Bug 183844

Summary: sys-libs/glibc: integer overflow in ld.so CVE-2007-3508
Product: Gentoo Security
Reporter: Tavis Ormandy (RETIRED) <taviso>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: major
CC: caluml, gengor, ssuominen, toolchain
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A1 [glsa]
Package list:
Runtime testing required: ---
Attachments:
ignore HWCAP_MASK for suid/sgid (flags: none)

Description Tavis Ormandy (RETIRED) gentoo-dev 2007-07-01 15:29:48 UTC
When there are many bits set in LD_HWCAP_MASK, an integer overflow could result in too little memory being allocated, potentially resulting in an exploitable condition.

Reproduce:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
$ strace -emmap2 -f env -i LD_HWCAP_MASK=$((0x7fffffff)) su

As hwcap_mask is honoured for suid binaries, this is a security issue. The attached patch disables this, as some other distributions have already done (e.g. Owl).

Vapier, could you prepare an updated ebuild incorporating this patch? Please don't commit it to portage yet, as this issue may require an embargo.
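The description above reports that a user-controlled bitmask drives an allocation size in ld.so and that a mask with many bits set wraps that size. The following is an added example, not glibc's code and not the attached patch: it models, in 32-bit arithmetic, a table with one entry per subset of the set bits (2^popcount entries, an assumed shape), shows the wrap for the two masks used in the reproduction above, and places a checked size computation beside the policy the attachment's title describes, ignoring the environment mask for set-user-ID and set-group-ID processes. The function names, the entry size of 16 bytes and the is_secure flag are illustrative assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative model only (not glibc's code): sizes are computed in uint32_t so
   the example behaves like a 32-bit x86 ld.so whatever the host's word size. */
typedef uint32_t sz32;

/* Number of bits set in the mask (Kernighan's loop). */
static unsigned popcount32(uint32_t m)
{
    unsigned n = 0;
    for (; m != 0; m &= m - 1)
        n++;
    return n;
}

/* Assumed table shape: one entry per subset of the set bits, i.e. 2^cnt entries.
   Computed by repeated doubling so that cnt == 32 wraps to 0 under well-defined
   unsigned arithmetic instead of an undefined 1u << 32. */
static sz32 combos32(unsigned cnt)
{
    sz32 c = 1;
    while (cnt-- > 0)
        c *= 2;
    return c;
}

/* Vulnerable pattern: the product silently wraps, so a mask with many bits set
   yields a far smaller byte count than the table actually needs. */
sz32 table_bytes_unchecked(uint32_t mask, sz32 entry_bytes)
{
    return combos32(popcount32(mask)) * entry_bytes;
}

/* Hardened pattern: refuse (return false) rather than hand back a wrapped size. */
bool table_bytes_checked(uint32_t mask, sz32 entry_bytes, sz32 *out)
{
    unsigned cnt = popcount32(mask);
    if (cnt >= 32)                        /* 2^cnt itself does not fit in 32 bits */
        return false;
    sz32 combos = combos32(cnt);
    if (entry_bytes != 0 && combos > UINT32_MAX / entry_bytes)
        return false;                     /* combos * entry_bytes would wrap */
    *out = combos * entry_bytes;
    return true;
}

/* Policy mitigation in the spirit of the attachment's title: a set-user-ID or
   set-group-ID process ignores the environment-supplied mask entirely.
   is_secure is an assumed flag meaning "running with elevated privileges". */
uint32_t effective_mask(uint32_t env_mask, bool is_secure)
{
    return is_secure ? 0 : env_mask;
}

int main(void)
{
    /* Constructed inputs; the last two are the masks from the reproduction. */
    const uint32_t masks[] = { 0x7u, 0x7fffffffu, 0xffffffffu };
    for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
        sz32 n = 0;
        bool ok = table_bytes_checked(masks[i], 16, &n);
        printf("mask=0x%08x bits=%u unchecked=%u checked=%s(%u)\n",
               masks[i], popcount32(masks[i]),
               table_bytes_unchecked(masks[i], 16),
               ok ? "ok" : "refused", n);
    }
    return 0;
}
```

For 0x7fffffff the unchecked size comes out as 0 bytes although 2^31 entries would be needed, which is the "too little memory" condition the report describes; the checked variant refuses both reproduction masks, and effective_mask() shows why ignoring the variable for privileged processes closes the exposure even where the arithmetic is left alone.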
Comment 1 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-01 15:30:21 UTC
Created attachment 123536 [details, diff]
ignore HWCAP_MASK for suid/sgid
Comment 2 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-02 21:54:28 UTC
this is CVE-2007-3508.
Comment 3 solar (RETIRED) gentoo-dev 2007-07-03 03:13:22 UTC
This is in the tree now as -r4 per a taviso request.

solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) id
Inconsistency detected by ld.so: dl-minimal.c: 84: __libc_memalign: Assertion `page != ((void *) -1)' failed!
solar@hangover / $ LD_HWCAP_MASK=$((0xffffffff)) su
Password:

http://sources.gentoo.org/viewcvs.py/gentoo/src/patchsets/glibc/2.5/ as patch 1600
Comment 4 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-03 09:21:59 UTC
x86: Please test and mark stable sys-libs/glibc-2.5-r4, in particular, please ensure that the following command succeeds:

$ env -i LD_HWCAP_MASK=$((0xffffffff)) su
Comment 5 Christian Faulhammer (RETIRED) gentoo-dev 2007-07-03 13:09:50 UTC
x86 stable, changing status to glsa?
Comment 6 Jeremy Huddleston (RETIRED) gentoo-dev 2007-07-04 08:51:42 UTC
Shouldn't amd64 be marking this stable too before you do the glsa...
Comment 7 Calum 2007-07-05 09:11:04 UTC
Is there any chance of having a 2.3 and 2.4 version of Glibc made available for this - some binary packages (HelixServer for instance) have problems with some versions of glibc, and if you have to run them, it'd be nice to be able to run them on a secure version of glibc.
Comment 8 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-05 10:07:53 UTC
Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe
Calum: This only affects suid applications, so unless your server is setuid, this shouldn't affect you
Comment 9 Calum 2007-07-05 10:35:47 UTC
Aaah, thanks for the reply.

Doesn't it mean, though, that someone could use a "standard" suid program such as su/mount/passwd to gain root?
Comment 10 SpanKY gentoo-dev 2007-07-05 21:06:53 UTC
what's the upstream status? has anyone posted there? if not, i'll take it up
Comment 11 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-07-06 09:10:35 UTC
GLSA 200707-04
Comment 12 Tavis Ormandy (RETIRED) gentoo-dev 2007-07-06 11:39:25 UTC
Vapier: Yep, it's fixed in upstream CVS

http://sourceware.org/cgi-bin/cvsweb.cgi/libc/ChangeLog.diff?r1=1.10688&r2=1.10689&cvsroot=glibc&sortby=date

(they fixed the bug, rather than just blacklisting it for suid)
Comment 13 SpanKY gentoo-dev 2007-07-06 15:26:25 UTC
ok, i checked for the mask rather than the fix ... i'll update our patches to match upstream ... thanks
Comment 14 SpanKY gentoo-dev 2007-07-07 04:13:31 UTC
considering all arches parse glsa's, i think all should stabilize ... especially since it's pretty trivial/non-invasive
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-07-07 13:12:29 UTC
ppc64 stable
Comment 16 Markus Rothe (RETIRED) gentoo-dev 2007-07-07 13:13:19 UTC
reopening bug, so this pops up in bug lists of stable marking monkeys ^^
Comment 17 Raúl Porcel (RETIRED) gentoo-dev 2007-07-07 14:35:01 UTC
alpha/ia64 stable
Comment 18 Joshua Kinard gentoo-dev 2007-07-07 16:19:26 UTC
mips stable.
Comment 19 Jeremy Huddleston (RETIRED) gentoo-dev 2007-07-08 15:42:54 UTC
(In reply to comment #8)
> Jeremy: we believe only x86 is affected, a 64bit arch like amd64 should be safe

32bit suid apps on amd64 are affected though...

$ env -i LD_HWCAP_MASK=$((0xffffffff)) /mnt/gentoo32/bin/su
Segmentation fault

Comment 20 Jeroen Roovers (RETIRED) gentoo-dev 2007-07-09 04:03:08 UTC
Stable for HPPA.
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2007-07-10 12:25:19 UTC
sparc stable.
Comment 22 Tobias Scherbaum (RETIRED) gentoo-dev 2007-07-10 18:41:02 UTC
ppc stable
Comment 23 Christoph Mende (RETIRED) gentoo-dev 2007-07-15 12:11:30 UTC
amd64 stable
Comment 24 Robert Buchholz (RETIRED) gentoo-dev 2007-09-11 22:24:39 UTC
Any reason this is still open?
Comment 25 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-09-12 05:19:41 UTC
I don't think so.