This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]
Other format:	[Raw text]

[Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows

From: "stefanus dot dutoit at rapidmind dot com" <sourceware-bugzilla at sourceware dot org>
To: glibc-bugs at sources dot redhat dot com
Date: 26 Oct 2007 18:47:28 -0000
Subject: [Bug libc/5222] New: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
Reply-to: sourceware-bugzilla at sourceware dot org

The size returned in the dls_size field is incorrect, causing subsequent calls of dlinfo() into a buffer of 
that size to buffer overflow (hence marked as critical).

The bug is quite obvious in this change:

http://www.sourceware.org/cgi-bin/cvsweb.cgi/libc/elf/dl-load.c.diff?
r1=1.286&r2=1.287&cvsroot=glibc&f=h

Note the line:

                   si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;

The < should clearly be a > (or >=) instead.

The following test case demonstrates this:
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <dlfcn.h>
#include <link.h>
#include <limits.h>

int main()
{
  void* h = dlopen(NULL, RTLD_LAZY);
  Dl_serinfo info;
  dlinfo(h, RTLD_DI_SERINFOSIZE, &info);
  {
    Dl_serinfo* pinfo = NULL;
    unsigned int alloc_size = info.dls_size + 10000;
    int location;
    pinfo = (Dl_serinfo*)malloc(alloc_size);
    memset(pinfo, 0xff, alloc_size); 
    pinfo->dls_size = info.dls_size;
    pinfo->dls_cnt = info.dls_cnt;
    dlinfo(h, RTLD_DI_SERINFO, (void *)pinfo);

    for (location = alloc_size - 1; location >= 0; --location) {
      char* c = (char*)pinfo;
      if (c[location] != (char)0xff) break;
    }
    printf("dls_size = %d, actual = %d\n", pinfo->dls_size, location + 1);
  }
}

On an older glibc this prints:
dls_size = 98, actual = 98

On a new glibc (in this case from Ubuntu 7.10), this prints:
dls_size = 48, actual = 98

-- 
           Summary: dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an
                    incorrect dls_size value, causing buffer overflows
           Product: glibc
           Version: 2.4
            Status: NEW
          Severity: critical
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: stefanus dot dutoit at rapidmind dot com
                CC: glibc-bugs at sources dot redhat dot com


http://sourceware.org/bugzilla/show_bug.cgi?id=5222

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.

Follow-Ups:
- [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  - From: stefanus dot dutoit at rapidmind dot com
- [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  - From: drepper at redhat dot com
- [Bug libc/5222] dlinfo(..., RTLD_DI_SERINFOSIZE, ...) produces an incorrect dls_size value, causing buffer overflows
  - From: stefanus dot dutoit at rapidmind dot com

Index Nav:	[Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav:	[Date Prev] [Date Next]	[Thread Prev] [Thread Next]