From patchwork Sun Dec 17 17:21:49 2017
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Aurelien Jarno <aurelien@aurel32.net>
X-Patchwork-Id: 24980
Received: (qmail 99975 invoked by alias); 17 Dec 2017 17:22:06 -0000
Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Id: <libc-alpha.sourceware.org>
List-Unsubscribe: <mailto:libc-alpha-unsubscribe-##L=##H@sourceware.org>
List-Subscribe: <mailto:libc-alpha-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-alpha/>
List-Post: <mailto:libc-alpha@sourceware.org>
List-Help: <mailto:libc-alpha-help@sourceware.org>,
	<http://sourceware.org/ml/#faqs>
Sender: libc-alpha-owner@sourceware.org
Delivered-To: mailing list libc-alpha@sourceware.org
Received: (qmail 99965 invoked by uid 89); 17 Dec 2017 17:22:06 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-25.9 required=5.0 tests=BAYES_00, GIT_PATCH_0,
	GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3,
	KAM_LAZY_DOMAIN_SECURITY,
	T_RP_MATCHES_RCVD autolearn=ham version=3.3.2 spammy=
X-HELO: hall.aurel32.net
From: Aurelien Jarno <aurelien@aurel32.net>
To: libc-alpha@sourceware.org
Cc: Aurelien Jarno <aurelien@aurel32.net>
Subject: [PATCH] elf: Check for empty tokens before dynamic string token
	expansion [BZ #22625]
Date: Sun, 17 Dec 2017 18:21:49 +0100
Message-Id: <20171217172149.1748-1-aurelien@aurel32.net>

The fillin_rpath function in elf/dl-load.c loops over each RPATH or
RUNPATH tokens and intepret empty tokens as the current directory
("./"). In practice the check for empty token is done *after* the
dynamic string token expansion. The expansion process can return an
empty string for the $ORIGIN token if __libc_enable_secure is set
or if the path of the binary can not be determined (/proc not mounted).

Fix that by moving the check for empty tokens before the dynamic string
token expansion. In addition, check for NULL pointer or empty strings
return by expand_dynamic_string_token.

The above changed highlighted a bug in decompose_rpath, an empty array
is represented by the first element being NULL at the fillin_rpath path
level, but by using a -1 pointer in decompose_rpath and other functions.

Changelog:
	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
	dynamic string token expansion. Check for NULL pointer or empty
	string possibly returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.
---
 ChangeLog     |  9 +++++++++
 NEWS          |  4 ++++
 elf/dl-load.c | 30 ++++++++++++++++++++++++++----
 3 files changed, 39 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 815e73571d..4ef438d08c 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,12 @@
+2017-12-17  Aurelien Jarno  <aurelien@aurel32.net>
+
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before
+	dynamic string token expansion. Check for NULL pointer or empty
+	string possibly returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+
 2017-12-16  Aurelien Jarno  <aurelien@aurel32.net>
 
 	[BZ #22505]
diff --git a/NEWS b/NEWS
index 0670585b4c..8099ecc8f1 100644
--- a/NEWS
+++ b/NEWS
@@ -149,6 +149,10 @@ Security related changes:
   CVE-2017-1000366 has been applied, but it is mentioned here only because
   of the CVE assignment.)  Reported by Qualys.
 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
 The following bugs are resolved with this release:
 
   [The release manager will add the list generated by
diff --git a/elf/dl-load.c b/elf/dl-load.c
index bbd3be9e20..81a1a03a01 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -433,14 +433,11 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
+  char *to_free = NULL;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
-
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
-
       size_t len = strlen (cp);
 
       /* `strsep' can pass an empty string.  This has to be
@@ -450,6 +447,24 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 	  static const char curwd[] = "./";
 	  cp = (char *) curwd;
 	}
+      else
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+
+	  /* expand_dynamic_string_token can return NULL in case of memory
+	     allocation failure.  */
+	  if (cp == NULL)
+	    continue;
+
+	  /* Recompute the length after dynamic string token expansion
+	     and ignore empty paths.  */
+	  len = strlen (cp);
+	  if (len == 0)
+	    {
+	      free (to_free);
+	      continue;
+	    }
+	}
 
       /* Remove trailing slashes (except for "/").  */
       while (len > 1 && cp[len - 1] == '/')
@@ -620,6 +635,13 @@ decompose_rpath (struct r_search_path_struct *sps,
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL) {
+    free (result);
+    sps->dirs = (struct r_search_path_elem **) -1;
+    return false;
+  }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;