From 02809c23a3e5a55e4c47692b935f02e712afca30 Mon Sep 17 00:00:00 2001
From: Florian Weimer <fweimer@redhat.com>
Date: Tue, 20 May 2025 19:45:06 +0200
Subject: [PATCH] elf: Test case for bug 32976 (CVE-2025-4802)

Check that LD_LIBRARY_PATH is ignored for AT_SECURE statically
linked binaries, using support_capture_subprogram_self_sgid.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit d8f7a79335b0d861c12c42aec94c04cd5bb181e2)
---
 elf/Makefile              |   4 ++
 elf/tst-dlopen-sgid-mod.c |   1 +
 elf/tst-dlopen-sgid.c     | 104 ++++++++++++++++++++++++++++++++++++++
 3 files changed, 109 insertions(+)
 create mode 100644 elf/tst-dlopen-sgid-mod.c
 create mode 100644 elf/tst-dlopen-sgid.c

diff --git a/elf/Makefile b/elf/Makefile
index eb77ff641d..3e08a8046d 100644
--- a/elf/Makefile
+++ b/elf/Makefile
@@ -273,6 +273,7 @@ tests-static-normal := \
   tst-array1-static \
   tst-array5-static \
   tst-dl-iter-static \
+  tst-dlopen-sgid \
   tst-dst-static \
   tst-env-setuid \
   tst-env-setuid-tunables \
@@ -846,6 +847,7 @@ modules-names += \
   tst-dlmopen-gethostbyname-mod \
   tst-dlmopen-twice-mod1 \
   tst-dlmopen-twice-mod2 \
+  tst-dlopen-sgid-mod \
   tst-dlopenfaillinkmod \
   tst-dlopenfailmod1 \
   tst-dlopenfailmod2 \
@@ -3016,3 +3018,5 @@ $(objpfx)tst-recursive-tls.out: \
     0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15)
 $(objpfx)tst-recursive-tlsmod%.os: tst-recursive-tlsmodN.c
 	$(compile-command.c) -DVAR=thread_$* -DFUNC=get_threadvar_$*
+
+$(objpfx)tst-dlopen-sgid.out: $(objpfx)tst-dlopen-sgid-mod.so
diff --git a/elf/tst-dlopen-sgid-mod.c b/elf/tst-dlopen-sgid-mod.c
new file mode 100644
index 0000000000..5eb79eef48
--- /dev/null
+++ b/elf/tst-dlopen-sgid-mod.c
@@ -0,0 +1 @@
+/* Opening this object should not succeed.  */
diff --git a/elf/tst-dlopen-sgid.c b/elf/tst-dlopen-sgid.c
new file mode 100644
index 0000000000..47829a405e
--- /dev/null
+++ b/elf/tst-dlopen-sgid.c
@@ -0,0 +1,104 @@
+/* Test case for ignored LD_LIBRARY_PATH in static startug (bug 32976).
+   Copyright (C) 2025 Free Software Foundation, Inc.
+   This file is part of the GNU C Library.
+
+   The GNU C Library is free software; you can redistribute it and/or
+   modify it under the terms of the GNU Lesser General Public
+   License as published by the Free Software Foundation; either
+   version 2.1 of the License, or (at your option) any later version.
+
+   The GNU C Library is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+   Lesser General Public License for more details.
+
+   You should have received a copy of the GNU Lesser General Public
+   License along with the GNU C Library; if not, see
+   <https://www.gnu.org/licenses/>.  */
+
+#include <dlfcn.h>
+#include <gnu/lib-names.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <support/capture_subprocess.h>
+#include <support/check.h>
+#include <support/support.h>
+#include <support/temp_file.h>
+#include <unistd.h>
+
+/* This is the name of our test object.  Use a custom module for
+   testing, so that this object does not get picked up from the system
+   path.  */
+static const char dso_name[] = "tst-dlopen-sgid-mod.so";
+
+/* Used to mark the recursive invocation.  */
+static const char magic_argument[] = "run-actual-test";
+
+static int
+do_test (void)
+{
+/* Pathname of the directory that receives the shared objects this
+   test attempts to load.  */
+  char *libdir = support_create_temp_directory ("tst-dlopen-sgid-");
+
+  /* This is supposed to be ignored and stripped.  */
+  TEST_COMPARE (setenv ("LD_LIBRARY_PATH", libdir, 1), 0);
+
+  /* Copy of libc.so.6.  */
+  {
+    char *from = xasprintf ("%s/%s", support_objdir_root, LIBC_SO);
+    char *to = xasprintf ("%s/%s", libdir, LIBC_SO);
+    add_temp_file (to);
+    support_copy_file (from, to);
+    free (to);
+    free (from);
+  }
+
+  /* Copy of the test object.   */
+  {
+    char *from = xasprintf ("%s/elf/%s", support_objdir_root, dso_name);
+    char *to = xasprintf ("%s/%s", libdir, dso_name);
+    add_temp_file (to);
+    support_copy_file (from, to);
+    free (to);
+    free (from);
+  }
+
+  TEST_COMPARE (support_capture_subprogram_self_sgid (magic_argument), 0);
+
+  free (libdir);
+
+  return 0;
+}
+
+static void
+alternative_main (int argc, char **argv)
+{
+  if (argc == 2 && strcmp (argv[1], magic_argument) == 0)
+    {
+      if (getgid () == getegid ())
+        /* This can happen if the file system is mounted nosuid.  */
+        FAIL_UNSUPPORTED ("SGID failed: GID and EGID match (%jd)\n",
+                          (intmax_t) getgid ());
+
+      /* Should be removed due to SGID.  */
+      TEST_COMPARE_STRING (getenv ("LD_LIBRARY_PATH"), NULL);
+
+      TEST_VERIFY (dlopen (dso_name, RTLD_NOW) == NULL);
+      {
+        const char *message = dlerror ();
+        TEST_COMPARE_STRING (message,
+                             "tst-dlopen-sgid-mod.so:"
+                             " cannot open shared object file:"
+                             " No such file or directory");
+      }
+
+      support_record_failure_barrier ();
+      exit (EXIT_SUCCESS);
+    }
+}
+
+#define PREPARE alternative_main
+#include <support/test-driver.c>
-- 
2.47.2