glibc: Security Fix CVE-2017-16997

Affect glibc < 2.27 including current master glibc hash: 77f921dac17c5fa99bd9e926d926c327982895f7 (From OE-Core rev: f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f) Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Armin Kuster <akuster808@gmail.com> 2018-01-21 09:59:55 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-23 23:43:45 +0000
commit: b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2 (patch)
tree: 4a7e4bda5c2ab6fc25b5a332693820ab7b56f5c8
parent: 042e562a7732f78828a26fb0443f12925435cc12 (diff)
download: poky-b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2.tar.gz
2 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
new file mode 100644
index 0000000000..d9bde7f20a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
@@ -0,0 +1,151 @@
+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sat, 30 Dec 2017 10:54:23 +0100
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token
+ expansion [BZ #22625]
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+Changelog:
+        [BZ #22625]
+        * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+        string token expansion. Check for NULL pointer or empty string possibly
+        returned by expand_dynamic_string_token.
+        (decompose_rpath): Check for empty path after dynamic string
+        token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+Upstream-Status: Backport
+CVE: CVE-2017-16997
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+---
+ ChangeLog     | 10 ++++++++++
+ NEWS          |  4 ++++
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 47 insertions(+), 16 deletions(-)
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
+++ git/NEWS
+@@ -211,6 +211,10 @@ Security related changes:
+   on the stack or the heap, depending on the length of the user name).
+   Reported by Tim Rühsen.
+ 
+  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
+  for AT_SECURE or SUID binaries could be used to load libraries from the
+  current directory.
+
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/elf/dl-load.c
+===================================================================
+--- git.orig/elf/dl-load.c
+++ git/elf/dl-load.c
+@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
+      char *to_free = NULL;
+      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
+      /* `strsep' can pass an empty string.  */
+      if (*cp != '\0')
+       {
+         to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
+         /* expand_dynamic_string_token can return NULL in case of empty
+            path or memory allocation failure.  */
+         if (cp == NULL)
+           continue;
+
+         /* Compute the length after dynamic string token expansion and
+            ignore empty paths.  */
+         len = strlen (cp);
+         if (len == 0)
+           {
+             free (to_free);
+             continue;
+           }
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-        interpreted as `use the current directory'. */
+-      if (len == 0)
+-       {
+-         static const char curwd[] = "./";
+-         cp = (char *) curwd;
+         /* Remove trailing slashes (except for "/").  */
+         while (len > 1 && cp[len - 1] == '/')
+           --len;
+
+         /* Now add one if there is none so far.  */
+         if (len > 0 && cp[len - 1] != '/')
+           cp[len++] = '/';
+        }
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-       --len;
+-
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-       cp[len++] = '/';
+-
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+        {
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
+      necessary.  */
+   free (copy);
+ 
+  /* There is no path after expansion.  */
+  if (result[0] == NULL)
+    {
+      free (result);
+      sps->dirs = (struct r_search_path_elem **) -1;
+      return false;
+    }
+
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
+++ git/ChangeLog
+@@ -1,3 +1,13 @@
+2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
+           Dmitry V. Levin  <ldv@altlinux.org>
+
+       [BZ #22625]
+       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+       string token expansion. Check for NULL pointer or empty string possibly
+       returned by expand_dynamic_string_token.
+       (decompose_rpath): Check for empty path after dynamic string
+       token expansion.
+
+ 2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
+ 
+        [BZ #22332]
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 0ba29e4525..456ce12d76 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
           file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
           file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
           file://CVE-2017-15671.patch \
+           file://CVE-2017-16997.patch \
 "
 NATIVESDKFIXES ?= ""
author	Armin Kuster <akuster808@gmail.com>	2018-01-21 09:59:55 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-23 23:43:45 +0000
commit	b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2 (patch)
tree	4a7e4bda5c2ab6fc25b5a332693820ab7b56f5c8
parent	042e562a7732f78828a26fb0443f12925435cc12 (diff)
download	poky-b1dde7b0311c63dfacbfd701c9b7cb95ae9571a2.tar.gz

diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch new file mode 100644 index 0000000000..d9bde7f20a --- /dev/null +++ b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
@@ -0,0 +1,151 @@
		1	From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
		2	From: Aurelien Jarno <aurelien@aurel32.net>
		3	Date: Sat, 30 Dec 2017 10:54:23 +0100
		4	Subject: [PATCH] elf: Check for empty tokens before dynamic string token
		5	expansion [BZ #22625]
		6
		7	The fillin_rpath function in elf/dl-load.c loops over each RPATH or
		8	RUNPATH tokens and interprets empty tokens as the current directory
		9	("./"). In practice the check for empty token is done after the
		10	dynamic string token expansion. The expansion process can return an
		11	empty string for the $ORIGIN token if __libc_enable_secure is set
		12	or if the path of the binary can not be determined (/proc not mounted).
		13
		14	Fix that by moving the check for empty tokens before the dynamic string
		15	token expansion. In addition, check for NULL pointer or empty strings
		16	return by expand_dynamic_string_token.
		17
		18	The above changes highlighted a bug in decompose_rpath, an empty array
		19	is represented by the first element being NULL at the fillin_rpath
		20	level, but by using a -1 pointer in decompose_rpath and other functions.
		21
		22	Changelog:
		23	[BZ #22625]
		24	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
		25	string token expansion. Check for NULL pointer or empty string possibly
		26	returned by expand_dynamic_string_token.
		27	(decompose_rpath): Check for empty path after dynamic string
		28	token expansion.
		29	(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
		30
		31	Upstream-Status: Backport
		32	CVE: CVE-2017-16997
		33	Signed-off-by: Armin Kuster <akuster@mvista.com>
		34
		35	---
		36	ChangeLog \| 10 ++++++++++
		37	NEWS \| 4 ++++
		38	elf/dl-load.c \| 49 +++++++++++++++++++++++++++++++++----------------
		39	3 files changed, 47 insertions(+), 16 deletions(-)
		40
		41	Index: git/NEWS
		42	===================================================================
		43	--- git.orig/NEWS
		44	+++ git/NEWS
		45	@@ -211,6 +211,10 @@ Security related changes:
		46	on the stack or the heap, depending on the length of the user name).
		47	Reported by Tim Rühsen.
		48
		49	+ CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
		50	+ for AT_SECURE or SUID binaries could be used to load libraries from the
		51	+ current directory.
		52	+
		53	The following bugs are resolved with this release:
		54
		55	[984] network: Respond to changed resolv.conf in gethostbyname
		56	Index: git/elf/dl-load.c
		57	===================================================================
		58	--- git.orig/elf/dl-load.c
		59	+++ git/elf/dl-load.c
		60	@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
		61	{
		62	char *cp;
		63	size_t nelems = 0;
		64	- char *to_free;
		65
		66	while ((cp = __strsep (&rpath, sep)) != NULL)
		67	{
		68	struct r_search_path_elem *dirp;
		69	+ char *to_free = NULL;
		70	+ size_t len = 0;
		71
		72	- to_free = cp = expand_dynamic_string_token (l, cp, 1);
		73	+ /* `strsep' can pass an empty string. */
		74	+ if (*cp != '\0')
		75	+ {
		76	+ to_free = cp = expand_dynamic_string_token (l, cp, 1);
		77
		78	- size_t len = strlen (cp);
		79	+ /* expand_dynamic_string_token can return NULL in case of empty
		80	+ path or memory allocation failure. */
		81	+ if (cp == NULL)
		82	+ continue;
		83	+
		84	+ /* Compute the length after dynamic string token expansion and
		85	+ ignore empty paths. */
		86	+ len = strlen (cp);
		87	+ if (len == 0)
		88	+ {
		89	+ free (to_free);
		90	+ continue;
		91	+ }
		92
		93	- /* `strsep' can pass an empty string. This has to be
		94	- interpreted as `use the current directory'. */
		95	- if (len == 0)
		96	- {
		97	- static const char curwd[] = "./";
		98	- cp = (char *) curwd;
		99	+ /* Remove trailing slashes (except for "/"). */
		100	+ while (len > 1 && cp[len - 1] == '/')
		101	+ --len;
		102	+
		103	+ /* Now add one if there is none so far. */
		104	+ if (len > 0 && cp[len - 1] != '/')
		105	+ cp[len++] = '/';
		106	}
		107
		108	- /* Remove trailing slashes (except for "/"). */
		109	- while (len > 1 && cp[len - 1] == '/')
		110	- --len;
		111	-
		112	- /* Now add one if there is none so far. */
		113	- if (len > 0 && cp[len - 1] != '/')
		114	- cp[len++] = '/';
		115	-
		116	/* Make sure we don't use untrusted directories if we run SUID. */
		117	if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
		118	{
		119	@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
		120	necessary. */
		121	free (copy);
		122
		123	+ /* There is no path after expansion. */
		124	+ if (result[0] == NULL)
		125	+ {
		126	+ free (result);
		127	+ sps->dirs = (struct r_search_path_elem **) -1;
		128	+ return false;
		129	+ }
		130	+
		131	sps->dirs = result;
		132	/* The caller will change this value if we haven't used a real malloc. */
		133	sps->malloced = 1;
		134	Index: git/ChangeLog
		135	===================================================================
		136	--- git.orig/ChangeLog
		137	+++ git/ChangeLog
		138	@@ -1,3 +1,13 @@
		139	+2017-12-30 Aurelien Jarno <aurelien@aurel32.net>
		140	+ Dmitry V. Levin <ldv@altlinux.org>
		141	+
		142	+ [BZ #22625]
		143	+ * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
		144	+ string token expansion. Check for NULL pointer or empty string possibly
		145	+ returned by expand_dynamic_string_token.
		146	+ (decompose_rpath): Check for empty path after dynamic string
		147	+ token expansion.
		148	+
		149	2017-10-22 Paul Eggert <eggert@cs.ucla.edu>
		150
		151	[BZ #22332]


diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 0ba29e4525..456ce12d76 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \	44	file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \	45	file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
46	file://CVE-2017-15671.patch \	46	file://CVE-2017-15671.patch \
		47	file://CVE-2017-16997.patch \
47	"	48	"
48		49
49	NATIVESDKFIXES ?= ""	50	NATIVESDKFIXES ?= ""