glibc/fillin-rpath-empty-tokens.patch

2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
	    Dmitry V. Levin  <ldv@altlinux.org>

	[BZ #22625]
	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
	string token expansion. Check for NULL pointer or empty string possibly
	returned by expand_dynamic_string_token.
	(decompose_rpath): Check for empty path after dynamic string
	token expansion.

Index: glibc-2.26/elf/dl-load.c
===================================================================
--- glibc-2.26.orig/elf/dl-load.c
+++ glibc-2.26/elf/dl-load.c
@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
 {
   char *cp;
   size_t nelems = 0;
-  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
 
-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+	{
+	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
 
-      size_t len = strlen (cp);
+	  /* expand_dynamic_string_token can return NULL in case of empty
+	     path or memory allocation failure.  */
+	  if (cp == NULL)
+	    continue;
+
+	  /* Compute the length after dynamic string token expansion and
+	     ignore empty paths.  */
+	  len = strlen (cp);
+	  if (len == 0)
+	    {
+	      free (to_free);
+	      continue;
+	    }
 
-      /* `strsep' can pass an empty string.  This has to be
-	 interpreted as `use the current directory'. */
-      if (len == 0)
-	{
-	  static const char curwd[] = "./";
-	  cp = (char *) curwd;
+	  /* Remove trailing slashes (except for "/").  */
+	  while (len > 1 && cp[len - 1] == '/')
+	    --len;
+
+	  /* Now add one if there is none so far.  */
+	  if (len > 0 && cp[len - 1] != '/')
+	    cp[len++] = '/';
 	}
 
-      /* Remove trailing slashes (except for "/").  */
-      while (len > 1 && cp[len - 1] == '/')
-	--len;
-
-      /* Now add one if there is none so far.  */
-      if (len > 0 && cp[len - 1] != '/')
-	cp[len++] = '/';
-
       /* Make sure we don't use untrusted directories if we run SUID.  */
       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
 	{
@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
      necessary.  */
   free (copy);
 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
   sps->dirs = result;
   /* The caller will change this value if we haven't used a real malloc.  */
   sps->malloced = 1;
Accepting request 568213 from home:Andreas_Schwab:Factory - getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) OBS-URL: https://build.opensuse.org/request/show/568213 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488 2018-01-22 17:14:59 +01:00			`2017-12-30 Aurelien Jarno <aurelien@aurel32.net>`
			`Dmitry V. Levin <ldv@altlinux.org>`

			`[BZ #22625]`
			`* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic`
			`string token expansion. Check for NULL pointer or empty string possibly`
			`returned by expand_dynamic_string_token.`
			`(decompose_rpath): Check for empty path after dynamic string`
			`token expansion.`

			`Index: glibc-2.26/elf/dl-load.c`
			`===================================================================`
			`--- glibc-2.26.orig/elf/dl-load.c`
			`+++ glibc-2.26/elf/dl-load.c`
			`@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear`
			`{`
			`char *cp;`
			`size_t nelems = 0;`
			`- char *to_free;`

			`while ((cp = __strsep (&rpath, sep)) != NULL)`
			`{`
			`struct r_search_path_elem *dirp;`
			`+ char *to_free = NULL;`
			`+ size_t len = 0;`

			`- to_free = cp = expand_dynamic_string_token (l, cp, 1);`
			+ /* `strsep' can pass an empty string. */
			`+ if (*cp != '\0')`
			`+ {`
			`+ to_free = cp = expand_dynamic_string_token (l, cp, 1);`

			`- size_t len = strlen (cp);`
			`+ /* expand_dynamic_string_token can return NULL in case of empty`
			`+ path or memory allocation failure. */`
			`+ if (cp == NULL)`
			`+ continue;`
			`+`
			`+ /* Compute the length after dynamic string token expansion and`
			`+ ignore empty paths. */`
			`+ len = strlen (cp);`
			`+ if (len == 0)`
			`+ {`
			`+ free (to_free);`
			`+ continue;`
			`+ }`

			- /* `strsep' can pass an empty string. This has to be
			- interpreted as `use the current directory'. */
			`- if (len == 0)`
			`- {`
			`- static const char curwd[] = "./";`
			`- cp = (char *) curwd;`
			`+ /* Remove trailing slashes (except for "/"). */`
			`+ while (len > 1 && cp[len - 1] == '/')`
			`+ --len;`
			`+`
			`+ /* Now add one if there is none so far. */`
			`+ if (len > 0 && cp[len - 1] != '/')`
			`+ cp[len++] = '/';`
			`}`

			`- /* Remove trailing slashes (except for "/"). */`
			`- while (len > 1 && cp[len - 1] == '/')`
			`- --len;`
			`-`
			`- /* Now add one if there is none so far. */`
			`- if (len > 0 && cp[len - 1] != '/')`
			`- cp[len++] = '/';`
			`-`
			`/* Make sure we don't use untrusted directories if we run SUID. */`
			`if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))`
			`{`
			`@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st`
			`necessary. */`
			`free (copy);`

			`+ /* There is no path after expansion. */`
			`+ if (result[0] == NULL)`
			`+ {`
			`+ free (result);`
			`+ sps->dirs = (struct r_search_path_elem **) -1;`
			`+ return false;`
			`+ }`
			`+`
			`sps->dirs = result;`
			`/* The caller will change this value if we haven't used a real malloc. */`
			`sps->malloced = 1;`