diff options
author | Armin Kuster <akuster808@gmail.com> | 2018-01-21 09:59:55 -0800 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2018-01-23 23:43:45 +0000 |
commit | b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2 (patch) | |
tree | 4a7e4bda5c2ab6fc25b5a332693820ab7b56f5c8 | |
parent | 042e562a7732f78828a26fb0443f12925435cc12 (diff) | |
download | poky-b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2.tar.gz |
glibc: Security Fix CVE-2017-16997
Affect glibc < 2.27
including current master glibc hash: 77f921dac17c5fa99bd9e926d926c327982895f7
(From OE-Core rev: f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f)
Signed-off-by: Armin Kuster <akuster808@gmail.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r-- | meta/recipes-core/glibc/glibc/CVE-2017-16997.patch | 151 | ||||
-rw-r--r-- | meta/recipes-core/glibc/glibc_2.26.bb | 1 |
2 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch new file mode 100644 index 0000000000..d9bde7f20a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch | |||
@@ -0,0 +1,151 @@ | |||
1 | From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001 | ||
2 | From: Aurelien Jarno <aurelien@aurel32.net> | ||
3 | Date: Sat, 30 Dec 2017 10:54:23 +0100 | ||
4 | Subject: [PATCH] elf: Check for empty tokens before dynamic string token | ||
5 | expansion [BZ #22625] | ||
6 | |||
7 | The fillin_rpath function in elf/dl-load.c loops over each RPATH or | ||
8 | RUNPATH tokens and interprets empty tokens as the current directory | ||
9 | ("./"). In practice the check for empty token is done *after* the | ||
10 | dynamic string token expansion. The expansion process can return an | ||
11 | empty string for the $ORIGIN token if __libc_enable_secure is set | ||
12 | or if the path of the binary can not be determined (/proc not mounted). | ||
13 | |||
14 | Fix that by moving the check for empty tokens before the dynamic string | ||
15 | token expansion. In addition, check for NULL pointer or empty strings | ||
16 | return by expand_dynamic_string_token. | ||
17 | |||
18 | The above changes highlighted a bug in decompose_rpath, an empty array | ||
19 | is represented by the first element being NULL at the fillin_rpath | ||
20 | level, but by using a -1 pointer in decompose_rpath and other functions. | ||
21 | |||
22 | Changelog: | ||
23 | [BZ #22625] | ||
24 | * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic | ||
25 | string token expansion. Check for NULL pointer or empty string possibly | ||
26 | returned by expand_dynamic_string_token. | ||
27 | (decompose_rpath): Check for empty path after dynamic string | ||
28 | token expansion. | ||
29 | (cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef) | ||
30 | |||
31 | Upstream-Status: Backport | ||
32 | CVE: CVE-2017-16997 | ||
33 | Signed-off-by: Armin Kuster <akuster@mvista.com> | ||
34 | |||
35 | --- | ||
36 | ChangeLog | 10 ++++++++++ | ||
37 | NEWS | 4 ++++ | ||
38 | elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++---------------- | ||
39 | 3 files changed, 47 insertions(+), 16 deletions(-) | ||
40 | |||
41 | Index: git/NEWS | ||
42 | =================================================================== | ||
43 | --- git.orig/NEWS | ||
44 | +++ git/NEWS | ||
45 | @@ -211,6 +211,10 @@ Security related changes: | ||
46 | on the stack or the heap, depending on the length of the user name). | ||
47 | Reported by Tim Rühsen. | ||
48 | |||
49 | + CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN | ||
50 | + for AT_SECURE or SUID binaries could be used to load libraries from the | ||
51 | + current directory. | ||
52 | + | ||
53 | The following bugs are resolved with this release: | ||
54 | |||
55 | [984] network: Respond to changed resolv.conf in gethostbyname | ||
56 | Index: git/elf/dl-load.c | ||
57 | =================================================================== | ||
58 | --- git.orig/elf/dl-load.c | ||
59 | +++ git/elf/dl-load.c | ||
60 | @@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear | ||
61 | { | ||
62 | char *cp; | ||
63 | size_t nelems = 0; | ||
64 | - char *to_free; | ||
65 | |||
66 | while ((cp = __strsep (&rpath, sep)) != NULL) | ||
67 | { | ||
68 | struct r_search_path_elem *dirp; | ||
69 | + char *to_free = NULL; | ||
70 | + size_t len = 0; | ||
71 | |||
72 | - to_free = cp = expand_dynamic_string_token (l, cp, 1); | ||
73 | + /* `strsep' can pass an empty string. */ | ||
74 | + if (*cp != '\0') | ||
75 | + { | ||
76 | + to_free = cp = expand_dynamic_string_token (l, cp, 1); | ||
77 | |||
78 | - size_t len = strlen (cp); | ||
79 | + /* expand_dynamic_string_token can return NULL in case of empty | ||
80 | + path or memory allocation failure. */ | ||
81 | + if (cp == NULL) | ||
82 | + continue; | ||
83 | + | ||
84 | + /* Compute the length after dynamic string token expansion and | ||
85 | + ignore empty paths. */ | ||
86 | + len = strlen (cp); | ||
87 | + if (len == 0) | ||
88 | + { | ||
89 | + free (to_free); | ||
90 | + continue; | ||
91 | + } | ||
92 | |||
93 | - /* `strsep' can pass an empty string. This has to be | ||
94 | - interpreted as `use the current directory'. */ | ||
95 | - if (len == 0) | ||
96 | - { | ||
97 | - static const char curwd[] = "./"; | ||
98 | - cp = (char *) curwd; | ||
99 | + /* Remove trailing slashes (except for "/"). */ | ||
100 | + while (len > 1 && cp[len - 1] == '/') | ||
101 | + --len; | ||
102 | + | ||
103 | + /* Now add one if there is none so far. */ | ||
104 | + if (len > 0 && cp[len - 1] != '/') | ||
105 | + cp[len++] = '/'; | ||
106 | } | ||
107 | |||
108 | - /* Remove trailing slashes (except for "/"). */ | ||
109 | - while (len > 1 && cp[len - 1] == '/') | ||
110 | - --len; | ||
111 | - | ||
112 | - /* Now add one if there is none so far. */ | ||
113 | - if (len > 0 && cp[len - 1] != '/') | ||
114 | - cp[len++] = '/'; | ||
115 | - | ||
116 | /* Make sure we don't use untrusted directories if we run SUID. */ | ||
117 | if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len)) | ||
118 | { | ||
119 | @@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st | ||
120 | necessary. */ | ||
121 | free (copy); | ||
122 | |||
123 | + /* There is no path after expansion. */ | ||
124 | + if (result[0] == NULL) | ||
125 | + { | ||
126 | + free (result); | ||
127 | + sps->dirs = (struct r_search_path_elem **) -1; | ||
128 | + return false; | ||
129 | + } | ||
130 | + | ||
131 | sps->dirs = result; | ||
132 | /* The caller will change this value if we haven't used a real malloc. */ | ||
133 | sps->malloced = 1; | ||
134 | Index: git/ChangeLog | ||
135 | =================================================================== | ||
136 | --- git.orig/ChangeLog | ||
137 | +++ git/ChangeLog | ||
138 | @@ -1,3 +1,13 @@ | ||
139 | +2017-12-30 Aurelien Jarno <aurelien@aurel32.net> | ||
140 | + Dmitry V. Levin <ldv@altlinux.org> | ||
141 | + | ||
142 | + [BZ #22625] | ||
143 | + * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic | ||
144 | + string token expansion. Check for NULL pointer or empty string possibly | ||
145 | + returned by expand_dynamic_string_token. | ||
146 | + (decompose_rpath): Check for empty path after dynamic string | ||
147 | + token expansion. | ||
148 | + | ||
149 | 2017-10-22 Paul Eggert <eggert@cs.ucla.edu> | ||
150 | |||
151 | [BZ #22332] | ||
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 0ba29e4525..456ce12d76 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb | |||
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ | |||
44 | file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \ | 44 | file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \ |
45 | file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ | 45 | file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ |
46 | file://CVE-2017-15671.patch \ | 46 | file://CVE-2017-15671.patch \ |
47 | file://CVE-2017-16997.patch \ | ||
47 | " | 48 | " |
48 | 49 | ||
49 | NATIVESDKFIXES ?= "" | 50 | NATIVESDKFIXES ?= "" |