public inbox for glibc-bugs@sourceware.org
help / color / mirror / Atom feed
* [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
@ 2007-10-26 18:47 stefanus dot dutoit at rapidmind dot com
2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
` (2 more replies)
0 siblings, 3 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-26 18:47 UTC (permalink / raw)
To: glibc-bugs
The size returned in the dls_size field is incorrect, causing subsequent calls of dlinfo() into a buffer of
that size to buffer overflow (hence marked as critical).
The bug is quite obvious in this change:
http://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-load.c.diff?
r1=1.286&r2=1.287&cvsroot=glibc&f=h
Note the line:
si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
The < should clearly be a > (or >=) instead.
The following test case demonstrates this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <link.h>
#include <limits.h>
int main()
{
void* h = dlopen(NULL, RTLD_LAZY);
Dl_serinfo info;
dlinfo(h, RTLD_DI_SERINFOSIZE, &info);
{
Dl_serinfo* pinfo = NULL;
unsigned int alloc_size = info.dls_size + 10000;
int location;
pinfo = (Dl_serinfo*)malloc(alloc_size);
memset(pinfo, 0xff, alloc_size);
pinfo->dls_size = info.dls_size;
pinfo->dls_cnt = info.dls_cnt;
dlinfo(h, RTLD_DI_SERINFO, (void *)pinfo);
for (location = alloc_size - 1; location >= 0; --location) {
char* c = (char*)pinfo;
if (c[location] != (char)0xff) break;
}
printf("dls_size = %d, actual = %d\n", pinfo->dls_size, location + 1);
}
}
On an older glibc this prints:
dls_size = 98, actual = 98
On a new glibc (in this case from Ubuntu 7.10), this prints:
dls_size = 48, actual = 98
--
Summary: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an
incorrect dls_size value, causing buffer overflows
Product: glibc
Version: 2.4
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: stefanus dot dutoit at rapidmind dot com
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=5222
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
@ 2007-10-26 18:52 ` stefanus dot dutoit at rapidmind dot com
2007-10-28 8:24 ` drepper at redhat dot com
2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
2 siblings, 0 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-26 18:52 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From stefanus dot dutoit at rapidmind dot com 2007-10-26 18:52 -------
I should mention that the test case there was only tested with g++, not gcc, so it may not compile with
gcc.
--
http://sourceware.org/bugzilla/show_bug.cgi?id=5222
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
@ 2007-10-28 8:24 ` drepper at redhat dot com
2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
2 siblings, 0 replies; 4+ messages in thread
From: drepper at redhat dot com @ 2007-10-28 8:24 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From drepper at redhat dot com 2007-10-28 08:24 -------
Fixed in cvs trunk.
--
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
http://sourceware.org/bugzilla/show_bug.cgi?id=5222
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 4+ messages in thread
* [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
2007-10-28 8:24 ` drepper at redhat dot com
@ 2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
2 siblings, 0 replies; 4+ messages in thread
From: stefanus dot dutoit at rapidmind dot com @ 2007-10-28 19:11 UTC (permalink / raw)
To: glibc-bugs
------- Additional Comments From stefanus dot dutoit at rapidmind dot com 2007-10-28 19:10 -------
Thanks for the quick fix. I'm not sure this is the right place to ask, but do you have a suggestion as to how
we can detect when we need to work around this? We currently overallocate based on dls_cnt and the
maximum path length of the system to work around this, but I would like to avoid this for versions of glibc
preceding this change or after this change. If you don't have a quick suggestion, we'll figure it out, just
thought I'd ask.
--
http://sourceware.org/bugzilla/show_bug.cgi?id=5222
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2007-10-28 19:11 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2007-10-26 18:47 [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows stefanus dot dutoit at rapidmind dot com
2007-10-26 18:52 ` [Bug libc/5222] " stefanus dot dutoit at rapidmind dot com
2007-10-28 8:24 ` drepper at redhat dot com
2007-10-28 19:11 ` stefanus dot dutoit at rapidmind dot com
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).