lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-07-28 00:21:52 +03:00
Code Activity

elf: Compute correct array size in _dl_init_paths [BZ #22606]

Browse Source
This commit is contained in:
Florian Weimer
2017-12-14 15:18:38 +01:00
parent f58bd7f055
commit 8a0b17e48b
3 changed files with 20 additions and 7 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
ChangeLog
View File

@ -1,3 +1,11 @@
2017-12-14 Florian Weimer <fweimer@redhat.com>
[BZ #22606]
CVE-2017-1000408
* elf/dl-load.c (system_dirs): Update comment.
(nsystem_dirs_len): Use array_length.
(_dl_init_paths): Use nsystem_dirs_len to compute the array size.
2017-12-14 Florian Weimer <fweimer@redhat.com> 2017-12-14 Florian Weimer <fweimer@redhat.com>
Simplify compiling most of support/ outside of glibc. Simplify compiling most of support/ outside of glibc.

5
NEWS
View File

@ -125,6 +125,11 @@ Security related changes:
instead of NULL. This was a regression introduced with the new malloc instead of NULL. This was a regression introduced with the new malloc
thread cache in glibc 2.26. Reported by Iain Buclaw. thread cache in glibc 2.26. Reported by Iain Buclaw.
CVE-2017-1000408: Incorrect array size computation in _dl_init_paths leads
to the allocation of too much memory. (This is not a security bug per se,
it is mentioned here only because of the CVE assignment.) Reported by
Qualys.
The following bugs are resolved with this release: The following bugs are resolved with this release:
[The release manager will add the list generated by [The release manager will add the list generated by

14
elf/dl-load.c
View File

@ -37,6 +37,7 @@
#include <sysdep.h> #include <sysdep.h>
#include <stap-probe.h> #include <stap-probe.h>
#include <libc-pointer-arith.h> #include <libc-pointer-arith.h>
#include <array_length.h>
#include <dl-dst.h> #include <dl-dst.h>
#include <dl-load.h> #include <dl-load.h>
@ -103,7 +104,9 @@ static size_t ncapstr attribute_relro;
static size_t max_capstrlen attribute_relro; static size_t max_capstrlen attribute_relro;
/* Get the generated information about the trusted directories. */ /* Get the generated information about the trusted directories. Use
an array of concatenated strings to avoid relocations. See
gen-trusted-dirs.awk. */
#include "trusted-dirs.h" #include "trusted-dirs.h"
static const char system_dirs[] = SYSTEM_DIRS; static const char system_dirs[] = SYSTEM_DIRS;
@ -111,9 +114,7 @@ static const size_t system_dirs_len[] =
{ {
SYSTEM_DIRS_LEN SYSTEM_DIRS_LEN
}; };
#define nsystem_dirs_len \ #define nsystem_dirs_len array_length (system_dirs_len)
(sizeof (system_dirs_len) / sizeof (system_dirs_len[0]))
static bool static bool
is_trusted_path (const char *path, size_t len) is_trusted_path (const char *path, size_t len)
@ -685,9 +686,8 @@ _dl_init_paths (const char *llp)
+ ncapstr * sizeof (enum r_dir_status)) + ncapstr * sizeof (enum r_dir_status))
/ sizeof (struct r_search_path_elem)); / sizeof (struct r_search_path_elem));
rtld_search_dirs.dirs[0] = (struct r_search_path_elem *) rtld_search_dirs.dirs[0] = malloc (nsystem_dirs_len * round_size
malloc ((sizeof (system_dirs) / sizeof (system_dirs[0])) * sizeof (*rtld_search_dirs.dirs[0]));
* round_size * sizeof (struct r_search_path_elem));
if (rtld_search_dirs.dirs[0] == NULL) if (rtld_search_dirs.dirs[0] == NULL)
{ {
errstring = N_("cannot create cache for search path"); errstring = N_("cannot create cache for search path");