Diffstat (limited to 'pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch')
-rw-r--r--pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch115
1 files changed, 115 insertions, 0 deletions
diff --git a/pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch b/pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch
new file mode 100644
index 000000000000..76be2a3308f6
--- /dev/null
+++ b/pkgs/development/libraries/glibc/CVE-2017-1000366-rtld-LD_PRELOAD.patch
@@ -0,0 +1,115 @@
+From 65ff0b7a085b85271ec8fde99f542281b495e3bc Mon Sep 17 00:00:00 2001
+Message-Id: <65ff0b7a085b85271ec8fde99f542281b495e3bc.1495998948.git.fweimer@redhat.com>
+In-Reply-To: <cover.1495998948.git.fweimer@redhat.com>
+References: <cover.1495998948.git.fweimer@redhat.com>
+From: Florian Weimer <fweimer@redhat.com>
+Date: Sun, 28 May 2017 20:57:40 +0200
+Subject: [PATCH 2/3] rtld: Reject overly long LD_PRELOAD path elements
+To: libc-alpha@sourceware.org
+
+---
+ elf/rtld.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 53 insertions(+), 16 deletions(-)
+
+diff --git a/elf/rtld.c b/elf/rtld.c
+index 824b6cf..30f0cae 100644
+--- a/elf/rtld.c
++++ b/elf/rtld.c
+@@ -99,6 +99,22 @@ uintptr_t __pointer_chk_guard_local
+ strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
+ #endif
+ 
++/* Check that AT_SECURE=0, or that the passed name does not contain
++   directories and is not overly long.  Reject empty names
++   unconditionally.  */
++static bool
++dso_name_valid_for_suid (const char *p)
++{
++  if (__glibc_unlikely (__libc_enable_secure))
++    {
++      /* Ignore pathnames with directories for AT_SECURE=1
++	 programs, and also skip overlong names.  */
++      size_t len = strlen (p);
++      if (len >= NAME_MAX || memchr (p, '/', len) != NULL)
++	return false;
++    }
++  return *p != '\0';
++}
+ 
+ /* List of auditing DSOs.  */
+ static struct audit_list
+@@ -716,6 +732,46 @@ static const char *preloadlist attribute_relro;
+ /* Nonzero if information about versions has to be printed.  */
+ static int version_info attribute_relro;
+ 
++/* The LD_PRELOAD environment variable gives list of libraries
++   separated by white space or colons that are loaded before the
++   executable's dependencies and prepended to the global scope list.
++   (If the binary is running setuid all elements containing a '/' are
++   ignored since it is insecure.)  Return the number of preloads
++   performed.  */
++unsigned int
++handle_ld_preload (const char *preloadlist, struct link_map *main_map)
++{
++  unsigned int npreloads = 0;
++  const char *p = preloadlist;
++#ifdef PATH_MAX
++  char fname[PATH_MAX];
++#else
++  char fname[4096];
++#endif
++
++  while (*p != '\0')
++    {
++      /* Split preload list at space/colon.  */
++      size_t len = strcspn (p, " :");
++      if (len > 0 && len < sizeof(fname))
++	{
++	  memcpy (fname, p, len);
++	  fname[len] = '\0';
++	}
++      else
++	fname[0] = '\0';
++
++      /* Skip over the substring and the following delimiter.  */
++      p += len;
++      if (*p == ' ' || *p == ':')
++	++p;
++
++      if (dso_name_valid_for_suid (fname))
++	npreloads += do_preload (fname, main_map, "LD_PRELOAD");
++    }
++  return npreloads;
++}
++
+ static void
+ dl_main (const ElfW(Phdr) *phdr,
+ 	 ElfW(Word) phnum,
+@@ -1462,23 +1514,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
+ 
+   if (__glibc_unlikely (preloadlist != NULL))
+     {
+-      /* The LD_PRELOAD environment variable gives list of libraries
+-	 separated by white space or colons that are loaded before the
+-	 executable's dependencies and prepended to the global scope
+-	 list.  If the binary is running setuid all elements
+-	 containing a '/' are ignored since it is insecure.  */
+-      char *list = strdupa (preloadlist);
+-      char *p;
+-
+       HP_TIMING_NOW (start);
+-
+-      /* Prevent optimizing strsep.  Speed is not important here.  */
+-      while ((p = (strsep) (&list, " :")) != NULL)
+-	if (p[0] != '\0'
+-	    && (__builtin_expect (! __libc_enable_secure, 1)
+-		|| strchr (p, '/') == NULL))
+-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
+-
++      npreloads += handle_ld_preload (preloadlist, main_map);
+       HP_TIMING_NOW (stop);
+       HP_TIMING_DIFF (diff, start, stop);
+       HP_TIMING_ACCUM_NT (load_time, diff);
+-- 
+2.9.4
+
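Review bot: The new `handle_ld_preload` (line `unsigned int` / `handle_ld_preload (const char *preloadlist, struct link_map *main_map)`) is defined without `static`, unlike its sibling `dso_name_valid_for_suid`, so it gets external linkage inside ld.so even though its only caller is `dl_main` in the same file; `static unsigned int` keeps it file-local and consistent. The vendored patch also changes observable behaviour that its header comment does not mention: an element whose length reaches `sizeof (fname)` (PATH_MAX or 4096) is replaced by an empty name and silently dropped in all modes, and under AT_SECURE names of `NAME_MAX` or more are rejected as well, whereas the removed `strsep` loop accepted any length; extending the comment with `Elements that are empty, or too long to fit in a PATH_MAX buffer, are skipped without diagnostic.` would make that explicit for anyone debugging a missing preload. Since this is an upstream glibc patch carried verbatim in nixpkgs, these points would normally be taken upstream rather than edited locally. The third inner hunk's enclosing function `dl_main` starts and ends outside the shown context.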