[PATCH] elf: Guard against __LM_ID

public inbox for libc-alpha@sourceware.org
 help / color / mirror / Atom feed

* [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609]
@ 2021-08-17 18:45 H.J. Lu
  2021-09-20 16:53 ` PIN^1 " H.J. Lu
  0 siblings, 1 reply; 3+ messages in thread
From: H.J. Lu @ 2021-08-17 18:45 UTC (permalink / raw)
  To: libc-alpha

do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2).  When _dl_open
fails in nptl/tst-setuid1 , we can reach

881       /* Avoid keeping around a dangling reference to the libc.so link
882          map in case it has been cached in libc_map.  */
883       if (!args.libc_already_loaded)
884         GL(dl_ns)[nsid].libc_map = NULL;
885

with nsid == -2.  Guard against __LM_ID_CALLER before updating libc_map
to avoid buffer underflow.  This fixes BZ #27609.
---
 elf/dl-open.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elf/dl-open.c b/elf/dl-open.c
index e90287bc62..5c54df5b7f 100644
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
     {
       /* Avoid keeping around a dangling reference to the libc.so link
 	 map in case it has been cached in libc_map.  */
-      if (!args.libc_already_loaded)
+      if (!args.libc_already_loaded && nsid >= 0)
 	GL(dl_ns)[nsid].libc_map = NULL;
 
       /* Remove the object from memory.  It may be in an inconsistent
-- 
2.31.1


^ permalink raw reply	[flat|nested] 3+ messages in thread

* PIN^1 [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609]
  2021-08-17 18:45 [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609] H.J. Lu
@ 2021-09-20 16:53 ` H.J. Lu
  2021-09-29 16:57   ` PING^2 " H.J. Lu
  0 siblings, 1 reply; 3+ messages in thread
From: H.J. Lu @ 2021-09-20 16:53 UTC (permalink / raw)
  To: GNU C Library, Florian Weimer

On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2).  When _dl_open
> fails in nptl/tst-setuid1 , we can reach
>
> 881       /* Avoid keeping around a dangling reference to the libc.so link
> 882          map in case it has been cached in libc_map.  */
> 883       if (!args.libc_already_loaded)
> 884         GL(dl_ns)[nsid].libc_map = NULL;
> 885
>
> with nsid == -2.  Guard against __LM_ID_CALLER before updating libc_map
> to avoid buffer underflow.  This fixes BZ #27609.
> ---
>  elf/dl-open.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/elf/dl-open.c b/elf/dl-open.c
> index e90287bc62..5c54df5b7f 100644
> --- a/elf/dl-open.c
> +++ b/elf/dl-open.c
> @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
>      {
>        /* Avoid keeping around a dangling reference to the libc.so link
>          map in case it has been cached in libc_map.  */
> -      if (!args.libc_already_loaded)
> +      if (!args.libc_already_loaded && nsid >= 0)
>         GL(dl_ns)[nsid].libc_map = NULL;
>
>        /* Remove the object from memory.  It may be in an inconsistent
> --
> 2.31.1
>

PING.

-- 
H.J.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* PING^2 [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609]
  2021-09-20 16:53 ` PIN^1 " H.J. Lu
@ 2021-09-29 16:57   ` H.J. Lu
  0 siblings, 0 replies; 3+ messages in thread
From: H.J. Lu @ 2021-09-29 16:57 UTC (permalink / raw)
  To: GNU C Library, Florian Weimer

On Mon, Sep 20, 2021 at 9:53 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2).  When _dl_open
> > fails in nptl/tst-setuid1 , we can reach
> >
> > 881       /* Avoid keeping around a dangling reference to the libc.so link
> > 882          map in case it has been cached in libc_map.  */
> > 883       if (!args.libc_already_loaded)
> > 884         GL(dl_ns)[nsid].libc_map = NULL;
> > 885
> >
> > with nsid == -2.  Guard against __LM_ID_CALLER before updating libc_map
> > to avoid buffer underflow.  This fixes BZ #27609.
> > ---
> >  elf/dl-open.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/elf/dl-open.c b/elf/dl-open.c
> > index e90287bc62..5c54df5b7f 100644
> > --- a/elf/dl-open.c
> > +++ b/elf/dl-open.c
> > @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
> >      {
> >        /* Avoid keeping around a dangling reference to the libc.so link
> >          map in case it has been cached in libc_map.  */
> > -      if (!args.libc_already_loaded)
> > +      if (!args.libc_already_loaded && nsid >= 0)
> >         GL(dl_ns)[nsid].libc_map = NULL;
> >
> >        /* Remove the object from memory.  It may be in an inconsistent
> > --
> > 2.31.1
> >
>
> PING.
>

Any comments on this patch?


-- 
H.J.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2021-09-29 16:58 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-08-17 18:45 [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609] H.J. Lu
2021-09-20 16:53 ` PIN^1 " H.J. Lu
2021-09-29 16:57   ` PING^2 " H.J. Lu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).