Re: Fixing the glibc runtime linker

[Tim Brown <tmb () 65535 com>]

On Thursday 19 February 2015 23:33:26 Stuart Gathman wrote:
> On 02/19/2015 05:19 PM, Tim Brown wrote:
> > What's the fix?
> >
> > More often than not, the underlying issue is an empty element within the
> > DT_RPATH header or equivalent. Sometimes it's not, but even in those
> > cases, it is largely that one or more elements isn't qualifed (i.e. it
> > doesn't start with /). The attached patch fixes this, by ignoring any
> > elements of DT_RPATH, LD_LIBRARY_PATH that do not start with a /, and/or
> > junking any use of dlopen where the filename is likewise unqualified.
> >
> > Won't this break stuff?
> >
> > Maybe (certainly it is means a change to glibc behaviour), but more often
> > than not, the fact that a given binary currently works in an unsafe way
> > is a bug - and an exploitable one at that. Moreoever, Solaris has had a
> > similar sanitity check (in their case only for privileged setuid
> > binaries) for a good number of years without serious incident. I believe
> > we should be fixing software that exhibits the behaviour I've described,
> > but this patch will (I think) kill the bug class irrespective of that.
>
> There needs to be a way to log the paths being ignored - so at least
> some people will have a clue as to why their program doesn't work. I'm
> not sure what that way is.

Probably something to take up with the glibc folk directly, but I could 
envisage using the LD_DEBUG infrastructure.

Tim
-- 
Tim Brown
<mailto:tmb () 65535 com>

Attachment: signature.asc
Description: This is a digitally signed message part.