From: Alexander Sosedkin
To: Érico Nogueira, musl@lists.openwall.com
Date: Thu, 18 Nov 2021 20:41:56 +0100
Subject: Re: [musl] $ORIGIN rpath expansion without /proc: code looks wrong

On 11/18/21 20:21, Érico Nogueira wrote:
> On Wed Nov 17, 2021 at 5:01 PM -03, Jeffrey Walton wrote:
>> On Wed, Nov 17, 2021 at 12:09 PM Érico Nogueira wrote:
>>>
>>> On Wed Nov 17, 2021 at 11:04 AM -03, Alexander Sosedkin wrote:
>>>> ...
>>>> Could somebody take a look at this and double-check that
>>>> this codepath makes sense?
>>>
>>> It does, but it might not be as robust as you wish. fixup_rpath() treats
>>> the RPATH entry as a single string, and does all $ORIGIN substitutions
>>> in one go (what splits the string by ":" is open_path()). This means
>>> that the entire RPATH entry containing $ORIGIN will be ignored if
>>> /proc/self/exe can't be accessed, despite one or more of them not
>>> depending on $ORIGIN.
>>
>> This has come up before on the list. It is different behavior from
>> libc, and it may be CVE worthy if a down-level library is used when an
>> updated library is available but lost because the RPATH/RUNPATH is
>> discarded.
>
> I would file such a CVE on the distro packaging or system administration
> rather than musl. The binaries you need to run so /proc is mounted
> shouldn't be the sort that depend on dynamic RPATH using ${ORIGIN}
> (rather than a static one or no RPATH at all), and any security fix
> should be confirmed to actually work before being deployed...
> Furthermore, I don't think an unprivileged user should be able to
> unmount /proc unless they have called prctl(PR_SET_NO_NEW_PRIVS, 1), no?
> Which would make any "attacks" be directed at themselves.

Well, an unprivileged user can bind-mount anything they want over /proc
with user mount namespaces, no problem.

The question would rather be "what gives", because for the non-suid case
they seem to gain nothing they can't gain by supplying their own dynamic
loader; and for the suid case we don't resolve $ORIGIN anyway.
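The behaviour Érico describes (the whole RPATH entry substituted as one string, so an unreadable /proc/self/exe discards every component, including the ones that never mention $ORIGIN) is easiest to see next to the per-component alternative. The following is an added illustration written for this thread, not musl's fixup_rpath() or open_path(); the origin directory is passed in explicitly, with NULL standing for "/proc/self/exe could not be read", and the function names and the sample RPATH are constructed for the example.

```c
/* Added example, not musl code: whole-entry vs per-component $ORIGIN
 * expansion of an RPATH/RUNPATH string.  A NULL origin stands for
 * "/proc/self/exe could not be read". */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Length of the $ORIGIN token starting at s (within len bytes), or 0. */
static size_t origin_token(const char *s, size_t len)
{
    if (len >= 7 && !strncmp(s, "$ORIGIN", 7)) return 7;
    if (len >= 9 && !strncmp(s, "${ORIGIN}", 9)) return 9;
    return 0;
}

/* Does the byte range [s, s+len) reference $ORIGIN in either spelling? */
static int needs_origin(const char *s, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (origin_token(s + i, len - i)) return 1;
    return 0;
}

/* Copy [s, s+len) into a fresh buffer with every $ORIGIN token replaced
 * by origin.  Caller frees.  Returns NULL only on allocation failure. */
static char *substitute(const char *s, size_t len, const char *origin)
{
    size_t olen = strlen(origin), cap = len + 1;
    for (size_t i = 0; i < len; i++)
        if (s[i] == '$') cap += olen;          /* upper bound on growth */
    char *out = malloc(cap);
    if (!out) return NULL;
    size_t o = 0;
    for (size_t i = 0; i < len; ) {
        size_t t = origin_token(s + i, len - i);
        if (t) { memcpy(out + o, origin, olen); o += olen; i += t; }
        else out[o++] = s[i++];
    }
    out[o] = '\0';
    return out;
}

/* Whole-entry treatment, as described in the thread: the entry is one
 * string, so with an unknown origin any $ORIGIN anywhere in it causes
 * the entire entry to be discarded (NULL), ':'-separated parts and all. */
char *expand_rpath_whole(const char *rpath, const char *origin)
{
    size_t len = strlen(rpath);
    if (!origin) {
        if (needs_origin(rpath, len)) return NULL;
        return substitute(rpath, len, "");     /* no tokens: verbatim copy */
    }
    return substitute(rpath, len, origin);
}

/* Per-component treatment: split on ':' first, substitute in each part
 * on its own.  With an unknown origin only the parts that actually
 * reference $ORIGIN are dropped; the static ones survive instead of the
 * loader silently falling back to the default search path.
 * *dropped receives the number of discarded parts.  Caller frees. */
char *expand_rpath_per_component(const char *rpath, const char *origin, int *dropped)
{
    size_t olen = origin ? strlen(origin) : 0, cap = strlen(rpath) + 1;
    for (const char *q = rpath; *q; q++)
        if (*q == '$') cap += olen;
    char *out = malloc(cap);
    if (!out) return NULL;
    size_t o = 0;
    int first = 1;
    *dropped = 0;
    for (const char *p = rpath;; p++) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (!origin && needs_origin(p, len)) {
            (*dropped)++;                      /* drop just this component */
        } else {
            char *e = substitute(p, len, origin ? origin : "");
            if (!e) { free(out); return NULL; }
            if (!first) out[o++] = ':';        /* keep empty components too */
            memcpy(out + o, e, strlen(e));
            o += strlen(e);
            free(e);
            first = 0;
        }
        if (!end) break;
        p = end;                               /* loop's p++ skips the ':' */
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    const char *rpath = "$ORIGIN/../lib:/opt/app/lib";   /* constructed sample */
    int dropped;
    char *w = expand_rpath_whole(rpath, NULL);
    char *c = expand_rpath_per_component(rpath, NULL, &dropped);
    printf("whole-entry, no /proc  : %s\n", w ? w : "(entry discarded)");
    printf("per-component, no /proc: %s (%d dropped)\n", c, dropped);
    free(w);
    free(c);
    return 0;
}
```

With the constructed entry and no readable /proc/self/exe, the whole-entry form discards both components, so /opt/app/lib is lost along with the $ORIGIN-relative one; the per-component form keeps /opt/app/lib and reports one dropped component, which is also the point at which a loader could log the drop rather than fail silently.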