Ignore MALLOC_CONF in set{uid,gid,cap} binaries.

This eliminates the malloc tunables as tools for an attacker. Closes #173
2014-12-09 17:41:34 -05:00 · 2014-12-09 17:41:34 -05:00 · b74041fb6e
commit b74041fb6e
parent e12eaf93dc
3 changed files with 50 additions and 1 deletions
--- a/configure.ac
+++ b/configure.ac
@ -1108,6 +1108,24 @@ fi

 CPPFLAGS="$CPPFLAGS -D_REENTRANT"

+dnl Check if the GNU-specific secure_getenv function exists.
+AC_CHECK_FUNC([secure_getenv],
+              [have_secure_getenv="1"],
+              [have_secure_getenv="0"]
+             )
+if test "x$have_secure_getenv" = "x1" ; then
+  AC_DEFINE([JEMALLOC_HAVE_SECURE_GETENV], [ ])
+fi
+
+dnl Check if the Solaris/BSD issetugid function exists.
+AC_CHECK_FUNC([issetugid],
+              [have_issetugid="1"],
+              [have_issetugid="0"]
+             )
+if test "x$have_issetugid" = "x1" ; then
+  AC_DEFINE([JEMALLOC_HAVE_ISSETUGID], [ ])
+fi
+
 dnl Check whether the BSD-specific _malloc_thread_cleanup() exists.  If so, use
 dnl it rather than pthreads TSD cleanup functions to support cleanup during
 dnl thread exit, in order to avoid pthreads library recursion during
--- a/include/jemalloc/internal/jemalloc_internal_defs.h.in
+++ b/include/jemalloc/internal/jemalloc_internal_defs.h.in
@ -66,6 +66,16 @@
 */
 #undef JEMALLOC_OSSPIN

+/*
+ * Defined if secure_getenv(3) is available.
+ */
+#undef JEMALLOC_HAVE_SECURE_GETENV
+
+/*
+ * Defined if issetugid(2) is available.
+ */
+#undef JEMALLOC_HAVE_ISSETUGID
+
 /*
 * Defined if _malloc_thread_cleanup() exists.  At least in the case of
 * FreeBSD, pthread_key_create() allocates, which if used during malloc
--- a/src/jemalloc.c
+++ b/src/jemalloc.c
@ -648,6 +648,27 @@ stats_print_atexit(void)
 * Begin initialization functions.
 */

+#ifndef JEMALLOC_HAVE_SECURE_GETENV
+#  ifdef JEMALLOC_HAVE_ISSETUGID
+static char *
+secure_getenv(const char *name)
+{
+
+	if (issetugid() == 0)
+		return (getenv(name));
+	else
+		return (NULL);
+}
+#  else
+static char *
+secure_getenv(const char *name)
+{
+
+	return (getenv(name));
+}
+#  endif
+#endif
+
 static unsigned
 malloc_ncpus(void)
 {
@ -824,7 +845,7 @@ malloc_conf_init(void)
 #endif
 			    ;

-			if ((opts = getenv(envname)) != NULL) {
+			if ((opts = secure_getenv(envname)) != NULL) {
 				/*
 				 * Do nothing; opts is already initialized to
 				 * the value of the MALLOC_CONF environment