CVE-2017-16997: Incorrect handling of RPATH or RUNPATH containing $ORIGIN

for AT_SECURE or SUID binaries could be used to load libraries from the

current directory.

Depends on f6110a8fee2ca36f8e2d2abecf3cba9fa7b8ea7d which is already

backported by glibc-rh1452721-1.patch.

commit 3e3c904daef69b8bf7d5cc07f793c9f07c3553ef

Author: Aurelien Jarno <aurelien@aurel32.net>

Date:   Sat Dec 30 10:54:23 2017 +0100

    elf: Check for empty tokens before dynamic string token expansion [BZ #22625]

    The fillin_rpath function in elf/dl-load.c loops over each RPATH or

    RUNPATH tokens and interprets empty tokens as the current directory

    ("./"). In practice the check for empty token is done *after* the

    dynamic string token expansion. The expansion process can return an

    empty string for the $ORIGIN token if __libc_enable_secure is set

    or if the path of the binary can not be determined (/proc not mounted).

    Fix that by moving the check for empty tokens before the dynamic string

    token expansion. In addition, check for NULL pointer or empty strings

    return by expand_dynamic_string_token.

    The above changes highlighted a bug in decompose_rpath, an empty array

    is represented by the first element being NULL at the fillin_rpath

    level, but by using a -1 pointer in decompose_rpath and other functions.

    Changelog:

            [BZ #22625]

            * elf/dl-load.c (fillin_rpath): Check for empty tokens before dynamic

            string token expansion. Check for NULL pointer or empty string possibly

            returned by expand_dynamic_string_token.

            (decompose_rpath): Check for empty path after dynamic string

            token expansion.

Index: glibc-2.17-c758a686/elf/dl-load.c

===================================================================

--- glibc-2.17-c758a686.orig/elf/dl-load.c

+++ glibc-2.17-c758a686/elf/dl-load.c

@@ -447,31 +447,39 @@ fillin_rpath (char *rpath, struct r_sear

 {

   char *cp;

   size_t nelems = 0;

-  char *to_free;

   while ((cp = __strsep (&rpath, sep)) != NULL)

     {

       struct r_search_path_elem *dirp;

+      char *to_free = NULL;

+      size_t len = 0;

-      to_free = cp = expand_dynamic_string_token (l, cp);

-

-      size_t len = strlen (cp);

-

-      /* `strsep' can pass an empty string.  This has to be

-	 interpreted as `use the current directory'. */

-      if (len == 0)

+      /* `strsep' can pass an empty string.  */

+      if (*cp != '\0')

 	{

-	  static const char curwd[] = "./";

-	  cp = (char *) curwd;

-	}

+	  to_free = cp = expand_dynamic_string_token (l, cp);

+	  /* expand_dynamic_string_token can return NULL in case of empty

+	     path or memory allocation failure.  */

+	  if (cp == NULL)

+	    continue;

+

+	  /* Compute the length after dynamic string token expansion and

+	     ignore empty paths.  */

+	  len = strlen (cp);

+	  if (len == 0)

+	    {

+	      free (to_free);

+	      continue;

+	    }

-      /* Remove trailing slashes (except for "/").  */

-      while (len > 1 && cp[len - 1] == '/')

-	--len;

-

-      /* Now add one if there is none so far.  */

-      if (len > 0 && cp[len - 1] != '/')

-	cp[len++] = '/';

+	  /* Remove trailing slashes (except for "/").  */

+	  while (len > 1 && cp[len - 1] == '/')

+	    --len;

+

+	  /* Now add one if there is none so far.  */

+	  if (len > 0 && cp[len - 1] != '/')

+	    cp[len++] = '/';

+	}

       /* See if this directory is already known.  */

       for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)

@@ -626,6 +634,14 @@ decompose_rpath (struct r_search_path_st

      necessary.  */

   free (copy);

+  /* There is no path after expansion.  */

+  if (result[0] == NULL)

+    {

+      free (result);

+      sps->dirs = (struct r_search_path_elem **) -1;

+      return false;

+    }

+

   sps->dirs = result;

   /* The caller will change this value if we haven't used a real malloc.  */

   sps->malloced = 1;