authorRich Felker <dalias@aerifal.cx>2018-02-07 14:31:42 -0500
committerRich Felker <dalias@aerifal.cx>2018-02-07 14:31:42 -0500
commit376b3c54bba7d235e5a8e2839bb333a826b19636 (patch)
tree8453a90317de98662a71048df26c826fe39fec89 /ldso
parentf0b235c138d26caafeda44475818508f1911e78e (diff)
downloadmusl-376b3c54bba7d235e5a8e2839bb333a826b19636.tar.gz
disallow non-absolute rpath $ORIGIN for suid/sgid/AT_SECURE processes
in theory non-absolute origins can only arise when either the main program is invoked by running ldso as a command (inherently non-suid) or when dlopen was called with a relative pathname containing at least one slash. such usage would be inherently insecure in an suid program anyway, so the old behavior here does not seem to have been insecure. harden against it anyway.
Diffstat (limited to 'ldso')
-rw-r--r--ldso/dynlink.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 3741c30d..9bf6924b 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -817,6 +817,9 @@ static int fixup_rpath(struct dso *p, char *buf, size_t buf_size)
origin = ".";
l = 1;
}
+ /* Disallow non-absolute origins for suid/sgid/AT_SECURE. */
+ if (libc.secure && *origin != '/')
+ return 0;
p->rpath = malloc(strlen(p->rpath_orig) + n*l + 1);
if (!p->rpath) return -1;
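Review bot: The comment on the added `libc.secure && *origin != '/'` check says what is rejected but not why, nor what `return 0` means to the caller. Judging from the context lines, returning here leaves `p->rpath` unassigned, unlike the `return -1` allocation-failure path just below, so the rpath appears to be skipped silently rather than reported as an error. That is worth confirming against the callers, since fixup_rpath starts and ends outside this hunk. I would extend the comment to something like `/* A relative origin resolves against the current directory, which the invoker of a suid/sgid/AT_SECURE process chooses; skip this rpath (not an error) instead of searching there. */`.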