From patchwork Tue Oct 3 17:08:11 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Siddhesh Poyarekar X-Patchwork-Id: 77040 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 90535385CC8E for ; Tue, 3 Oct 2023 17:09:27 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 90535385CC8E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1696352967; bh=1a0fWBPdnW+Tu1zUE/ZtlBb3zkAS8ABX2A2qqUYl2W0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:List-Id: List-Unsubscribe:List-Archive:List-Post:List-Help:List-Subscribe: From; b=p8p8AVjSvb0mchlnPPLXBSl0uiO3Ll19jk44ZZYoNT/9rfxwwP3sQrBZ96DGvgZp4 hofaD3CNHD+uzWfyRTZMphCrbIzU0+8P333aw5k0mzhopX6efSYBak9XSXrFvUS7HH x+o5TNG8pF9tO14j6BBePr2bqtCu+31XO/DLjIJw= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from butterfly.birch.relay.mailchannels.net (butterfly.birch.relay.mailchannels.net [23.83.209.27]) by sourceware.org (Postfix) with ESMTPS id 81AA83858C5E for ; Tue, 3 Oct 2023 17:08:20 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.2 sourceware.org 81AA83858C5E Authentication-Results: sourceware.org; dmarc=fail (p=none dis=none) header.from=sourceware.org Authentication-Results: sourceware.org; spf=fail smtp.mailfrom=sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org Received: from relay.mailchannels.net (localhost [127.0.0.1]) by relay.mailchannels.net (Postfix) with ESMTP id 0871D81B37; Tue, 3 Oct 2023 17:08:19 +0000 (UTC) Received: from pdx1-sub0-mail-a208.dreamhost.com (unknown [127.0.0.6]) (Authenticated sender: dreamhost) by relay.mailchannels.net (Postfix) with ESMTPA id 882CC81ABC; Tue, 3 Oct 2023 17:08:18 +0000 (UTC) ARC-Seal: i=1; s=arc-2022; d=mailchannels.net; t=1696352898; a=rsa-sha256; cv=none; b=5qfMxmUwI83hq0oagEYhS/XgeghenGvdsyyQNyzIxdd+sx0pSvj2LvtFItP5IdfEzyT0mo z99sZFlNFC3QVzXqioS/dDGwPLP4cQekn81NxD+M6x6IWv8b9Y4ItKCBrHDSLA8zsQNLZh fAQ3pRbUuJ+9tF1UeQNh5hrAVZL9XL4TNpw4wwxteUidysvDET7N40V2gDjNM3OJOLgnN3 sm08CH3vTmtyluSrZDldARABDURZWCqS3EU6aM7++rsPREkVlXXITjy3RYLNl4adR30vQf KH5M6FKgN59Aj/rUqYr3/fo6WLPByT2Y1NbKGCMZt3jsx56W2PRcLp7i3S44LQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=mailchannels.net; s=arc-2022; t=1696352898; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=1a0fWBPdnW+Tu1zUE/ZtlBb3zkAS8ABX2A2qqUYl2W0=; b=Tn8H65fgxUzepI2lrbb5auhvz4tbajJWXlsUHCOwkvZeeb9srwdum3GsKRr3JQCTyO8FqJ g2HfiKLD6NjF7FdYESP0U7821Ws2xDZHXxvCpOFAfGR4Heqneim0tCAam0hZtaRPpAJXS2 9d8uxJZfHZE5nmclYZWYPjT8SeekWSy1KDKDaYT12KuEqIBSCAz8dn4YJuOHOazU7ENOpX MWMz4Y+ynPVJ54o75g3iSj85Bsc4yppJ9evbKP9CNtzt+7rplj0QPr2Wb/0B+Qj+l6A6OH WIvjpSe2aOre5EqSL0iTXQk+j3RrfY0po6JvId2S7KeVTVblzhzmr1t1lvcJ0A== ARC-Authentication-Results: i=1; rspamd-7d5dc8fd68-zzz4g; auth=pass smtp.auth=dreamhost smtp.mailfrom=siddhesh@sourceware.org X-Sender-Id: dreamhost|x-authsender|siddhesh@gotplt.org X-MC-Relay: Neutral X-MC-Copy: stored-urls X-MailChannels-SenderId: dreamhost|x-authsender|siddhesh@gotplt.org X-MailChannels-Auth-Id: dreamhost X-Shoe-Irritate: 4ee5cef551df488b_1696352898863_921716443 X-MC-Loop-Signature: 1696352898863:2049982880 X-MC-Ingress-Time: 1696352898863 Received: from pdx1-sub0-mail-a208.dreamhost.com (pop.dreamhost.com [64.90.62.162]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384) by 100.109.140.241 (trex/6.9.1); Tue, 03 Oct 2023 17:08:18 +0000 Received: from fedora.redhat.com (bras-vprn-toroon4834w-lp130-02-142-113-138-41.dsl.bell.ca [142.113.138.41]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) (Authenticated sender: siddhesh@gotplt.org) by pdx1-sub0-mail-a208.dreamhost.com (Postfix) with ESMTPSA id 4S0PR61KXqzM7; Tue, 3 Oct 2023 10:08:18 -0700 (PDT) From: Siddhesh Poyarekar To: libc-alpha@sourceware.org Cc: Carlos O'Donell Subject: [committed 2/2] tunables: Terminate if end of input is reached (CVE-2023-4911) Date: Tue, 3 Oct 2023 13:08:11 -0400 Message-ID: <20231003170811.64957-3-siddhesh@sourceware.org> X-Mailer: git-send-email 2.41.0 In-Reply-To: <20231003170811.64957-1-siddhesh@sourceware.org> References: <20231003170811.64957-1-siddhesh@sourceware.org> MIME-Version: 1.0 X-Spam-Status: No, score=-1172.5 required=5.0 tests=BAYES_00, GIT_PATCH_0, KAM_DMARC_NONE, KAM_DMARC_STATUS, RCVD_IN_DNSWL_NONE, RCVD_IN_MSPIKE_H3, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_SOFTFAIL, TXREP autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.30 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org The string parsing routine may end up writing beyond bounds of tunestr if the input tunable string is malformed, of the form name=name=val. This gets processed twice, first as name=name=val and next as name=val, resulting in tunestr being name=name=val:name=val, thus overflowing tunestr. Terminate the parsing loop at the first instance itself so that tunestr does not overflow. This also fixes up tst-env-setuid-tunables to actually handle failures correct and add new tests to validate the fix for this CVE. Signed-off-by: Siddhesh Poyarekar Reviewed-by: Carlos O'Donell --- NEWS | 5 +++++ elf/dl-tunables.c | 17 +++++++++------- elf/tst-env-setuid-tunables.c | 37 +++++++++++++++++++++++++++-------- 3 files changed, 44 insertions(+), 15 deletions(-) diff --git a/NEWS b/NEWS index a94650da64..cc4b81f0ac 100644 --- a/NEWS +++ b/NEWS @@ -64,6 +64,11 @@ Security related changes: an application calls getaddrinfo for AF_INET6 with AI_CANONNAME, AI_ALL and AI_V4MAPPED flags set. + CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the + environment of a setuid program and NAME is valid, it may result in a + buffer overflow, which could be exploited to achieve escalated + privileges. This flaw was introduced in glibc 2.34. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c index 62b7332d95..cae67efa0a 100644 --- a/elf/dl-tunables.c +++ b/elf/dl-tunables.c @@ -180,11 +180,7 @@ parse_tunables (char *tunestr, char *valstring) /* If we reach the end of the string before getting a valid name-value pair, bail out. */ if (p[len] == '\0') - { - if (__libc_enable_secure) - tunestr[off] = '\0'; - return; - } + break; /* We did not find a valid name-value pair before encountering the colon. */ @@ -244,9 +240,16 @@ parse_tunables (char *tunestr, char *valstring) } } - if (p[len] != '\0') - p += len + 1; + /* We reached the end while processing the tunable string. */ + if (p[len] == '\0') + break; + + p += len + 1; } + + /* Terminate tunestr before we leave. */ + if (__libc_enable_secure) + tunestr[off] = '\0'; } /* Enable the glibc.malloc.check tunable in SETUID/SETGID programs only when diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.c index 7dfb0e073a..f0b92c97e7 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c @@ -50,6 +50,8 @@ const char *teststrings[] = "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", "glibc.not_valid.check=2:glibc.malloc.mmap_threshold=4096", "not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", + "glibc.malloc.check=2", "glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096:glibc.malloc.check=2", "glibc.malloc.check=4:glibc.malloc.garbage=2:glibc.maoc.mmap_threshold=4096", ":glibc.malloc.garbage=2:glibc.malloc.check=1", @@ -68,6 +70,8 @@ const char *resultstrings[] = "glibc.malloc.perturb=0x800:glibc.malloc.mmap_threshold=4096", "glibc.malloc.mmap_threshold=4096", "glibc.malloc.mmap_threshold=4096", + "glibc.malloc.mmap_threshold=glibc.malloc.mmap_threshold=4096", + "", "", "", "", @@ -81,11 +85,18 @@ test_child (int off) { const char *val = getenv ("GLIBC_TUNABLES"); + printf (" [%d] GLIBC_TUNABLES is %s\n", off, val); + fflush (stdout); if (val != NULL && strcmp (val, resultstrings[off]) == 0) return 0; if (val != NULL) - printf ("[%d] Unexpected GLIBC_TUNABLES VALUE %s\n", off, val); + printf (" [%d] Unexpected GLIBC_TUNABLES VALUE %s, expected %s\n", + off, val, resultstrings[off]); + else + printf (" [%d] GLIBC_TUNABLES environment variable absent\n", off); + + fflush (stdout); return 1; } @@ -106,21 +117,26 @@ do_test (int argc, char **argv) if (ret != 0) exit (1); - exit (EXIT_SUCCESS); + /* Special return code to make sure that the child executed all the way + through. */ + exit (42); } else { - int ret = 0; - /* Spawn tests. */ for (int i = 0; i < array_length (teststrings); i++) { char buf[INT_BUFSIZE_BOUND (int)]; - printf ("Spawned test for %s (%d)\n", teststrings[i], i); + printf ("[%d] Spawned test for %s\n", i, teststrings[i]); snprintf (buf, sizeof (buf), "%d\n", i); + fflush (stdout); if (setenv ("GLIBC_TUNABLES", teststrings[i], 1) != 0) - exit (1); + { + printf (" [%d] Failed to set GLIBC_TUNABLES: %m", i); + support_record_failure (); + continue; + } int status = support_capture_subprogram_self_sgid (buf); @@ -128,9 +144,14 @@ do_test (int argc, char **argv) if (WEXITSTATUS (status) == EXIT_UNSUPPORTED) return EXIT_UNSUPPORTED; - ret |= status; + if (WEXITSTATUS (status) != 42) + { + printf (" [%d] child failed with status %d\n", i, + WEXITSTATUS (status)); + support_record_failure (); + } } - return ret; + return 0; } }