diff options
| author | Carlos O'Donell <carlos@redhat.com> | 2018-06-05 23:55:17 -0400 |
|---|---|---|
| committer | Carlos O'Donell <carlos@redhat.com> | 2018-06-12 11:07:56 -0400 |
| commit | 5aad5f617892e75d91d4c8fb7594ff35b610c042 (patch) | |
| tree | 944a1fcdc0b9403ef03cd3a1b43d75c02c9817c7 /NEWS | |
| parent | 329ea513b451ae8322aa7a24ed84da13992af2dd (diff) | |
| download | glibc-5aad5f617892e75d91d4c8fb7594ff35b610c042.tar glibc-5aad5f617892e75d91d4c8fb7594ff35b610c042.tar.gz glibc-5aad5f617892e75d91d4c8fb7594ff35b610c042.tar.bz2 glibc-5aad5f617892e75d91d4c8fb7594ff35b610c042.zip | |
Improve DST handling (Bug 23102, Bug 21942, Bug 18018, Bug 23259).
This commit improves DST handling significantly in the following
ways: firstly is_dst () is overhauled to correctly process DST
sequences that would be accepted given the ELF gABI. This means that
we actually now accept slightly more sequences than before. Now we
accept $ORIGIN$ORIGIN, but in the past we accepted only $ORIGIN\0 or
$ORIGIN/..., but this kind of behaviour results in unexpected
and uninterpreted DST sequences being used as literal search paths
leading to security defects. Therefore the first step in correcting
this defect is making is_dst () properly account for all DSTs
and making the function context free in the sense that it counts
DSTs without knowledge of path, or AT_SECURE. Next, _dl_dst_count ()
is also simplified to count all DSTs regardless of context.
Then in _dl_dst_substitute () we reintroduce context-dependent
processing for such things as AT_SECURE handling. At the level of
_dl_dst_substitute we can have access to things like the true start
of the string sequence to validate $ORIGIN-based paths rooted in
trusted directories. Lastly, we tighten up the accepted sequences
in AT_SECURE, and avoid leaving known unexpanded DSTs, this is
noted in the NEWS entry.
Verified with a sequence of 68 tests on x86_64 that cover
non-AT_SECURE and AT_SECURE testing using a sysroot (requires root
to run). The tests cover cases for bug 23102, bug 21942, bug 18018,
and bug 23259. These tests are not yet appropriate for the glibc
regression testsuite, but with the upcoming test-in-container testing
framework it should be possible to include these tests upstream soon.
See the mailing list for the tests:
https://www.sourceware.org/ml/libc-alpha/2018-06/msg00251.html
Diffstat (limited to 'NEWS')
| -rw-r--r-- | NEWS | 11 |
1 files changed, 11 insertions, 0 deletions
@@ -42,6 +42,17 @@ Major new features: NI_IDN_ALLOW_UNASSIGNED, NI_IDN_USE_STD3_ASCII_RULES) have been deprecated. They no longer have any effect. +* Parsing of dynamic string tokens in DT_RPATH, DT_RUNPATH, DT_NEEDED, + DT_AUXILIARY, and DT_FILTER has been expanded to support the full + range of ELF gABI expressions including such constructs as + '$ORIGIN$ORIGIN' (if valid). For SUID/GUID applications the rules + have been further restricted, and where in the past a dynamic string + token sequence may have been interpreted as a literal string it will + now cause a load failure. These load failures were always considered + unspecified behaviour from the perspective of the dynamic loader, and + for safety are now load errors e.g. /foo/${ORIGIN}.so in DT_NEEDED + results in a load failure now. + Deprecated and removed features, and other changes affecting compatibility: * The nonstandard header files <libio.h> and <_G_config.h> are no longer |