From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 119205 invoked by alias); 22 Nov 2019 13:14:43 -0000 Mailing-List: contact glibc-cvs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: glibc-cvs-owner@sourceware.org List-Subscribe: Received: (qmail 119161 invoked by uid 9299); 22 Nov 2019 13:14:43 -0000 Date: Fri, 22 Nov 2019 13:14:00 -0000 Message-ID: <20191122131443.119159.qmail@sourceware.org> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Florian Weimer To: glibc-cvs@sourceware.org Subject: [glibc/release/2.25/master] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #2520 X-Act-Checkin: glibc X-Git-Author: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= X-Git-Refname: refs/heads/release/2.25/master X-Git-Oldrev: d83ba68a3e7a05d467c15acee51506360518ccf9 X-Git-Newrev: e73ac9ce9098d36699231b435168a0a904500ed9 X-SW-Source: 2019-q4/txt/msg00383.txt.bz2 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e73ac9ce9098d36699231b435168a0a904500ed9 commit e73ac9ce9098d36699231b435168a0a904500ed9 Author: Marcin Kościelnicki Date: Thu Nov 21 00:20:15 2019 +0100 rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) Diff: --- NEWS | 7 +++++++ sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index 0ca6b44..a9f0248 100644 --- a/NEWS +++ b/NEWS @@ -66,6 +66,12 @@ Security related changes: memcmp gave the wrong result since it treated the size argument as zero. Reported by H.J. Lu. + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Kościelnicki. + The following bugs are resolved with this release: [20257] sunrpc: clntudp_call does not enforce timeout when receiving data @@ -103,6 +109,7 @@ The following bugs are resolved with this release: [24027] malloc: Integer overflow in realloc [24097] Can't use 64-bit register for size_t in assembly codes for x32 (CVE-2019-6488) [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309) + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs Version 2.25 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h index 8d474d0..37f0b14 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |= bit_arch_Prefer_MAP_32BIT_EXEC; \ break;