Bug 1774681 (CVE-2019-19126) - CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries
Summary: CVE-2019-19126 glibc: LD_PREFER_MAP_32BIT_EXEC not ignored in setuid binaries
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-19126
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1774021 1774682 1775599 1775600
Blocks: 1774683
TreeView+ depends on / blocked
 
Reported: 2019-11-20 17:09 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-12-15 16:58 UTC (History)
15 users (show)

Fixed In Version: glibc 2.31
Clone Of:
Environment:
Last Closed: 2020-04-28 16:34:38 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1828 0 None None None 2020-04-28 15:57:57 UTC
Red Hat Product Errata RHSA-2020:3861 0 None None None 2020-09-29 19:20:27 UTC

Description Guilherme de Almeida Suckevicz 2019-11-20 17:09:15 UTC 
On the x86-64 architecture, the GNU C Library (aka glibc) before 2.31 fails to ignore the LD_PREFER_MAP_32BIT_EXEC environment variable during program execution after a security transition, allowing local attackers to restrict the possible mapping addresses for loaded libraries and thus bypass ASLR for a setuid program.

Reference:
https://sourceware.org/bugzilla/show_bug.cgi?id=25204
Comment 1 Riccardo Schirone 2019-11-21 17:12:27 UTC 
LD_PREFER_MAP_32BIT_EXEC is an environment variable that can be set to let the dynamic linker first try to map executable pages using the mmap flag MAP_32BIT, which will map to the low 2 GB of the address space. According to the documentation, LD_PREFER_MAP_32BIT_EXEC should be disabled for setuid binaries, however the code using it (https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=blob;f=sysdeps/unix/sysv/linux/x86_64/64/dl-librecon.h;h=0e95221908b07eb29c33deda31e6e830ae151fbe;hb=2a764c6ee848dfe92cb2921ed3b14085f15d9e79#l32) is run before the code that removes security-sensitive environment variables.
Comment 2 Riccardo Schirone 2019-11-21 17:12:50 UTC 
Upstream patch:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d5dfad4326fc683c813df1e37bbf5cf920591c8e
Comment 3 Riccardo Schirone 2019-11-21 17:13:37 UTC 
Issue introduced in:
https://sourceware.org/git/gitweb.cgi?p=glibc.git;a=object;h=b9eb92ab05204df772eb4929eccd018637c9f3e9
Comment 7 errata-xmlrpc 2020-04-28 15:57:55 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:1828 https://access.redhat.com/errata/RHSA-2020:1828
Comment 8 Product Security DevOps Team 2020-04-28 16:34:38 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-19126
Comment 9 errata-xmlrpc 2020-09-29 19:20:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:3861 https://access.redhat.com/errata/RHSA-2020:3861
Note You need to log in before you can comment on or make changes to this bug.