SHA256
1
0
forked from pool/glibc

Accepting request 568213 from home:Andreas_Schwab:Factory

- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
  absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)

- dl-init-paths-overflow.patch: Count components of the expanded path in
  _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
  #22607, BZ #22627)
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
  string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)

OBS-URL: https://build.opensuse.org/request/show/568213
OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488
This commit is contained in:
Andreas Schwab 2018-01-22 16:14:59 +00:00 committed by Git OBS Bridge
parent 3d1d35fa2b
commit dc304305df
5 changed files with 237 additions and 1 deletions

View File

@ -0,0 +1,90 @@
2017-12-18 Dmitry V. Levin <ldv@altlinux.org>
[BZ #22627]
* elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory
code and invocation.
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22607]
CVE-2017-1000409
* elf/dl-load.c (_dl_init_paths): Compute number of components in
the expanded path string.
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22606]
CVE-2017-1000408
* elf/dl-load.c (system_dirs): Update comment.
(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
Index: glibc-2.26/elf/dl-load.c
===================================================================
--- glibc-2.26.orig/elf/dl-load.c
+++ glibc-2.26/elf/dl-load.c
@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro;
-/* Get the generated information about the trusted directories. */
+/* Get the generated information about the trusted directories. Use
+ an array of concatenated strings to avoid relocations. See
+ gen-trusted-dirs.awk. */
#include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS;
@@ -688,9 +690,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem));
- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *)
- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0]))
- * round_size * sizeof (struct r_search_path_elem));
+ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
+ * sizeof (*rtld_search_dirs.dirs[0]));
if (rtld_search_dirs.dirs[0] == NULL)
{
errstring = N_("cannot create cache for search path");
@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp)
if (llp != NULL && *llp != '\0')
{
- size_t nllp;
- const char *cp = llp;
- char *llp_tmp;
-
-#ifdef SHARED
- /* Expand DSTs. */
- size_t cnt = DL_DST_COUNT (llp, 1);
- if (__glibc_likely (cnt == 0))
- llp_tmp = strdupa (llp);
- else
- {
- /* Determine the length of the substituted string. */
- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
-
- /* Allocate the necessary memory. */
- llp_tmp = (char *) alloca (total + 1);
- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
- }
-#else
- llp_tmp = strdupa (llp);
-#endif
+ char *llp_tmp = strdupa (llp);
/* Decompose the LD_LIBRARY_PATH contents. First determine how many
elements it has. */
- nllp = 1;
- while (*cp)
- {
- if (*cp == ':' || *cp == ';')
- ++nllp;
- ++cp;
- }
+ size_t nllp = 1;
+ for (const char *cp = llp_tmp; *cp != '\0'; ++cp)
+ if (*cp == ':' || *cp == ';')
+ ++nllp;
env_path_list.dirs = (struct r_search_path_elem **)
malloc ((nllp + 1) * sizeof (struct r_search_path_elem *));

View File

@ -0,0 +1,88 @@
2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
Dmitry V. Levin <ldv@altlinux.org>
[BZ #22625]
* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
string token expansion. Check for NULL pointer or empty string possibly
returned by expand_dynamic_string_token.
(decompose_rpath): Check for empty path after dynamic string
token expansion.
Index: glibc-2.26/elf/dl-load.c
===================================================================
--- glibc-2.26.orig/elf/dl-load.c
+++ glibc-2.26/elf/dl-load.c
@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear
{
char *cp;
size_t nelems = 0;
- char *to_free;
while ((cp = __strsep (&rpath, sep)) != NULL)
{
struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;
- to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
- size_t len = strlen (cp);
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
+
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }
- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
- {
- static const char curwd[] = "./";
- cp = (char *) curwd;
+ /* Remove trailing slashes (except for "/"). */
+ while (len > 1 && cp[len - 1] == '/')
+ --len;
+
+ /* Now add one if there is none so far. */
+ if (len > 0 && cp[len - 1] != '/')
+ cp[len++] = '/';
}
- /* Remove trailing slashes (except for "/"). */
- while (len > 1 && cp[len - 1] == '/')
- --len;
-
- /* Now add one if there is none so far. */
- if (len > 0 && cp[len - 1] != '/')
- cp[len++] = '/';
-
/* Make sure we don't use untrusted directories if we run SUID. */
if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
{
@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st
necessary. */
free (copy);
+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
sps->dirs = result;
/* The caller will change this value if we haven't used a real malloc. */
sps->malloced = 1;

34
getcwd-absolute.patch Normal file
View File

@ -0,0 +1,34 @@
2018-01-12 Dmitry V. Levin <ldv@altlinux.org>
[BZ #22679]
CVE-2018-1000001
* sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to
generic_getcwd if the path returned by getcwd syscall is not absolute.
Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
===================================================================
--- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c
+++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c
@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size)
int retval;
retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size);
- if (retval >= 0)
+ if (retval > 0 && path[0] == '/')
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)
@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size)
return buf;
}
- /* The system call cannot handle paths longer than a page.
- Neither can the magic symlink in /proc/self. Just use the
+ /* The system call either cannot handle paths longer than a page
+ or can succeed without returning an absolute path. Just use the
generic implementation right away. */
- if (errno == ENAMETOOLONG)
+ if (retval >= 0 || errno == ENAMETOOLONG)
{
#ifndef NO_ALLOCATION
if (buf == NULL && size == 0)

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Mon Jan 22 10:32:36 UTC 2018 - schwab@suse.de
- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an
absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679)
-------------------------------------------------------------------
Tue Jan 2 10:43:09 UTC 2018 - schwab@suse.de
- dl-init-paths-overflow.patch: Count components of the expanded path in
_dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ
#22607, BZ #22627)
- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic
string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
-------------------------------------------------------------------
Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de

View File

@ -1,7 +1,7 @@
#
# spec file for package glibc
#
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -326,6 +326,12 @@ Patch1024: tst-tlsopt-powerpc.patch
Patch1025: powerpc-hwcap-bits.patch
# PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375)
Patch1026: malloc-tcache-check-overflow.patch
# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627)
Patch1027: dl-init-paths-overflow.patch
# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625)
Patch1028: fillin-rpath-empty-tokens.patch
# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679)
Patch1029: getcwd-absolute.patch
###
# Patches awaiting upstream approval
@ -574,6 +580,9 @@ rm nscd/s-stamp
%patch1024 -p1
%patch1025 -p1
%patch1026 -p1
%patch1027 -p1
%patch1028 -p1
%patch1029 -p1
%patch2000 -p1
%patch2001 -p1