This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug dynamic-link/16368] New: _dl_debug_initialize(, __LM_ID_CALLER) if _dl_open catches error
- From: "jreiser at BitWagon dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 24 Dec 2013 15:59:52 +0000
- Subject: [Bug dynamic-link/16368] New: _dl_debug_initialize(, __LM_ID_CALLER) if _dl_open catches error
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=16368
Bug ID: 16368
Summary: _dl_debug_initialize(, __LM_ID_CALLER) if _dl_open catches error
Product: glibc
Version: 2.18
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: jreiser at BitWagon dot com
_dl_debug_initialize might be called with ns < 0, which is out-of-bounds for
indexing the global array GL(dl_ns). In particular, dl_ns[__LM_ID_CALLER]
often lies in the RELRO area, so assigning to its members causes SIGSEGV.
----- elf/dl-open.c [gitweb HEAD 2013-12-24]
  int errcode = _dl_catch_error (&objname, &errstring, &malloced,
                                 dl_open_worker, &args);

#if defined USE_LDCONFIG && !defined MAP_COPY
  /* We must unmap the cache file.  */
  _dl_unload_cache ();
#endif

  /* See if an error occurred during loading.  */
  if (__builtin_expect (errstring != NULL, 0))
    {
[[snip]]
      assert (_dl_debug_initialize (0, args.nsid)->r_state == RT_CONSISTENT);
-----
When _dl_catch_error detects an error, then args.nsid [and perhaps other
args.*] should be sanitized. Also _dl_debug_initialize should bounds check its
'ns' argument, probably using 0 instead of any out-of-bounds index, or perhaps
ignoring the operation entirely.
This problem was found by a fuzzer which broke RETURN_ADDRESS(0) during a
user-level call to dlopen(). _dl_open_worker and __check_caller detected
N_("invalid caller"), then the recovery called _dl_debug_initialize(,
__LM_ID_CALLER).
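The following is an added example, not glibc's code and not part of the bug report above. It is a small C model of the situation the report describes: a global array of namespaces indexed by an Lmid_t, a negative sentinel __LM_ID_CALLER that the worker normally replaces with a real index, and an error path that can run before that replacement happened. The array size, the struct layouts and the caller check are simplified stand-ins (assumptions); the point demonstrated is the report's two suggested fixes, sanitizing args.nsid in the error path and bounds-checking the ns argument of the debug-initialize routine, so that the sentinel is never used as an array index.

```c
/* Model of the namespace-index handling described in bug 16368.
 * Added example, not glibc source: DL_NNS, the structs and the caller
 * check are simplified assumptions.  Only the property at issue is kept:
 * __LM_ID_CALLER is a negative sentinel and must never index dl_ns[]. */
#include <errno.h>
#include <stdio.h>

#define DL_NNS 16               /* number of namespaces (assumed size) */
#define LM_ID_BASE 0
#define LM_ID_NEWLM (-1)
#define __LM_ID_CALLER (-2)     /* sentinel: "namespace of the caller" */

typedef long Lmid_t;

enum { RT_CONSISTENT, RT_ADD, RT_DELETE };

struct r_debug { int r_version; int r_state; };
struct link_namespaces { struct r_debug _ns_debug; int _ns_nloaded; };

/* Stand-in for GL(dl_ns): a fixed global array, indexed by Lmid_t. */
static struct link_namespaces dl_ns[DL_NNS];

struct dl_open_args { const char *file; Lmid_t nsid; };

/* Is ns usable as an index into dl_ns?  Every negative value, including
 * the LM_ID_NEWLM and __LM_ID_CALLER sentinels, is rejected. */
static int ns_index_valid(Lmid_t ns)
{
    return ns >= 0 && ns < DL_NNS;
}

/* Bounds-checked model of _dl_debug_initialize: an out-of-range ns is
 * mapped to the base namespace instead of being used as an index, which
 * is one of the fixes the report suggests. */
static struct r_debug *debug_initialize_checked(Lmid_t ns)
{
    if (!ns_index_valid(ns))
        ns = LM_ID_BASE;
    struct r_debug *r = &dl_ns[ns]._ns_debug;
    if (r->r_version == 0) {        /* first use: initialize */
        r->r_version = 1;
        r->r_state = RT_CONSISTENT;
    }
    return r;
}

/* Model of the worker's caller handling.  The order matters: the caller
 * is validated before the sentinel is replaced, so a rejected caller
 * returns with args->nsid still equal to __LM_ID_CALLER. */
static int open_worker_model(struct dl_open_args *args, int caller_valid)
{
    if (args->nsid == __LM_ID_CALLER) {
        if (!caller_valid)
            return EINVAL;          /* the "invalid caller" case */
        args->nsid = LM_ID_BASE;    /* assume the caller is in the base ns */
    }
    if (!ns_index_valid(args->nsid))
        return EINVAL;
    dl_ns[args->nsid]._ns_nloaded++;
    return 0;
}

/* Model of _dl_open's error path.  Returns the worker's error code and,
 * through *state, the r_state the recovery asserts on.  args.nsid is
 * sanitized before the recovery touches dl_ns, the report's other
 * suggested fix; debug_initialize_checked would also catch it on its own. */
static int dl_open_model(Lmid_t nsid, int caller_valid, int *state)
{
    struct dl_open_args args = { "libfoo.so", nsid };   /* constructed input */
    int err = open_worker_model(&args, caller_valid);
    if (err != 0 && !ns_index_valid(args.nsid))
        args.nsid = LM_ID_BASE;     /* sanitize: sentinel never reaches dl_ns[] */
    *state = debug_initialize_checked(args.nsid)->r_state;
    return err;
}

int main(void)
{
    int state = -1;
    int err = dl_open_model(__LM_ID_CALLER, 0, &state);
    printf("invalid caller: err=%d r_state=%s sentinel_is_valid_index=%d\n",
           err, state == RT_CONSISTENT ? "RT_CONSISTENT" : "other",
           ns_index_valid(__LM_ID_CALLER));
    return 0;
}
```

Without the two checks, the same sequence (caller rejected, then recovery) would evaluate dl_ns[-2], which is the out-of-bounds access the report describes; with either check in place the recovery lands on the base namespace and the RT_CONSISTENT assertion holds.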