From: Radovan Scasny <[email protected]> --- ...030-Bug-22627-do-not-substitute-dst-twice.patch | 56 ++++++++++++++++++++++ meta/recipes-core/glibc/glibc_2.26.bb | 1 + 2 files changed, 57 insertions(+) create mode 100644 meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
diff --git a/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch new file mode 100644 index 0000000..28855e2 --- /dev/null +++ b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch 
@@ -0,0 +1,56 @@ +glibc: Fix Bug-22627 + +[No upstream tracking] -- https://sourceware.org/bugzilla/show_bug.cgi?id=22627 + +elf: Check for empty tokens before dynamic string token expansion + +The fillin_rpath function in elf/dl-load.c loops over each RPATH or +RUNPATH tokens and interprets empty tokens as the current directory +("./"). In practice the check for empty token is done *after* the +dynamic string token expansion. The expansion process can return an +empty string for the $ORIGIN token if __libc_enable_secure is set +or if the path of the binary can not be determined (/proc not mounted). + +Fix that by moving the check for empty tokens before the dynamic string +token expansion. In addition, check for NULL pointer or empty strings +return by expand_dynamic_string_token. + +The above changes highlighted a bug in decompose_rpath, an empty array +is represented by the first element being NULL at the fillin_rpath +level, but by using a -1 pointer in decompose_rpath and other functions. + +Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bb195224acc14724e9fc2dbaa8d0b20b72ace79b] +Bug: 22627 +Signed-off-by: Radovan Scasny <[email protected]> + +diff --git a/glibc/elf/dl-load.c b/glibc/elf/dl-load.c +index 70c259b..c29257c 100644 +--- a/glibc/elf/dl-load.c ++++ b/glibc/elf/dl-load.c +@@ -778,25 +778,7 @@ _dl_init_paths (const char *llp) + { + size_t nllp; + const char *cp = llp; +- char *llp_tmp; +- +-#ifdef SHARED +- /* Expand DSTs. */ +- size_t cnt = DL_DST_COUNT (llp, 1); +- if (__glibc_likely (cnt == 0)) +- llp_tmp = strdupa (llp); +- else +- { +- /* Determine the length of the substituted string. */ +- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt); +- +- /* Allocate the necessary memory. 
*/ +- llp_tmp = (char *) alloca (total + 1); +- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1); +- } +-#else +- llp_tmp = strdupa (llp); +-#endif ++ char *llp_tmp = strdupa (llp); + + /* Decompose the LD_LIBRARY_PATH contents. First determine how many + elements it has. */ diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb index 7eb56b3..e5c171c 100644 --- a/meta/recipes-core/glibc/glibc_2.26.bb +++ b/meta/recipes-core/glibc/glibc_2.26.bb @@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \ file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \ file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \ file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \ + file://0030-Bug-22627-do-not-substitute-dst-twice.patch \ file://CVE-2017-15671.patch \ file://CVE-2017-16997.patch \ file://CVE-2017-17426.patch \ -- 2.1.4
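Review bot: The description inside 0030-Bug-22627-do-not-substitute-dst-twice.patch does not match its only hunk. The text talks about moving the empty-token check in fillin_rpath and fixing the empty-array representation in decompose_rpath, but the diff touches neither function: it only removes the "Expand DSTs" block from _dl_init_paths and replaces it with "char *llp_tmp = strdupa (llp);". Please replace the description with one that explains this change, in line with the file name: why LD_LIBRARY_PATH must no longer be expanded at this point and where the remaining expansion happens. The header is also self-contradictory, since "[No upstream tracking]" sits next to an "Upstream-Status: Backport [...]" line; keep only the one that is true, and check that the commit referenced in Upstream-Status is the one that makes this _dl_init_paths change and not the fillin_rpath fix the text describes. Because the removed block is the dynamic string token expansion for an environment-supplied path, and the description itself mentions __libc_enable_secure, the message should also state whether the change has any effect for setuid binaries.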
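Review bot: The new SRC_URI entry in glibc_2.26.bb carries no strip-level parameter, while the patch it adds uses paths with an extra leading component ("a/glibc/elf/dl-load.c" and "b/glibc/elf/dl-load.c"). Please confirm the patch applies against the glibc source directory as it stands, or regenerate it with paths relative to the top of the glibc tree (a/elf/dl-load.c) so it matches how the neighbouring patch files are applied. The mail also has no commit message and no Signed-off-by for the recipe change itself: the text goes straight from the From: line to the diffstat, so the only explanation lives inside the embedded patch. Add a subject and a short body saying which bug is fixed and why it is needed on this branch.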
