From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 5171 invoked by alias); 22 Nov 2019 13:27:30 -0000 Mailing-List: contact glibc-cvs-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Archive: List-Post: List-Help: , Sender: glibc-cvs-owner@sourceware.org List-Subscribe: Received: (qmail 5125 invoked by uid 9299); 22 Nov 2019 13:27:30 -0000 Date: Fri, 22 Nov 2019 13:27:00 -0000 Message-ID: <20191122132730.5123.qmail@sourceware.org> Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit From: Florian Weimer To: glibc-cvs@sourceware.org Subject: [glibc/release/2.24/master] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #2520 X-Act-Checkin: glibc X-Git-Author: =?utf-8?q?Marcin_Ko=C5=9Bcielnicki?= X-Git-Refname: refs/heads/release/2.24/master X-Git-Oldrev: 910576119f1876f7a522be826302c399c1f40ca7 X-Git-Newrev: a7b9e4cb8ec069a4030b081ed7c40a65e0825f47 X-SW-Source: 2019-q4/txt/msg00384.txt.bz2 https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a7b9e4cb8ec069a4030b081ed7c40a65e0825f47 commit a7b9e4cb8ec069a4030b081ed7c40a65e0825f47 Author: Marcin Kościelnicki Date: Thu Nov 21 00:20:15 2019 +0100 rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) Diff: --- NEWS | 7 +++++++ sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h | 3 ++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/NEWS b/NEWS index fa49c52..d84fdae 100644 --- a/NEWS +++ b/NEWS @@ -74,6 +74,12 @@ Security related changes: memcmp gave the wrong result since it treated the size argument as zero. Reported by H.J. Lu. + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Kościelnicki. + The following bugs are resolved with this release: [20116] nptl: use after free in pthread_create @@ -98,6 +104,7 @@ The following bugs are resolved with this release: [24027] malloc: Integer overflow in realloc [24097] Can't use 64-bit register for size_t in assembly codes for x32 (CVE-2019-6488) [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309) + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs Version 2.24 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h index 1c67050..513735a 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |= bit_arch_Prefer_MAP_32BIT_EXEC; \ break;