public inbox for libc-alpha@sourceware.org
From: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
To: <libc-alpha@sourceware.org>
Cc: <xiaojiangfeng@huawei.com>, <nixiaoming@huawei.com>,
	<douzhaolei@huawei.com>, <wangbing6@huawei.com>,
	<wangfangpeng1@huawei.com>
Subject: [PATCH] elf: handle NULL input to fatal_error
Date: Sat, 30 Mar 2024 21:40:52 +0800	[thread overview]
Message-ID: <1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com> (raw)

"dlopen_doit" may execute
"_dl_signal_error (0, NULL, NULL, ...)",
which causes a segmentation fault.

The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
(gdb) bt
@0  fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
@1  0xf7de5260 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0,
    errstring=0xf7c90518 "invalid mode parameter")
@2  0xf7d0e204 in dlopen_doit (a=a@entry=0xfffefa94)

When objname is NULL, referencing *objname accesses a null pointer.
Therefore, *objname is changed to objname.

After this bug is fixed, if objname is NULL, the "strlen"
in _dl_fatal_printf->_dl_debug_vdprintf will produce
another segmentation fault.

The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
(gdb) bt
@0  strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
@1  0xf7d7fd40 in _dl_debug_vdprintf (fd=2, tag_p=0, fmt=0xf7ab83ab "s%s%s%s%s\n", arg=...)
@2  0xf7d8006c in __GI__dl_fatal_printf (fmt=0xf7ab83a2 "%s: %s: %s%s%s%s%s\n")
@3  0xf7c0b204 in fatal_error (errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7ab6518 "invalid mode parameter")
@4  0xf7c0b258 in __GI__dl_signal_error (errcode=0, objname=0x0,
    occation=0x0 errstring=0xf7ab6518 "invalid mode parameter")
@5  0xf7b34204 in dlopen_doit (a=a@entry=0xff9f7434)

Therefore, null checks are required for "objname" and "errstring".

Fixes: 2449ae7b2da24 ("ld.so: Introduce struct dl_exception")

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
---
 elf/dl-catch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/elf/dl-catch.c b/elf/dl-catch.c
index 2109516..05a41d1 100644
--- a/elf/dl-catch.c
+++ b/elf/dl-catch.c
@@ -83,8 +83,8 @@ fatal_error (int errcode, const char *objname, const char *occasion,
   _dl_fatal_printf ("%s: %s: %s%s%s%s%s\n",
 		    RTLD_PROGNAME,
 		    occasion ?: N_("error while loading shared libraries"),
-		    objname, *objname ? ": " : "",
-		    errstring, errcode ? ": " : "",
+		    objname ? objname : "", objname ? ": " : "",
+		    errstring ? errstring : "", errcode ? ": " : "",
 		    (errcode
 		     ? __strerror_r (errcode, buffer, sizeof buffer)
 		     : ""));
-- 
1.8.5.6