Uploaded image for project: 'RHEL'
  1. RHEL
  2. RHEL-79064

glibc: Reduce likelihood of spurious %n failure in printf

Linking RHIVOS CVEs to...Migration: Automation ...SWIFT: POC ConversionSync from "Extern...XMLWordPrintable

    • No
    • Low
    • rhel-pt-c-libs
    • ssg_platform_tools
    • None
    • False
    • False
    • Hide

      None

      Show
      None
    • None
    • None
    • None
    • None
    • Unspecified
    • All
    • None

      If glibc cannot read /proc/self/maps, it's possible that using %n in a format string triggers process termination even though the memory is in fact read-only. Upstream now ignores the failure after this commit:

      commit 7bb8045ec0595a031e68383849c3fbd9af134312
Author: Volker Weißmann <volker.weissmann@gmx.de>
Date:   Tue Oct 3 19:18:44 2023 +0200

    Fix FORTIFY_SOURCE false positive
    
    When -D_FORTIFY_SOURCE=2 was given during compilation,
    sprintf and similar functions will check if their
    first argument is in read-only memory and exit with
    *** %n in writable segment detected ***
    otherwise. To check if the memory is read-only, glibc
    reads frpm the file "/proc/self/maps". If opening this
    file fails due to too many open files (EMFILE), glibc
    will now ignore this error.
    
    Fixes [BZ #30932]
    
    Signed-off-by: Volker Weißmann <volker.weissmann@gmx.de>
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

      However, this change is undesirable because for SUID binaries, a local users can trigger EMFILE errors by adjusting RLIMIT_NOFILE, essentially disabling %n hardening.

      This was noticed when we backported this test under RHEL-46761, which failed because the upstream change above was not backported.

      commit be7a5468d4f694ee8d052b537141f51af43ca7f2
Author: Adhemerval Zanella <adhemerval.zanella@linaro.org>
Date:   Tue Oct 3 15:09:36 2023 -0300

    debug: Add regression tests for BZ 30932
    
    Checked on x86_64-linux-gnu.
    Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>

      This needs to be fixed upstream first. The original reporter does not mind if we still produce the error, but are more explicit about the cause:

      However, I think we can do mich better than that:

      • Use _dl_find_object to get the link map
      • Iterate over the LOAD segments to find a matching read-only segment.
      • If it is read-write, also check the RELRO area.
      • Do the link map access from a new function in the dynamic linker, not libc, to limit layout dependencies.
      • Process termination should be handled from within libc.
      • If we cannot find a link map, proceed as before with /proc/self/maps. But if opening or reading fails, write a different, new error message using __libc_fatal.

              ashankar@redhat.com Arjun Shankar
              fweimer@redhat.com Florian Weimer
              Platform Tools - Libraries Bot Platform Tools - Libraries Bot
              qe-baseos-tools-bugs@redhat.com qe-baseos-tools-bugs@redhat.com qe-baseos-tools-bugs@redhat.com qe-baseos-tools-bugs@redhat.com
              Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

                Created:
                Updated:
                Resolved: