From patchwork Thu Dec 14 14:08:31 2017
X-Patchwork-Submitter: Florian Weimer
X-Patchwork-Id: 24939
Subject: Re: [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
To: Andreas Schwab
Cc: libc-alpha@sourceware.org
References: <20171214133125.72E16439942EA@oldenburg.str.redhat.com> <75ae8262-9006-6ea2-a9c6-2a17d95cac5b@redhat.com>
From: Florian Weimer
Message-ID: <3be519e4-5ba0-e6b2-27a6-4819087caafb@redhat.com>
Date: Thu, 14 Dec 2017 15:08:31 +0100

On 12/14/2017 02:58 PM, Andreas Schwab wrote:
> On Dez 14 2017, Florian Weimer wrote:
>
>> On 12/14/2017 02:45 PM, Andreas Schwab wrote:
>>> On Dez 14 2017, fweimer@redhat.com (Florian Weimer) wrote:
>>>
>>>> + {
>>>> + const char *cp = llp_tmp;
>>>> + while (*cp)
>>>> + {
>>>> + if (*cp == ':' || *cp == ';')
>>>> + ++nllp;
>>>> + ++cp;
>>>> + }
>>>> + }
>>>
>>> No need for the outermost braces.
>>
>> I included them to limit the scope of cp, to make sure that there aren't
>> any uses afterwards because of the changed value of cp compared to the
>> original code.
>
> Since it is obviously unused afterwards I don't see any value for that.

What about this? It follows Dmitry's suggestion to use a for loop.

Thanks,
Florian

Subject: [PATCH] elf: Count components of the expanded path in _dl_init_path [BZ #22607]
To: libc-alpha@sourceware.org

2017-12-14  Florian Weimer

	[BZ #22607]
	CVE-2017-1000409
	* elf/dl-load.c (_dl_init_paths): Compute number of components in
	the expanded path string.

diff --git a/NEWS b/NEWS index eef51b65a6..c5607c855f 100644 --- a/NEWS +++ b/NEWS @@ -130,6 +130,12 @@ Security related changes: it is mentioned here only because of the CVE assignment.) Reported by Qualys. + CVE-2017-1000409: Buffer overflow in _dl_init_paths due to miscomputation + of the number of search path components. (This is not a security + vulnerability per se because no trust boundary is crossed if the fix for + CVE-2017-1000366 has been applied, but it is mentioned here only because + of the CVE assignment.) Reported by Qualys. + The following bugs are resolved with this release: [The release manager will add the list generated by diff --git a/elf/dl-load.c b/elf/dl-load.c index 82c9f46050..f5a9c0cc8e 100644 --- a/elf/dl-load.c
+++ b/elf/dl-load.c @@ -773,8 +773,6 @@ _dl_init_paths (const char *llp) if (llp != NULL && *llp != '\0') { - size_t nllp; - const char *cp = llp; char *llp_tmp; #ifdef SHARED @@ -797,13 +795,10 @@ _dl_init_paths (const char *llp) /* Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has. */ - nllp = 1; - while (*cp) - { - if (*cp == ':' || *cp == ';') - ++nllp; - ++cp; - } + size_t nllp = 1; + for (const char *cp = llp_tmp; *cp != '\0'; ++cp) + if (*cp == ':' || *cp == ';') + ++nllp; env_path_list.dirs = (struct r_search_path_elem **) malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));
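Review bot: the NEWS hunk (@@ -130,6 +130,12 @@) describes the bug only as "miscomputation of the number of search path components" and leaves the reader to infer the cause, while the ChangeLog entry in the same patch states it precisely ("Compute number of components in the expanded path string"); consider saying in NEWS that the count was taken over the original llp rather than the expanded llp_tmp, since that is what the dl-load.c hunks change and is what someone triaging a backport needs to know. The parenthetical pointing at CVE-2017-1000366 is worth keeping as written, because it tells maintainers of older branches which earlier fix must already be present for this one to be a hardening rather than a security fix.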
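Review bot: in the first dl-load.c hunk (@@ -773,8 +773,6 @@), dropping `const char *cp = llp;` is the substantive part of the fix rather than a cleanup, since that initialisation is what made the separator count run over the unexpanded string; the commit message could say so explicitly so that anyone bisecting BZ #22607 sees why a two-line declaration removal matters. Please also confirm that nothing between this hunk and the new `size_t nllp = 1;` in the second hunk, in particular the `#ifdef SHARED` region that starts right after the removed lines, still references nllp or cp, otherwise the build breaks in only one configuration.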
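Review bot: in the second dl-load.c hunk (@@ -797,13 +795,10 @@) the loop `for (const char *cp = llp_tmp; *cp != '\0'; ++cp)` now counts ':' and ';' in llp_tmp, so the `malloc ((nllp + 1) * sizeof (struct r_search_path_elem *))` that follows is sized against the same expanded string, which is the fix; but the comment above it still reads "Decompose the LD_LIBRARY_PATH contents. First determine how many elements it has." and should state that the count must be taken over the expanded copy (llp_tmp), since that is exactly the invariant the bug violated and a future refactor could silently reintroduce it. Declaring cp in the for header also settles the scope concern raised earlier in the thread without the extra braces.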