Date: Tue, 3 Oct 2023 14:16:17 -0400
From: Siddhesh Poyarekar
To: Adhemerval Zanella Netto, libc-alpha@sourceware.org
Cc: Carlos O'Donell, Arjun Shankar
Subject: Re: [committed 2/2] tunables: Terminate if end of input is reached (CVE-2023-4911)

On 2023-10-03 14:07, Adhemerval Zanella Netto wrote:
> So how should we handle what might be inconsistent invalid inputs like:
>
>   glibc.malloc.mmap_threshold=4096=4096
>
> Since glibc does not provide any TUNABLE_SECLEVEL_NONE, this tunable
> will be ignored. But for TUNABLE_SECLEVEL_NONE one, the value is
> still parsed by _dl_strtoul or stored in the tunable.
>

Ack, it probably makes sense to drop all tunables that don't match at
this stage. Arjun is going to rework the parsing for pr#30683 and it
probably makes sense to, in addition to enhancing the parsing, also weed
out invalid inputs and harden around allocations for the tunable string
to provide some resilience against overflows.

The other aspect to think about may be the utility of passing tunables
to (or through) setuid programs. I had done it to maintain
compatibility with the malloc envvars that were getting passed through,
but maybe it's a good idea to filter all of them out. Perhaps with
systemwide tunables we could even have a way for tunables to be read in
sxid programs in a safer way.

Thanks,
Sid
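
An added illustration of the stricter filtering discussed in this message (not glibc's code and not written by anyone in the thread): a standalone C filter that drops malformed entries such as `glibc.malloc.mmap_threshold=4096=4096` and entries for unknown names, and checks the remaining space before every copy. The function name `filter_tunables` and the two-entry allowlist are assumptions made for the example.

```c
#include <string.h>

/* Constructed allowlist for illustration; not glibc's generated tunable list. */
static const char *const known_tunables[] = {
  "glibc.malloc.mmap_threshold",
  "glibc.malloc.tcache_count",
};

static int is_known(const char *name, size_t len)
{
  for (size_t i = 0; i < sizeof known_tunables / sizeof *known_tunables; i++)
    if (strlen(known_tunables[i]) == len
        && memcmp(known_tunables[i], name, len) == 0)
      return 1;
  return 0;
}

/* Copy only well-formed "name=value" entries for known tunables from the
   colon-separated string IN into OUT (capacity OUTSZ, always NUL-terminated).
   Returns the number of entries kept, or -1 (OUT emptied) if OUT is too small. */
int filter_tunables(const char *in, char *out, size_t outsz)
{
  size_t used = 0;
  int kept = 0;
  if (outsz == 0) return -1;
  out[0] = '\0';
  while (*in != '\0') {
    size_t len = strcspn(in, ":");        /* length of one entry */
    const char *end = in + len;
    const char *eq = memchr(in, '=', len);
    /* Valid: exactly one '=', non-empty name and value, known name. */
    if (eq != NULL && eq != in && eq + 1 != end
        && memchr(eq + 1, '=', (size_t)(end - eq - 1)) == NULL
        && is_known(in, (size_t)(eq - in))) {
      size_t need = len + (kept ? 1 : 0);
      if (need >= outsz - used) {         /* no room for entry plus NUL */
        out[0] = '\0';
        return -1;
      }
      if (kept)
        out[used++] = ':';
      memcpy(out + used, in, len);
      used += len;
      out[used] = '\0';
      kept++;
    }
    in = (*end == ':') ? end + 1 : end;   /* skip the separator */
  }
  return kept;
}
```

The filter fails closed: an undersized buffer yields an empty string and -1 rather than a truncated entry, and a malformed entry is dropped whole rather than partially copied.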