Headline
CVE-2019-19126: 25204 – (CVE-2019-19126) LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries (CVE-2019-19126)
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.
Description Marcin Kościelnicki 2019-11-19 08:13:27 UTC
The code using LD_PREFER_MAP_32BIT_EXEC is run before the code that removes security-sensitive variables from the environment, thus the latter is ineffective. This means a local attacker can effectively weaken ASLR strength on setuid binaries.
Comment 2 Florian Weimer 2019-11-19 13:42:47 UTC
I think we should treat this as a security vulnerability because it is quite a significant regression for a system built with PIE-by-default (and slightly older binutils).
Comment 3 Florian Weimer 2019-11-20 16:43:46 UTC
Introduced in glibc 2.23:
commit b9eb92ab05204df772eb4929eccd018637c9f3e9
Author: H.J. Lu <[email protected]>
Date: Wed Oct 21 14:44:23 2015 -0700
Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT
According to Silvermont software optimization guide, for 64-bit
applications, branch prediction performance can be negatively impacted
when the target of a branch is more than 4GB away from the branch. Add
the Prefer_MAP_32BIT_EXEC bit so that mmap will try to map executable
pages with MAP_32BIT first. NB: MAP_32BIT will map to lower 2GB, not
lower 4GB, address. Prefer_MAP_32BIT_EXEC reduces bits available for
address space layout randomization (ASLR), which is always disabled for
SUID programs and can only be enabled by setting environment variable,
LD_PREFER_MAP_32BIT_EXEC.
Comment 6 Florian Weimer 2019-11-21 12:26:38 UTC
Fixed for glibc 2.31.
Comment 8 [email protected] 2019-11-22 12:28:35 UTC
The release/2.30/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=37c90e117310728a4ad1eb998c0bbe7d79c4a398
commit 37c90e117310728a4ad1eb998c0bbe7d79c4a398
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 9 [email protected] 2019-11-22 12:35:33 UTC
The release/2.29/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=2626b15e88e00b5e9c8cc3962cf4768a5344f07a
commit 2626b15e88e00b5e9c8cc3962cf4768a5344f07a
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Change-Id: Ib782573b4623ee3edfa9f98ad62f69b9d8edcb27
Comment 10 [email protected] 2019-11-22 12:59:08 UTC
The release/2.28/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=7966ce07e89fa4ccc8fdba00d4439fc652862462
commit 7966ce07e89fa4ccc8fdba00d4439fc652862462
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 11 [email protected] 2019-11-22 13:00:57 UTC
The release/2.27/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=4d5cfeb510125345cb41431afc9022492994cffa
commit 4d5cfeb510125345cb41431afc9022492994cffa
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 12 [email protected] 2019-11-22 13:04:45 UTC
The release/2.26/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=bc42e3bd44e7e9f616162d4550f1d35e04bddb5b
commit bc42e3bd44e7e9f616162d4550f1d35e04bddb5b
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 13 [email protected] 2019-11-22 13:15:17 UTC
The release/2.25/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=e73ac9ce9098d36699231b435168a0a904500ed9
commit e73ac9ce9098d36699231b435168a0a904500ed9
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 14 [email protected] 2019-11-22 13:28:01 UTC
The release/2.24/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=a7b9e4cb8ec069a4030b081ed7c40a65e0825f47
commit a7b9e4cb8ec069a4030b081ed7c40a65e0825f47
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
Comment 15 [email protected] 2019-11-22 13:28:35 UTC
The release/2.23/master branch has been updated by Florian Weimer <[email protected]>:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=b039fd85db0717aca309b61925d00a5a6547a649
commit b039fd85db0717aca309b61925d00a5a6547a649
Author: Marcin Kościelnicki <[email protected]>
Date: Thu Nov 21 00:20:15 2019 +0100
rtld: Check __libc_enable_secure before honoring LD_PREFER_MAP_32BIT_EXEC (CVE-2019-19126) [BZ #25204]
The problem was introduced in glibc 2.23, in commit
b9eb92ab05204df772eb4929eccd018637c9f3e9
("Add Prefer_MAP_32BIT_EXEC to map executable pages with MAP_32BIT").
(cherry picked from commit d5dfad4326fc683c813df1e37bbf5cf920591c8e)
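The ordering problem from the bug description, and the check named in the fix's commit subject, as an added C model that is not glibc source and not part of the original report. `process_env`, `scrub_unsecure_envvars`, the `check_at_use` switch and the sample environments are hypothetical; `secure` stands in for `__libc_enable_secure`.

```c
/* Added model of the ordering bug; not glibc source. All names hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define TUNABLE "LD_PREFER_MAP_32BIT_EXEC"

/* True when a "NAME=value" entry names the tunable. */
static bool is_tunable(const char *entry)
{
    size_t n = strlen(TUNABLE);
    return strncmp(entry, TUNABLE, n) == 0 && entry[n] == '=';
}

/* Later cleanup pass: in secure mode, drop the variable from the environment.
   It edits envp only; a flag latched earlier is out of its reach. */
static void scrub_unsecure_envvars(bool secure, const char **envp)
{
    size_t out = 0;
    if (!secure)
        return;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (!is_tunable(envp[i]))
            envp[out++] = envp[i];
    envp[out] = NULL;
}

/* Scan the environment, then scrub. check_at_use selects the fixed
   behaviour: consult the secure flag where the variable is honored.
   Returns the modelled Prefer_MAP_32BIT_EXEC state. */
bool process_env(bool secure, bool check_at_use, const char **envp)
{
    bool prefer_map_32bit = false;
    for (size_t i = 0; envp[i] != NULL; i++)
        if (is_tunable(envp[i]) && !(check_at_use && secure))
            prefer_map_32bit = true;
    scrub_unsecure_envvars(secure, envp);
    return prefer_map_32bit;
}

int main(void)
{
    /* Constructed sample environments for a secure (setuid-style) start. */
    const char *before[] = { "PATH=/usr/bin", TUNABLE "=1", NULL };
    const char *after[]  = { "PATH=/usr/bin", TUNABLE "=1", NULL };
    printf("pre-fix ordering:  prefer=%d\n", process_env(true, false, before));
    printf("check at use site: prefer=%d\n", process_env(true, true, after));
    return 0;
}
```

In both runs the scrub pass removes the variable from the environment, which is why inspecting a setuid process's environment after startup does not reveal whether the flag was honored.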