{"id":7134,"date":"2018-01-29T11:12:22","date_gmt":"2018-01-29T03:12:22","guid":{"rendered":"https:\/\/aqzt.com\/7134.html"},"modified":"2018-01-29T11:12:22","modified_gmt":"2018-01-29T03:12:22","slug":"%e5%ae%89%e5%85%a8%e9%a2%84%e8%ad%a6-linux-libc-realpath-%e5%ad%98%e5%9c%a8%e7%bc%93%e5%86%b2%e5%8c%ba%e4%b8%8b%e6%ba%a2%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/aqzt.com\/7134.html","title":{"rendered":"\u5b89\u5168\u9884\u8b66 | Linux Libc Realpath \u5b58\u5728\u7f13\u51b2\u533a\u4e0b\u6ea2\u6f0f\u6d1e"},"content":{"rendered":"

\u6587\u7ae0\u8f6c\u8f7d\u5f00\u6e90\u4e2d\u56fd<\/a><\/p>\n

\u6700\u8fd1OSS-SEC\u90ae\u4ef6\u7ec4\u62ab\u9732\uff0cLinux\u57fa\u51c6Libc\u51fd\u6570\u5e93\u4e2d\u7684Realpath\u51fd\u6570\u5b58\u5728\u7f13\u51b2\u533a\u4e0b\u6ea2\u6f0f\u6d1e\uff0cCVE\u7f16\u53f7\u4e3aCVE-2018-1000001\u3002\u6f0f\u6d1e\u7684\u4ea7\u751f\u662f\u7531\u4e8eGNU C\u5e93\u6ca1\u6709\u6b63\u786e\u5904\u7406getcwd()\u7cfb\u7edf\u8c03\u7528\u8fd4\u56de\u7684\u76f8\u5bf9\u8def\u5f84\uff0c\u5e76\u4e14\u6ca1\u6709\u5bf9\u7f13\u51b2\u533a\u8fb9\u754c\u8fdb\u884c\u68c0\u67e5\uff0c\u5176\u4ed6\u5e93\u4e5f\u5f88\u53ef\u80fd\u53d7\u6b64\u5f71\u54cd\u3002<\/p>\n

\u8be5\u6f0f\u6d1e\u4e3a\u9ad8\u98ce\u9669\u6f0f\u6d1e\uff0c\u53ef\u76f4\u63a5\u7528\u4e8eLinux\u672c\u5730\u63d0\u6743\uff0c\u76ee\u524d\u5df2\u7ecf\u6709\u653b\u51fbEXP\u516c\u5f00\uff0c\u76f8\u5173\u673a\u5668\u5e94\u5c3d\u5feb\u5b8c\u6210\u76f8\u5e94\u66f4\u65b0\u3002<\/strong><\/p>\n

\u6f0f\u6d1e\u5206\u6790<\/strong><\/p>\n

\u8be5\u6f0f\u6d1e\u6d89\u53ca\u5230\u4e24\u4e2a\u65b9\u9762\uff1a<\/p>\n

    \n
  1. \n

    kernel\u7684getcwd\u7cfb\u7edf\u8c03\u7528<\/p>\n<\/li>\n

  2. \n

    glibc\u7684realpath\u51fd\u6570<\/p>\n<\/li>\n<\/ol>\n

    \u867d\u7136\u5b98\u65b9\u8ba4\u4e3a\u8fd9\u4e0d\u662f\u5185\u6838\u7684\u95ee\u9898\uff0c\u4f46\u662f\u5185\u6838\u8fd8\u662f\u63d0\u4f9b\u4e86\u8865\u4e01\u3002<\/p>\n

    linux kernel \u8865\u4e01\u5730\u5740\uff1a<\/p>\n

    https:\/\/sourceware.org\/git\/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94<\/a><\/p>\n

    getcwd()\u51fd\u6570\u7528\u4e8e\u8fd4\u56de\u5f53\u524d\u5de5\u4f5c\u76ee\u5f55\u7684\u7edd\u5bf9\u8def\u5f84\uff0c\u5982\u679c\u8be5\u76ee\u5f55\u4e0d\u5c5e\u4e8e\u5f53\u524d\u8fdb\u7a0b\u7684\u6839\u76ee\u5f55\uff08\u4f8b\u5982\uff1a\u8be5\u8fdb\u7a0b\u4f7f\u7528chroot\u8bbe\u7f6e\u4e86\u4e00\u4e2a\u65b0\u7684\u6587\u4ef6\u7cfb\u7edf\u6839\u76ee\u5f55\uff0c\u4f46\u662f\u6ca1\u6709\u5c06\u5f53\u524d\u76ee\u5f55\u7684\u6839\u76ee\u5f55\u66ff\u6362\u6210\u65b0\u7684\uff09\uff0c\u4ecelinux 2.6.36\u5f00\u59cb\uff0cgetcwd\u4f1a\u8fd4\u56de\u201c(unreachable)\u201d\u3002\u901a\u8fc7\u6539\u53d8\u5f53\u524d\u76ee\u5f55\u5230\u53e6\u4e00\u4e2a\u6302\u8f7d\u7684\u7528\u6237\u7a7a\u95f4\uff0c\u666e\u901a\u7528\u6237\u53ef\u4ee5\u5b8c\u6210\u4e0a\u8ff0\u7684\u884c\u4e3a\u3002\u6240\u4ee5\u5f53\u5904\u7406\u4e0d\u53ef\u4fe1\u6765\u6e90\u7684\u8def\u5f84\u65f6\uff0c\u5e94\u8be5\u68c0\u67e5\u8fd4\u56de\u7684\u8def\u5f84\u662f\u5426\u4ee5\u201d\/\u201d\u6216\u201d(\u201c\u5f00\u5934\uff0c\u907f\u514d\u8fd4\u56de\u4e00\u4e2a\u4e0d\u53ef\u8fbe\u5730\u5740\uff0c\u88ab\u8ba4\u4e3a\u662f\u76f8\u5bf9\u5730\u5740\u3002<\/p>\n

    \u6f0f\u6d1e\u53d1\u751f\u5904\uff1aglibc stdlib\/canonicalize.c \u7684__realpath\u51fd\u6570\uff1a<\/p>\n

    \u5982\u679c\u89e3\u6790\u7684\u662f\u4e00\u4e2a\u76f8\u5bf9\u8def\u5f84(\u4e0d\u662f\u4ee5\u2019\/\u2019\u5f00\u5934\u7684\u8def\u5f84)\u65f6\uff0c\u5c31\u4f1a\u8c03\u7528__getcwd()<\/p>\n

    if (name[0] != '\/')\n{ if (!__getcwd (rpath, path_max))\n{\nrpath[0] = '0'; goto error;\n}\ndest = __rawmemchr (rpath, '0');\n} else\n{\nrpath[0] = '\/';\ndest = rpath + 1;\n}<\/pre>\n
    \u5982\u679c__getcwd()\u6b64\u65f6\u8fd4\u56de\u7684\u662f\u201d(unreachable)\u201d\uff0c\u5219\u63a5\u4e0b\u6765\u5728\u89e3\u6790\u8def\u5f84\u65f6\uff0c\u53d1\u73b0\u8def\u5f84\u5f00\u5934\u5e76\u4e0d\u5305\u542b\u2019\/\u2019\uff0c\u4f1a\u5728while\u5faa\u73af\u4e2d\u4e0d\u65ad\u8bfb\u53d6dest\u4e4b\u524d\u7684\u5730\u5740\uff0c\u4ea7\u751f\u7f13\u51b2\u533a\u4e0b\u6ea2\u3002<\/p>\n
    else if (end - start == 2 && start[0] == '.' && start[1] == '.')\n{ \/* Back up to previous component, ignore if at root already. *\/\nif (dest > rpath + 1) while ((--dest)[-1] != '\/');\n}<\/pre>\n
    \u4e4b\u540e\u64cd\u4f5c\u7684dest\u5730\u5740\u5c31\u662f\u6ea2\u51fa\u7684\u5730\u5740\u3002<\/p>\n
    \u6f0f\u6d1e\u653b\u51fb\u6548\u679c\u56fe\uff1a<\/p>\n
    \"\"<\/p>\n
    \u6f0f\u6d1e\u5f71\u54cd<\/strong><\/p>\n
    Red Hat <\/strong>\u53d7\u5f71\u54cd\u60c5\u51b5\uff1a<\/strong><\/p>\n
    Centos 7\u7684glibc\u7248\u672c\u53d7\u5f71\u54cd\uff0ccentos 5\uff0c6\u7cfb\u5217\u5747\u4e0d\u53d7\u5f71\u54cd\u3002<\/p>\n
    Ubuntu<\/strong>\u53d7\u5f71\u54cd\u60c5\u51b5\uff1a<\/strong><\/p>\n
    Package<\/p>\n
    Source: eglibc<\/a> (LP<\/a> Ubuntu<\/a> Debian<\/a>)<\/p>\n\n\n\n\n\n\n\n\n
    \n
    Upstream:<\/p>\n<\/td>\n
    		\n
    needed<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 12.04 ESM (Precise Pangolin):<\/p>\n<\/td>\n
    		\n
    released (2.15-0ubuntu10.21) <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 14.04 LTS (Trusty Tahr)<\/a>:<\/p>\n<\/td>\n
    		\n
    released (2.19-0ubuntu6.14)<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 16.04 LTS (Xenial Xerus):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 17.10 (Artful Aardvark):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 18.04 LTS (Bionic Beaver):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Package<\/p>\n
    Source: glibc<\/a> (LP<\/a> Ubuntu<\/a> Debian<\/a>)<\/p>\n\n\n\n\n\n\n\n\n
    \n
    Upstream:<\/p>\n<\/td>\n
    		\n
    needed<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 12.04 ESM (Precise Pangolin):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 14.04 LTS (Trusty Tahr):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 16.04 LTS (Xenial Xerus)<\/a>:<\/p>\n<\/td>\n
    		\n
    released (2.23-0ubuntu10)<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 17.10 (Artful Aardvark)<\/a>:<\/p>\n<\/td>\n
    		\n
    released (2.26-0ubuntu2.1) <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 18.04 LTS (Bionic Beaver)<\/a>:<\/p>\n<\/td>\n
    		\n
    needed<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Patches:<\/p>\n\n\n\n
    \n
    Upstream:<\/p>\n<\/td>\n
    		\n
    https:\/\/sourceware.org\/git\/gitweb.cgi?p=glibc.git;h=52a713fdd0a30e1bd79818e2e3c4ab44ddca1a94<\/a><\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Package<\/p>\n
    Source: dietlibc<\/a> (LP<\/a> Ubuntu<\/a> Debian<\/a>)<\/p>\n\n\n\n\n\n\n\n\n
    \n
    Upstream:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 12.04 ESM (Precise Pangolin):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 14.04 LTS (Trusty Tahr)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 16.04 LTS (Xenial Xerus)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 17.10 (Artful Aardvark)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 18.04 LTS (Bionic Beaver)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    Package<\/p>\n
    Source: musl<\/a> (LP<\/a> Ubuntu<\/a> Debian<\/a>)<\/p>\n\n\n\n\n\n\n\n\n
    \n
    Upstream:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 12.04 ESM (Precise Pangolin):<\/p>\n<\/td>\n
    		\n
    DNE<\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 14.04 LTS (Trusty Tahr)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 16.04 LTS (Xenial Xerus)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 17.10 (Artful Aardvark)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage <\/p>\n<\/td>\n<\/tr>\n
    \n
    Ubuntu 18.04 LTS (Bionic Beaver)<\/a>:<\/p>\n<\/td>\n
    		\n
    needs-triage<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n
    \u4fee\u590d\u65b9\u6848<\/strong><\/p>\n
    \u76f8\u5173\u53d7\u5f71\u54cd\u4ea7\u54c1\u5df2\u7ecf\u63d0\u4f9b\u4e86\u5b89\u5168\u66f4\u65b0\u3002centos7 \u901a\u8fc7yum update glibc kernel\u5347\u7ea7\u3002<\/p>\n
    \u53c2\u8003\u94fe\u63a5<\/strong><\/p>\n