Fix breaking of RPATH when $ORIGIN contains colons. Fixes bug 10253

We first expanded origin and then split string by colons. This
misbehaves when $ORIGIN contain colon so we first split string, then
expand $ORIGIN.

diff --git a/ChangeLog b/ChangeLog
index eccc4a9..3822e01 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2013-11-18  Ondřej Bílka  <neleai@seznam.cz>
+
+       [BZ #10253]
+       * elf/dl-load.c (fillin_rpath): Add linkmap parameter and expand path.
+       (decompose_rpath): Defer expansion to fillin_rpath.
+       (_dl_init_paths): Pass linkmap to fillin_rpath.
+
 2013-11-18  Rajalakshmi Srinivasaraghavan  <raji@linux.vnet.ibm.com>
 
        * benchtests/Makefile: Add strsep.

diff --git a/NEWS b/NEWS
index fc1b63c..c14374d 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -9,16 +9,16 @@ Version 2.19
 
 * The following bugs are resolved with this release:
 
-  156, 387, 431, 832, 2801, 7003, 9954, 10278, 11087, 13028, 13982, 13985,
-  14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048, 15218,
-  15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532, 15608,
-  15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723, 15734,
-  15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797, 15799,
-  15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867, 15886,
-  15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917, 15919,
-  15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997, 16032,
-  16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078, 16103,
-  16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
+  156, 387, 431, 832, 2801, 7003, 9954, 10253, 10278, 11087, 13028, 13982,
+  13985, 14029, 14143, 14155, 14547, 14699, 14752, 14876, 14910, 15048,
+  15218, 15277, 15308, 15362, 15374, 15400, 15427, 15522, 15531, 15532,
+  15608, 15609, 15610, 15632, 15640, 15670, 15672, 15680, 15681, 15723,
+  15734, 15735, 15736, 15748, 15749, 15754, 15760, 15763, 15764, 15797,
+  15799, 15825, 15844, 15847, 15849, 15855, 15856, 15857, 15859, 15867,
+  15886, 15887, 15890, 15892, 15893, 15895, 15897, 15905, 15909, 15917,
+  15919, 15921, 15923, 15939, 15948, 15963, 15966, 15985, 15988, 15997,
+  16032, 16034, 16036, 16037, 16041, 16055, 16071, 16072, 16074, 16078,
+  16103, 16112, 16143, 16146, 16150, 16151, 16153, 16167, 16172.
 
 * CVE-2012-4412 The strcoll implementation caches indices and rules for
   large collation sequences to optimize multiple passes.  This cache

diff --git a/elf/dl-load.c b/elf/dl-load.c
index 6a73f27..bdd33bd 100644 (file)
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -481,14 +481,19 @@ static size_t max_dirnamelen;
 
 static struct r_search_path_elem **
 fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
-             int check_trusted, const char *what, const char *where)
+             int check_trusted, const char *what, const char *where,
+             struct link_map *l)
 {
   char *cp;
   size_t nelems = 0;
+  char *to_free;
 
   while ((cp = __strsep (&rpath, sep)) != NULL)
     {
       struct r_search_path_elem *dirp;
+
+      to_free = cp = expand_dynamic_string_token (l, cp);
+
       size_t len = strlen (cp);
 
       /* `strsep' can pass an empty string.  This has to be
@@ -509,7 +514,10 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
 
       /* Make sure we don't use untrusted directories if we run SUID.  */
       if (__builtin_expect (check_trusted, 0) && !is_trusted_path (cp, len))
-       continue;
+       {
+         free (to_free);
+         continue;
+       }
 
       /* See if this directory is already known.  */
       for (dirp = GL(dl_all_dirs); dirp != NULL; dirp = dirp->next)
@@ -570,6 +578,7 @@ fillin_rpath (char *rpath, struct r_search_path_elem **result, const char *sep,
          /* Put it in the result array.  */
          result[nelems++] = dirp;
        }
+      free (to_free);
     }
 
   /* Terminate the array.  */
@@ -625,9 +634,8 @@ decompose_rpath (struct r_search_path_struct *sps,
       while (*inhp != '\0');
     }
 
-  /* Make a writable copy.  At the same time expand possible dynamic
-     string tokens.  */
-  copy = expand_dynamic_string_token (l, rpath, 1);
+  /* Make a writable copy.  */
+  copy = local_strdup (rpath);
   if (copy == NULL)
     {
       errstring = N_("cannot create RUNPATH/RPATH copy");
@@ -660,7 +668,7 @@ decompose_rpath (struct r_search_path_struct *sps,
       _dl_signal_error (ENOMEM, NULL, NULL, errstring);
     }
 
-  fillin_rpath (copy, result, ":", 0, what, where);
+  fillin_rpath (copy, result, ":", 0, what, where, l);
 
   /* Free the copied RPATH string.  `fillin_rpath' make own copies if
      necessary.  */
@@ -708,9 +716,7 @@ _dl_init_paths (const char *llp)
   const char *strp;
   struct r_search_path_elem *pelem, **aelem;
   size_t round_size;
-#ifdef SHARED
-  struct link_map *l;
-#endif
+  struct link_map __attribute__ ((unused)) *l = NULL;
   /* Initialize to please the compiler.  */
   const char *errstring = NULL;
 
@@ -865,7 +871,7 @@ _dl_init_paths (const char *llp)
 
       (void) fillin_rpath (llp_tmp, env_path_list.dirs, ":;",
                           INTUSE(__libc_enable_secure), "LD_LIBRARY_PATH",
-                          NULL);
+                          NULL, l);
 
       if (env_path_list.dirs[0] == NULL)
        {