This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
- From: "stefanus dot dutoit at rapidmind dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: 26 Oct 2007 18:47:28 -0000
- Subject: [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
- Reply-to: sourceware-bugzilla at sourceware dot org
The size returned in the dls_size field is incorrect, causing subsequent calls of dlinfo() into a buffer of
that size to buffer overflow (hence marked as critical).
The bug is quite obvious in this change:
http://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-load.c.diff?
r1=1.286&r2=1.287&cvsroot=glibc&f=h
Note the line:
si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
The < should clearly be a > (or >=) instead.
The following test case demonstrates this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <link.h>
#include <limits.h>
int main()
{
void* h = dlopen(NULL, RTLD_LAZY);
Dl_serinfo info;
dlinfo(h, RTLD_DI_SERINFOSIZE, &info);
{
Dl_serinfo* pinfo = NULL;
unsigned int alloc_size = info.dls_size + 10000;
int location;
pinfo = (Dl_serinfo*)malloc(alloc_size);
memset(pinfo, 0xff, alloc_size);
pinfo->dls_size = info.dls_size;
pinfo->dls_cnt = info.dls_cnt;
dlinfo(h, RTLD_DI_SERINFO, (void *)pinfo);
for (location = alloc_size - 1; location >= 0; --location) {
char* c = (char*)pinfo;
if (c[location] != (char)0xff) break;
}
printf("dls_size = %d, actual = %d\n", pinfo->dls_size, location + 1);
}
}
On an older glibc this prints:
dls_size = 98, actual = 98
On a new glibc (in this case from Ubuntu 7.10), this prints:
dls_size = 48, actual = 98
--
Summary: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an
incorrect dls_size value, causing buffer overflows
Product: glibc
Version: 2.4
Status: NEW
Severity: critical
Priority: P2
Component: libc
AssignedTo: drepper at redhat dot com
ReportedBy: stefanus dot dutoit at rapidmind dot com
CC: glibc-bugs at sources dot redhat dot com
http://sourceware.org/bugzilla/show_bug.cgi?id=5222
------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.