From: Jiangfeng Xiao
Subject: [PATCH] elf: handle NULL input to fatal_error
Date: Sat, 30 Mar 2024 21:40:52 +0800
Message-ID: <1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com>

"dlopen_doit" may execute "_dl_signal_error (0, NULL, NULL, ...)",
which causes a segmentation fault. The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0, errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
(gdb) bt
@0 fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0, errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
@1 0xf7de5260 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0, errstring=0xf7c90518 "invalid mode parameter")
@2 0xf7d0e204 in dlopen_doit (a=a@entry=0xfffefa94)

When objname is NULL, referencing *objname accesses a null pointer.
Therefore, *objname is changed to objname.

After this bug is fixed, if objname is NULL, the "strlen" in
_dl_fatal_printf->_dl_debug_vdprintf will produce another
segmentation fault. The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
(gdb) bt
@0 strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
@1 0xf7d7fd40 in _dl_debug_vdprintf (fd=2, tag_p=0, fmt=0xf7ab83ab "s%s%s%s%s\n", arg=...)
@2 0xf7d8006c in __GI__dl_fatal_printf (fmt=0xf7ab83a2 "%s: %s: %s%s%s%s%s\n")
@3 0xf7c0b204 in fatal_error (errcode@entry=0, objname=0x0, occasion=0x0, errstring=errstring@entry=0xf7ab6518 "invalid mode parameter")
@4 0xf7c0b258 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0 errstring=0xf7ab6518 "invalid mode parameter")
@5 0xf7b34204 in dlopen_doit (a=a@entry=0xff9f7434)

Therefore, null checks are required for "objname" and "errstring".

Fixes: 2449ae7b2da24 ("ld.so: Introduce struct dl_exception")
Signed-off-by: Jiangfeng Xiao
--- elf/dl-catch.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/elf/dl-catch.c b/elf/dl-catch.c index 2109516..05a41d1 100644 --- a/elf/dl-catch.c +++ b/elf/dl-catch.c @@ -83,8 +83,8 @@ fatal_error (int errcode, const char *objname, const char *occasion, _dl_fatal_printf ("%s: %s: %s%s%s%s%s\n", RTLD_PROGNAME, occasion ?: N_("error while loading shared libraries"), - objname, *objname ? ": " : "", - errstring, errcode ? ": " : "", + objname ? objname : "", objname ? ": " : "", + errstring ? errstring : "", errcode ? ": " : "", (errcode ? __strerror_r (errcode, buffer, sizeof buffer) : "")); -- 1.8.5.6
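
Review bot: in the changed objname argument pair, replacing the separator test *objname ? ": " : "" with objname ? ": " : "" also changes the output for an objname that is non-NULL but empty. The old test suppressed the ": " separator for "", the new one prints it, so a message with an empty object name gains a stray ": ". Test both conditions, for example (objname && *objname) ? ": " : "", or normalize once before the call with objname = objname ?: ""; (the ?: form is already used for occasion in the same call) and keep the *objname test unchanged. Separately, with errstring NULL and errcode nonzero the next line still emits ": " after an empty string. Since the backtraces show the NULL arguments arriving from dlopen_doit via _dl_signal_error, the commit message or a comment should state whether NULL objname and errstring are supported inputs here or whether the caller needs fixing as well.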