public inbox for glibc-cvs@sourceware.org
From: Aurelien Jarno <aurel32@sourceware.org> To: glibc-cvs@sourceware.org Subject: [glibc/release/2.33/master] elf: Earlier missing dynamic segment check in _dl_map_object_from_fd Date: Sat, 9 Jul 2022 08:46:16 +0000 (GMT) [thread overview] Message-ID: <20220709084616.5C5083858430@sourceware.org> (raw) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=1916c5f0626a0127882aa3c60a91f47bafde8bbd commit 1916c5f0626a0127882aa3c60a91f47bafde8bbd Author: Florian Weimer <fweimer@redhat.com> Date: Fri Nov 5 17:01:24 2021 +0100 elf: Earlier missing dynamic segment check in _dl_map_object_from_fd Separated debuginfo files have PT_DYNAMIC with p_filesz == 0. We need to check for that before the _dl_map_segments call because that could attempt to write to mappings that extend beyond the end of the file, resulting in SIGBUS. Reviewed-by: H.J. Lu <hjl.tools@gmail.com> (cherry picked from commit ea32ec354c65ddad11b82ca9d057010df13a9cea) Diff: --- elf/dl-load.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/elf/dl-load.c b/elf/dl-load.c index 2f760503c5..639d78083c 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -1114,6 +1114,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, struct loadcmd loadcmds[l->l_phnum]; size_t nloadcmds = 0; bool has_holes = false; + bool empty_dynamic = false; /* The struct is initialized to zero so this is not necessary: l->l_ld = 0; @@ -1126,7 +1127,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, segments are mapped in. We record the addresses it says verbatim, and later correct for the run-time load address. */ case PT_DYNAMIC: - if (ph->p_filesz) + if (ph->p_filesz == 0) + empty_dynamic = true; /* Usually separate debuginfo. */ + else { /* Debuginfo only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Skip 
@@ -1248,6 +1251,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, goto lose; } + /* This check recognizes most separate debuginfo files. */ + if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic)) + { + errstring = N_("object file has no dynamic section"); + goto lose; + } + /* Length of the sections to be loaded. */ maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart; @@ -1265,15 +1275,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, } } - if (l->l_ld == 0) - { - if (__glibc_unlikely (type == ET_DYN)) - { - errstring = N_("object file has no dynamic section"); - goto lose; - } - } - else + if (l->l_ld != 0) l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr); elf_get_dynamic_info (l, NULL);
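Review bot: in the second hunk (the PT_DYNAMIC case), the comment "Debuginfo only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Skip" now lives in the else branch, which is the branch taken when p_filesz is non-zero, so it no longer describes the code beneath it. Move that explanation up to the new `if (ph->p_filesz == 0)` line, folding it into or replacing `/* Usually separate debuginfo. */`, so the rationale sits next to the branch that actually sets `empty_dynamic`.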
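Review bot: in the third hunk, the new early check `(l->l_ld == 0 && type == ET_DYN) || empty_dynamic` rejects an object with an empty PT_DYNAMIC regardless of its type, whereas the check it replaces only failed for ET_DYN, so an ET_EXEC whose PT_DYNAMIC has p_filesz == 0 was previously tolerated and now fails with "object file has no dynamic section". That widening is consistent with the SIGBUS motivation in the commit message, but it should be stated in the comment above the check (currently only "This check recognizes most separate debuginfo files.") and mentioned in the commit message, since it is a behaviour change beyond moving the check earlier. The placement itself is right: the error path is now reached before maplength is computed from loadcmds and before the segments are mapped, which is what the commit message requires.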