[v3] elf: Check for empty tokens before dynamic string token expansion [BZ #22625]
Commit Message
The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and interprets empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).
Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.
The above changes highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath
level, but by using a -1 pointer in decompose_rpath and other functions.
Changelog:
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
---
ChangeLog | 10 ++++++++++
NEWS | 4 ++++
elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
3 files changed, 40 insertions(+), 9 deletions(-)
Comments
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and interprets empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
>
> Fix that by moving the check for empty tokens before the dynamic string
> token expansion. In addition, check for NULL pointer or empty strings
> return by expand_dynamic_string_token.
>
> The above changes highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath
> level, but by using a -1 pointer in decompose_rpath and other functions.
>
> Changelog:
> [BZ #22625]
> * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> string token expansion. Check for NULL pointer or empty string possibly
> returned by expand_dynamic_string_token.
> (decompose_rpath): Check for empty path after dynamic string
> token expansion.
> ---
> ChangeLog | 10 ++++++++++
> NEWS | 4 ++++
> elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
> 3 files changed, 40 insertions(+), 9 deletions(-)
[...]
> - /* `strsep' can pass an empty string. This has to be
> - interpreted as `use the current directory'. */
> - if (len == 0)
> - {
> - static const char curwd[] = "./";
> - cp = (char *) curwd;
> + /* Compute the length after dynamic string token expansion and
> + ignore empty paths. */
> + len = strlen (cp);
> + if (len == 0)
> + {
> + free (to_free);
> + continue;
> + }
The leading 8+ spaces are not replaced by tabs in these newly added lines.
As other lines in this file seem to use tabs, it might be a good idea
to follow the same style.
Besides that, the change is fine.
On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> RUNPATH tokens and interprets empty tokens as the current directory
> ("./"). In practice the check for empty token is done *after* the
> dynamic string token expansion. The expansion process can return an
> empty string for the $ORIGIN token if __libc_enable_secure is set
> or if the path of the binary can not be determined (/proc not mounted).
>
> Fix that by moving the check for empty tokens before the dynamic string
> token expansion. In addition, check for NULL pointer or empty strings
> return by expand_dynamic_string_token.
>
> The above changes highlighted a bug in decompose_rpath, an empty array
> is represented by the first element being NULL at the fillin_rpath
> level, but by using a -1 pointer in decompose_rpath and other functions.
>
> Changelog:
> [BZ #22625]
> * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> string token expansion. Check for NULL pointer or empty string possibly
> returned by expand_dynamic_string_token.
> (decompose_rpath): Check for empty path after dynamic string
> token expansion.
> ---
> ChangeLog | 10 ++++++++++
> NEWS | 4 ++++
> elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
> 3 files changed, 40 insertions(+), 9 deletions(-)
>
> diff --git a/ChangeLog b/ChangeLog
> index 35d1d102f6..0ed4d0ab15 100644
> --- a/ChangeLog
> +++ b/ChangeLog
> @@ -1,3 +1,13 @@
> +2017-12-20 Aurelien Jarno <aurelien@aurel32.net>
> + Dmitry V. Levin <ldv@altlinux.org>
> +
> + [BZ #22625]
> + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> + string token expansion. Check for NULL pointer or empty string possibly
> + returned by expand_dynamic_string_token.
> + (decompose_rpath): Check for empty path after dynamic string
> + token expansion.
> +
> 2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org>
>
> * nptl/Makefile (libpthread-routines): Add pthread_join_common.
> diff --git a/NEWS b/NEWS
> index a43ff26e83..0d43e93a17 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -149,6 +149,10 @@ Security related changes:
> CVE-2017-1000366 has been applied, but it is mentioned here only because
> of the CVE assignment.) Reported by Qualys.
>
> + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> + for AT_SECURE or SUID binaries could be used to load libraries from the
> + current directory.
> +
> The following bugs are resolved with this release:
>
> [The release manager will add the list generated by
> diff --git a/elf/dl-load.c b/elf/dl-load.c
> index 2964464158..955eb49ecb 100644
> --- a/elf/dl-load.c
> +++ b/elf/dl-load.c
> @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
> {
> char *cp;
> size_t nelems = 0;
> - char *to_free;
>
> while ((cp = __strsep (&rpath, sep)) != NULL)
> {
> struct r_search_path_elem *dirp;
> + char *to_free = NULL;
> + size_t len = 0;
>
> - to_free = cp = expand_dynamic_string_token (l, cp, 1);
> + /* `strsep' can pass an empty string. */
> + if (*cp != '\0')
> + {
> + to_free = cp = expand_dynamic_string_token (l, cp, 1);
>
> - size_t len = strlen (cp);
> + /* expand_dynamic_string_token can return NULL in case of empty
> + path or memory allocation failure. */
> + if (cp == NULL)
> + continue;
>
> - /* `strsep' can pass an empty string. This has to be
> - interpreted as `use the current directory'. */
> - if (len == 0)
> - {
> - static const char curwd[] = "./";
> - cp = (char *) curwd;
> + /* Compute the length after dynamic string token expansion and
> + ignore empty paths. */
> + len = strlen (cp);
> + if (len == 0)
> + {
> + free (to_free);
> + continue;
> + }
> }
>
> /* Remove trailing slashes (except for "/"). */
The longer I look at this hunk of fillin_rpath, the more I think
that moving "Remove trailing slashes" and "Now add one" code inside
"if (*cp != '\0')" statement will make fillin_rpath a bit more readable.
On 2017-12-29 16:07, Dmitry V. Levin wrote:
> On Wed, Dec 20, 2017 at 09:23:59PM +0100, Aurelien Jarno wrote:
> > The fillin_rpath function in elf/dl-load.c loops over each RPATH or
> > RUNPATH tokens and interprets empty tokens as the current directory
> > ("./"). In practice the check for empty token is done *after* the
> > dynamic string token expansion. The expansion process can return an
> > empty string for the $ORIGIN token if __libc_enable_secure is set
> > or if the path of the binary can not be determined (/proc not mounted).
> >
> > Fix that by moving the check for empty tokens before the dynamic string
> > token expansion. In addition, check for NULL pointer or empty strings
> > return by expand_dynamic_string_token.
> >
> > The above changes highlighted a bug in decompose_rpath, an empty array
> > is represented by the first element being NULL at the fillin_rpath
> > level, but by using a -1 pointer in decompose_rpath and other functions.
> >
> > Changelog:
> > [BZ #22625]
> > * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> > string token expansion. Check for NULL pointer or empty string possibly
> > returned by expand_dynamic_string_token.
> > (decompose_rpath): Check for empty path after dynamic string
> > token expansion.
> > ---
> > ChangeLog | 10 ++++++++++
> > NEWS | 4 ++++
> > elf/dl-load.c | 35 ++++++++++++++++++++++++++---------
> > 3 files changed, 40 insertions(+), 9 deletions(-)
> >
> > diff --git a/ChangeLog b/ChangeLog
> > index 35d1d102f6..0ed4d0ab15 100644
> > --- a/ChangeLog
> > +++ b/ChangeLog
> > @@ -1,3 +1,13 @@
> > +2017-12-20 Aurelien Jarno <aurelien@aurel32.net>
> > + Dmitry V. Levin <ldv@altlinux.org>
> > +
> > + [BZ #22625]
> > + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
> > + string token expansion. Check for NULL pointer or empty string possibly
> > + returned by expand_dynamic_string_token.
> > + (decompose_rpath): Check for empty path after dynamic string
> > + token expansion.
> > +
> > 2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org>
> >
> > * nptl/Makefile (libpthread-routines): Add pthread_join_common.
> > diff --git a/NEWS b/NEWS
> > index a43ff26e83..0d43e93a17 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -149,6 +149,10 @@ Security related changes:
> > CVE-2017-1000366 has been applied, but it is mentioned here only because
> > of the CVE assignment.) Reported by Qualys.
> >
> > + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
> > + for AT_SECURE or SUID binaries could be used to load libraries from the
> > + current directory.
> > +
> > The following bugs are resolved with this release:
> >
> > [The release manager will add the list generated by
> > diff --git a/elf/dl-load.c b/elf/dl-load.c
> > index 2964464158..955eb49ecb 100644
> > --- a/elf/dl-load.c
> > +++ b/elf/dl-load.c
> > @@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
> > {
> > char *cp;
> > size_t nelems = 0;
> > - char *to_free;
> >
> > while ((cp = __strsep (&rpath, sep)) != NULL)
> > {
> > struct r_search_path_elem *dirp;
> > + char *to_free = NULL;
> > + size_t len = 0;
> >
> > - to_free = cp = expand_dynamic_string_token (l, cp, 1);
> > + /* `strsep' can pass an empty string. */
> > + if (*cp != '\0')
> > + {
> > + to_free = cp = expand_dynamic_string_token (l, cp, 1);
> >
> > - size_t len = strlen (cp);
> > + /* expand_dynamic_string_token can return NULL in case of empty
> > + path or memory allocation failure. */
> > + if (cp == NULL)
> > + continue;
> >
> > - /* `strsep' can pass an empty string. This has to be
> > - interpreted as `use the current directory'. */
> > - if (len == 0)
> > - {
> > - static const char curwd[] = "./";
> > - cp = (char *) curwd;
> > + /* Compute the length after dynamic string token expansion and
> > + ignore empty paths. */
> > + len = strlen (cp);
> > + if (len == 0)
> > + {
> > + free (to_free);
> > + continue;
> > + }
> > }
> >
> > /* Remove trailing slashes (except for "/"). */
>
> The longer I look at this hunk of fillin_rpath, the more I think
> that moving "Remove trailing slashes" and "Now add one" code inside
> "if (*cp != '\0')" statement will make fillin_rpath a bit more readable.
I am testing this solution I'll send a new version of this patch if all
is working fine.
@@ -1,3 +1,13 @@
+2017-12-20 Aurelien Jarno <aurelien@aurel32.net>
+ Dmitry V. Levin <ldv@altlinux.org>
+
+ [BZ #22625]
+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+ string token expansion. Check for NULL pointer or empty string possibly
+ returned by expand_dynamic_string_token.
+ (decompose_rpath): Check for empty path after dynamic string
+ token expansion.
+
2017-12-20 Adhemerval Zanella <adhemerval.zanella@linaro.org>
* nptl/Makefile (libpthread-routines): Add pthread_join_common.
@@ -149,6 +149,10 @@ Security related changes:
CVE-2017-1000366 has been applied, but it is mentioned here only because
of the CVE assignment.) Reported by Qualys.
+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+ for AT_SECURE or SUID binaries could be used to load libraries from the
+ current directory.
+
The following bugs are resolved with this release:
[The release manager will add the list generated by
@@ -414,22 +414,31 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
- size_t len = strlen (cp);
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
- {
- static const char curwd[] = "./";
- cp = (char *) curwd;
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }
}
/* Remove trailing slashes (except for "/"). */
@@ -594,6 +603,14 @@ decompose_rpath (struct r_search_path_struct *sps,
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;