From b75891075bece24be9fd85618f18af4a2daf7f1c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ond=C5=99ej=20B=C3=ADlka?= Date: Mon, 18 Nov 2013 19:56:57 +0100 Subject: [PATCH] Fix breaking of RPATH when $ORIGIN contains colons. Fixes bug 10253 We first expanded origin and then split string by colons. This misbehaves when $ORIGIN contain colon so we first split string, then expand $ORIGIN. --- ChangeLog | 7 +++++++ NEWS | 20 ++++++++++---------- elf/dl-load.c | 26 ++++++++++++++++---------- 3 files changed, 33 insertions(+), 20 deletions(-) diff --git a/ChangeLog b/ChangeLog index eccc4a9fe1..3822e0105e 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2013-11-18 Ondřej Bílka + + [BZ #10253] + * elf/dl-load.c (fillin_rpath): Add linkmap parameter and expand path. + (decompose_rpath): Defer expansion to fillin_rpath. + (_dl_init_paths): Pass linkmap to fillin_rpath. + 2013-11-18 Rajalakshmi Srinivasaraghavan * benchtests/Makefile: Add strsep. diff --git a/NEWS b/NEWS index fc1b63c4b1..c14374d272 100644 --- a/NEWS +++ b/NEWS 
@@ -9,16 +9,16 @@ Version 2.19 * The following bugs are resolved with this release: - 156, 387, 431, 832, 2801, 7003, 9954, 10278, 11087, 13028, 13982, 13985, - 14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218, - 15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532, 15608, - 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723, 15734, - 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797, 15799, - 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886, - 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919, - 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032, - 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103, - 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172. + 156, 387, 431, 832, 2801, 7003, 9954, 10253, 10278, 11087, 13028, 13982, + 13985, 14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048, + 15218, 15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532, + 15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723, + 15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797, + 15799, 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, + 15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, + 15919, 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, + 16032, 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, + 16103, 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172. * CVE-2012-4412 The strcoll implementation caches indices and rules for large collation sequences to optimize multiple passes. This cache diff --git a/elf/dl-load.c b/elf/dl-load.c index 6a73f27345..bdd33bd78a 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c 
@@ -481,14 +481,19 @@ static size_t max_dirnamelen; static struct r_search_path_elem ** fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, - int check_trusted, const char *what, const char *where) + int check_trusted, const char *what, const char *where, + struct link_map *l) { char *cp; size_t nelems = 0; + char *to_free; while ((cp = __strsep (&rpath, sep)) != NULL) { struct r_search_path_elem *dirp; + + to_free = cp = expand_dynamic_string_token (l, cp); + size_t len = strlen (cp); /* `strsep' can pass an empty string. This has to be @@ -509,7 +514,10 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, /* Make sure we don't use untrusted directories if we run SUID. */ if (__builtin_expect (check_trusted, 0) && !is_trusted_path (cp, len)) - continue; + { + free (to_free); + continue; + } /* See if this directory is already known. */ for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next) @@ -570,6 +578,7 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep, /* Put it in the result array. */ result[nelems++] = dirp; } + free (to_free); } /* Terminate the array. */ @@ -625,9 +634,8 @@ decompose_rpath (struct r_search_path_struct *sps, while (*inhp != '\0'); } - /* Make a writable copy. At the same time expand possible dynamic - string tokens. */ - copy = expand_dynamic_string_token (l, rpath, 1); + /* Make a writable copy. */ + copy = local_strdup (rpath); if (copy == NULL) { errstring = N_("cannot create RUNPATH/RPATH copy"); @@ -660,7 +668,7 @@ decompose_rpath (struct r_search_path_struct *sps, _dl_signal_error (ENOMEM, NULL, NULL, errstring); } - fillin_rpath (copy, result, ":", 0, what, where); + fillin_rpath (copy, result, ":", 0, what, where, l); /* Free the copied RPATH string. `fillin_rpath' make own copies if necessary. */ 
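Review bot: In the first fillin_rpath hunk the result of `expand_dynamic_string_token (l, cp)` goes straight into `strlen (cp)` with no NULL check, although the code removed from decompose_rpath further down tested the same function's result against NULL and raised "cannot create RUNPATH/RPATH copy". An allocation failure during expansion would therefore become a NULL dereference in the loader's path setup instead of a reported error; add `if (cp == NULL) continue;` (or signal ENOMEM as before) directly after the assignment. The new call also passes two arguments where the removed call passed three (`l, rpath, 1`), and no hunk here changes the function's definition, so the argument list should be checked against the prototype. fillin_rpath's body extends beyond these hunks.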
@@ -708,9 +716,7 @@ _dl_init_paths (const char *llp) const char *strp; struct r_search_path_elem *pelem, **aelem; size_t round_size; -#ifdef SHARED - struct link_map *l; -#endif + struct link_map __attribute__ ((unused)) *l = NULL; /* Initialize to please the compiler. */ const char *errstring = NULL; @@ -865,7 +871,7 @@ _dl_init_paths (const char *llp) (void) fillin_rpath (llp_tmp, env_path_list.dirs, ":;", INTUSE(__libc_enable_secure), "LD_LIBRARY_PATH", - NULL); + NULL, l); if (env_path_list.dirs[0] == NULL) {
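Review bot: `l` now reaches fillin_rpath on the LD_LIBRARY_PATH call, but its declaration in this function was changed to `struct link_map __attribute__ ((unused)) *l = NULL;` with the `#ifdef SHARED` guard removed, so wherever it is not assigned the token expansion runs with a NULL link map. This is the call that passes `INTUSE(__libc_enable_secure)` as check_trusted, so the behaviour matters for set-user-ID startup; whether expand_dynamic_string_token accepts a NULL map is not visible in this patch and should be confirmed or guarded. The `unused` attribute is also misleading now that the variable is used, and a comment such as `/* NULL in non-SHARED builds; fillin_rpath must cope with that. */` at the declaration would record the contract. If llp_tmp has already had its tokens substituted earlier in _dl_init_paths (outside these hunks), this call expands it a second time. The function body extends beyond both hunks.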