From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (qmail 5741 invoked by alias); 22 Nov 2019 13:27:58 -0000 Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm Precedence: bulk List-Post: List-Help: List-Subscribe: List-Archive: Sender: libc-stable-owner@sourceware.org Received: (qmail 5730 invoked by uid 89); 22 Nov 2019 13:27:57 -0000 Authentication-Results: sourceware.org; auth=none X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org X-Virus-Found: No X-Spam-SWARE-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 spammy=HX-Languages-Length:2037 X-Spam-Status: No, score=-18.4 required=5.0 tests=AWL,BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3 autolearn=ham version=3.3.1 X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org X-Spam-Level: X-HELO: us-smtp-1.mimecast.com Received: from us-smtp-delivery-1.mimecast.com (HELO us-smtp-1.mimecast.com) (207.211.31.120) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Fri, 22 Nov 2019 13:27:56 +0000 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1574429275; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding; bh=DaYEH7e2gwVLF51S0jghXRlpxoRWMYa3PGJNWVxt3rs=; b=Ze29rjznVKxP7v++J7V6Kgv8FBxFg/0OhL5H3UU+sYUbrLddU2IKPTsBhKdKvuUIkA7Jpr gYgLsI/DbTgjOAZVYSLB+wjiYsVCOBgAkUvMZpg80YO3IG4oO6xMwi9BQAkqUnIHA805EL xcS5/ojKXMapIdio841uEWaKtrhKJ80= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-289-aOjyzqu_OCu9_SSGJiWwVA-1; Fri, 22 Nov 2019 08:27:54 -0500 Received: from smtp.corp.redhat.com (int-mx08.intmail.prod.int.phx2.redhat.com [10.5.11.23]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C5AB5801E5E for ; Fri, 22 Nov 2019 13:27:52 +0000 (UTC) Received: from oldenburg2.str.redhat.com (dhcp-192-200.str.redhat.com [10.33.192.200]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 92A4244FA8 for ; Fri, 22 Nov 2019 13:27:52 +0000 (UTC) Received: by oldenburg2.str.redhat.com (Postfix, from userid 1000) id 14FED8050A12; Fri, 22 Nov 2019 14:27:50 +0100 (CET) Date: Tue, 01 Jan 2019 00:00:00 -0000 To: libc-stable@sourceware.org Subject: [2.24 COMMITTED] rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204] User-Agent: Heirloom mailx 12.5 7/5/10 MIME-Version: 1.0 Message-Id: <20191122132751.14FED8050A12@oldenburg2.str.redhat.com> From: Florian Weimer X-Scanned-By: MIMEDefang 2.84 on 10.5.11.23 X-MC-Unique: aOjyzqu_OCu9_SSGJiWwVA-1 X-Mimecast-Spam-Score: 0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: quoted-printable X-IsSubscribed: yes X-SW-Source: 2019-11/txt/msg00030.txt.bz2 From: Marcin Ko=C5=9Bcielnicki The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e) diff --git a/NEWS b/NEWS index fa49c52db9..d84fdae7f4 100644 --- a/NEWS +++ b/NEWS @@ -74,6 +74,12 @@ Security related changes: memcmp gave the wrong result since it treated the size argument as zero. Reported by H.J. Lu. =20 + CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC + environment variable during program execution after a security + transition, allowing local attackers to restrict the possible mapping + addresses for loaded libraries and thus bypass ASLR for a setuid + program. Reported by Marcin Ko=C5=9Bcielnicki. + The following bugs are resolved with this release: =20 [20116] nptl: use after free in pthread_create @@ -98,6 +104,7 @@ The following bugs are resolved with this release: [24027] malloc: Integer overflow in realloc [24097] Can't use 64-bit register for size_t in assembly codes for x32 (= CVE-2019-6488) [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is= set) (CVE-2019-7309) + [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs =20 =0C Version 2.24 diff --git a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h b/sysdeps/unix= /sysv/linux/x86_64/64/dl-librecon.h index 1c6705069d..513735a690 100644 --- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h +++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h @@ -31,7 +31,8 @@ environment variable, LD_PREFER_MAP_32BIT_EXEC. */ #define EXTRA_LD_ENVVARS \ case 21: \ - if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ + if (!__libc_enable_secure \ + && memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) =3D=3D 0) \ GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \ |=3D bit_arch_Prefer_MAP_32BIT_EXEC; \ break;