This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.
[Bug libc/22341] New: Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h
- From: "yueqichen.0x0 at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Tue, 24 Oct 2017 01:13:36 +0000
- Subject: [Bug libc/22341] New: Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=22341
Bug ID: 22341
Summary: Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h
Product: glibc
Version: 2.26
Status: UNCONFIRMED
Severity: critical
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: yueqichen.0x0 at gmail dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
Created attachment 10552
--> https://sourceware.org/bugzilla/attachment.cgi?id=10552&action=edit
crafted shared library file recovered.so and poc.c
Uninitialized variable in inline function elf_get_dynamic_info at source file elf/get-dynamic-info.h
Tested on glibc-2.26 with AddressSanitizer on Linux ubuntu 4.13.0-16-generic #19-Ubuntu SMP,
gcc (Ubuntu 7.2.0-8ubuntu3) 7.2.0
Running Command:
unzip PoC.zip
gcc -o poc poc.c -ldl -fsanitize=address
./poc
Function _dl_map_object_from_fd at Line 1006 in elf/dl-load.c
1006: l = _dl_new_object(realname, name, l_type, loader, mode, nsid);
/* allocate a memory region in heap for a new loaded object without
initializing l->l_info */
Function _dl_map_object_from_fd at Line 1200 in elf/dl-load.c
1200: elf_get_dynamic_info(l, NULL);
/* call buggy function elf_get_dynamic_info,
there is no initialization of l->l_info between dl-load.c:1006 and
dl-load.c:1200 */
Function elf_get_dynamic_info at Line 97 in elf/get-dynamic-info.h
46: info = l->l_info;
97: info[tag]->d_un.d_ptr += l_addr;
/* l->info[tag]->d_un.d_ptr is used without initialization till now.
Any value could be in l->info[tag]->d_un.d_ptr
*/
We trigger this defect with the poc compiled with AddressSanitizer and display the
output of the sanitizer as follows:
ASAN:DEADLYSIGNAL
=================================================================
==2505==ERROR: AddressSanitizer: SEGV on unknown address 0x00000204 (pc
0xb7fee485 bp 0x00000000 sp 0xbffff180 T0)
==2505==The signal is caused by a READ memory access.
==2505==Hint: address points to the zero page.
#0 0xb7fee484 (/lib/ld-linux.so.2+0x15484)
#1 0xb794fe2a in _dl_catch_error (/lib/i386-linux-gnu/libc.so.6+0x132e2a)
#2 0xb7819421 (/lib/i386-linux-gnu/libdl.so.2+0x1421)
#3 0xb7818df7 in dlclose (/lib/i386-linux-gnu/libdl.so.2+0xdf7)
#4 0xb7a233a5 in dlclose (/usr/lib/i386-linux-gnu/libasan.so.4+0x303a5)
#5 0x40076b in main (/home/yueqi/poc+0x76b)
#6 0xb7835985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
#7 0x400620 (/home/yueqi/poc+0x620)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/ld-linux.so.2+0x15484)
==2505==ABORTING
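The pattern the report describes, as an added example that is not glibc's code: a minimal dynamic-section walk in the shape of elf_get_dynamic_info, with the l_info table cleared before use and each address-valued entry relocated by l_addr only when that tag was actually recorded. The struct link_map_min, the INFO_SLOTS table size, the relocated_tag helper and the sample dynamic section are constructed for this example; glibc additionally maps the extra tag ranges into further slots, which the example skips.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Minimal 64-bit ELF dynamic-entry definitions, mirroring Elf64_Dyn from <elf.h>,
 * so the example builds without it. INFO_SLOTS is a constructed table size. */
typedef struct { int64_t d_tag; union { uint64_t d_val, d_ptr; } d_un; } dyn_entry;
enum { DT_NULL = 0, DT_HASH = 4, DT_STRTAB = 5, DT_SYMTAB = 6, DT_STRSZ = 10 };
#define INFO_SLOTS 35
/* Hypothetical stand-in for the link_map fields the report names. */
struct link_map_min {
    uint64_t   l_addr;             /* load base added to address-valued tags */
    dyn_entry *l_ld;               /* the object's dynamic section */
    dyn_entry *l_info[INFO_SLOTS]; /* per-tag pointers into l_ld */
};

/* Hardened walk: clear the table first, record only in-range tags, and relocate
 * an address entry only when that tag was seen. Returns entries recorded. */
static int get_dynamic_info(struct link_map_min *l)
{
    int seen = 0;
    memset(l->l_info, 0, sizeof l->l_info);   /* never read stale slots */
    for (dyn_entry *dyn = l->l_ld; dyn->d_tag != DT_NULL; ++dyn) {
        if (dyn->d_tag >= 0 && dyn->d_tag < INFO_SLOTS) {
            l->l_info[dyn->d_tag] = dyn;      /* out-of-range tags are skipped */
            ++seen;
        }
    }
    static const int addr_tags[] = { DT_HASH, DT_STRTAB, DT_SYMTAB };
    for (size_t i = 0; i < sizeof addr_tags / sizeof *addr_tags; ++i)
        if (l->l_info[addr_tags[i]] != NULL)  /* guard before d_un.d_ptr += l_addr */
            l->l_info[addr_tags[i]]->d_un.d_ptr += l->l_addr;
    return seen;
}
/* Constructed dynamic section: carries DT_STRTAB and DT_STRSZ but no DT_SYMTAB. */
static const dyn_entry sample_dyn[] = {
    { DT_STRTAB, { 0x1000 } }, { DT_STRSZ, { 0x40 } }, { DT_NULL, { 0 } },
};

/* Walk a private copy of the sample as if loaded at 'base' and return the value
 * recorded for 'tag', or 0 when the section carries no such entry. */
uint64_t relocated_tag(uint64_t base, int tag)
{
    if (tag < 0 || tag >= INFO_SLOTS) return 0;
    dyn_entry dyn[sizeof sample_dyn / sizeof *sample_dyn];
    memcpy(dyn, sample_dyn, sizeof dyn);      /* keep sample_dyn unmodified */
    struct link_map_min l = { .l_addr = base, .l_ld = dyn };
    get_dynamic_info(&l);
    return l.l_info[tag] ? l.l_info[tag]->d_un.d_ptr : 0;
}
```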