Bug 183844 - sys-libs/glibc: integer overflow in ld.so CVE-2007-3508
Bug#: 183844 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: taviso@gentoo.org
Component: Vulnerabilities
URL: 
Summary: sys-libs/glibc: integer overflow in ld.so CVE-2007-3508
Keywords:  
Status Whiteboard: A1 [glsa]
Opened: 2007-07-01 15:29 0000
Description:   Opened: 2007-07-01 15:29 0000 
When there are many bits set in LD_HWCAP_MASK, an integer overflow could result
in too little memory being allocated, potentially resulting in an exploitable
condition.

Reproduce:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
$ strace -emmap2 -f env -i LD_HWCAP_MASK=$((0x7fffffff)) su

As hwcap_mask is honoured for suid binaries, this is a security issue. Attached
patch disabled this, as some other distributions have already done (eg, Owl).

Vapier, could you prepare an updated ebuild incorporating this patch? Please
dont commit it to portage yet, as this issue may require an embargo.

------- Comment #1 From Tavis Ormandy (RETIRED) 2007-07-01 15:30:21 0000 ------- 
Created an attachment (id=123536) [details]
ignore HWCAP_MASK for suid/sgid

------- Comment #2 From Tavis Ormandy (RETIRED) 2007-07-02 21:54:28 0000 ------- 
this is CVE-2007-3508.

------- Comment #3 From solar 2007-07-03 03:13:22 0000 ------- 
This is in the tree now as -r4 per a taviso request.

solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) id
Inconsistency detected by ld.so: dl-minimal.c: 84: __libc_memalign: Assertion
`page != ((void *) -1)' failed!
solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) su
Password:

http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.5/ as patch
1600

------- Comment #4 From Tavis Ormandy (RETIRED) 2007-07-03 09:21:59 0000 ------- 
x86: Please test and mark stable sys-libs/glibc-2.5-r4, in particular, please
ensure that the following command succeeds:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su

------- Comment #5 From Christian Faulhammer 2007-07-03 13:09:50 0000 ------- 
x86 stable, changing status to glsa?

------- Comment #6 From Jeremy Huddleston (RETIRED) 2007-07-04 08:51:42 0000 ------- 
Shouldn't amd64 be marking this stable too before you do the glsa...

------- Comment #7 From Calum 2007-07-05 09:11:04 0000 ------- 
Is there any chance of having a 2.3 and 2.4 version of Glibc made available for
this - some binary packages (HelixServer for instance) have problems with some
versions of glibc, and if you have to run them, it'd be nice to be able to run
them on a secure version of glibc.

------- Comment #8 From Tavis Ormandy (RETIRED) 2007-07-05 10:07:53 0000 ------- 
Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe
Calum: This only affects suid applications, so unless your server is setuid,
this shouldnt affect you

------- Comment #9 From Calum 2007-07-05 10:35:47 0000 ------- 
Aaah, thanks for the reply.

Doesn't it mean though that someone could use a "standard" suid program such as
su/mount/passwd to gain root though?

------- Comment #10 From SpanKY 2007-07-05 21:06:53 0000 ------- 
what's the upstream status ?  has anyone posted there ?  if not, i'll take it
up

------- Comment #11 From Raphael Marichez 2007-07-06 09:10:35 0000 ------- 
GLSA 200707-04

------- Comment #12 From Tavis Ormandy (RETIRED) 2007-07-06 11:39:25 0000 ------- 
Vapier: Yep, it's fixed in upstream CVS

http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?r1=1.10688&r2=1.10689&cvsroot=glibc&sortby=date

(they fixed the bug, rather than just blacklisting it for suid)

------- Comment #13 From SpanKY 2007-07-06 15:26:25 0000 ------- 
ok, i checked for the mask rather than the fix ... i'll update our patches to
match upstream ... thanks

------- Comment #14 From SpanKY 2007-07-07 04:13:31 0000 ------- 
considering all arches parse glsa's, i think all should stabilize ...
especially since it's pretty trivial/non-invasive

------- Comment #15 From Markus Rothe 2007-07-07 13:12:29 0000 ------- 
ppc64 stable

------- Comment #16 From Markus Rothe 2007-07-07 13:13:19 0000 ------- 
reopening bug, so this pops up in bug lists of stable marking monkeys ^^

------- Comment #17 From Raúl Porcel 2007-07-07 14:35:01 0000 ------- 
alpha/ia64 stable

------- Comment #18 From Joshua Kinard 2007-07-07 16:19:26 0000 ------- 
mips stable.

------- Comment #19 From Jeremy Huddleston (RETIRED) 2007-07-08 15:42:54 0000 ------- 
(In reply to comment #8)
> Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe

32bit suid apps on amd64 are affected though...

$ env -i LD_HWCAP_MASK=$((0xffffffff)) /mnt/gentoo32/bin/su
Segmentation fault

------- Comment #20 From Jeroen Roovers 2007-07-09 04:03:08 0000 ------- 
Stable for HPPA.

------- Comment #21 From Gustavo Zacarias (RETIRED) 2007-07-10 12:25:19 0000 ------- 
sparc stable.

------- Comment #22 From Tobias Scherbaum 2007-07-10 18:41:02 0000 ------- 
ppc stable

------- Comment #23 From Christoph Mende 2007-07-15 12:11:30 0000 ------- 
amd64 stable

------- Comment #24 From Robert Buchholz 2007-09-11 22:24:39 0000 ------- 
Any reason this is still open?

------- Comment #25 From Sune Kloppenborg Jeppesen 2007-09-12 05:19:41 0000 ------- 
I don't think so.