[PATCH v2] tunables: Terminate immediately if end of input is reached

The string parsing routine may end up writing beyond bounds of tunestr
if the input tunable string is malformed, of the form name=name=val.
This gets processed twice, first as name=name=val and next as name=val,
resulting in tunestr being name=name=val:name=val, thus overflowing
tunestr.

Terminate the parsing loop at the first instance itself so that tunestr
does not overflow.

Gbp-Pq: Topic any
Gbp-Pq: Name local-CVE-2023-4911.patch

diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c
index 2296ad38707ae74dfbfb131271cb929e46d762d6..49eb383a136eb406922d7a41714e7a091a01b7fc 100644 (file)
--- a/elf/dl-tunables.c
+++ b/elf/dl-tunables.c
@@ -191,11 +191,7 @@ parse_tunables (char *tunestr, char *valstring)
       /* If we reach the end of the string before getting a valid name-value
         pair, bail out.  */
       if (p[len] == '\0')
-       {
-         if (__libc_enable_secure)
-           tunestr[off] = '\0';
-         return;
-       }
+       break;
 
       /* We did not find a valid name-value pair before encountering the
         colon.  */
@@ -255,9 +251,16 @@ parse_tunables (char *tunestr, char *valstring)
            }
        }
 
-      if (p[len] != '\0')
-       p += len + 1;
+      /* We reached the end while processing the tunable string.  */
+      if (p[len] == '\0')
+       break;
+
+      p += len + 1;
     }
+
+  /* Terminate tunestr before we leave.  */
+  if (__libc_enable_secure)
+    tunestr[off] = '\0';
 }
 #endif