From 1056e5b4c3f2d90ed2b4a55f96add28da2f4c8fa Mon Sep 17 00:00:00 2001
From: Siddhesh Poyarekar <siddhesh@sourceware.org>
Date: Tue, 19 Sep 2023 18:39:32 -0400
Subject: [PATCH] tunables: Terminate if end of input is reached (CVE-2023-4911)

The string parsing routine may end up writing beyond bounds of tunestr
if the input tunable string is malformed, of the form name=name=val.
This gets processed twice, first as name=name=val and next as name=val,
resulting in tunestr being name=name=val:name=val, thus overflowing
tunestr.

Terminate the parsing loop at the first instance itself so that tunestr
does not overflow.

Signed-off-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Reviewed-by: Carlos O'Donell <carlos@redhat.com>
---
NEWS | 5 +++++
elf/dl-tunables.c | 17 +++++++++-------
--- ./NEWS.orig 2023-01-31 21:27:45.000000000 -0600
+++ ./NEWS 2023-10-03 15:47:54.560781260 -0500
@@ -28,6 +28,11 @@
heap and prints it to the target log file, potentially revealing a
portion of the contents of the heap.
+ CVE-2023-4911: If a tunable of the form NAME=NAME=VAL is passed in the
+ environment of a setuid program and NAME is valid, it may result in a
+ buffer overflow, which could be exploited to achieve escalated
+ privileges. This flaw was introduced in glibc 2.34.
+
The following bugs are resolved with this release:
[12154] network: Cannot resolve hosts which have wildcard aliases
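Review bot: the NEWS entry (the lines starting "+ CVE-2023-4911") says the malformed tunable is "passed in the environment" but never names the environment variable that carries the tunable string, nor which buffer overflows; since this is the user-facing record of the issue, name the variable so administrators can audit their own environments, and say that it is the tunestr copy kept for setuid programs (the commit message's wording) rather than an unspecified "buffer". "NAME is valid" would also read more precisely as "NAME is a recognised tunable", which is the condition that makes the string get copied at all.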
--- ./elf/dl-tunables.c.orig 2023-01-31 21:27:45.000000000 -0600
+++ ./elf/dl-tunables.c 2023-10-03 15:47:54.560781260 -0500
@@ -187,11 +187,7 @@
/* If we reach the end of the string before getting a valid name-value
pair, bail out. */
if (p[len] == '\0')
- {
- if (__libc_enable_secure)
- tunestr[off] = '\0';
- return;
- }
+ break;
/* We did not find a valid name-value pair before encountering the
colon. */
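Review bot: turning the early `return` at `if (p[len] == '\0')` into a `break` removes the `tunestr[off] = '\0'` write from this path, so within this hunk alone the buffer is left unterminated whenever `__libc_enable_secure` is set; the hunk is only correct together with the post-loop terminator added in the second hunk, so the two must not be split when backporting. The comment above the check still says "bail out" although control now falls through to common exit code; rewording it to "stop parsing" would keep it accurate.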
@@ -251,9 +247,16 @@
}
}
- if (p[len] != '\0')
- p += len + 1;
+ /* We reached the end while processing the tunable string. */
+ if (p[len] == '\0')
+ break;
+
+ p += len + 1;
}
+
+ /* Terminate tunestr before we leave. */
+ if (__libc_enable_secure)
+ tunestr[off] = '\0';
}
#endif
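Review bot: the removed `if (p[len] != '\0') p += len + 1;` is what left `p` pointing at the value once the end of input was reached, so the next iteration re-read that value as a fresh name=value pair and appended it to tunestr again, giving the name=name=val:name=val case from the commit message; the unconditional `break` closes that. What is missing is a regression test: the diffstat lists only NEWS and elf/dl-tunables.c, so nothing exercises a name=name=val input with `__libc_enable_secure` set, and a test that asserts tunestr equals exactly name=name=val after parsing would pin the fix down. Since the terminator after the loop is now shared by both `break` sites, a one-line comment at the first break pointing at it would save the next reader from re-deriving why the early path no longer terminates the string.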
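To make the double parse described in the commit message concrete, here is an added model of the tunable-string loop, not glibc's own code: it keeps the name/value scanning and the name=value copy into tunestr, and lets you run the pre-patch advance logic and the patched `break` side by side on the name=name=val input. Assumptions that are mine rather than the page's: tunestr has exactly strlen(input)+1 bytes (the sizing under which the duplicate copy overflows), the list of recognised tunable names is a constructed stand-in for the real tunable list, and bytes past capacity are counted but not stored so the model itself never corrupts memory.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the real tunable list: names the parser accepts. */
static const char *const known_tunables[] = { "name", "glibc.malloc.mxfast" };

struct parse_result {
  size_t capacity;   /* bytes the real tunestr would have: strlen(input)+1 (assumed) */
  size_t needed;     /* bytes the parser tried to write, NUL terminator included */
  size_t passes;     /* loop iterations before the parser stopped */
  bool overflow;     /* needed > capacity: the CVE-2023-4911 condition */
  char written[64];  /* what actually landed in the buffer, clamped to capacity */
};

static bool is_known (const char *name, size_t len)
{
  for (size_t i = 0; i < sizeof known_tunables / sizeof *known_tunables; i++)
    if (strlen (known_tunables[i]) == len
        && memcmp (known_tunables[i], name, len) == 0)
      return true;
  return false;
}

/* Byte-wise copy into tunestr.  Bytes past capacity are counted, not stored. */
static void emit (struct parse_result *r, size_t *off, const char *s, size_t n)
{
  for (size_t i = 0; i < n; i++, (*off)++)
    if (*off < r->capacity)
      r->written[*off] = s[i];
}

/* FIXED selects the patched end-of-input handling; false reproduces the old loop. */
static struct parse_result parse_tunables (const char *input, bool fixed)
{
  struct parse_result r = { 0 };
  r.capacity = strlen (input) + 1;
  if (r.capacity > sizeof r.written)
    r.capacity = sizeof r.written;   /* keep the demo buffer bounded */
  const char *p = input;
  size_t off = 0;

  while (true)
    {
      r.passes++;
      const char *name = p;
      size_t len = 0;
      while (p[len] != '=' && p[len] != ':' && p[len] != '\0')
        len++;
      if (p[len] == '\0')              /* end of input before any name=value */
        break;
      if (p[len] == ':')               /* bare name without a value: skip it */
        {
          p += len + 1;
          continue;
        }
      size_t name_len = len;
      p += len + 1;                    /* step over '=' */
      const char *value = p;
      len = 0;
      while (p[len] != ':' && p[len] != '\0')
        len++;

      if (is_known (name, name_len))   /* only recognised names are copied */
        {
          if (off > 0)
            emit (&r, &off, ":", 1);
          emit (&r, &off, name, name_len);
          emit (&r, &off, "=", 1);
          emit (&r, &off, value, len);
        }

      if (fixed)
        {
          if (p[len] == '\0')          /* the patch: stop at end of input */
            break;
          p += len + 1;
        }
      else if (p[len] != '\0')
        p += len + 1;
      /* Old behaviour: at end of input p still points at the value, so the
         next pass re-reads "name=val" as a new name=value pair.  */
    }

  r.needed = off + 1;                  /* the terminating NUL */
  r.overflow = r.needed > r.capacity;
  r.written[off < r.capacity ? off : r.capacity - 1] = '\0';
  return r;
}

int main (void)
{
  const char *input = "name=name=val";   /* the malformed shape from the commit message */
  for (int fixed = 0; fixed < 2; fixed++)
    {
      struct parse_result r = parse_tunables (input, fixed);
      printf ("%s: passes=%zu needed=%zu capacity=%zu overflow=%s written=\"%s\"\n",
              fixed ? "fixed  " : "unfixed", r.passes, r.needed, r.capacity,
              r.overflow ? "yes" : "no", r.written);
    }
  return 0;
}
```

On name=name=val the old loop makes three passes and wants 23 bytes (name=name=val, a ':' separator, name=val, NUL) in a 14-byte buffer; the patched loop stops after one pass at exactly 14. A well-formed string such as name=1:other=2 is handled identically by both variants, which is why the bug went unnoticed by ordinary use.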