From: Peter Edwards
To: libc-alpha@sourceware.org
Cc: schwab@suse.de, Peter Edwards
Subject: [PATCH v2] elf: Avoid pointer-arithmetic underflow in ldconfig
Date: Mon, 4 Sep 2023 18:03:32 +0100
Message-ID: <20230904170332.398424-1-peadar@arista.com>

For a 64-bit ldconfig, running on a 32-bit library, if the p_vaddr field of the segment containing the dynamic strings is less than its p_offset, then using ElfW(Off) for the arithmetic leads to a truncated unsigned value for pointer arithmetic.

Instead, use intptr_t for loadoff, and cast the p_vaddr and p_offset fields to same. Also, given negative values are possible, use INTPTR_MAX instead of -1 as a better sentinel to indicate the value is unset.

Expected behaviour: 64-bit `ldconfig` runs silently, updating cache

Observed behaviour: `ldconfig` reports

```
ldconfig: file is truncated
```

... for any 32-bit ELF libs with dynamic strings in a segment with p_vaddr > p_offset
Signed-off-by: Peter Edwards --- elf/readelflib.c | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/elf/readelflib.c b/elf/readelflib.c index f5b8c80e38..efab08ce3c 100644 --- a/elf/readelflib.c +++ b/elf/readelflib.c @@ -203,7 +203,7 @@ done: { /* Find the file offset of the segment containing the dynamic string table. */ - ElfW(Off) loadoff = -1; + intptr_t loadoff = INTPTR_MAX; for (i = 0, segment = elf_pheader; i < elf_header->e_phnum; i++, segment++) { @@ -212,11 +212,15 @@ done: && (dyn_entry->d_un.d_val - segment->p_vaddr < segment->p_filesz)) { - loadoff = segment->p_vaddr - segment->p_offset; + /* Note loadoff may be negative - the ELF headers may not be + in a loadable segment, and the first loadable segment + may be at a p_offset > 0, but p_vaddr == 0 */ + loadoff = (intptr_t)segment->p_vaddr - + (intptr_t)segment->p_offset; break; } } - if (loadoff == (ElfW(Off)) -1) + if (loadoff == INTPTR_MAX) { /* Very strange. */ loadoff = 0; -- 2.42.0.111.gd814540bb7
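Review bot: the first hunk (`@@ -203,7`) introduces `intptr_t` and `INTPTR_MAX` but does not add `#include <stdint.h>`; since readelflib.c is built through its including file for both ELF classes, please confirm the header is already reachable there or add the include in this patch. The sentinel change itself is sound: with `loadoff` now signed, `-1` is a legitimate value and `INTPTR_MAX` is not a reachable vaddr/offset difference, but a short comment at the declaration, e.g. `/* INTPTR_MAX means no matching segment was found.  */`, would make the later `if (loadoff == INTPTR_MAX)` self-explanatory.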
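Review bot: in the second hunk (`@@ -212,11`), the casts `(intptr_t)segment->p_vaddr - (intptr_t)segment->p_offset` narrow the operands whenever the ELF class's `p_vaddr`/`p_offset` is wider than the host pointer (a 32-bit ldconfig inspecting a 64-bit library, the mirror image of the case in the description), so either perform the subtraction in a type at least as wide as `ElfW(Addr)` and convert the signed result afterwards, or add a comment stating why truncation cannot matter there. Two style points for the same lines: glibc puts a space after a cast (`(intptr_t) segment->p_vaddr`), and the new comment should end with a period and two spaces before `*/`, i.e. `p_vaddr == 0.  */`, as the surrounding comments do.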