[OE-core] [PATCH] fix(glibc): fix bug 22627
Andrej Valek
andrej.valek at siemens.com
Wed Feb 7 13:45:28 UTC 2018
From: Radovan Scasny <radovan.scasny at siemens.com>
---
...030-Bug-22627-do-not-substitute-dst-twice.patch | 56 ++++++++++++++++++++++
meta/recipes-core/glibc/glibc_2.26.bb | 1 +
2 files changed, 57 insertions(+)
create mode 100644 meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
diff --git a/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
new file mode 100644
index 0000000..28855e2
--- /dev/null
+++ b/meta/recipes-core/glibc/glibc/0030-Bug-22627-do-not-substitute-dst-twice.patch
@@ -0,0 +1,56 @@
+glibc: Fix Bug-22627
+
+[No upstream tracking] -- https://sourceware.org/bugzilla/show_bug.cgi?id=22627
+
+elf: Check for empty tokens before dynamic string token expansion
+
+The fillin_rpath function in elf/dl-load.c loops over each RPATH or
+RUNPATH tokens and interprets empty tokens as the current directory
+("./"). In practice the check for empty token is done *after* the
+dynamic string token expansion. The expansion process can return an
+empty string for the $ORIGIN token if __libc_enable_secure is set
+or if the path of the binary can not be determined (/proc not mounted).
+
+Fix that by moving the check for empty tokens before the dynamic string
+token expansion. In addition, check for NULL pointer or empty strings
+return by expand_dynamic_string_token.
+
+The above changes highlighted a bug in decompose_rpath, an empty array
+is represented by the first element being NULL at the fillin_rpath
+level, but by using a -1 pointer in decompose_rpath and other functions.
+
+Upstream-Status: Backport [https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=commit;h=bb195224acc14724e9fc2dbaa8d0b20b72ace79b]
+Bug: 22627
+Signed-off-by: Radovan Scasny <radovan.scasny at siemens.com>
+
+diff --git a/glibc/elf/dl-load.c b/glibc/elf/dl-load.c
+index 70c259b..c29257c 100644
+--- a/glibc/elf/dl-load.c
++++ b/glibc/elf/dl-load.c
+@@ -778,25 +778,7 @@ _dl_init_paths (const char *llp)
+ {
+ size_t nllp;
+ const char *cp = llp;
+- char *llp_tmp;
+-
+-#ifdef SHARED
+- /* Expand DSTs. */
+- size_t cnt = DL_DST_COUNT (llp, 1);
+- if (__glibc_likely (cnt == 0))
+- llp_tmp = strdupa (llp);
+- else
+- {
+- /* Determine the length of the substituted string. */
+- size_t total = DL_DST_REQUIRED (l, llp, strlen (llp), cnt);
+-
+- /* Allocate the necessary memory. */
+- llp_tmp = (char *) alloca (total + 1);
+- llp_tmp = _dl_dst_substitute (l, llp, llp_tmp, 1);
+- }
+-#else
+- llp_tmp = strdupa (llp);
+-#endif
++ char *llp_tmp = strdupa (llp);
+
+ /* Decompose the LD_LIBRARY_PATH contents. First determine how many
+ elements it has. */
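Review bot: The description at the top of the added patch file does not match the change it carries. The text describes moving the empty-token check in fillin_rpath and an empty-array representation in decompose_rpath, but the only code hunk is in _dl_init_paths, where the `#ifdef SHARED` DST expansion is removed in favour of `char *llp_tmp = strdupa (llp);`. That is what the file name (do-not-substitute-dst-twice) suggests. Please replace the description with the message of the commit named in Upstream-Status, so a later reader can tell why the expansion of LD_LIBRARY_PATH was dropped here. `[No upstream tracking]` also contradicts `Upstream-Status: Backport [...]` a few lines below and should go. Finally, the inner paths carry a `glibc/` prefix (`a/glibc/elf/dl-load.c`), so please confirm the patch applies at the strip level the recipe uses.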
diff --git a/meta/recipes-core/glibc/glibc_2.26.bb b/meta/recipes-core/glibc/glibc_2.26.bb
index 7eb56b3..e5c171c 100644
--- a/meta/recipes-core/glibc/glibc_2.26.bb
+++ b/meta/recipes-core/glibc/glibc_2.26.bb
@@ -43,6 +43,7 @@ SRC_URI = "${GLIBC_GIT_URI};branch=${SRCBRANCH};name=glibc \
file://0027-glibc-reset-dl-load-write-lock-after-forking.patch \
file://0028-Bug-4578-add-ld.so-lock-while-fork.patch \
file://0029-malloc-add-missing-arena-lock-in-malloc-info.patch \
+ file://0030-Bug-22627-do-not-substitute-dst-twice.patch \
file://CVE-2017-15671.patch \
file://CVE-2017-16997.patch \
file://CVE-2017-17426.patch \
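Review bot: The new SRC_URI entry after 0029 is in the right place in the numbered sequence, but the commit that adds it has no message body and no Signed-off-by: nothing sits between the From: line and the `---`. Please add a short description of what bug 22627 is and why glibc_2.26.bb needs the backport, plus the sign-off, since this line is otherwise the only record in the recipe of a change to the dynamic loader's LD_LIBRARY_PATH handling.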
--
2.1.4