public inbox for libc-hacker@sourceware.org
From: Andreas Jaeger <aj@suse.de>
To: libc-hacker@sources.redhat.com
Subject: BZ 5222: Fix for elf/dl-load.c
Date: Sun, 28 Oct 2007 05:42:00 -0000
Message-ID: <87myu3g5hd.fsf@suse.de>

Revision 1.287 introduces a bug; the reporter says:

"The size returned in the dls_size field is incorrect, causing
subsequent calls of dlinfo() into a buffer of that size to buffer
overflow (hence marked as critical)."

diff -u -p -r1.286 -r1.287
--- elf/dl-load.c       30 Jun 2007 17:01:07 -0000      1.286
+++ elf/dl-load.c       12 Jul 2007 18:15:27 -0000      1.287
@@ -2273,14 +2273,17 @@ _dl_rtld_di_serinfo (struct link_map *lo
              if (counting)
                {
                  si->dls_cnt++;
-                 si->dls_size += r->dirnamelen;
+                 si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
                }
              else
                {
                  Dl_serpath *const sp = &si->dls_serpath[idx++];
                  sp->dls_name = allocptr;
-                 allocptr = __mempcpy (allocptr,
-                                       r->dirname, r->dirnamelen - 1);
+                 if (r->dirnamelen < 2)
+                   *allocptr++ = r->dirnamelen ? '/' : '.';
+                 else
+                   allocptr = __mempcpy (allocptr,
+                                         r->dirname, r->dirnamelen - 1);
                  *allocptr++ = '\0';
                  sp->dls_flags = flags;
                }
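Review bot: the counting branch and the emitting branch of this hunk disagree, which is exactly the dls_size undercount the reporter describes. For r->dirnamelen >= 2, `si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;` reserves only 2 bytes, while the else branch writes r->dirnamelen - 1 bytes of the name plus the terminating '\0', i.e. r->dirnamelen bytes; for r->dirnamelen of 0 or 1 it reserves 0 or 1 byte, while the else branch writes a single '/' or '.' plus '\0', i.e. 2 bytes. The count is therefore short for every entry, and a caller that sizes its buffer from dls_size and then asks for the entries overruns it. The comparison is inverted: 2 is meant to be the minimum per entry, not the maximum.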


Ok to commit the appended fix?  I would like to add it for both 2.7 and
head,

Andreas

2007-10-28  Andreas Jaeger  <aj@suse.de>

	[BZ #5222]
	* elf/dl-load.c (_dl_rtld_di_serinfo): Correctly compute dls_size.
	Reported by Stefanus Du Toit <stefanus.dutoit@rapidmind.com>.

============================================================
Index: elf/dl-load.c
--- elf/dl-load.c	3 Aug 2007 15:50:24 -0000	1.288
+++ elf/dl-load.c	28 Oct 2007 05:41:48 -0000
@@ -2274,7 +2274,7 @@ _dl_rtld_di_serinfo (struct link_map *lo
 	      if (counting)
 		{
 		  si->dls_cnt++;
-		  si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
+		  si->dls_size += r->dirnamelen > 2 ? r->dirnamelen : 2;
 		}
 	      else
 		{
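Review bot: with `si->dls_size += r->dirnamelen > 2 ? r->dirnamelen : 2;` the reserved size now matches the bytes the else branch writes in every case (0 or 1: '/' or '.' plus '\0' is 2; 2: one name byte plus '\0' is 2; n > 2: n - 1 name bytes plus '\0' is n), so the fix is correct. Two small suggestions: `>= 2` is equivalent and reads more naturally since 2 is the boundary value, and a one-line comment above this statement saying that dls_size must equal the bytes written by the else branch below would keep the two branches from drifting apart again, as happened in 1.287.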

-- 
 Andreas Jaeger, Director Platform / openSUSE, aj@suse.de
  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
   Maxfeldstr. 5, 90409 Nürnberg, Germany
    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126
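To make the reporter's overflow concrete, here is an added stand-alone C model of the two passes in _dl_rtld_di_serinfo (this is not glibc code; the sample entries, the loop and the use of memcpy in place of __mempcpy are constructed for illustration). It sums what each counting rule reserves against what the emitting branch actually writes, so the shortfall that drives the overflow is visible as a number.

```c
#include <stddef.h>
#include <string.h>

/* Bytes reserved per entry by the 1.287 expression (the regression). */
static size_t count_buggy(size_t dirnamelen)
{
  return dirnamelen < 2 ? dirnamelen : 2;
}

/* Bytes reserved per entry by the proposed fix. */
static size_t count_fixed(size_t dirnamelen)
{
  return dirnamelen > 2 ? dirnamelen : 2;
}

/* Bytes the emitting branch writes for one entry: '/' or '.' when
   dirnamelen is 1 or 0, otherwise dirnamelen - 1 bytes of the name
   (the trailing slash is dropped), always followed by '\0'.
   Writes into out when it is non-NULL; returns the byte count. */
static size_t emit_entry(const char *dirname, size_t dirnamelen, char *out)
{
  size_t n = 0;
  if (dirnamelen < 2)
    {
      if (out) out[n] = dirnamelen ? '/' : '.';
      n++;
    }
  else
    {
      if (out) memcpy(out + n, dirname, dirnamelen - 1);
      n += dirnamelen - 1;
    }
  if (out) out[n] = '\0';
  return n + 1;
}

typedef size_t (*count_fn)(size_t);

/* Bytes written minus bytes reserved over a constructed search path.
   Zero means the buffer sized from dls_size cannot be overrun. */
static long undercount(count_fn count)
{
  /* constructed entries, stored with their trailing slash as the
     loader does: lengths 0, 1, 2 and 9 cover every branch above */
  static const char *const names[] = { "", "/", "/x", "/usr/lib/" };
  long reserved = 0, written = 0;
  for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
    {
      size_t len = strlen(names[i]);
      reserved += (long) count(len);
      written += (long) emit_entry(names[i], len, NULL);
    }
  return written - reserved;
}
```

With the constructed path the 1.287 rule reserves 10 bytes fewer than the second pass writes, while the fixed rule reserves exactly the bytes written.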
