From: Carlos O'Donell
Organization: Red Hat
Subject: Re: [PATCH] elf: Assert range of ns argument in _dl_debug_initialize
To: Florian Weimer, libc-alpha@sourceware.org
Date: Sun, 27 Jun 2021 18:15:52 -0400
Message-ID: <1517d682-9f16-6daf-b2b3-ab716a222a0b@redhat.com>
In-Reply-To: <87y2b04us6.fsf@oldenburg.str.redhat.com>

On 6/23/21 8:42 AM, Florian Weimer via Libc-alpha wrote:
> This does not fix any bugs as such, but makes it more obvious
> if _dl_debug_initialize is called with invalid arguments
> (which would otherwise cause the function to clobber unrelated
> data).
>
> Tested on i686-linux-gnu and x86_64-linux-gnu.

I know I'm expanding the scope here to include _dl_map_object, but it's
another place where we have a similar check, and so I'm just thinking
that for consistency we should make both robust in the same way.

I'm not asking you to fix what appears to be a problem in dl_open_worker,
where we appear to do *no* validation of nsid, which is user-controlled
as input to dlopen :>

> ---
>  elf/dl-debug.c | 8 +++++++-
>  1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/elf/dl-debug.c b/elf/dl-debug.c
> index 2cd5f09753..85b087455e 100644
> --- a/elf/dl-debug.c
> +++ b/elf/dl-debug.c
> @@ -16,6 +16,8 @@
>    License along with the GNU C Library; if not, see
>    .  */
>
> +#include
> +#include
>  #include
>
>
> @@ -49,7 +51,11 @@ _dl_debug_initialize (ElfW(Addr) ldbase, Lmid_t ns)
>    if (ns == LM_ID_BASE)
>      r = &_r_debug;
>    else
> -    r = &GL(dl_ns)[ns]._ns_debug;
> +    {
> +      assert (ns >= 0);
> +      assert (ns < array_length (GL (dl_ns)));

The check in _dl_map_object is:

  assert (nsid >= 0);
  assert (nsid < GL(dl_nns));

Should we be consistent one way or the other?

> +      r = &GL(dl_ns)[ns]._ns_debug;
> +    }
>
>    if (r->r_map == NULL || ldbase != 0)
>      {
> --

Cheers,
Carlos.
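Review bot: The two bounds quoted in the second hunk and in the _dl_map_object check are not equivalent, so "consistent one way or the other" is a real choice rather than a style point. `assert (ns < array_length (GL (dl_ns)))` tests against the static size of the `GL(dl_ns)` array, which is enough to stop the out-of-bounds write into `_ns_debug` that the commit message describes, whereas `assert (nsid < GL(dl_nns))` tests against the number of namespaces currently in use and also rejects an index for a namespace slot that exists in the array but has never been created. If callers of _dl_debug_initialize are only ever expected to pass an existing namespace, the `GL(dl_nns)` form is the stricter check and matches _dl_map_object; if the capacity bound is intentional here (for example because the function may run before the namespace count is updated), a short comment above the asserts saying so would keep the next reader from "fixing" it to the other form.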