Attachment 726742 Details for Bug 1039357

[patch] 0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch

0002-rtld-Reject-overly-long-LD_PRELOAD-path-elements.patch (text/plain), 3.63 KB, created by Marcus Meissner on 2017-05-29 07:12:54 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Marcus Meissner

Created: 2017-05-29 07:12:54 UTC

Size: 3.63 KB

patch

obsolete

>From 65ff0b7a085b85271ec8fde99f542281b495e3bc Mon Sep 17 00:00:00 2001
>Message-Id: <65ff0b7a085b85271ec8fde99f542281b495e3bc.1495998948.git.fweimer@redhat.com>
>In-Reply-To: <cover.1495998948.git.fweimer@redhat.com>
>References: <cover.1495998948.git.fweimer@redhat.com>
>From: Florian Weimer <fweimer@redhat.com>
>Date: Sun, 28 May 2017 20:57:40 +0200
>Subject: [PATCH 2/3] rtld: Reject overly long LD_PRELOAD path elements
>To: libc-alpha@sourceware.org
>
>---
> elf/rtld.c | 69 +++++++++++++++++++++++++++++++++++++++++++++++---------------
> 1 file changed, 53 insertions(+), 16 deletions(-)
>
>diff --git a/elf/rtld.c b/elf/rtld.c
>index 824b6cf..30f0cae 100644
>--- a/elf/rtld.c
>+++ b/elf/rtld.c
>@@ -99,6 +99,22 @@ uintptr_t __pointer_chk_guard_local
> strong_alias (__pointer_chk_guard_local, __pointer_chk_guard)
> #endif
> 
>+/* Check that AT_SECURE=0, or that the passed name does not contain
>+   directories and is not overly long.  Reject empty names
>+   unconditionally.  */
>+static bool
>+dso_name_valid_for_suid (const char *p)
>+{
>+  if (__glibc_unlikely (__libc_enable_secure))
>+    {
>+      /* Ignore pathnames with directories for AT_SECURE=1
>+	 programs, and also skip overlong names.  */
>+      size_t len = strlen (p);
>+      if (len >= NAME_MAX || memchr (p, '/', len) != NULL)
>+	return false;
>+    }
>+  return *p != '\0';
>+}
> 
> /* List of auditing DSOs.  */
> static struct audit_list
>@@ -716,6 +732,42 @@ static const char *preloadlist attribute_relro;
> /* Nonzero if information about versions has to be printed.  */
> static int version_info attribute_relro;
> 
>+/* The LD_PRELOAD environment variable gives list of libraries
>+   separated by white space or colons that are loaded before the
>+   executable's dependencies and prepended to the global scope list.
>+   (If the binary is running setuid all elements containing a '/' are
>+   ignored since it is insecure.)  Return the number of preloads
>+   performed.  */
>+unsigned int
>+handle_ld_preload (const char *preloadlist, struct link_map *main_map)
>+{
>+  unsigned int npreloads = 0;
>+  const char *p = preloadlist;
>+  char fname[PATH_MAX];
>+
>+  while (*p != '\0')
>+    {
>+      /* Split preload list at space/colon.  */
>+      size_t len = strcspn (p, " :");
>+      if (len > 0 && len < PATH_MAX)
>+	{
>+	  memcpy (fname, p, len);
>+	  fname[len] = '\0';
>+	}
>+      else
>+	fname[0] = '\0';
>+
>+      /* Skip over the substring and the following delimiter.  */
>+      p += len;
>+      if (*p == ' ' || *p == ':')
>+	++p;
>+
>+      if (dso_name_valid_for_suid (fname))
>+	npreloads += do_preload (fname, main_map, "LD_PRELOAD");
>+    }
>+  return npreloads;
>+}
>+
> static void
> dl_main (const ElfW(Phdr) *phdr,
> 	 ElfW(Word) phnum,
>@@ -1462,23 +1514,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
> 
>   if (__glibc_unlikely (preloadlist != NULL))
>     {
>-      /* The LD_PRELOAD environment variable gives list of libraries
>-	 separated by white space or colons that are loaded before the
>-	 executable's dependencies and prepended to the global scope
>-	 list.  If the binary is running setuid all elements
>-	 containing a '/' are ignored since it is insecure.  */
>-      char *list = strdupa (preloadlist);
>-      char *p;
>-
>       HP_TIMING_NOW (start);
>-
>-      /* Prevent optimizing strsep.  Speed is not important here.  */
>-      while ((p = (strsep) (&list, " :")) != NULL)
>-	if (p[0] != '\0'
>-	    && (__builtin_expect (! __libc_enable_secure, 1)
>-		|| strchr (p, '/') == NULL))
>-	  npreloads += do_preload (p, main_map, "LD_PRELOAD");
>-
>+      npreloads += handle_ld_preload (preloadlist, main_map);
>       HP_TIMING_NOW (stop);
>       HP_TIMING_DIFF (diff, start, stop);
>       HP_TIMING_ACCUM_NT (load_time, diff);
>-- 
>2.9.4
>

Actions: View | Diff

Attachments on bug 1039357: 726741 | 726742 | 726743