From: Siddhesh Poyarekar
Date: Mon, 11 Sep 2023 22:53:15 +0000 (-0400)
Subject: [PATCH v2] tunables: Terminate immediately if end of input is reached
X-Git-Tag: archive/raspbian/2.31-13+rpi1+deb11u13^2~8
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=66dc40288f041a7d43209ec7091e9f237573b8aa;p=glibc.git

[PATCH v2] tunables: Terminate immediately if end of input is reached

The string parsing routine may end up writing beyond bounds of tunestr if the input tunable string is malformed, of the form name=name=val. This gets processed twice, first as name=name=val and next as name=val, resulting in tunestr being name=name=val:name=val, thus overflowing tunestr.

Terminate the parsing loop at the first instance itself so that tunestr does not overflow.

Gbp-Pq: Topic any
Gbp-Pq: Name local-CVE-2023-4911.patch
---
diff --git a/elf/dl-tunables.c b/elf/dl-tunables.c index 2296ad387..49eb383a1 100644 --- a/elf/dl-tunables.c +++ b/elf/dl-tunables.c @@ -191,11 +191,7 @@ parse_tunables (char *tunestr, char *valstring) /* If we reach the end of the string before getting a valid name-value pair, bail out. */ if (p[len] == '\0') - { - if (__libc_enable_secure) - tunestr[off] = '\0'; - return; - } + break; /* We did not find a valid name-value pair before encountering the colon. */ @@ -255,9 +251,16 @@ parse_tunables (char *tunestr, char *valstring) } } - if (p[len] != '\0') - p += len + 1; + /* We reached the end while processing the tunable string. */ + if (p[len] == '\0') + break; + + p += len + 1; } + + /* Terminate tunestr before we leave. */ + if (__libc_enable_secure) + tunestr[off] = '\0'; } #endif
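Review bot: in the first hunk (-191,11), turning the early `return` into `break` removes the only in-loop place where tunestr was terminated and makes the post-loop terminator the sole one, so the comment just above it ("bail out") no longer describes what happens; reword it to "stop parsing". Since the function now falls through to the code after the loop, confirm that no other `return` inside the loop body (none is visible in this hunk) can skip the final `tunestr[off] = '\0'`. The deleted branch only terminated under `__libc_enable_secure`, and the replacement post-loop code keeps that condition, so non-secure behaviour is not changed by this hunk.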
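Review bot: in the second hunk (-255,9), the new `if (p[len] == '\0') break;` is the actual fix: the removed `if (p[len] != '\0') p += len + 1;` only guarded the pointer advance, not the loop, so at end of input p stayed put and the next iteration re-parsed the tail of the value (`name=val` inside `name=name=val`) as a fresh tunable, which is the second pass the commit message describes as producing `name=name=val:name=val` past the end of tunestr. This should land together with a regression test in elf/ that feeds a `name=name=val` tunable string through the secure (`__libc_enable_secure`) path and checks that tunestr ends up as a single, terminated copy, otherwise the reprocessing can silently return in a later refactor. The post-loop `if (__libc_enable_secure) tunestr[off] = '\0';` mirrors the condition of the deleted early-exit branch, so the non-secure path stays as it was.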