# B27 — cmake/Linux.cmake: rpath set to "." instead of "$ORIGIN"

Bug ref      : always.md B.27 ; pharo.md §7
Severity     : MEDIUM (library load order depends on CWD, not on the binary location)
File         : cmake/Linux.cmake
Lines (HEAD) : 1 (`set(CMAKE_INSTALL_RPATH ".")`)

## Problem

```cmake
set(CMAKE_INSTALL_RPATH ".")
```

`"."` in an RPATH is interpreted relative to the **process's current
working directory**, not the binary's location. The intended
behavior — "look for sibling .so files next to the binary" — is
spelled `$ORIGIN`. The current value means:

  - If a user launches `pharo` from `/tmp`, the loader looks for
    libraries in `/tmp`. An attacker who can write to `/tmp` and
    influence the user to run the VM from there can drop a
    malicious `libffi.so.7` and hijack the load.
  - If `cwd` happens to contain a legitimate but old version of one
    of the bundled libraries, that version is loaded.
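An added example (not part of this bug report or of the Pharo VM tree) of the check a build pipeline can run against every installed binary: it parses the `RPATH`/`RUNPATH` lines that `readelf -d` prints and flags any colon-separated entry the loader would resolve against the CWD. Beyond the `.` case above it also catches plain relative names and the empty entry produced by `a::b` or a trailing colon, which ld.so treats the same way. The sample `readelf` output is constructed, not captured from a real build; the function names are the example's own.

```python
"""Audit the RPATH/RUNPATH entries that `readelf -d` reports and flag any
entry the dynamic loader would resolve against the process CWD."""
import re
import shutil
import subprocess
import sys
from typing import List, Tuple

# Loader tokens that anchor an entry to the binary's own directory.
ORIGIN_TOKENS = ("$ORIGIN", "${ORIGIN}")

# Matches both "(RPATH) Library rpath: [...]" and "(RUNPATH) Library runpath: [...]".
RPATH_RE = re.compile(r"\((RPATH|RUNPATH)\)\s+Library r(?:un)?path:\s*\[(.*)\]")


def classify_entry(entry: str) -> str:
    """Return 'origin', 'absolute' or 'cwd' for one colon-separated search-path entry.

    ld.so resolves any entry that does not start with '/' relative to the
    current working directory. That covers ".", "lib", and also the empty
    entry produced by "a::b" or a trailing ':'. Only $ORIGIN-rooted entries
    follow the binary wherever it is launched from.
    """
    if entry.startswith(ORIGIN_TOKENS):
        return "origin"
    if entry.startswith("/"):
        return "absolute"
    return "cwd"


def parse_readelf_dynamic(text: str) -> List[Tuple[str, str]]:
    """Extract (tag, raw search path) pairs from `readelf -d` output."""
    found = []
    for line in text.splitlines():
        m = RPATH_RE.search(line)
        if m:
            found.append((m.group(1), m.group(2)))
    return found


def audit(text: str) -> List[str]:
    """One finding per CWD-relative entry; an empty list means the binary is clean."""
    findings = []
    for tag, raw in parse_readelf_dynamic(text):
        for entry in raw.split(":"):
            if classify_entry(entry) == "cwd":
                findings.append(f"{tag} entry {entry!r} resolves relative to CWD")
    return findings


# Constructed sample output (not captured from a real pharo build): the
# dynamic section of a binary linked with the old "." rpath ...
OLD_OUTPUT = """\
Dynamic section at offset 0x2d98 contains 28 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libffi.so.7]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [.]
"""

# ... and of one linked with the fixed $ORIGIN:$ORIGIN/lib value.
NEW_OUTPUT = """\
 0x0000000000000001 (NEEDED)             Shared library: [libffi.so.7]
 0x000000000000001d (RUNPATH)            Library runpath: [$ORIGIN:$ORIGIN/lib]
"""


def audit_binary(path: str) -> List[str]:
    """Run readelf on a real file and audit it (requires binutils on PATH)."""
    readelf = shutil.which("readelf")
    if readelf is None:
        raise RuntimeError("readelf not found on PATH")
    out = subprocess.run([readelf, "-d", path], check=True,
                         capture_output=True, text=True).stdout
    return audit(out)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Audit a real binary, e.g. the installed `pharo`, and fail the build on findings.
        problems = audit_binary(sys.argv[1])
        for p in problems:
            print(p)
        sys.exit(1 if problems else 0)
    for name, text in (("old", OLD_OUTPUT), ("new", NEW_OUTPUT)):
        print(name, audit(text) or "clean")
```

Run it as `python3 rpath_audit.py /path/to/pharo` in the install step; a non-zero exit means some `RPATH`/`RUNPATH` entry still depends on where the user launched the VM from.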

## Fix

```diff
diff --git a/cmake/Linux.cmake b/cmake/Linux.cmake
index 3841e85a5..f8512a73c 100644
--- a/cmake/Linux.cmake
+++ b/cmake/Linux.cmake
@@ -1,6 +1,9 @@
 option(READ_ONLY_CODE_ZONE "Makes Cogit's code zone never writeable and executable at the same time" OFF)
 
-set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-rpath=.")
+# $ORIGIN expands to the directory of the binary at load time. The
+# previous "." was relative to CWD which can be controlled by an attacker
+# (drop a malicious libffi.so in $cwd and run the VM from there).
+set(CMAKE_C_FLAGS "${CMAKE_C_FLAGS} -Wl,-rpath=$ORIGIN:$ORIGIN/lib")
 set(PHARO_BIN_LOCATION "default" CACHE STRING "The default location of the PHARO bin, used by the launch.sh.in")
 
 if(${PHARO_BIN_LOCATION} STREQUAL "default")
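Review bot: the hunk patches the `-Wl,-rpath=.` fragment inside `CMAKE_C_FLAGS` on line 3, while the header (`Lines (HEAD) : 1`) and the Problem section quote `set(CMAKE_INSTALL_RPATH ".")` on line 1; one of the two is stale, and if both settings exist in the file the `CMAKE_INSTALL_RPATH` value needs the same `$ORIGIN` change or installed binaries keep the old lookup. Consider carrying the fix in CMake's own rpath settings, e.g. `set(CMAKE_INSTALL_RPATH "$ORIGIN:$ORIGIN/lib")` together with `CMAKE_BUILD_RPATH`, rather than a raw linker flag: CMake then applies it to every target it links, not only to those that receive `CMAKE_C_FLAGS` on their link line, and the Risk notes about `$ORIGIN` quoting can reference one well-defined setting.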
```

The second segment, `$ORIGIN/lib`, supports a layout where the shared
libraries live in a `lib/` directory next to the binary (`<prefix>/lib`
when the binary itself is installed directly under `<prefix>`).

## Test plan

- Build and install the VM. Confirm `readelf -d pharo | grep RUNPATH`
  shows `$ORIGIN:$ORIGIN/lib` (a toolchain that does not default to
  `--enable-new-dtags` emits an `RPATH` tag instead, so grep for that if
  `RUNPATH` is absent; both govern the binary's own dependencies).
- Run the VM from a different `cwd` than its install directory.
  Confirm sibling libraries (e.g. `libffi.so`) still resolve.
- Drop a stub library with one of the bundled names into the
  launching `cwd`. Confirm it is **not** loaded (it would have been
  loaded by the old config).
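Steps 2 and 3 of the plan, automated on a throwaway program so the loader rule can be regression-tested without a full VM build. This is an added example, not code from the bug report or the Pharo VM tree: it compiles a one-function `libdemo.so` (constructed source, the name is the example's own), links a caller once with `-Wl,-rpath=.` and once with `-Wl,-rpath=$ORIGIN`, starts each from a directory holding a second copy of the library, and reports which copy was resolved. It assumes gcc on a Linux host and returns `None` where that is not available.

```python
"""Exercise steps 2 and 3 of the test plan on a throwaway program: link the
same executable once with rpath "." and once with "$ORIGIN", launch it from a
directory that holds a second copy of its library, and report which copy the
loader picked. Needs gcc on Linux; returns None elsewhere."""
import os
import shutil
import subprocess
import sys
import tempfile
import textwrap

# Constructed sources for a one-function library and a program that calls it.
LIB_SRC = "int which_lib(void) { return %d; }\n"
MAIN_SRC = textwrap.dedent("""\
    #include <stdio.h>
    int which_lib(void);
    int main(void) { printf("%d\\n", which_lib()); return 0; }
""")


def run(cmd, cwd=None):
    """Run a command without a shell so "$ORIGIN" reaches the linker literally."""
    return subprocess.run(cmd, cwd=cwd, check=True,
                          capture_output=True, text=True).stdout


def build_lib(path, value):
    """Build libdemo.so whose which_lib() returns `value`.
    The explicit SONAME keeps the caller's NEEDED entry a bare file name."""
    src = path + ".c"
    with open(src, "w") as f:
        f.write(LIB_SRC % value)
    run(["gcc", "-shared", "-fPIC", "-Wl,-soname,libdemo.so", "-o", path, src])


def loaded_value(rpath):
    """Return what which_lib() printed when the program linked with `rpath` is
    started from a directory containing a second libdemo.so
    (1 = copy installed next to the binary, 2 = copy in the launch CWD)."""
    with tempfile.TemporaryDirectory() as tmp:
        install = os.path.join(tmp, "install")   # binary and its real library
        launch = os.path.join(tmp, "launch")     # CWD at launch, holds the stub
        os.makedirs(install)
        os.makedirs(launch)
        build_lib(os.path.join(install, "libdemo.so"), 1)
        build_lib(os.path.join(launch, "libdemo.so"), 2)
        main_c = os.path.join(install, "main.c")
        with open(main_c, "w") as f:
            f.write(MAIN_SRC)
        exe = os.path.join(install, "demo")
        run(["gcc", "-o", exe, main_c, "-L" + install, "-ldemo",
             "-Wl,-rpath=" + rpath])
        return int(run([exe], cwd=launch).strip())


def check_rpath_behaviour():
    """Map each rpath spelling to the library copy the loader chose, or None
    when the host cannot run the experiment (no gcc, not Linux, noexec tmp)."""
    if not sys.platform.startswith("linux") or shutil.which("gcc") is None:
        return None
    try:
        return {".": loaded_value("."), "$ORIGIN": loaded_value("$ORIGIN")}
    except OSError:
        return None


if __name__ == "__main__":
    result = check_rpath_behaviour()
    if result is None:
        print("skipped: needs gcc on Linux")
    else:
        for spelling, value in result.items():
            picked = "stub from launch CWD" if value == 2 else "copy next to the binary"
            print(f"rpath={spelling}: loader picked the {picked}")
        if result["$ORIGIN"] != 1 or result["."] != 2:
            sys.exit(1)
```

The expected outcome is `{".": 2, "$ORIGIN": 1}`: with `.` the stub in the launch directory wins, with `$ORIGIN` the copy beside the binary does. Passing the flag through `subprocess` as a list (no shell) is what keeps `$ORIGIN` literal; the same holds when the real VM is built, which is why the `readelf` check in step 1 is the place to confirm the literal survived the build system.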

## Risk notes

- `$ORIGIN` has to reach the linker as a literal string. CMake only
  expands `${VAR}` references, so a bare `$ORIGIN` in the `.cmake` file is
  not touched by cmake variable expansion, and cmake handles the escaping
  when it writes the flag into the generated build files; no extra quoting
  is needed here. The `readelf` check in the test plan confirms the literal
  survived.
- If any external tool relies on the old "." rpath (e.g. test
  harness assumptions about CWD-relative loading), update it. The
  in-tree harness uses absolute paths.
