This is the mail archive of the libc-hacker@sourceware.org mailing list for the glibc project.

Note that libc-hacker is a closed list. You may look at the archives of this list, but subscription and posting are not open.



BZ 5222: Fix for elf/dl-load.c


Revision 1.287 introduces a bug, the reporter says

"The size returned in the dls_size field is incorrect, causing
subsequent calls of dlinfo() into a buffer of that size to buffer
overflow (hence marked as critical)."

diff -u -p -r1.286 -r1.287
--- elf/dl-load.c       30 Jun 2007 17:01:07 -0000      1.286
+++ elf/dl-load.c       12 Jul 2007 18:15:27 -0000      1.287
@@ -2273,14 +2273,17 @@ _dl_rtld_di_serinfo (struct link_map *lo
              if (counting)
                {
                  si->dls_cnt++;
-                 si->dls_size += r->dirnamelen;
+                 si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
                }
              else
                {
                  Dl_serpath *const sp = &si->dls_serpath[idx++];
                  sp->dls_name = allocptr;
-                 allocptr = __mempcpy (allocptr,
-                                       r->dirname, r->dirnamelen - 1);
+                 if (r->dirnamelen < 2)
+                   *allocptr++ = r->dirnamelen ? '/' : '.';
+                 else
+                   allocptr = __mempcpy (allocptr,
+                                         r->dirname, r->dirnamelen - 1);
                  *allocptr++ = '\0';
                  sp->dls_flags = flags;
                }
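Review bot: the counting branch in this hunk undercounts what the copying branch writes, which is the buffer overflow the reporter describes. The `else` branch emits `r->dirnamelen - 1` bytes plus the terminating `'\0'`, i.e. `r->dirnamelen` bytes, when `r->dirnamelen >= 2`, and two bytes (`'/'` or `'.'` plus `'\0'`) otherwise; but the added line `si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;` adds the smaller of the two values, so every search path longer than two characters is short by `r->dirnamelen - 2` bytes and the empty or "/" case is short by two or one. The accumulator needs the larger value, `r->dirnamelen > 2 ? r->dirnamelen : 2`, so that dls_size equals the number of bytes actually stored per entry.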


Ok to commit the appended fix?  I would like to add it for both 2.7 and
head.

Andreas

2007-10-28  Andreas Jaeger  <aj@suse.de>

	[BZ #5222]
	* elf/dl-load.c (_dl_rtld_di_serinfo): Correctly compute dls_size.
	Reported by Stefanus Du Toit <stefanus.dutoit@rapidmind.com>.

============================================================
Index: elf/dl-load.c
--- elf/dl-load.c	3 Aug 2007 15:50:24 -0000	1.288
+++ elf/dl-load.c	28 Oct 2007 05:41:48 -0000
@@ -2274,7 +2274,7 @@ _dl_rtld_di_serinfo (struct link_map *lo
 	      if (counting)
 		{
 		  si->dls_cnt++;
-		  si->dls_size += r->dirnamelen < 2 ? r->dirnamelen : 2;
+		  si->dls_size += r->dirnamelen > 2 ? r->dirnamelen : 2;
 		}
 	      else
 		{
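Review bot: flipping `<` to `>` makes the size count match the two cases of the copying branch (at least two bytes for the short names, exactly `r->dirnamelen` bytes otherwise), and `r->dirnamelen == 2` yields 2 either way, so the boundary is fine. Since the original `<` slipped through review once, a one-line comment above the `+` line stating that the minimum of 2 covers the `'/'` or `'.'` plus NUL case would make the intent harder to misread the next time this is touched.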

-- 
 Andreas Jaeger, Director Platform / openSUSE, aj@suse.de
  SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
   Maxfeldstr. 5, 90409 Nürnberg, Germany
    GPG fingerprint = 93A3 365E CE47 B889 DF7F  FED1 389A 563C C272 A126
