rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]

The problem was introduced in glibc 2.23, in commit b9eb92ab05204df772eb4929eccd018637c9f3e9 ("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT"). (cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
2025-04-18 14:30:43 +08:00 · 2019-11-21 00:20:15 +01:00 · 2019-11-21 00:20:15 +01:00 · 37c90e1173
commit 37c90e1173
parent a4b3bbf71e
2 changed files with 11 additions and 1 deletions
--- a/9
+++ b/9
@ -7,6 +7,14 @@ using `glibc' in the "product" field.

 Version 2.30.1

+Security related changes:
+
+CVE-2019-19126: ld.so failed to ignore the LD_PREFER_MAP_32BIT_EXEC
+  environment variable during program execution after a security
+  transition, allowing local attackers to restrict the possible mapping
+  addresses for loaded libraries and thus bypass ASLR for a setuid
+  program.  Reported by Marcin Kościelnicki.
+
 The following bugs are resolved with this release:

  [24682] localedata: zh_CN first weekday should be Monday per GB/T
@ -15,6 +23,7 @@ The following bugs are resolved with this release:
  [24986] alpha: new getegid, geteuid and getppid syscalls used
    unconditionally
  [25189] Don't use a custom wrapper macro around __has_include
+  [25204] Ignore LD_PREFER_MAP_32BIT_EXEC for SUID programs


 Version 2.30
--- a/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
+++ b/sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h
@ -31,7 +31,8 @@
   environment variable, LD_PREFER_MAP_32BIT_EXEC.  */
 #define EXTRA_LD_ENVVARS \
  case 21:								  \
-    if (memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
+    if (!__libc_enable_secure						  \
+	&& memcmp (envline, "PREFER_MAP_32BIT_EXEC", 21) == 0)		  \
      GLRO(dl_x86_cpu_features).feature[index_arch_Prefer_MAP_32BIT_EXEC] \
 	|= bit_arch_Prefer_MAP_32BIT_EXEC;				  \
    break;