From: Siddhesh Poyarekar
To: libc-stable@sourceware.org
Cc: Carlos O'Donell
Subject: [COMMITTED 2.29 6/6] Fix SXID_ERASE behavior in setuid programs (BZ #27471)
Date: Wed, 14 Apr 2021 11:11:28 +0530
Message-Id: <20210414054128.1249310-6-siddhesh@sourceware.org>
X-Mailer: git-send-email 2.29.2
In-Reply-To: <20210414054128.1249310-1-siddhesh@sourceware.org>
References: <20210414054128.1249310-1-siddhesh@sourceware.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
List-Id: Libc-stable mailing list

When parse_tunables tries to erase a tunable marked as SXID_ERASE for
setuid programs, it ends up setting the envvar string iterator
incorrectly, because of which it may parse the next tunable incorrectly.
Given that currently the implementation allows malformed and unrecognized
tunables to pass through, it may even allow SXID_ERASE tunables to go
through.

This change revamps the SXID_ERASE implementation so that:

- Only valid tunables are written back to the tunestr string, because of
  which children of SXID programs will only inherit a clean list of
  identified tunables that are not SXID_ERASE.

- Unrecognized tunables get scrubbed off from the environment and
  subsequently from the child environment.

- This has the side-effect that a tunable that is not identified by the
  setxid binary will not be passed on to a non-setxid child even if the
  child could have identified that tunable.
This may break applications that expect this behaviour but expecting such tunables to cross the SXID boundary is wrong. Reviewed-by: Carlos O'Donell (cherry picked from commit 2ed18c5b534d9e92fc006202a5af0df6b72e7aca) --- elf/dl-tunables.c | 56 ++++++++++++++++------------------- elf/tst-env-setuid-tunables.c | 26 ++++++++++++++++ 2 files changed, 52 insertions(+), 30 deletions(-) diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c index 542e837832..87d21f2e8e 100644 --- a/elf/dl-tunables.c +++ b/elf/dl-tunables.c @@ -178,6 +178,7 @@ parse_tunables (char *tunestr, char *valstring) return; =20 char *p =3D tunestr; + size_t off =3D 0; =20 while (true) { @@ -191,7 +192,11 @@ parse_tunables (char *tunestr, char *valstring) /* If we reach the end of the string before getting a valid name-v= alue pair, bail out. */ if (p[len] =3D=3D '\0') - return; + { + if (__libc_enable_secure) + tunestr[off] =3D '\0'; + return; + } =20 /* We did not find a valid name-value pair before encountering the colon. */ 
@@ -217,35 +222,28 @@ parse_tunables (char *tunestr, char *valstring) =20 if (tunable_is_name (cur->name, name)) { - /* If we are in a secure context (AT_SECURE) then ignore the tuna= ble - unless it is explicitly marked as secure. Tunable values take - precendence over their envvar aliases. */ + /* If we are in a secure context (AT_SECURE) then ignore the + tunable unless it is explicitly marked as secure. Tunable + values take precedence over their envvar aliases. We write + the tunables that are not SXID_ERASE back to TUNESTR, thus + dropping all SXID_ERASE tunables and any invalid or + unrecognized tunables. */ if (__libc_enable_secure) { - if (cur->security_level =3D=3D TUNABLE_SECLEVEL_SXID_ERASE) + if (cur->security_level !=3D TUNABLE_SECLEVEL_SXID_ERASE) { - if (p[len] =3D=3D '\0') - { - /* Last tunable in the valstring. Null-terminate and - return. */ - *name =3D '\0'; - return; - } - else - { - /* Remove the current tunable from the string. We do - this by overwriting the string starting from NAME - (which is where the current tunable begins) with - the remainder of the string. We then have P point - to NAME so that we continue in the correct - position in the valstring. */ - char *q =3D &p[len + 1]; - p =3D name; - while (*q !=3D '\0') - *name++ =3D *q++; - name[0] =3D '\0'; - len =3D 0; - } + if (off > 0) + tunestr[off++] =3D ':'; + + const char *n =3D cur->name; + + while (*n !=3D '\0') + tunestr[off++] =3D *n++; + + tunestr[off++] =3D '=3D'; + + for (size_t j =3D 0; j < len; j++) + tunestr[off++] =3D value[j]; } =20 if (cur->security_level !=3D TUNABLE_SECLEVEL_NONE) @@ -258,9 +256,7 @@ parse_tunables (char *tunestr, char *valstring) } } =20 - if (p[len] =3D=3D '\0') - return; - else + if (p[len] !=3D '\0') p +=3D len + 1; } } diff --git a/elf/tst-env-setuid-tunables.c b/elf/tst-env-setuid-tunables.= c index 4681a60494..0e9aedeb2e 100644 --- a/elf/tst-env-setuid-tunables.c +++ b/elf/tst-env-setuid-tunables.c 
@@ -45,11 +45,37 @@ const char *teststrings[] =3D { "glibc.malloc.check=3D2:glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.check=3D2:glibc.malloc.check=3D2:glibc.malloc.mmap_thres= hold=3D4096", + "glibc.malloc.check=3D2:glibc.malloc.mmap_threshold=3D4096:glibc.mallo= c.check=3D2", + "glibc.malloc.perturb=3D0x800", + "glibc.malloc.perturb=3D0x800:glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.perturb=3D0x800:not_valid.malloc.check=3D2:glibc.malloc.= mmap_threshold=3D4096", + "glibc.not_valid.check=3D2:glibc.malloc.mmap_threshold=3D4096", + "not_valid.malloc.check=3D2:glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.garbage=3D2:glibc.maoc.mmap_threshold=3D4096:glibc.mallo= c.check=3D2", + "glibc.malloc.check=3D4:glibc.malloc.garbage=3D2:glibc.maoc.mmap_thres= hold=3D4096", + ":glibc.malloc.garbage=3D2:glibc.malloc.check=3D1", + "glibc.malloc.check=3D1:glibc.malloc.check=3D2", + "not_valid.malloc.check=3D2", + "glibc.not_valid.check=3D2", }; =20 const char *resultstrings[] =3D { "glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.perturb=3D0x800", + "glibc.malloc.perturb=3D0x800:glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.perturb=3D0x800:glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.mmap_threshold=3D4096", + "glibc.malloc.mmap_threshold=3D4096", + "", + "", + "", + "", + "", + "", }; =20 static int --=20 2.29.2
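Review bot: in the first dl-tunables.c hunk (@@ -178,6 +178,7), the new `size_t off = 0;` is the write cursor for the in-place rewrite of TUNESTR, but nothing at the declaration says so, and on the non-secure path it is never used. Suggest a one-line comment at the declaration, e.g. "/* Write offset into TUNESTR for the scrubbed copy; only advanced when __libc_enable_secure.  */", so the next reader does not take it for a stray counter.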
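Review bot: in the second dl-tunables.c hunk (@@ -191,7 +192,11), the `if (__libc_enable_secure) tunestr[off] = '\0';` added to the bail-out is the only place the scrubbed string is NUL-terminated, and it is reached not just for a malformed tail but also after the last valid pair (the final hunk no longer returns there). The comment above it still says only "bail out"; suggest extending it to state that in secure mode this is where the rewritten TUNESTR is terminated, since a future change that returns earlier would leave the tail of the old string attached.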
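Review bot: in the third dl-tunables.c hunk (@@ -217,35 +222,28), the write-back is safe in place only because of two invariants the new comment does not mention: the name copied is `cur->name`, which tunable_is_name matched against the parsed name up to the '=' so the lengths agree, and `value` comes from `valstring` (the copy), not from TUNESTR. Together with the ':' being written only when `off > 0`, this keeps `off` at or below the read cursor `p`, so no unread input is ever overwritten. Suggest stating that invariant next to `if (off > 0) tunestr[off++] = ':';`, because the `q`/`name` shuffling this replaces was exactly the place where the cursor went wrong.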
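Review bot: in the last dl-tunables.c hunk (@@ -258,9 +256,7), replacing `if (p[len] == '\0') return; else p += len + 1;` with `if (p[len] != '\0') p += len + 1;` changes control flow in a non-obvious way: after the final pair `p` is left on the terminating NUL, the name scan at the top of the loop finds length 0, and the end-of-string bail-out in the second hunk writes the terminator. Suggest a comment here ("fall through to the end-of-string check, which terminates TUNESTR in secure mode") so nobody re-adds the early return and silently drops the terminator write.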
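Review bot: in the tst-env-setuid-tunables.c hunk (@@ -45,11 +45,37), `teststrings` and `resultstrings` are parallel arrays kept in sync by hand (14 entries each after this change); suggest a compile-time check that the two arrays have the same length so a future mismatch fails at build time instead of indexing past one of them. The added cases cover duplicates, unrecognized names and a leading colon, but none exercises a trailing colon ("...=4096:"), an empty value ("glibc.malloc.check=") or a final segment with no '=' at all, which are the inputs that reach the bail-out path changed in the second dl-tunables.c hunk; one row for each would be cheap.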
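To make the scrubbing behaviour described in the commit message concrete, here is a stand-alone C model of the secure-mode write-back. It is an added example, not glibc's code: the three-entry tunable table, the `seclevel` enum and the function names `lookup_tunable`, `scrub_tunables` and `scrub_matches` are this example's own; values are read from the same buffer rather than from a separate `valstring` copy (which the byte-by-byte copy tolerates, since the write cursor never passes the read cursor); and the security levels are assumed to be the ones the patch's expected results imply (malloc.check erased, mmap_threshold and perturb kept). The sample inputs are copied from the patch's test table.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Security classes for a tunable, mirroring the distinction the commit
   message draws.  Enum names are this example's own, not glibc's.  */
enum seclevel { SEC_NONE, SEC_SXID_IGNORE, SEC_SXID_ERASE };

struct tunable { const char *name; enum seclevel level; };

/* Constructed subset of the tunable table (assumed levels, see lead-in).  */
static const struct tunable tunable_list[] = {
  { "glibc.malloc.check",          SEC_SXID_ERASE },
  { "glibc.malloc.mmap_threshold", SEC_SXID_IGNORE },
  { "glibc.malloc.perturb",        SEC_SXID_IGNORE },
};

/* Exact-length lookup; NAME is not NUL-terminated, it ends at the '='.  */
static const struct tunable *
lookup_tunable (const char *name, size_t namelen)
{
  for (size_t i = 0; i < sizeof tunable_list / sizeof tunable_list[0]; i++)
    if (strlen (tunable_list[i].name) == namelen
        && memcmp (tunable_list[i].name, name, namelen) == 0)
      return &tunable_list[i];
  return NULL;
}

/* Secure-mode scrub of a GLIBC_TUNABLES-style string, in place.  Only
   recognized name=value pairs whose level is not SXID_ERASE are written
   back; malformed segments and unknown names are dropped.  OFF is the
   write cursor and never passes the read cursor P, and the table name (not
   the input) is copied, so unread input is never clobbered.  Returns the
   number of pairs kept.  */
size_t
scrub_tunables (char *tunestr)
{
  size_t off = 0, kept = 0;
  char *p = tunestr;

  while (true)
    {
      const char *name = p;
      size_t len = 0;

      /* Find where the name ends.  */
      while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
        len++;

      /* End of string before a complete pair: terminate the scrubbed
         string here.  This is also how the last valid pair gets its NUL.  */
      if (p[len] == '\0')
        {
          tunestr[off] = '\0';
          return kept;
        }

      /* Segment without '=' (leading or doubled colon, bare word): drop.  */
      if (p[len] == ':')
        {
          p += len + 1;
          continue;
        }

      size_t namelen = len;
      p += len + 1;                         /* skip the '=' */
      const char *value = p;
      len = 0;
      while (p[len] != ':' && p[len] != '\0')
        len++;

      const struct tunable *cur = lookup_tunable (name, namelen);
      if (cur != NULL && cur->level != SEC_SXID_ERASE)
        {
          if (off > 0)
            tunestr[off++] = ':';
          for (const char *n = cur->name; *n != '\0'; n++)
            tunestr[off++] = *n;
          tunestr[off++] = '=';
          for (size_t j = 0; j < len; j++)   /* read-before-write per byte */
            tunestr[off++] = value[j];
          kept++;
        }

      if (p[len] != '\0')
        p += len + 1;                       /* else fall through to the NUL check */
    }
}

/* Scrub a copy of IN and compare the result with EXPECTED.  */
bool
scrub_matches (const char *in, const char *expected)
{
  char buf[256];
  if (strlen (in) >= sizeof buf)
    return false;
  strcpy (buf, in);
  scrub_tunables (buf);
  return strcmp (buf, expected) == 0;
}

int
main (void)
{
  /* Constructed inputs, copied from the cases the patch adds to the test.  */
  const char *inputs[] = {
    "glibc.malloc.check=2:glibc.malloc.mmap_threshold=4096",
    "glibc.malloc.perturb=0x800:not_valid.malloc.check=2:glibc.malloc.mmap_threshold=4096",
    ":glibc.malloc.garbage=2:glibc.malloc.check=1",
  };
  for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
    {
      char buf[256];
      strcpy (buf, inputs[i]);
      size_t kept = scrub_tunables (buf);
      printf ("%s\n  -> \"%s\" (%zu kept)\n", inputs[i], buf, kept);
    }
  return 0;
}
```

The property that makes the in-place rewrite safe is the same one the patch relies on: every byte is written at an offset no greater than the offset it was read from, so dropping a pair only ever moves later pairs to the left. Running the model on the patch's test table reproduces its `resultstrings` column, including the rows that collapse to an empty string.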