From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 103302 invoked by alias); 22 Nov 2019 12:59:12 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 103287 invoked by uid 89); 22 Nov 2019 12:59:12 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 spammy= X-Spam-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org X-Spam-Level: X-HELO: us-smtp-delivery-1.mimecast.com Received: from us-smtp-2.mimecast.com (HELO us-smtp-delivery-1.mimecast.com) (205.139.110.61) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 22 Nov 2019 12:59:11 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1574427549; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=JGPb+kaR4oBs2Cyrq3H5mA3C0a4/YfPhZ2Lt/F//ju0=; b=IoKWAXgjUh7OaQcJ/gBd9oYaT0DdZGW+48GBrF9oFdhJQyaQ48X1uFnXygV5f6jR4IPT4m JEBHFY0BRuZbgaUmcrzI7EA6IQkQNiLXBlASBfxt3oi1TSOcuRC1TeIo1oGVDO3jg2z5hZ llB90dqWa9ATyfHV1PG2KItvD8wOR/I= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-344-BSHBbXeXNHyX0ByfthXOtw-1; Fri, 22 Nov 2019 07:59:08 -0500 Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 10D98800054 for ; Fri, 22 Nov 2019 12:59:07 +0000 (UTC) Received: from oldenburg2.str.redhat.com (dhcp-192-200.str.redhat.com [10.33.192.200]) by smtp.corp.redhat.com (Postfix) with ESMTPS id D933E1036C83 for ; Fri, 22 Nov 2019 12:59:06 +0000 (UTC) Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000) id 5F489810F7C8; Fri, 22 Nov 2019 13:59:05 +0100 (CET) Date: Tue, 01 Jan 2019 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.28 COMMITTED] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Message-Id: <20191122125905.5F489810F7C8@oldenburg2.str.redhat.com> From: Florian Weimer X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22 X-MC-Unique: BSHBbXeXNHyX0ByfthXOtw-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-IsSubscribed: yes X-SW-Source: 2019-11/txt/msg00026.txt.bz2 From: Marcin Ko=C5=9Bcielnicki The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) diff --git a/NEWS b/NEWS index f249ff690c..2a97ce5dac 100644 --- a/NEWS +++ b/NEWS @@ -69,6 +69,7 @@ The following bugs are resolved with this release: [24228] old x86 applications that use legacy libio crash on exit [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [24744] io: Remove the copy_file_range emulation. + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs =20 Security related changes: =20 @@ -97,6 +98,13 @@ Security related changes: CVE-2019-9169: Attempted case-insensitive regular-expression match via proceed_next_node in posix/regexec.c leads to heap-based buffer over-read. Reported by Hongxu Chen. + + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Ko=C5=9Bcielnicki. + =0C Version 2.28 =20 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix= /sysv/linux/x86_64/64/dl-librecon.h index 194369174d..ac694c032e 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |=3D bit_arch_Prefer_MAP_32BIT_EXEC; \ break;