From d2b77337f734fcacdfc8e0ddec14cf31a746c7be Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar
Date: Mon, 11 Sep 2023 18:53:15 -0400
Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached

The string parsing routine may end up writing beyond bounds of tunestr if the input tunable string is malformed, of the form name=name=val. This gets processed twice, first as name=name=val and next as name=val, resulting in tunestr being name=name=val:name=val, thus overflowing tunestr.

Terminate the parsing loop at the first instance itself so that tunestr does not overflow.
---
Changes from v1:

- Also null-terminate tunestr before exiting.

 elf/dl-tunables.c | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

Upstream-Status: Backport [git://sourceware.org/git/glibc.git]
CVE: CVE-2023-4911

diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index 8e7ee9df10..76cf8b9da3 100644
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -187,11 +187,7 @@ parse_tunables (char *tunestr, char *valstring)
       /* If we reach the end of the string before getting a valid name-value pair, bail out. */
       if (p[len] == '\0')
-        {
-          if (__libc_enable_secure)
-            tunestr[off] = '\0';
-          return;
-        }
+        break;
 
       /* We did not find a valid name-value pair before encountering the colon. */
@@ -251,9 +247,16 @@ parse_tunables (char *tunestr, char *valstring)
             }
         }
 
-      if (p[len] != '\0')
-        p += len + 1;
+      /* We reached the end while processing the tunable string. */
+      if (p[len] == '\0')
+        break;
+
+      p += len + 1;
     }
+
+  /* Terminate tunestr before we leave. */
+  if (__libc_enable_secure)
+    tunestr[off] = '\0';
 }
 
 #endif
-- 
2.41.0
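Review bot: The post-loop `tunestr[off] = '\0';` in the second hunk is in bounds only if `off` never runs ahead of the bytes the loop has already consumed from `tunestr`, which is precisely the invariant the old re-processing of `name=name=val` broke, and nothing in the hunk records it; I would state it where the write happens, e.g. `/* off only trails the bytes already parsed from tunestr (presumably, since each copied name=value came from them), so this write stays inside the original string.  */`. With the early `return` turned into `break`, the two `break`s are now the only exits from the parsing loop, so the terminator runs on every path; the loop's `while` header and the function's opening lie outside the hunk, so that should be confirmed against the full function. The diffstat lists only elf/dl-tunables.c, so if the upstream commit also extended the setuid tunables test with a `name=name=value` case, this backport should carry that regression test along rather than rely on review alone.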