disallow non-absolute rpath $ORIGIN for suid/sgid/AT_SECURE processes

in theory non-absolute origins can only arise when either the main
program is invoked by running ldso as a command (inherently non-suid)
or when dlopen was called with a relative pathname containing at least
one slash. such usage would be inherently insecure in an suid program
anyway, so the old behavior here does not seem to have been insecure.
harden against it anyway.

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 3741c30d3da49b047925a15d4f0b7026ce6ceb92..9bf6924b8259716f6b312ec4fe96ba0c406fc61b 100644 (file)
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -817,6 +817,9 @@ static int fixup_rpath(struct dso *p, char *buf, size_t buf_size)
                origin = ".";
                l = 1;
        }
+       /* Disallow non-absolute origins for suid/sgid/AT_SECURE. */
+       if (libc.secure && *origin != '/')
+               return 0;
        p->rpath = malloc(strlen(p->rpath_orig) + n*l + 1);
        if (!p->rpath) return -1;