rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019...

author Marcin Kościelnicki <mwk@0x04.net>

Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)

committer Florian Weimer <fweimer@redhat.com>

Fri, 22 Nov 2019 12:46:54 +0000 (13:46 +0100)
author Marcin Kościelnicki <mwk@0x04.net>
Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)
committer Florian Weimer <fweimer@redhat.com>
Fri, 22 Nov 2019 12:46:54 +0000 (13:46 +0100)
diff --git a/NEWS b/NEWS

index f249ff690c9baae8c71963e61e7a1925f0233a6e..2a97ce5dacb10da6e42bf6ee9da7880ba8f9c7f7 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -69,6 +69,7 @@ The following bugs are resolved with this release:
    [24228] old x86 applications that use legacy libio crash on exit
    [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
    [24744] io: Remove the copy_file_range emulation.
+  [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
  
  Security related changes:
  
@@ -97,6 +98,13 @@ Security related changes:
    CVE-2019-9169: Attempted case-insensitive regular-expression match
    via proceed_next_node in posix/regexec.c leads to heap-based buffer
    over-read.  Reported by Hongxu Chen.
+
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Kościelnicki.
+
  \f
  Version 2.28
  
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h

index 194369174df08946f620b4c30b28242ccf48fa6e..ac694c032e7baf872d5bebb757dc57beeeb80a7f 100644 (file)
--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
@@ -31,7 +31,8 @@
     environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
  #define EXTRA_LD_ENVVARS \
    case 21:                                                               \
-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)              \
+    if (!__libc_enable_secure                                            \
+       && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)            \
        GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
         |= bit_arch_Prefer_MAP_32BIT_EXEC;                                \
      break;
author	Marcin Kościelnicki <mwk@0x04.net>
	Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)
committer	Florian Weimer <fweimer@redhat.com>
	Fri, 22 Nov 2019 12:46:54 +0000 (13:46 +0100)
NEWS		patch \| blob \| blame \| history
sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h		patch \| blob \| blame \| history