public inbox for glibc-bugs@sourceware.org
* [Bug libc/18093] New: Corrupted aux-cache causes ldconfig to segfault
@ 2015-03-08 20:46 aurelien at aurel32 dot net
  2015-03-12  1:12 ` [Bug libc/18093] " cvs-commit at gcc dot gnu.org
  2015-03-12 11:11 ` aurelien at aurel32 dot net
  0 siblings, 2 replies; 3+ messages in thread
From: aurelien at aurel32 dot net @ 2015-03-08 20:46 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18093

            Bug ID: 18093
           Summary: Corrupted aux-cache causes ldconfig to segfault
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: aurelien at aurel32 dot net
                CC: drepper.fsp at gmail dot com

ldconfig is using an aux-cache to speed up the ld.so.cache update. It is read
by mmaping the file to a structure which contains data offsets used as
pointers. As they are not checked, it is not hard to get ldconfig to segfault
with a corrupted file. This happens for instance if the file is truncated,
which is common following a filesystem check after system crash.

This can be reproduced for example by truncating the file to roughly half of
its size.

There is already some code in elf/cache.c (load_aux_cache) to check for a
corrupted aux cache, but it happens not to be enough.

Patch to fix that will follow on the mailing list.

-- 
You are receiving this mail because:
You are on the CC list for the bug.


^ permalink raw reply	[flat|nested] 3+ messages in thread

* [Bug libc/18093] Corrupted aux-cache causes ldconfig to segfault
  2015-03-08 20:46 [Bug libc/18093] New: Corrupted aux-cache causes ldconfig to segfault aurelien at aurel32 dot net
@ 2015-03-12  1:12 ` cvs-commit at gcc dot gnu.org
  2015-03-12 11:11 ` aurelien at aurel32 dot net
  1 sibling, 0 replies; 3+ messages in thread
From: cvs-commit at gcc dot gnu.org @ 2015-03-12  1:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18093

--- Comment #1 from cvs-commit at gcc dot gnu.org <cvs-commit at gcc dot gnu.org> ---
This is an automated email from the git hooks/post-receive script. It was
generated because a ref change was pushed to the repository containing
the project "GNU C Library master sources".

The branch, master has been updated
       via  6a1cf708dd5681b517744d6d4fac02e4e4a0aa2e (commit)
      from  a2d4cf72c0ab07d4e58b42c01ac3ed2b95ca8d9b (commit)

Those revisions listed above that are new to this repository have
not appeared on any other notification email; so we list those
revisions in full, below.

- Log -----------------------------------------------------------------
https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=6a1cf708dd5681b517744d6d4fac02e4e4a0aa2e

commit 6a1cf708dd5681b517744d6d4fac02e4e4a0aa2e
Author: Aurelien Jarno <aurelien@aurel32.net>
Date:   Wed Mar 11 21:03:50 2015 -0400

    Fix ldconfig segmentation fault with corrupted cache (Bug 18093).

    ldconfig is using an aux-cache to speed up the ld.so.cache update. It
    is read by mmaping the file to a structure which contains data offsets
    used as pointers. As they are not checked, it is not hard to get
    ldconfig to segfault with a corrupted file. This happens for instance if
    the file is truncated, which is common following a filesystem check
    following a system crash.

    This can be reproduced for example by truncating the file to roughly
    half of its size.

    There is already some code in elf/cache.c (load_aux_cache) to check
    for a corrupted aux cache, but it happens to be broken and not enough.
    The test (aux_cache->nlibs >= aux_cache_size) compares the number of
    libs entries with the cache size. It's nonsense, as it basically
    assumes that each library entry is 1 byte... Instead this commit
    computes the theoretical cache size using the headers and compares it
    to the real size.

-----------------------------------------------------------------------

Summary of changes:
 ChangeLog   |    6 ++++++
 NEWS        |    2 +-
 elf/cache.c |    4 +++-
 3 files changed, 10 insertions(+), 2 deletions(-)


^ permalink raw reply	[flat|nested] 3+ messages in thread
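The two checks the commit message contrasts, as an added example that is not part of the thread and is not glibc's code. The struct layout, field names and magic value are simplified assumptions; only the comparison `nlibs >= size` and the idea of computing the size implied by the header come from the message.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Simplified stand-in for an aux-cache image (assumed layout): a header,
   then nlibs fixed-size entries, then len_strings bytes of string data. */
struct entry { uint64_t id[4]; int32_t flags; uint32_t osversion;
               int32_t used; int32_t soname; };
struct header { char magic[8]; uint32_t nlibs; uint32_t len_strings; };
#define EX_MAGIC "exauxc01"   /* constructed 8-byte magic, not glibc's */

/* Copy the header out of the mapping; fails if the file is too short. */
static int read_header(const void *map, size_t size, struct header *h)
{
    if (size < sizeof *h)
        return 0;
    memcpy(h, map, sizeof *h);
    return memcmp(h->magic, EX_MAGIC, sizeof h->magic) == 0;
}

/* Check described as broken: an entry count compared with a byte count. */
static int old_check_ok(const void *map, size_t size)
{
    struct header h;
    return read_header(map, size, &h) && !(h.nlibs >= size);
}

/* Check described as the fix: the size implied by the header must match
   the real file size.  64-bit arithmetic so a huge nlibs cannot wrap. */
static int new_check_ok(const void *map, size_t size)
{
    struct header h;
    if (!read_header(map, size, &h))
        return 0;
    uint64_t expected = sizeof h
        + (uint64_t) h.nlibs * sizeof(struct entry) + h.len_strings;
    return expected == (uint64_t) size;
}

/* Build a constructed image: 4 zeroed entries and 16 string bytes. */
static size_t build_sample(unsigned char *buf, size_t cap)
{
    struct header h = { .nlibs = 4, .len_strings = 16 };
    size_t total = sizeof h + 4 * sizeof(struct entry) + 16;
    if (total > cap)
        return 0;
    memcpy(h.magic, EX_MAGIC, sizeof h.magic);
    memset(buf, 0, total);
    memcpy(buf, &h, sizeof h);
    return total;
}
```

Passing half of the sample image's length to both functions shows the difference: the old comparison still accepts the truncated file, while the size-consistency check rejects it before any offset is dereferenced.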

* [Bug libc/18093] Corrupted aux-cache causes ldconfig to segfault
  2015-03-08 20:46 [Bug libc/18093] New: Corrupted aux-cache causes ldconfig to segfault aurelien at aurel32 dot net
  2015-03-12  1:12 ` [Bug libc/18093] " cvs-commit at gcc dot gnu.org
@ 2015-03-12 11:11 ` aurelien at aurel32 dot net
  1 sibling, 0 replies; 3+ messages in thread
From: aurelien at aurel32 dot net @ 2015-03-12 11:11 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=18093

Aurelien Jarno <aurelien at aurel32 dot net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Aurelien Jarno <aurelien at aurel32 dot net> ---
Fixed in master.


^ permalink raw reply	[flat|nested] 3+ messages in thread
