elf: Count components of the expanded path in _dl_init_path [BZ #22607]
Commit Message
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22607]
CVE-2017-1000409
* elf/dl-load.c (_dl_init_paths): Compute number of components in
the expanded path string.
Comments
On Dez 14 2017, fweimer@redhat.com (Florian Weimer) wrote:
> + {
> + const char *cp = llp_tmp;
> + while (*cp)
> + {
> + if (*cp == ':' || *cp == ';')
> + ++nllp;
> + ++cp;
> + }
> + }
No need for the outermost braces.
Andreas.
On 12/14/2017 02:45 PM, Andreas Schwab wrote:
> On Dez 14 2017, fweimer@redhat.com (Florian Weimer) wrote:
>
>> + {
>> + const char *cp = llp_tmp;
>> + while (*cp)
>> + {
>> + if (*cp == ':' || *cp == ';')
>> + ++nllp;
>> + ++cp;
>> + }
>> + }
>
> No need for the outermost braces.
I included them to limit the scope of cp, to make sure that there aren't
any uses afterwards because of the changed value of cp compared to the
original code.
Thanks,
Florian
On Thu, Dec 14, 2017 at 02:31:25PM +0100, Florian Weimer wrote:
> 2017-12-14 Florian Weimer <fweimer@redhat.com>
>
> [BZ #22607]
> CVE-2017-1000409
> * elf/dl-load.c (_dl_init_paths): Compute number of components in
> the expanded path string.
>
> diff --git a/NEWS b/NEWS
> index eef51b65a6..c5607c855f 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -130,6 +130,12 @@ Security related changes:
> it is mentioned here only because of the CVE assignment.) Reported by
> Qualys.
>
> + CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
> + of the number of search path components. (This is not a security
> + vulnerability per se because no trust boundary is crossed if the fix for
> + CVE-2017-1000366 has been applied, but it is mentioned here only because
> + of the CVE assignment.) Reported by Qualys.
> +
> The following bugs are resolved with this release:
>
> [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 82c9f46050..540f91f9d6 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
>
> if (llp != NULL && *llp != '\0')
> {
> - size_t nllp;
> - const char *cp = llp;
> char *llp_tmp;
>
> #ifdef SHARED
> @@ -797,13 +795,16 @@ _dl_init_paths (const char *llp)
>
> /* Decompose the LD_LIBRARY_PATH contents. First determine how many
> elements it has. */
> - nllp = 1;
> - while (*cp)
> - {
> - if (*cp == ':' || *cp == ';')
> - ++nllp;
> - ++cp;
> - }
> + size_t nllp = 1;
> + {
> + const char *cp = llp_tmp;
> + while (*cp)
> + {
> + if (*cp == ':' || *cp == ';')
> + ++nllp;
> + ++cp;
> + }
> + }
I'd really prefer to see a "for" statement here, e.g.
+ size_t nllp = 1;
+ {
+ const char *cp;
+ for (cp = llp_tmp; *cp; ++cp)
+ {
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
+ }
+ }
On Dez 14 2017, Florian Weimer <fweimer@redhat.com> wrote:
> On 12/14/2017 02:45 PM, Andreas Schwab wrote:
>> On Dez 14 2017, fweimer@redhat.com (Florian Weimer) wrote:
>>
>>> + {
>>> + const char *cp = llp_tmp;
>>> + while (*cp)
>>> + {
>>> + if (*cp == ':' || *cp == ';')
>>> + ++nllp;
>>> + ++cp;
>>> + }
>>> + }
>>
>> No need for the outermost braces.
>
> I included them to limit the scope of cp, to make sure that there aren't
> any uses afterwards because of the changed value of cp compared to the
> original code.
Since it is obviously unused afterwards I don't see any value for that.
Andreas.
@@ -130,6 +130,12 @@ Security related changes:
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
+ CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation
+ of the number of search path components. (This is not a security
+ vulnerability per se because no trust boundary is crossed if the fix for
+ CVE-2017-1000366 has been applied, but it is mentioned here only because
+ of the CVE assignment.) Reported by Qualys.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
@@ -773,8 +773,6 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
char *llp_tmp;
#ifdef SHARED
@@ -797,13 +795,16 @@ _dl_init_paths (const char *llp)
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ {
+ const char *cp = llp_tmp;
+ while (*cp)
+ {
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
+ ++cp;
+ }
+ }
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));