for trusted paths for a SUID/SGID binary?
It seems like that's the right idea.
@@ -365,7 +383,8 @@ _dl_dst_substitute (struct link_map *l, const char *start,
/* In SUID/SGID programs, after DST expansion the normalized
path must be rooted in one of the trusted directories. */
- if (__glibc_unlikely (check_for_trusted)
+ if (__glibc_unlikely (__libc_enable_secure)
+ && l->l_type == lt_executable
&& !is_trusted_path_normalize (result, wp - result))
{
*result = '\0';
Just drop check_for_trusted, and execute the is_trusted_path_normalize
check for all SUID/SGID paths?
Cheers,
Carlos.
On 06/11/2018 04:54 AM, Carlos O'Donell wrote:
>>> I consider the following valid:
>>>
>>> [$ORIGIN/../$LIB]
>> I'm actually asking about this:
>>
>> [$LIB:$ORIGIN/../$LIB]
>>
>> Doesn't the current code reject this?
> The current code does not reject this. In fact it accepts $LIB in RPATH
> et. al. because there is no code to reject it. Only $ORIGIN has any
> restrictions.
I meant the $ORIGN part. As far as I understand it, start will not be
close to input for the second part containing origin (after the :), so
this check in _dl_dst_substitute should reject it:
|| (input != start + 1
|| (input > start + 2 && input[-2] != ':'))))
I'm not sure that this is right.
> Should all paths get tested for trusted paths for a SUID/SGID binary?
> It seems like that's the right idea.
>
> @@ -365,7 +383,8 @@ _dl_dst_substitute (struct link_map *l, const char *start,
>
> /* In SUID/SGID programs, after DST expansion the normalized
> path must be rooted in one of the trusted directories. */
> - if (__glibc_unlikely (check_for_trusted)
> + if (__glibc_unlikely (__libc_enable_secure)
> + && l->l_type == lt_executable
> && !is_trusted_path_normalize (result, wp - result))
> {
> *result = '\0';
>
> Just drop check_for_trusted, and execute the is_trusted_path_normalize
> check for all SUID/SGID paths?
No, $ORIGIN in a trusted path is itself trusted (because you cannot
manipulate it using hard links). I think there are installations out
there which depend on this.
Thanks,
Florian
On 06/11/2018 03:28 AM, Florian Weimer wrote:
> On 06/11/2018 04:54 AM, Carlos O'Donell wrote:
>>>> I consider the following valid:
>>>>
>>>> [$ORIGIN/../$LIB]
>>> I'm actually asking about this:
>>>
>>> [$LIB:$ORIGIN/../$LIB]
>>>
>>> Doesn't the current code reject this?
>> The current code does not reject this. In fact it accepts $LIB in RPATH
>> et. al. because there is no code to reject it. Only $ORIGIN has any
>> restrictions.
>
> I meant the $ORIGN part. As far as I understand it, start will not
> be close to input for the second part containing origin (after the
> :), so this check in _dl_dst_substitute should reject it:
The only code that splits on ':' is fillin_rpath, and it passes start
as the start of the whole DT_RUNPATH/DT_RPATH, and uses strsep so there
is no ':' to find.
> || (input != start + 1
> || (input > start + 2 && input[-2] != ':'))))
>
> I'm not sure that this is right.
You are correct, and I fixed this for you based on earlier comments when
I sent out v4. Notice the v4 patch calls this out and I added a test
case for it when you commented on it.
- Fix _dl_dst_substitute exception logic to check for NULL separator
between non-first path since fillin_rpath and other callers will
use strsep to split colon separated path elements. This fixes
the case tested by test 19.
+ /* For SUID/GUID programs we normally ignore the path with
+ a DST in DT_RUNPATH, or DT_RPATH. However, there is
+ one exception to this rule, and it is:
+
+ * $ORIGIN appears first in the path element, and is
+ the only thing in the element or is immediately
+ followed by a path separator and the rest of the
+ path.
+
+ * The path element is rooted in a trusted directory.
+
+ This exception allows such programs to reference
+ shared libraries in subdirectories of trusted
+ directories. The use case is one of general
+ organization and deployment flexibility.
+ Trusted directories are usually such paths as "/lib64"
+ or "/lib". */
+ if (__glibc_unlikely (__libc_enable_secure)
+ && !((input == start + 1
+ || (input > start + 1 && input[-2] == '\0'))
+ && (input[len] == '\0' || input[len] == '/')))
The sequence in question:
+ && !((input == start + 1
+ || (input > start + 1 && input[-2] == '\0'))
Will match:
[$ORIGIN\0...]
^--- start
^--- input
input == start + 1
or
[...........\0$ORIGIN]
^--- start ^--- input
input > start + 1 (not the first path element)
&& input[-2] == '\0' (first in the path element)
Does that answer your question?
However, I see your point now that start itself can also be deleted.
If we are only ever handling single paths, we can remove start from the API
and just track the start of the singular sequence.
I will clean up the code further.
I will also remove a ":" check in is_trusted_path_normalize().
>> Should all paths get tested for trusted paths for a SUID/SGID binary?
>> It seems like that's the right idea.
>>
>> @@ -365,7 +383,8 @@ _dl_dst_substitute (struct link_map *l, const char *start,
>>
>> /* In SUID/SGID programs, after DST expansion the normalized
>> path must be rooted in one of the trusted directories. */
>> - if (__glibc_unlikely (check_for_trusted)
>> + if (__glibc_unlikely (__libc_enable_secure)
>> + && l->l_type == lt_executable
>> && !is_trusted_path_normalize (result, wp - result))
>> {
>> *result = '\0';
>>
>> Just drop check_for_trusted, and execute the is_trusted_path_normalize
>> check for all SUID/SGID paths?
>
> No, $ORIGIN in a trusted path is itself trusted (because you cannot
> manipulate it using hard links). I think there are installations out
> there which depend on this.
Understood.
I think a clearer statement would be like this:
The $LIB and $PLATFORM DST cannot in any way be manipulated by the caller
because they are fixed values that are set by the dynamic loader and therefore
any paths using just $LIB or $PLATFORM need not be checked for trust, the
authors of the binaries themselves are trusted to have designed this correctly.
Only $ORIGIN is tested in this way because it may be manipulated in some ways
with hard links.
I will add something like this as a comment.
Cheers,
Carlos.
@@ -1,3 +1,23 @@
+2018-06-06 Carlos O'Donell <carlos@redhat.com>
+ Andreas Schwab <schwab@suse.de>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ [BZ #23102]
+ [BZ #21942]
+ [BZ #18018]
+ [BZ #23259]
+ CVE-2011-0536
+ * elf/dl-load.c (is_dst): Comment. Support ELF gABI.
+ (_dl_dst_count): Comment. Simplify and count DSTs.
+ (_dl_dst_substitute): Comment. Support __libc_enable_secure handling.
+ Add string start to arguments.
+ (expand_dybamic_string_token): Comment. Accept path start.
+ (fillin_rpath): Pass string start to expand_dynamic_string_token.
+ * sysdeps/generic/ldsodefs.h: _dl_dst_substitute takes additiional
+ string start argument.
+ * elf/dl-deps.c (expand_dst): Adjust call to _dl_dst_substitute.
+ * elf/dl-dst.h: Remove DL_DST_COUNT.
+
2018-06-05 Joseph Myers <joseph@codesourcery.com>
* sysdeps/unix/sysv/linux/aarch64/bits/hwcap.h (HWCAP_DIT): New
@@ -41,6 +41,16 @@ Major new features:
NI_IDN_ALLOW_UNASSIGNED, NI_IDN_USE_STD3_ASCII_RULES) have been
deprecated. They no longer have any effect.
+* Parsing of dynamic string tokens in DT_RPATH, DT_RUNPATH, and DT_NEEDED
+ has been expanded to support the full range of ELF gABI expressions
+ including such constructs as '$ORIGIN$ORIGIN' (if valid). For SUID/GUID
+ applications the rules have been further restricted, and where in the
+ past a dynamic string token sequence may have been interpreted as a
+ literal string it will now cause a load failure. These load failures
+ were always considered unspecified behaviour from the perspective of the
+ dynamic loader, and for safety are now load errors e.g. /foo/${ORIGIN}.so
+ in DT_NEEDED results in a load failure now.
+
Deprecated and removed features, and other changes affecting compatibility:
* The nonstandard header files <libio.h> and <_G_config.h> are no longer
@@ -100,7 +100,7 @@ struct list
({ \
const char *__str = (str); \
const char *__result = __str; \
- size_t __dst_cnt = DL_DST_COUNT (__str); \
+ size_t __dst_cnt = _dl_dst_count (__str); \
\
if (__dst_cnt != 0) \
{ \
@@ -114,7 +114,7 @@ DST not allowed in SUID/SGID programs")); \
__newp = (char *) alloca (DL_DST_REQUIRED (l, __str, strlen (__str), \
__dst_cnt)); \
\
- __result = _dl_dst_substitute (l, __str, __newp); \
+ __result = _dl_dst_substitute (l, __str, __str, __newp); \
\
if (*__result == '\0') \
{ \
@@ -18,19 +18,6 @@
#include "trusted-dirs.h"
-/* Determine the number of DST elements in the name. Only if IS_PATH is
- nonzero paths are recognized (i.e., multiple, ':' separated filenames). */
-#define DL_DST_COUNT(name) \
- ({ \
- size_t __cnt = 0; \
- const char *__sf = strchr (name, '$'); \
- \
- if (__glibc_unlikely (__sf != NULL)) \
- __cnt = _dl_dst_count (__sf); \
- \
- __cnt; })
-
-
#ifdef SHARED
# define IS_RTLD(l) (l) == &GL(dl_rtld_map)
#else
@@ -177,114 +177,181 @@ is_trusted_path_normalize (const char *path, size_t len)
return false;
}
+/* Given a substring starting at INPUT, just after the DST '$' start
+ token, determine if INPUT contains DST token REF, following the
+ ELF gABI rules for DSTs:
+ * Longest possible sequence using the rules (greedy).
+
+ * Must start with a $ (enforced by caller).
+
+ * Must follow $ with one underscore or ASCII [A-Za-z] (caller
+ follows these rules for REF and we enforce the comparison)
+ or '{' (start curly quoted name).
+
+ * Must follow first two characters with zero or more [A-Za-z0-9_]
+ (enforced by caller) or '}' (end curly quoted name).
+
+ If the sequence is a DST matching REF then the length of the DST
+ (excluding the $ sign but including curly braces, if any) is
+ returned, otherwise 0. */
static size_t
-is_dst (const char *start, const char *name, const char *str, int secure)
+is_dst (const char *input, const char *ref)
{
- size_t len;
+ size_t ilen, rlen;
bool is_curly = false;
- if (name[0] == '{')
+ /* Is a ${...} input sequence? */
+ if (input[0] == '{')
{
is_curly = true;
- ++name;
+ ++input;
}
- len = 0;
- while (name[len] == str[len] && name[len] != '\0')
- ++len;
+ /* Find longest valid input sequence. */
+ ilen = 0;
+ while ((input[ilen] >= 'A' && input[ilen] <= 'Z')
+ || (input[ilen] >= 'a' && input[ilen] <= 'z')
+ || (input[ilen] >= '0' && input[ilen] <= '9')
+ || (input[ilen] == '_'))
+ ++ilen;
+
+ rlen = strlen (ref);
+
+ /* Can't be the DST we are looking for. */
+ if (rlen != ilen)
+ return 0;
+
+ /* Compare the DST (no strncmp this early in startup). */
+ if (memcmp (input, ref, ilen) != 0)
+ return 0;
if (is_curly)
{
- if (name[len] != '}')
+ /* Invalid curly sequence! */
+ if (input[ilen] != '}')
return 0;
- /* Point again at the beginning of the name. */
- --name;
- /* Skip over closing curly brace and adjust for the --name. */
- len += 2;
+ /* Count the two curly braces. */
+ ilen += 2;
}
- else if (name[len] != '\0' && name[len] != '/')
- return 0;
-
- if (__glibc_unlikely (secure)
- && ((name[len] != '\0' && name[len] != '/')
- || (name != start + 1)))
- return 0;
- return len;
+ return ilen;
}
-
+/* INPUT is the start of a DST sequence at the first '$' occurrence.
+ If there is a DST we call into _dl_dst_count to count the number of
+ DSTs. We count all known DSTs regardless of __libc_enable_secure;
+ the caller is responsible for enforcing the security of the
+ substitution rules (usually _dl_dst_substitute). */
size_t
-_dl_dst_count (const char *name)
+_dl_dst_count (const char *input)
{
- const char *const start = name;
size_t cnt = 0;
+ input = strchr (input, '$');
+
+ /* Most likely there is no DST. */
+ if (__glibc_likely (input == NULL))
+ return 0;
+
do
{
size_t len;
- /* $ORIGIN is not expanded for SUID/GUID programs (except if it
- is $ORIGIN alone) and it must always appear first in path. */
- ++name;
- if ((len = is_dst (start, name, "ORIGIN", __libc_enable_secure)) != 0
- || (len = is_dst (start, name, "PLATFORM", 0)) != 0
- || (len = is_dst (start, name, "LIB", 0)) != 0)
+ ++input;
+ /* All DSTs must follow ELF gABI rules, see is_dst (). */
+ if ((len = is_dst (input, "ORIGIN")) != 0
+ || (len = is_dst (input, "PLATFORM")) != 0
+ || (len = is_dst (input, "LIB")) != 0)
++cnt;
- name = strchr (name + len, '$');
+ /* There may be more than one DST in the input. */
+ input = strchr (input + len, '$');
}
- while (name != NULL);
+ while (input != NULL);
return cnt;
}
-
+/* Process INPUT for DSTs and store in RESULT using the information
+ from link map L to resolve the DSTs. The value of START must equal
+ the start of the parent string if INPUT is a substring sequence
+ being parsed with a NULL separator e.g. $ORIGIN\0$PLATFORM. This
+ function only handles one path element and does not handle
+ ":"-separated path elements (see fillin_rpath ()). Lastly the size
+ of result in bytes should be at least equal to the value returned
+ by DL_DST_REQUIRED. Note that it is possible for a DT_NEEDED,
+ DT_AUXILIARY, and DT_FILTER entries to have colons, but we treat
+ those as literal colons here, not as path delimeters. */
char *
-_dl_dst_substitute (struct link_map *l, const char *name, char *result)
+_dl_dst_substitute (struct link_map *l, const char *start,
+ const char *input, char *result)
{
- const char *const start = name;
-
/* Now fill the result path. While copying over the string we keep
- track of the start of the last path element. When we come across
- a DST we copy over the value or (if the value is not available)
- leave the entire path element out. */
+ track of the start of the start of the path element i.e. begin.
+ When we come across a DST we copy over the value or (if the value
+ is not available) if the value is not available we discard the
+ path. */
char *wp = result;
- char *last_elem = result;
+ char *begin = result;
bool check_for_trusted = false;
do
{
- if (__glibc_unlikely (*name == '$'))
+ if (__glibc_unlikely (*input == '$'))
{
const char *repl = NULL;
size_t len;
- ++name;
- if ((len = is_dst (start, name, "ORIGIN", __libc_enable_secure)) != 0)
+ ++input;
+ if ((len = is_dst (input, "ORIGIN")) != 0)
{
- repl = l->l_origin;
+ /* For SUID/GUID programs we normally ignore the path with
+ a DST in DT_RUNPATH, or DT_RPATH. However, there is
+ one exception to this rule, and it is:
+
+ * $ORIGIN appears first in the path element, and is
+ the only thing in the element or is immediately
+ followed by a path separator and the rest of the
+ path.
+
+ * The path element is rooted in a trusted directory.
+
+ This exception allows such programs to reference
+ shared libraries in subdirectories of trusted
+ directories. The use case is one of general
+ organization and deployment flexibility.
+ Trusted directories are usually such paths as "/lib64"
+ or "/lib". */
+ if (__glibc_unlikely (__libc_enable_secure)
+ && !((input == start + 1
+ || (input > start + 1 && input[-2] == '\0'))
+ && (input[len] == '\0' || input[len] == '/')))
+ repl = (const char *) -1;
+ else
+ repl = l->l_origin;
+
check_for_trusted = (__libc_enable_secure
&& l->l_type == lt_executable);
}
- else if ((len = is_dst (start, name, "PLATFORM", 0)) != 0)
+ else if ((len = is_dst (input, "PLATFORM")) != 0)
repl = GLRO(dl_platform);
- else if ((len = is_dst (start, name, "LIB", 0)) != 0)
+ else if ((len = is_dst (input, "LIB")) != 0)
repl = DL_DST_LIB;
if (repl != NULL && repl != (const char *) -1)
{
wp = __stpcpy (wp, repl);
- name += len;
+ input += len;
}
- else if (len > 1)
+ else if (len != 0)
{
- /* We cannot use this path element, the value of the
- replacement is unknown. */
- wp = last_elem;
- break;
+ /* We found a valid DST that we know about, but we could
+ not find a replacement value for it, therefore we
+ cannot use this path element and discard it. */
+ *begin = '\0';
+ return result;
}
else
/* No DST we recognize. */
@@ -292,16 +359,19 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result)
}
else
{
- *wp++ = *name++;
+ *wp++ = *input++;
}
}
- while (*name != '\0');
+ while (*input != '\0');
- /* In SUID/SGID programs, after $ORIGIN expansion the normalized
+ /* In SUID/SGID programs, after DST expansion the normalized
path must be rooted in one of the trusted directories. */
if (__glibc_unlikely (check_for_trusted)
- && !is_trusted_path_normalize (last_elem, wp - last_elem))
- wp = last_elem;
+ && !is_trusted_path_normalize (begin, wp - begin))
+ {
+ *begin = '\0';
+ return result;
+ }
*wp = '\0';
@@ -309,13 +379,16 @@ _dl_dst_substitute (struct link_map *l, const char *name, char *result)
}
-/* Return copy of argument with all recognized dynamic string tokens
- ($ORIGIN and $PLATFORM for now) replaced. On some platforms it
- might not be possible to determine the path from which the object
- belonging to the map is loaded. In this case the path element
- containing $ORIGIN is left out. */
+/* Return a malloc allocated copy of INPUT with all recognized DSTs
+ replaced. The value of START must equal the start of the parent
+ string if INPUT is a substring sequence being parsed with NULL
+ separators e.g. $ORIGIN\0$PLATFORM. On some platforms it might not
+ be possible to determine the path from which the object belonging to
+ the map is loaded. In this case the path element containing the DST
+ is left out. On error NULL is returned. */
static char *
-expand_dynamic_string_token (struct link_map *l, const char *s)
+expand_dynamic_string_token (struct link_map *l, const char *start,
+ const char *input)
{
/* We make two runs over the string. First we determine how large the
resulting string is and then we copy it over. Since this is no
@@ -326,21 +399,21 @@ expand_dynamic_string_token (struct link_map *l, const char *s)
char *result;
/* Determine the number of DST elements. */
- cnt = DL_DST_COUNT (s);
+ cnt = _dl_dst_count (input);
/* If we do not have to replace anything simply copy the string. */
if (__glibc_likely (cnt == 0))
- return __strdup (s);
+ return __strdup (input);
/* Determine the length of the substituted string. */
- total = DL_DST_REQUIRED (l, s, strlen (s), cnt);
+ total = DL_DST_REQUIRED (l, input, strlen (input), cnt);
/* Allocate the necessary memory. */
result = (char *) malloc (total + 1);
if (result == NULL)
return NULL;
- return _dl_dst_substitute (l, s, result);
+ return _dl_dst_substitute (l, start, input, result);
}
@@ -387,6 +460,7 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
const char *what, const char *where, struct link_map *l)
{
char *cp;
+ char *start = rpath;
size_t nelems = 0;
while ((cp = __strsep (&rpath, sep)) != NULL)
@@ -398,7 +472,7 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
/* `strsep' can pass an empty string. */
if (*cp != '\0')
{
- to_free = cp = expand_dynamic_string_token (l, cp);
+ to_free = cp = expand_dynamic_string_token (l, start, cp);
/* expand_dynamic_string_token can return NULL in case of empty
path or memory allocation failure. */
@@ -2091,7 +2165,7 @@ _dl_map_object (struct link_map *loader, const char *name,
{
/* The path may contain dynamic string tokens. */
realname = (loader
- ? expand_dynamic_string_token (loader, name)
+ ? expand_dynamic_string_token (loader, name, name)
: __strdup (name));
if (realname == NULL)
fd = -1;
@@ -1108,8 +1108,9 @@ extern const char *_dl_get_origin (void) attribute_hidden;
extern size_t _dl_dst_count (const char *name) attribute_hidden;
/* Substitute DST values. */
-extern char *_dl_dst_substitute (struct link_map *l, const char *name,
- char *result) attribute_hidden;
+extern char *_dl_dst_substitute (struct link_map *l, const char *start,
+ const char *name, char *result)
+ attribute_hidden;
/* Open the shared object NAME, relocate it, and run its initializer if it
hasn't already been run. MODE is as for `dlopen' (see <dlfcn.h>). If