rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019...

author Marcin Kościelnicki <mwk@0x04.net>

Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)

committer Florian Weimer <fweimer@redhat.com>

Fri, 22 Nov 2019 12:40:07 +0000 (13:40 +0100)
author Marcin Kościelnicki <mwk@0x04.net>
Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)
committer Florian Weimer <fweimer@redhat.com>
Fri, 22 Nov 2019 12:40:07 +0000 (13:40 +0100)
diff --git a/NEWS b/NEWS

index dfb4962db798c42af80ebeee3122903872fa641a..03c49fe5c4f4b8107ad0ec4ae3d95363e0c74b99 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -67,6 +67,12 @@ Security related changes:
    memcmp gave the wrong result since it treated the size argument as
    zero.  Reported by H.J. Lu.
  
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Kościelnicki.
+
  The following bugs are resolved with this release:
  
    [6889] 'PWD' mentioned but not specified
@@ -145,6 +151,7 @@ The following bugs are resolved with this release:
    [24228] old x86 applications that use legacy libio crash on exit
    [24531] Malloc tunables give tcache assertion failures
    [24744] io: Remove the copy_file_range emulation
+  [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs
  
  \f
  Version 2.27
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h

index 194369174df08946f620b4c30b28242ccf48fa6e..ac694c032e7baf872d5bebb757dc57beeeb80a7f 100644 (file)
--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
@@ -31,7 +31,8 @@
     environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
  #define EXTRA_LD_ENVVARS \
    case 21:                                                               \
-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)              \
+    if (!__libc_enable_secure                                            \
+       && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)            \
        GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
         |= bit_arch_Prefer_MAP_32BIT_EXEC;                                \
      break;
author	Marcin Kościelnicki <mwk@0x04.net>
	Wed, 20 Nov 2019 23:20:15 +0000 (00:20 +0100)
committer	Florian Weimer <fweimer@redhat.com>
	Fri, 22 Nov 2019 12:40:07 +0000 (13:40 +0100)
NEWS		patch \| blob \| blame \| history
sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h		patch \| blob \| blame \| history