wok-4.x view glibc/stuff/patches/glibc-2.22-CVE-2017-16997.patch @ rev 12476

Up glibc (2.22) with CVE patches
author Stanislas Leduc <shann@slitaz.org>
date Wed Mar 15 11:41:38 2023 +0000 (16 months ago)
1 Based on:
3 From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
4 From: Aurelien Jarno <aurelien@aurel32.net>
5 Date: Sat, 30 Dec 2017 10:54:23 +0100
6 Subject: [PATCH] elf: Check for empty tokens before dynamic string token
7 expansion [BZ #22625]
9 The fillin_rpath function in elf/dl-load.c loops over each RPATH or
10 RUNPATH tokens and interprets empty tokens as the current directory
11 ("./"). In practice the check for empty token is done *after* the
12 dynamic string token expansion. The expansion process can return an
13 empty string for the $ORIGIN token if __libc_enable_secure is set
14 or if the path of the binary can not be determined (/proc not mounted).
16 Fix that by moving the check for empty tokens before the dynamic string
17 token expansion. In addition, check for NULL pointer or empty strings
18 returned by expand_dynamic_string_token.
20 The above changes highlighted a bug in decompose_rpath, an empty array
21 is represented by the first element being NULL at the fillin_rpath
22 level, but by using a -1 pointer in decompose_rpath and other functions.
24 Changelog:
25 [BZ #22625]
26 * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
27 string token expansion. Check for NULL pointer or empty string possibly
28 returned by expand_dynamic_string_token.
29 (decompose_rpath): Check for empty path after dynamic string
30 token expansion.
31 (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
32 ---
33 ChangeLog | 10 ++++++++++
34 NEWS | 4 ++++
35 elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
36 3 files changed, 47 insertions(+), 16 deletions(-)
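--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -431,32 +431,41 @@ fillin_rpath (char *rpath, struct r_sear
 {
 char *cp;
 size_t nelems = 0;
- char *to_free;

 while ((cp = __strsep (&rpath, sep)) != NULL)
 {
 struct r_search_path_elem *dirp;
+ char *to_free = NULL;
+ size_t len = 0;

- to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ /* `strsep' can pass an empty string. */
+ if (*cp != '\0')
+ {
+ to_free = cp = expand_dynamic_string_token (l, cp, 1);

- size_t len = strlen (cp);
+ /* expand_dynamic_string_token can return NULL in case of empty
+ path or memory allocation failure. */
+ if (cp == NULL)
+ continue;
+
+ /* Compute the length after dynamic string token expansion and
+ ignore empty paths. */
+ len = strlen (cp);
+ if (len == 0)
+ {
+ free (to_free);
+ continue;
+ }

- /* `strsep' can pass an empty string. This has to be
- interpreted as `use the current directory'. */
- if (len == 0)
- {
- static const char curwd[] = "./";
- cp = (char *) curwd;
+ /* Remove trailing slashes (except for "/"). */
+ while (len > 1 && cp[len - 1] == '/')
+ --len;
+
+ /* Now add one if there is none so far. */
+ if (len > 0 && cp[len - 1] != '/')
+ cp[len++] = '/';
 }

- /* Remove trailing slashes (except for "/"). */
- while (len > 1 && cp[len - 1] == '/')
- --len;
-
- /* Now add one if there is none so far. */
- if (len > 0 && cp[len - 1] != '/')
- cp[len++] = '/';
-
 /* Make sure we don't use untrusted directories if we run SUID. */
 if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
 {
@@ -619,6 +628,14 @@ decompose_rpath (struct r_search_path_st
 necessary. */
 free (copy);

+ /* There is no path after expansion. */
+ if (result[0] == NULL)
+ {
+ free (result);
+ sps->dirs = (struct r_search_path_elem **) -1;
+ return false;
+ }
+
 sps->dirs = result;
 /* The caller will change this value if we haven't used a real malloc. */
 sps->malloced = 1;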
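Review bot: In the fillin_rpath hunk, a literally empty token (`*cp == '\0'`) bypasses the new block and still reaches `is_trusted_path (cp, len)` with `len == 0`, but the shortened comment no longer says what that case means. The removed comment documented it as the current directory; if that is still intended for unexpanded empty tokens, say so next to the test, for example `/* An empty token is kept with len == 0 (current directory); in secure mode it is left to the check_trusted test below. */`. The `cp == NULL` branch also drops the entry silently for both an empty expansion and an allocation failure, which deserves a word on why that is acceptable for search-path resolution. The loop body continues past the end of the hunk, so how a zero-length entry is stored could not be checked here.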