CVE-2014-7817: wordexp fails to honour WRDE_NOCMD (#1167569).
This commit is contained in:
Siddhesh Poyarekar
parent
646364078f
commit
07eee66da3
164
glibc-rh1167569.patch
Normal file
164
glibc-rh1167569.patch
Normal file
@ -0,0 +1,164 @@
|
||||
commit 33ceaf6187b31ea15284ac65131749e1cb68d2ae
|
||||
Author: Carlos O'Donell <carlos@redhat.com>
|
||||
Date: Wed Nov 19 11:44:12 2014 -0500
|
||||
|
||||
CVE-2014-7817: wordexp fails to honour WRDE_NOCMD.
|
||||
|
||||
The function wordexp() fails to properly handle the WRDE_NOCMD
|
||||
flag when processing arithmetic inputs in the form of "$((... ``))"
|
||||
where "..." can be anything valid. The backticks in the arithmetic
|
||||
epxression are evaluated by in a shell even if WRDE_NOCMD forbade
|
||||
command substitution. This allows an attacker to attempt to pass
|
||||
dangerous commands via constructs of the above form, and bypass
|
||||
the WRDE_NOCMD flag. This patch fixes this by checking for WRDE_NOCMD
|
||||
in exec_comm(), the only place that can execute a shell. All other
|
||||
checks for WRDE_NOCMD are superfluous and removed.
|
||||
|
||||
We expand the testsuite and add 3 new regression tests of roughly
|
||||
the same form but with a couple of nested levels.
|
||||
|
||||
On top of the 3 new tests we add fork validation to the WRDE_NOCMD
|
||||
testing. If any forks are detected during the execution of a wordexp()
|
||||
call with WRDE_NOCMD, the test is marked as failed. This is slightly
|
||||
heuristic since vfork might be used in the future, but it provides a
|
||||
higher level of assurance that no shells were executed as part of
|
||||
command substitution with WRDE_NOCMD in effect. In addition it doesn't
|
||||
require libpthread or libdl, instead we use the public implementation
|
||||
namespace function __register_atfork (already part of the public ABI
|
||||
for libpthread).
|
||||
|
||||
Tested on x86_64 with no regressions.
|
||||
|
||||
(cherry picked from commit a39208bd7fb76c1b01c127b4c61f9bfd915bfe7c)
|
||||
|
||||
diff --git a/posix/wordexp-test.c b/posix/wordexp-test.c
|
||||
index 4957006..bdd65e4 100644
|
||||
--- a/posix/wordexp-test.c
|
||||
+++ b/posix/wordexp-test.c
|
||||
@@ -27,6 +27,25 @@
|
||||
|
||||
#define IFS " \n\t"
|
||||
|
||||
+extern void *__dso_handle __attribute__ ((__weak__, __visibility__ ("hidden")));
|
||||
+extern int __register_atfork (void (*) (void), void (*) (void), void (*) (void), void *);
|
||||
+
|
||||
+static int __app_register_atfork (void (*prepare) (void), void (*parent) (void), void (*child) (void))
|
||||
+{
|
||||
+ return __register_atfork (prepare, parent, child,
|
||||
+ &__dso_handle == NULL ? NULL : __dso_handle);
|
||||
+}
|
||||
+
|
||||
+/* Number of forks seen. */
|
||||
+static int registered_forks;
|
||||
+
|
||||
+/* For each fork increment the fork count. */
|
||||
+static void
|
||||
+register_fork (void)
|
||||
+{
|
||||
+ registered_forks++;
|
||||
+}
|
||||
+
|
||||
struct test_case_struct
|
||||
{
|
||||
int retval;
|
||||
@@ -206,6 +225,12 @@ struct test_case_struct
|
||||
{ WRDE_SYNTAX, NULL, "$((2+))", 0, 0, { NULL, }, IFS },
|
||||
{ WRDE_SYNTAX, NULL, "`", 0, 0, { NULL, }, IFS },
|
||||
{ WRDE_SYNTAX, NULL, "$((010+4+))", 0, 0, { NULL }, IFS },
|
||||
+ /* Test for CVE-2014-7817. We test 3 combinations of command
|
||||
+ substitution inside an arithmetic expression to make sure that
|
||||
+ no commands are executed and error is returned. */
|
||||
+ { WRDE_CMDSUB, NULL, "$((`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
|
||||
+ { WRDE_CMDSUB, NULL, "$((1+`echo 1`))", WRDE_NOCMD, 0, { NULL, }, IFS },
|
||||
+ { WRDE_CMDSUB, NULL, "$((1+$((`echo 1`))))", WRDE_NOCMD, 0, { NULL, }, IFS },
|
||||
|
||||
{ -1, NULL, NULL, 0, 0, { NULL, }, IFS },
|
||||
};
|
||||
@@ -258,6 +283,15 @@ main (int argc, char *argv[])
|
||||
return -1;
|
||||
}
|
||||
|
||||
+ /* If we are not allowed to do command substitution, we install
|
||||
+ fork handlers to verify that no forks happened. No forks should
|
||||
+ happen at all if command substitution is disabled. */
|
||||
+ if (__app_register_atfork (register_fork, NULL, NULL) != 0)
|
||||
+ {
|
||||
+ printf ("Failed to register fork handler.\n");
|
||||
+ return -1;
|
||||
+ }
|
||||
+
|
||||
for (test = 0; test_case[test].retval != -1; test++)
|
||||
if (testit (&test_case[test]))
|
||||
++fail;
|
||||
@@ -367,6 +401,9 @@ testit (struct test_case_struct *tc)
|
||||
|
||||
printf ("Test %d (%s): ", ++tests, tc->words);
|
||||
|
||||
+ if (tc->flags & WRDE_NOCMD)
|
||||
+ registered_forks = 0;
|
||||
+
|
||||
if (tc->flags & WRDE_APPEND)
|
||||
{
|
||||
/* initial wordexp() call, to be appended to */
|
||||
@@ -378,6 +415,13 @@ testit (struct test_case_struct *tc)
|
||||
}
|
||||
retval = wordexp (tc->words, &we, tc->flags);
|
||||
|
||||
+ if ((tc->flags & WRDE_NOCMD)
|
||||
+ && (registered_forks > 0))
|
||||
+ {
|
||||
+ printf ("FAILED fork called for WRDE_NOCMD\n");
|
||||
+ return 1;
|
||||
+ }
|
||||
+
|
||||
if (tc->flags & WRDE_DOOFFS)
|
||||
start_offs = sav_we.we_offs;
|
||||
|
||||
diff --git a/posix/wordexp.c b/posix/wordexp.c
|
||||
index b6b65dd..26f3a26 100644
|
||||
--- a/posix/wordexp.c
|
||||
+++ b/posix/wordexp.c
|
||||
@@ -893,6 +893,10 @@ exec_comm (char *comm, char **word, size_t *word_length, size_t *max_length,
|
||||
pid_t pid;
|
||||
int noexec = 0;
|
||||
|
||||
+ /* Do nothing if command substitution should not succeed. */
|
||||
+ if (flags & WRDE_NOCMD)
|
||||
+ return WRDE_CMDSUB;
|
||||
+
|
||||
/* Don't fork() unless necessary */
|
||||
if (!comm || !*comm)
|
||||
return 0;
|
||||
@@ -2082,9 +2086,6 @@ parse_dollars (char **word, size_t *word_length, size_t *max_length,
|
||||
}
|
||||
}
|
||||
|
||||
- if (flags & WRDE_NOCMD)
|
||||
- return WRDE_CMDSUB;
|
||||
-
|
||||
(*offset) += 2;
|
||||
return parse_comm (word, word_length, max_length, words, offset, flags,
|
||||
quoted? NULL : pwordexp, ifs, ifs_white);
|
||||
@@ -2196,9 +2197,6 @@ parse_dquote (char **word, size_t *word_length, size_t *max_length,
|
||||
break;
|
||||
|
||||
case '`':
|
||||
- if (flags & WRDE_NOCMD)
|
||||
- return WRDE_CMDSUB;
|
||||
-
|
||||
++(*offset);
|
||||
error = parse_backtick (word, word_length, max_length, words,
|
||||
offset, flags, NULL, NULL, NULL);
|
||||
@@ -2357,12 +2355,6 @@ wordexp (const char *words, wordexp_t *pwordexp, int flags)
|
||||
break;
|
||||
|
||||
case '`':
|
||||
- if (flags & WRDE_NOCMD)
|
||||
- {
|
||||
- error = WRDE_CMDSUB;
|
||||
- goto do_error;
|
||||
- }
|
||||
-
|
||||
++words_offset;
|
||||
error = parse_backtick (&word, &word_length, &max_length, words,
|
||||
&words_offset, flags, pwordexp, ifs,
|
||||
@ -1,6 +1,6 @@
|
||||
%define glibcsrcdir glibc-2.20
|
||||
%define glibcversion 2.20
|
||||
%define glibcrelease 7%{?dist}
|
||||
%define glibcrelease 8%{?dist}
|
||||
# Pre-release tarballs are pulled in from git using a command that is
|
||||
# effectively:
|
||||
#
|
||||
@ -207,6 +207,7 @@ Patch0051: %{name}-disable-rwlock-elision.patch
|
||||
#
|
||||
##############################################################################
|
||||
Patch1001: %{name}-rh1133508.patch
|
||||
Patch1002: %{name}-rh1167569.patch
|
||||
|
||||
##############################################################################
|
||||
#
|
||||
@ -575,6 +576,7 @@ package or when debugging this package.
|
||||
%patch0050 -p1
|
||||
%patch1001 -p1
|
||||
%patch0051 -p1
|
||||
%patch1002 -p1
|
||||
|
||||
##############################################################################
|
||||
# %%prep - Additional prep required...
|
||||
@ -1710,6 +1712,9 @@ rm -f *.filelist*
|
||||
%endif
|
||||
|
||||
%changelog
|
||||
* Fri Feb 27 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.20-8
|
||||
- wordexp fails to honour WRDE_NOCMD (CVE-2014-7817, #1167569).
|
||||
|
||||
* Tue Jan 06 2015 Siddhesh Poyarekar <siddhesh@redhat.com> - 2.20-7
|
||||
- Remove LIB_LANG since we don't install locales in /usr/lib/locale anymore.
|
||||
- Don't own any directories in /usr/share/locale (#1167445).
|
||||
|
||||
Loading…
Reference in New Issue
Block a user