[ipfire-2.x.git] / src / patches / glibc / glibc-rh1171296.patch

#
# commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
# Author: Carlos O'Donell <carlos@redhat.com>
# Date:   Wed Nov 19 11:44:12 2014 -0500
# 
#     CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
#     
#     The function wordexp() fails to properly handle the WRDE_NOCMD
#     flag when processing arithmetic inputs in the form of "$((... ``))"
#     where "..." can be anything valid. The backticks in the arithmetic
#     epxression are evaluated by in a shell even if WRDE_NOCMD forbade
#     command substitution. This allows an attacker to attempt to pass
#     dangerous commands via constructs of the above form, and bypass
#     the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
#     in exec_comm(), the only place that can execute a shell. All other
#     checks for WRDE_NOCMD are superfluous and removed.
#     
#     We expand the testsuite and add 3 new regression tests of roughly
#     the same form but with a couple of nested levels.
#     
#     On top of the 3 new tests we add fork validation to the WRDE_NOCMD
#     testing. If any forks are detected during the execution of a wordexp()
#     call with WRDE_NOCMD, the test is marked as failed. This is slightly
#     heuristic since vfork might be used in the future, but it provides a
#     higher level of assurance that no shells were executed as part of
#     command substitution with WRDE_NOCMD in effect. In addition it doesn't
#     require libpthread or libdl, instead we use the public implementation
#     namespace function __register_atfork (already part of the public ABI
#     for libpthread).
#     
#     Tested on x86_64 with no regressions.
# 
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
index 4957006..bdd65e4 100644
--- a/posix/wordexp-test.c
+++ b/posix/wordexp-test.c
@@ -27,6 +27,25 @@
 
 #define IFS " \n\t"
 
+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
+extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
+
+static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
+{
+  return __register_atfork (prepare, parent, child,
+			    &__dso_handle == NULL ? NULL : __dso_handle);
+}
+
+/* Number of forks seen.  */
+static int registered_forks;
+
+/* For each fork increment the fork count.  */
+static void
+register_fork (void)
+{
+  registered_forks++;
+}
+
 struct test_case_struct
 {
   int retval;
@@ -206,6 +225,12 @@ struct test_case_struct
     { WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
     { WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
     { WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
+    /* Test for CVE-2014-7817. We test 3 combinations of command
+       substitution inside an arithmetic expression to make sure that
+       no commands are executed and error is returned.  */
+    { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
+    { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
+    { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
 
     { -1, NULL, NULL, 0, 0, { NULL, }, IFS },
   };
@@ -258,6 +283,15 @@ main (int argc, char *argv[])
 	  return -1;
     }
 
+  /* If we are not allowed to do command substitution, we install
+     fork handlers to verify that no forks happened.  No forks should
+     happen at all if command substitution is disabled.  */
+  if (__app_register_atfork (register_fork, NULL, NULL) != 0)
+    {
+      printf ("Failed to register fork handler.\n");
+      return -1;
+    }
+
   for (test = 0; test_case[test].retval != -1; test++)
     if (testit (&test_case[test]))
       ++fail;
@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
 
   printf ("Test %d (%s): ", ++tests, tc->words);
 
+  if (tc->flags & WRDE_NOCMD)
+    registered_forks = 0;
+
   if (tc->flags & WRDE_APPEND)
     {
       /* initial wordexp() call, to be appended to */
@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
     }
   retval = wordexp (tc->words, &we, tc->flags);
 
+  if ((tc->flags & WRDE_NOCMD)
+      && (registered_forks > 0))
+    {
+	  printf ("FAILED fork called for WRDE_NOCMD\n");
+	  return 1;
+    }
+
   if (tc->flags & WRDE_DOOFFS)
       start_offs = sav_we.we_offs;
 
diff --git a/posix/wordexp.c b/posix/wordexp.c
index b6b65dd..26f3a26 100644
--- a/posix/wordexp.c
+++ b/posix/wordexp.c
@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
   pid_t pid;
   int noexec = 0;
 
+  /* Do nothing if command substitution should not succeed.  */
+  if (flags & WRDE_NOCMD)
+    return WRDE_CMDSUB;
+
   /* Don't fork() unless necessary */
   if (!comm || !*comm)
     return 0;
@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
 	    }
 	}
 
-      if (flags & WRDE_NOCMD)
-	return WRDE_CMDSUB;
-
       (*offset) += 2;
       return parse_comm (word, word_length, max_length, words, offset, flags,
 			 quoted? NULL : pwordexp, ifs, ifs_white);
@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
 	  break;
 
 	case '`':
-	  if (flags & WRDE_NOCMD)
-	    return WRDE_CMDSUB;
-
 	  ++(*offset);
 	  error = parse_backtick (word, word_length, max_length, words,
 				  offset, flags, NULL, NULL, NULL);
@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
 	break;
 
       case '`':
-	if (flags & WRDE_NOCMD)
-	  {
-	    error = WRDE_CMDSUB;
-	    goto do_error;
-	  }
-
 	++words_offset;
 	error = parse_backtick (&word, &word_length, &max_length, words,
 				&words_offset, flags, pwordexp, ifs,
Commit	Line	Data
fe875de8 MT	1	#
	2	# commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c
	3	# Author: Carlos O'Donell <carlos@redhat.com>
	4	# Date: Wed Nov 19 11:44:12 2014 -0500
	5	#
	6	# CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
	7	#
	8	# The function wordexp() fails to properly handle the WRDE_NOCMD
	9	# flag when processing arithmetic inputs in the form of "$((... ``))"
	10	# where "..." can be anything valid. The backticks in the arithmetic
	11	# epxression are evaluated by in a shell even if WRDE_NOCMD forbade
	12	# command substitution. This allows an attacker to attempt to pass
	13	# dangerous commands via constructs of the above form, and bypass
	14	# the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
	15	# in exec_comm(), the only place that can execute a shell. All other
	16	# checks for WRDE_NOCMD are superfluous and removed.
	17	#
	18	# We expand the testsuite and add 3 new regression tests of roughly
	19	# the same form but with a couple of nested levels.
	20	#
	21	# On top of the 3 new tests we add fork validation to the WRDE_NOCMD
	22	# testing. If any forks are detected during the execution of a wordexp()
	23	# call with WRDE_NOCMD, the test is marked as failed. This is slightly
	24	# heuristic since vfork might be used in the future, but it provides a
	25	# higher level of assurance that no shells were executed as part of
	26	# command substitution with WRDE_NOCMD in effect. In addition it doesn't
	27	# require libpthread or libdl, instead we use the public implementation
	28	# namespace function __register_atfork (already part of the public ABI
	29	# for libpthread).
	30	#
	31	# Tested on x86_64 with no regressions.
	32	#
	33	diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
	34	index 4957006..bdd65e4 100644
	35	--- a/posix/wordexp-test.c
	36	+++ b/posix/wordexp-test.c
	37	@@ -27,6 +27,25 @@
	38
	39	#define IFS " \n\t"
	40
	41	+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
	42	+extern int __register_atfork (void () (void), void () (void), void () (void), void );
	43	+
	44	+static int __app_register_atfork (void (prepare) (void), void (parent) (void), void (*child) (void))
	45	+{
	46	+ return __register_atfork (prepare, parent, child,
	47	+ &__dso_handle == NULL ? NULL : __dso_handle);
	48	+}
	49	+
	50	+/* Number of forks seen. */
	51	+static int registered_forks;
	52	+
	53	+/* For each fork increment the fork count. */
	54	+static void
	55	+register_fork (void)
	56	+{
	57	+ registered_forks++;
	58	+}
	59	+
	60	struct test_case_struct
	61	{
	62	int retval;
	63	@@ -206,6 +225,12 @@ struct test_case_struct
	64	{ WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
65	{ WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
66	{ WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
67	+ /* Test for CVE-2014-7817. We test 3 combinations of command
68	+ substitution inside an arithmetic expression to make sure that
69	+ no commands are executed and error is returned. */
70	+ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
71	+ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
72	+ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
73
74	{ -1, NULL, NULL, 0, 0, { NULL, }, IFS },
75	};
76	@@ -258,6 +283,15 @@ main (int argc, char *argv[])
77	return -1;
78	}
79
80	+ /* If we are not allowed to do command substitution, we install
81	+ fork handlers to verify that no forks happened. No forks should
82	+ happen at all if command substitution is disabled. */
83	+ if (__app_register_atfork (register_fork, NULL, NULL) != 0)
84	+ {
85	+ printf ("Failed to register fork handler.\n");
86	+ return -1;
87	+ }
88	+
89	for (test = 0; test_case[test].retval != -1; test++)
90	if (testit (&test_case[test]))
91	++fail;
92	@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
93
94	printf ("Test %d (%s): ", ++tests, tc->words);
95
96	+ if (tc->flags & WRDE_NOCMD)
97	+ registered_forks = 0;
98	+
99	if (tc->flags & WRDE_APPEND)
100	{
101	/* initial wordexp() call, to be appended to */
102	@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
103	}
104	retval = wordexp (tc->words, &we, tc->flags);
105
106	+ if ((tc->flags & WRDE_NOCMD)
107	+ && (registered_forks > 0))
108	+ {
109	+ printf ("FAILED fork called for WRDE_NOCMD\n");
110	+ return 1;
111	+ }
112	+
113	if (tc->flags & WRDE_DOOFFS)
114	start_offs = sav_we.we_offs;
115
116	diff --git a/posix/wordexp.c b/posix/wordexp.c
117	index b6b65dd..26f3a26 100644
118	--- a/posix/wordexp.c
119	+++ b/posix/wordexp.c
120	@@ -893,6 +893,10 @@ exec_comm (char comm, char word, size_t word_length, size_t *max_length,
121	pid_t pid;
122	int noexec = 0;
123
124	+ /* Do nothing if command substitution should not succeed. */
125	+ if (flags & WRDE_NOCMD)
126	+ return WRDE_CMDSUB;
127	+
128	/* Don't fork() unless necessary */
129	if (!comm \|\| !*comm)
130	return 0;
131	@@ -2082,9 +2086,6 @@ parse_dollars (char *word, size_t word_length, size_t *max_length,
132	}
133	}
134
135	- if (flags & WRDE_NOCMD)
136	- return WRDE_CMDSUB;
137	-
138	(*offset) += 2;
139	return parse_comm (word, word_length, max_length, words, offset, flags,
140	quoted? NULL : pwordexp, ifs, ifs_white);
141	@@ -2196,9 +2197,6 @@ parse_dquote (char *word, size_t word_length, size_t *max_length,
142	break;
143
144	case '`':
145	- if (flags & WRDE_NOCMD)
146	- return WRDE_CMDSUB;
147	-
148	++(*offset);
149	error = parse_backtick (word, word_length, max_length, words,
150	offset, flags, NULL, NULL, NULL);
151	@@ -2357,12 +2355,6 @@ wordexp (const char words, wordexp_t pwordexp, int flags)
152	break;
153
154	case '`':
155	- if (flags & WRDE_NOCMD)
156	- {
157	- error = WRDE_CMDSUB;
158	- goto do_error;
159	- }
160	-
161	++words_offset;
162	error = parse_backtick (&word, &word_length, &max_length, words,
163	&words_offset, flags, pwordexp, ifs,