glibc: Security Fix CVE-2017-16997

Affect glibc < 2.27 including current master glibc hash: 77f921dac17c5fa99bd9e926d926c327982895f7 Signed-off-by: Armin Kuster <akuster808@gmail.com> Signed-off-by: Ross Burton <ross.burton@intel.com>
author: Armin Kuster <akuster808@gmail.com> 2018-01-21 09:59:55 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2018-01-22 23:25:47 +0000
commit: f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f (patch)
tree: e3f815952e82e5fc5d7ddfcd3503c5e58b43a3a5 /meta/recipes-core/glibc
parent: 9e411843b26d296ba2b048b581d31bd0221e25e6 (diff)
download: openembedded-core-contrib-f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f.tar.gz
2 files changed, 152 insertions, 0 deletions
diff --git a/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
new file mode 100644
index 0000000000..d9bde7f20a
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/CVE-2017-16997.patch
@@ -0,0 +1,151 @@
+From 4ebd0c4191c6073cc8a7c5fdcf1d182c4719bcbb Mon Sep 17 00:00:00 2001
+From: Aurelien Jarno <aurelien@aurel32.net>
+Date: Sat, 30 Dec 2017 10:54:23 +0100
+Subject: [PATCH] elf: Check for empty tokens before dynamic string token
+ expansion [BZ #22625]
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Changelog:
+	[BZ #22625]
+	* elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
+	string token expansion. Check for NULL pointer or empty string possibly
+	returned by expand_dynamic_string_token.
+	(decompose_rpath): Check for empty path after dynamic string
+	token expansion.
+(cherry picked from commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef)
+
+Upstream-Status: Backport
+CVE: CVE-2017-16997
+Signed-off-by: Armin Kuster <akuster@mvista.com>
+
+---
+ ChangeLog     | 10 ++++++++++
+ NEWS          |  4 ++++
+ elf/dl-load.c | 49 +++++++++++++++++++++++++++++++++----------------
+ 3 files changed, 47 insertions(+), 16 deletions(-)
+
+Index: git/NEWS
+===================================================================
+--- git.orig/NEWS
++++ git/NEWS
+@@ -211,6 +211,10 @@ Security related changes:
+   on the stack or the heap, depending on the length of the user name).
+   Reported by Tim Rühsen.
+ 
++  CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN
++  for AT_SECURE or SUID binaries could be used to load libraries from the
++  current directory.
++
+ The following bugs are resolved with this release:
+ 
+   [984] network: Respond to changed resolv.conf in gethostbyname
+Index: git/elf/dl-load.c
+===================================================================
+--- git.orig/elf/dl-load.c
++++ git/elf/dl-load.c
+@@ -433,32 +433,41 @@ fillin_rpath (char *rpath, struct r_sear
+ {
+   char *cp;
+   size_t nelems = 0;
+-  char *to_free;
+ 
+   while ((cp = __strsep (&rpath, sep)) != NULL)
+     {
+       struct r_search_path_elem *dirp;
++      char *to_free = NULL;
++      size_t len = 0;
+ 
+-      to_free = cp = expand_dynamic_string_token (l, cp, 1);
++      /* `strsep' can pass an empty string.  */
++      if (*cp != '\0')
++	{
++	  to_free = cp = expand_dynamic_string_token (l, cp, 1);
+ 
+-      size_t len = strlen (cp);
++	  /* expand_dynamic_string_token can return NULL in case of empty
++	     path or memory allocation failure.  */
++	  if (cp == NULL)
++	    continue;
++
++	  /* Compute the length after dynamic string token expansion and
++	     ignore empty paths.  */
++	  len = strlen (cp);
++	  if (len == 0)
++	    {
++	      free (to_free);
++	      continue;
++	    }
+ 
+-      /* `strsep' can pass an empty string.  This has to be
+-	 interpreted as `use the current directory'. */
+-      if (len == 0)
+-	{
+-	  static const char curwd[] = "./";
+-	  cp = (char *) curwd;
++	  /* Remove trailing slashes (except for "/").  */
++	  while (len > 1 && cp[len - 1] == '/')
++	    --len;
++
++	  /* Now add one if there is none so far.  */
++	  if (len > 0 && cp[len - 1] != '/')
++	    cp[len++] = '/';
+ 	}
+ 
+-      /* Remove trailing slashes (except for "/").  */
+-      while (len > 1 && cp[len - 1] == '/')
+-	--len;
+-
+-      /* Now add one if there is none so far.  */
+-      if (len > 0 && cp[len - 1] != '/')
+-	cp[len++] = '/';
+-
+       /* Make sure we don't use untrusted directories if we run SUID.  */
+       if (__glibc_unlikely (check_trusted) && !is_trusted_path (cp, len))
+ 	{
+@@ -621,6 +630,14 @@ decompose_rpath (struct r_search_path_st
+      necessary.  */
+   free (copy);
+ 
++  /* There is no path after expansion.  */
++  if (result[0] == NULL)
++    {
++      free (result);
++      sps->dirs = (struct r_search_path_elem **) -1;
++      return false;
++    }
++
+   sps->dirs = result;
+   /* The caller will change this value if we haven't used a real malloc.  */
+   sps->malloced = 1;
+Index: git/ChangeLog
+===================================================================
+--- git.orig/ChangeLog
++++ git/ChangeLog
+@@ -1,3 +1,13 @@
++2017-12-30  Aurelien Jarno  <aurelien@aurel32.net>
++           Dmitry V. Levin  <ldv@altlinux.org>
++
++       [BZ #22625]
++       * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic
++       string token expansion. Check for NULL pointer or empty string possibly
++       returned by expand_dynamic_string_token.
++       (decompose_rpath): Check for empty path after dynamic string
++       token expansion.
++
+ 2017-10-22  Paul Eggert <eggert@cs.ucla.edu>
+ 
+        [BZ #22332]
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 0ba29e4525..456ce12d76 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -44,6 +44,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
            file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
            file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
            file://CVE-2017-15671.patch \
+           file://CVE-2017-16997.patch \
 "
 
 NATIVESDKFIXES ?= ""
author	Armin Kuster <akuster808@gmail.com>	2018-01-21 09:59:55 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2018-01-22 23:25:47 +0000
commit	f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f (patch)
tree	e3f815952e82e5fc5d7ddfcd3503c5e58b43a3a5 /meta/recipes-core/glibc
parent	9e411843b26d296ba2b048b581d31bd0221e25e6 (diff)
download	openembedded-core-contrib-f65acd6f8ef7172d75863ee091a3fbbaa57c0f3f.tar.gz