From dc304305dfc540caa5d3fded68f95d21ad5de4746fe71ef9efe0d08925e3d725 Mon Sep 17 00:00:00 2001 From: Andreas Schwab Date: Mon, 22 Jan 2018 16:14:59 +0000 Subject: [PATCH] Accepting request 568213 from home:Andreas_Schwab:Factory - getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) - dl-init-paths-overflow.patch: Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) - fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) OBS-URL: https://build.opensuse.org/request/show/568213 OBS-URL: https://build.opensuse.org/package/show/Base:System/glibc?expand=0&rev=488 --- dl-init-paths-overflow.patch | 90 +++++++++++++++++++++++++++++++++ fillin-rpath-empty-tokens.patch | 88 ++++++++++++++++++++++++++++++++ getcwd-absolute.patch | 34 +++++++++++++ glibc.changes | 15 ++++++ glibc.spec | 11 +++- 5 files changed, 237 insertions(+), 1 deletion(-) create mode 100644 dl-init-paths-overflow.patch create mode 100644 fillin-rpath-empty-tokens.patch create mode 100644 getcwd-absolute.patch diff --git a/dl-init-paths-overflow.patch b/dl-init-paths-overflow.patch new file mode 100644 index 0000000..40b2d18 --- /dev/null +++ b/dl-init-paths-overflow.patch @@ -0,0 +1,90 @@ +2017-12-18 Dmitry V. Levin + + [BZ #22627] + * elf/dl-load.c (_dl_init_paths): Remove _dl_dst_substitute preparatory + code and invocation. + +2017-12-14 Florian Weimer + + [BZ #22607] + CVE-2017-1000409 + * elf/dl-load.c (_dl_init_paths): Compute number of components in + the expanded path string. + +2017-12-14 Florian Weimer + + [BZ #22606] + CVE-2017-1000408 + * elf/dl-load.c (system_dirs): Update comment. + (_dl_init_paths): Use nsystem_dirs_len to compute the array size. + +Index: glibc-2.26/elf/dl-load.c +=================================================================== +--- glibc-2.26.orig/elf/dl-load.c ++++ glibc-2.26/elf/dl-load.c +@@ -103,7 +103,9 @@ static size_t ncapstr attribute_relro; + static size_t max_capstrlen attribute_relro; + + +-/* Get the generated information about the trusted directories. */ ++/* Get the generated information about the trusted directories. Use ++ an array of concatenated strings to avoid relocations. See ++ gen-trusted-dirs.awk. */ + #include "trusted-dirs.h" + + static const char system_dirs[] = SYSTEM_DIRS; +@@ -688,9 +690,8 @@ _dl_init_paths (const char *llp) + + ncapstr * sizeof (enum r_dir_status)) + / sizeof (struct r_search_path_elem)); + +- rtld_search_dirs.dirs[0] = (struct r_search_path_elem *) +- malloc ((sizeof (system_dirs) / sizeof (system_dirs[0])) +- * round_size * sizeof (struct r_search_path_elem)); ++ rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size ++ * sizeof (*rtld_search_dirs.dirs[0])); + if (rtld_search_dirs.dirs[0] == NULL) + { + errstring = N_("cannot create cache for search path"); +@@ -776,37 +777,14 @@ _dl_init_paths (const char *llp) + + if (llp != NULL && *llp != '\0') + { +- size_t nllp; +- const char *cp = llp; +- char *llp_tmp; +- +-#ifdef SHARED +- /* Expand DSTs. */ +- size_t cnt = DL_DST_COUNT (llp, 1); +- if (__glibc_likely (cnt == 0)) +- llp_tmp = strdupa (llp); +- else +- { +- /* Determine the length of the substituted string. */ +- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt); +- +- /* Allocate the necessary memory. */ +- llp_tmp = (char *) alloca (total + 1); +- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1); +- } +-#else +- llp_tmp = strdupa (llp); +-#endif ++ char *llp_tmp = strdupa (llp); + + /* Decompose the LD_LIBRARY_PATH contents. First determine how many + elements it has. */ +- nllp = 1; +- while (*cp) +- { +- if (*cp == ':' || *cp == ';') +- ++nllp; +- ++cp; +- } ++ size_t nllp = 1; ++ for (const char *cp = llp_tmp; *cp != '\0'; ++cp) ++ if (*cp == ':' || *cp == ';') ++ ++nllp; + + env_path_list.dirs = (struct r_search_path_elem **) + malloc ((nllp + 1) * sizeof (struct r_search_path_elem *)); diff --git a/fillin-rpath-empty-tokens.patch b/fillin-rpath-empty-tokens.patch new file mode 100644 index 0000000..54b4530 --- /dev/null +++ b/fillin-rpath-empty-tokens.patch @@ -0,0 +1,88 @@ +2017-12-30 Aurelien Jarno + Dmitry V. Levin + + [BZ #22625] + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic + string token expansion. Check for NULL pointer or empty string possibly + returned by expand_dynamic_string_token. + (decompose_rpath): Check for empty path after dynamic string + token expansion. + +Index: glibc-2.26/elf/dl-load.c +=================================================================== +--- glibc-2.26.orig/elf/dl-load.c ++++ glibc-2.26/elf/dl-load.c +@@ -435,32 +435,41 @@ fillin_rpath (char *rpath, struct r_sear + { + char *cp; + size_t nelems = 0; +- char *to_free; + + while ((cp = __strsep (&rpath, sep)) != NULL) + { + struct r_search_path_elem *dirp; ++ char *to_free = NULL; ++ size_t len = 0; + +- to_free = cp = expand_dynamic_string_token (l, cp, 1); ++ /* `strsep' can pass an empty string. */ ++ if (*cp != '\0') ++ { ++ to_free = cp = expand_dynamic_string_token (l, cp, 1); + +- size_t len = strlen (cp); ++ /* expand_dynamic_string_token can return NULL in case of empty ++ path or memory allocation failure. */ ++ if (cp == NULL) ++ continue; ++ ++ /* Compute the length after dynamic string token expansion and ++ ignore empty paths. */ ++ len = strlen (cp); ++ if (len == 0) ++ { ++ free (to_free); ++ continue; ++ } + +- /* `strsep' can pass an empty string. This has to be +- interpreted as `use the current directory'. */ +- if (len == 0) +- { +- static const char curwd[] = "./"; +- cp = (char *) curwd; ++ /* Remove trailing slashes (except for "/"). */ ++ while (len > 1 && cp[len - 1] == '/') ++ --len; ++ ++ /* Now add one if there is none so far. */ ++ if (len > 0 && cp[len - 1] != '/') ++ cp[len++] = '/'; + } + +- /* Remove trailing slashes (except for "/"). */ +- while (len > 1 && cp[len - 1] == '/') +- --len; +- +- /* Now add one if there is none so far. */ +- if (len > 0 && cp[len - 1] != '/') +- cp[len++] = '/'; +- + /* Make sure we don't use untrusted directories if we run SUID. */ + if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) + { +@@ -623,6 +632,14 @@ decompose_rpath (struct r_search_path_st + necessary. */ + free (copy); + ++ /* There is no path after expansion. */ ++ if (result[0] == NULL) ++ { ++ free (result); ++ sps->dirs = (struct r_search_path_elem **) -1; ++ return false; ++ } ++ + sps->dirs = result; + /* The caller will change this value if we haven't used a real malloc. */ + sps->malloced = 1; diff --git a/getcwd-absolute.patch b/getcwd-absolute.patch new file mode 100644 index 0000000..3c1fe2f --- /dev/null +++ b/getcwd-absolute.patch @@ -0,0 +1,34 @@ +2018-01-12 Dmitry V. Levin + + [BZ #22679] + CVE-2018-1000001 + * sysdeps/unix/sysv/linux/getcwd.c (__getcwd): Fall back to + generic_getcwd if the path returned by getcwd syscall is not absolute. + +Index: glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c +=================================================================== +--- glibc-2.26.orig/sysdeps/unix/sysv/linux/getcwd.c ++++ glibc-2.26/sysdeps/unix/sysv/linux/getcwd.c +@@ -76,7 +76,7 @@ __getcwd (char *buf, size_t size) + int retval; + + retval = INLINE_SYSCALL (getcwd, 2, path, alloc_size); +- if (retval >= 0) ++ if (retval > 0 && path[0] == '/') + { + #ifndef NO_ALLOCATION + if (buf == NULL && size == 0) +@@ -92,10 +92,10 @@ __getcwd (char *buf, size_t size) + return buf; + } + +- /* The system call cannot handle paths longer than a page. +- Neither can the magic symlink in /proc/self. Just use the ++ /* The system call either cannot handle paths longer than a page ++ or can succeed without returning an absolute path. Just use the + generic implementation right away. */ +- if (errno == ENAMETOOLONG) ++ if (retval >= 0 || errno == ENAMETOOLONG) + { + #ifndef NO_ALLOCATION + if (buf == NULL && size == 0) diff --git a/glibc.changes b/glibc.changes index 18c59a8..a8097d0 100644 --- a/glibc.changes +++ b/glibc.changes @@ -1,3 +1,18 @@ +------------------------------------------------------------------- +Mon Jan 22 10:32:36 UTC 2018 - schwab@suse.de + +- getcwd-absolute.patch: make getcwd(3) fail if it cannot obtain an + absolute path (CVE-2018-1000001, bsc#1074293, BZ #22679) + +------------------------------------------------------------------- +Tue Jan 2 10:43:09 UTC 2018 - schwab@suse.de + +- dl-init-paths-overflow.patch: Count components of the expanded path in + _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ + #22607, BZ #22627) +- fillin-rpath-empty-tokens.patch: Check for empty tokens before dynamic + string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) + ------------------------------------------------------------------- Wed Dec 13 15:04:54 UTC 2017 - schwab@suse.de diff --git a/glibc.spec b/glibc.spec index e49c0d4..83d0c81 100644 --- a/glibc.spec +++ b/glibc.spec @@ -1,7 +1,7 @@ # # spec file for package glibc # -# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2018 SUSE LINUX GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -326,6 +326,12 @@ Patch1024: tst-tlsopt-powerpc.patch Patch1025: powerpc-hwcap-bits.patch # PATCH-FIX-UPSTREAM Fix integer overflow in malloc when tcache is enabled (CVE-2017-17426, BZ #22375) Patch1026: malloc-tcache-check-overflow.patch +# PATCH-FIX-UPSTREAM Count components of the expanded path in _dl_init_path (CVE-2017-1000408, CVE-2017-1000409, bsc#1071319, BZ #22607, BZ #22627) +Patch1027: dl-init-paths-overflow.patch +# PATCH-FIX-UPSTREAM Check for empty tokens before dynamic string token expansion (CVE-2017-16997, bsc#1073231, BZ #22625) +Patch1028: fillin-rpath-empty-tokens.patch +# PATCH-FIX-UPSTREAM make getcwd(3) fail if it cannot obtain an absolute path (CVE-2018-1000001, BZ #22679) +Patch1029: getcwd-absolute.patch ### # Patches awaiting upstream approval @@ -574,6 +580,9 @@ rm nscd/s-stamp %patch1024 -p1 %patch1025 -p1 %patch1026 -p1 +%patch1027 -p1 +%patch1028 -p1 +%patch1029 -p1 %patch2000 -p1 %patch2001 -p1