[Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls

public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed

* [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
@ 2007-10-26 18:47 stefanus dot dutoit at rapidmind dot com
  2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-26 18:47 UTC (permalink / raw)
  To: glibc-bugs

The size returned in the dls_size field is incorrect, causing subsequent calls of dlinfo() into a buffer of 
that size to buffer overflow (hence marked as critical).

The bug is quite obvious in this change:

http://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-load.c.diff?
r1=1.286&r2=1.287&cvsroot=glibc&f=h

Note the line:

                   si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;

The < should clearly be a > (or >=) instead.

The following test case demonstrates this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <link.h>
#include <limits.h>

int main()
{
  void* h = dlopen(NULL, RTLD_LAZY);
  Dl_serinfo info;
  dlinfo(h, RTLD_DI_SERINFOSIZE, &info);
  {
    Dl_serinfo* pinfo = NULL;
    unsigned int alloc_size = info.dls_size + 10000;
    int location;
    pinfo = (Dl_serinfo*)malloc(alloc_size);
    memset(pinfo, 0xff, alloc_size); 
    pinfo->dls_size = info.dls_size;
    pinfo->dls_cnt = info.dls_cnt;
    dlinfo(h, RTLD_DI_SERINFO, (void *)pinfo);

    for (location = alloc_size - 1; location >= 0; --location) {
      char* c = (char*)pinfo;
      if (c[location] != (char)0xff) break;
    }
    printf("dls_size = %d, actual = %d\n", pinfo->dls_size, location + 1);
  }
}

On an older glibc this prints:
dls_size = 98, actual = 98

On a new glibc (in this case from Ubuntu 7.10), this prints:
dls_size = 48, actual = 98

-- 
           Summary: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an
                    incorrect dls_size value, causing buffer overflows
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: stefanus dot dutoit at rapidmind dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=5222

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
@ 2007-10-26 18:52 ` stefanus dot dutoit at rapidmind dot com
  2007-10-28  8:24 ` drepper at redhat dot com
  2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
  2 siblings, 0 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-26 18:52 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From stefanus dot dutoit at rapidmind dot com  2007-10-26 18:52 -------
I should mention that the test case there was only tested with g++, not gcc, so it may not compile with 
gcc.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=5222

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
  2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
@ 2007-10-28  8:24 ` drepper at redhat dot com
  2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
  2 siblings, 0 replies; 4+ messages in thread
From: drepper at redhat dot com @ 2007-10-28  8:24 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From drepper at redhat dot com  2007-10-28 08:24 -------
Fixed in cvs trunk.

-- 
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED


http://sourceware.org/bugzilla/show_bug.cgi?id=5222

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


^ permalink raw reply	[flat|nested] 4+ messages in thread

* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
  2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
  2007-10-28  8:24 ` drepper at redhat dot com
@ 2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
  2 siblings, 0 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-28 19:11 UTC (permalink / raw)
  To: glibc-bugs


------- Additional Comments From stefanus dot dutoit at rapidmind dot com  2007-10-28 19:10 -------
Thanks for the quick fix. I'm not sure this is the right place to ask, but do you have a suggestion as to how 
we can detect when we need to work around this? We currently overallocate based on dls_cnt and the 
maximum path length of the system to work around this, but I would like to avoid this for versions of glibc 
preceding this change or after this change. If you don't have a quick suggestion, we'll figure it out, just 
thought I'd ask.

-- 


http://sourceware.org/bugzilla/show_bug.cgi?id=5222

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.


^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2007-10-28 19:11 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
2007-10-28  8:24 ` drepper at redhat dot com
2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).