From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 67464 invoked by alias); 22 Nov 2019 12:28:03 -0000 Mailing-List: contact glibc-cvs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: glibc-cvs-owner@sourceware.org List-Subscribe: Received: (qmail 67446 invoked by uid 9299); 22 Nov 2019 12:28:03 -0000 Date: Fri, 22 Nov 2019 12:28:00 -0000 Message-ID: <20191122122803.67445.qmail@sourceware.org> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Florian Weimer To: glibc-cvs@sourceware.org Subject: [glibc/release/2.30/master] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #2520 X-Act-Checkin: glibc X-Git-Author: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= X-Git-Refname: refs/heads/release/2.30/master X-Git-Oldrev: a4b3bbf71e8a608ac6ee4f423b5e2db50e06b846 X-Git-Newrev: 37c90e117310728a4ad1eb998c0bbe7d79c4a398 X-SW-Source: 2019-q4/txt/msg00377.txt.bz2 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398 commit 37c90e117310728a4ad1eb998c0bbe7d79c4a398 Author: Marcin Kościelnicki Date: Thu Nov 21 00:20:15 2019 +0100 rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) Diff: --- NEWS | 9 +++++++++ sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- 2 files changed, 11 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index c7dcb54..b0d2167 100644 --- a/NEWS +++ b/NEWS @@ -7,6 +7,14 @@ using `glibc' in the "product" field. Version 2.30.1 +Security related changes: + +CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Kościelnicki. + The following bugs are resolved with this release: [24682] localedata: zh_CN first weekday should be Monday per GB/T @@ -15,6 +23,7 @@ The following bugs are resolved with this release: [24986] alpha: new getegid, geteuid and getppid syscalls used unconditionally [25189] Don't use a custom wrapper macro around __has_include + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs Version 2.30 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h index 975cbe2..df2cdfd 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |= bit_arch_Prefer_MAP_32BIT_EXEC; \ break;