From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 109459 invoked by alias); 22 Nov 2019 13:04:40 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 109394 invoked by uid 89); 22 Nov 2019 13:04:40 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 spammy= X-Spam-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org X-Spam-Level: X-HELO: us-smtp-1.mimecast.com Received: from us-smtp-delivery-1.mimecast.com (HELO us-smtp-1.mimecast.com) (207.211.31.120) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 22 Nov 2019 13:04:39 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1574427877; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=/O/dGhvNmtkiANEgBvB9f9boEW6LJxNO+8/jzHgjIqw=; b=C0Q0KIbumSfZTOgLeyWQmTurf18EGL1oD7iTJAd6OoDLFauMizwZNQoYWN96WEpGfPY3Hp owi+wvLxR3+/yD0f4hXX9DccNdNfyW3AiqQv2TDpE3E3/YyLdxu7CS8BmXuvWlMjtuFoAL V4vvNHX2yWuXi3PrmNJ4U4/OrG6xGhg= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-287-RLTlLm5zM3WGB0AgbOwwng-1; Fri, 22 Nov 2019 08:04:35 -0500 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id E50758026AE for ; Fri, 22 Nov 2019 13:04:34 +0000 (UTC) Received: from oldenburg2.str.redhat.com (dhcp-192-200.str.redhat.com [10.33.192.200]) by smtp.corp.redhat.com (Postfix) with ESMTPS id B9EE85DE79 for ; Fri, 22 Nov 2019 13:04:34 +0000 (UTC) Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000) id 41E47ADC864F; Fri, 22 Nov 2019 14:04:33 +0100 (CET) Date: Tue, 01 Jan 2019 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.26 COMMITTED] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Message-Id: <20191122130433.41E47ADC864F@oldenburg2.str.redhat.com> From: Florian Weimer X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-MC-Unique: RLTlLm5zM3WGB0AgbOwwng-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-IsSubscribed: yes X-SW-Source: 2019-11/txt/msg00028.txt.bz2 From: Marcin Ko=C5=9Bcielnicki The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) diff --git a/NEWS b/NEWS index c6c44a3914..89adc868bb 100644 --- a/NEWS +++ b/NEWS @@ -100,6 +100,12 @@ Security related changes: memcmp gave the wrong result since it treated the size argument as zero. Reported by H.J. Lu. =20 + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Ko=C5=9Bcielnicki. + The following bugs are resolved with this release: =20 [16750] ldd: Never run file directly. @@ -182,6 +188,7 @@ The following bugs are resolved with this release: [24027] malloc: Integer overflow in realloc [24097] Can't use 64-bit register for size_t in assembly codes for x32 (= CVE-2019-6488) [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is= set) (CVE-2019-7309) + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs =20 =0C Version 2.26 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix= /sysv/linux/x86_64/64/dl-librecon.h index 8d474d0d04..37f0b14adb 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |=3D bit_arch_Prefer_MAP_32BIT_EXEC; \ break;