[glibc] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT

public inbox for glibc-cvs@sourceware.org
help / color / mirror / Atom feed

* [glibc] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #2520
@ 2019-11-21 12:19 Florian Weimer
  0 siblings, 0 replies; only message in thread
From: Florian Weimer @ 2019-11-21 12:19 UTC (permalink / raw)
  To: glibc-cvs

[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1: Type: text/plain; charset="us-ascii", Size: 1962 bytes --]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e

commit d5dfad4326fc683c813df1e37bbf5cf920591c8e
Author: Marcin KoÅ›cielnicki <mwk@0x04.net>
Date:   Thu Nov 21 00:20:15 2019 +0100

    rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
    
    The problem was introduced in glibc 2.23, in commit
    b9eb92ab05204df772eb4929eccd018637c9f3e9
    ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").

Diff:
---
 NEWS                                            | 6 +++++-
 sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++-
 2 files changed, 7 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index 50479f1..df03f4d 100644
--- a/NEWS
+++ b/NEWS
@@ -86,7 +86,11 @@ Changes to build and runtime requirements:
 
 Security related changes:
 
-  [Add security related changes here]
+  CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin KoÅ›cielnicki.
 
 The following bugs are resolved with this release:
 
diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
index 0e95221..e3af239 100644
--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
@@ -31,7 +31,8 @@
    environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
 #define EXTRA_LD_ENVVARS \
   case 21:								  \
-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
+    if (!__libc_enable_secure						  \
+	&& memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
       GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
 	|= bit_arch_Prefer_MAP_32BIT_EXEC;				  \
     break;


^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2019-11-21 12:19 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-11-21 12:19 [glibc] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #2520 Florian Weimer

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).