This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Avoid mapping past end of shared object (BZ #18685)
- From: "H.J. Lu" <hjl dot tools at gmail dot com>
- To: Siddhesh Poyarekar <siddhesh at redhat dot com>
- Cc: GNU C Library <libc-alpha at sourceware dot org>, Roland McGrath <roland at hack dot frob dot com>
- Date: Thu, 16 Jul 2015 20:15:17 -0700
- Subject: Re: [PATCH] Avoid mapping past end of shared object (BZ #18685)
- Authentication-results: sourceware.org; auth=none
- References: <1437033625-13561-1-git-send-email-siddhesh at redhat dot com>
On Thu, Jul 16, 2015 at 1:00 AM, Siddhesh Poyarekar <siddhesh@redhat.com> wrote:
> Some valid ELF objects, like .debug files may refer to sections
> outside themselves since they're loaded and patched up to their parent
> ELF. Calling ldd on them may result in a segfault since it may try to
> read beyond the end of the mapping. Red Hat bz:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=741105
>
> has an example, although I haven't been able to find a sample
> reproducer file immediately. This patch has been carried in Fedora
> and RHEL for a couple of years now. Also tested on x86_64 to verify
> that there are no regressions.
>
> [BZ #18685]
> * sysdeps/generic/dl-fileid.h (_dl_get_file_id): Accept
> pointer to a struct stat64.
> * sysdeps/posix/dl-fileid.h (_dl_get_file_id): Likewise.
> * elf/dl-load.c (_dl_map_object_from_fd): Avoid mapping past
> end of ELF file.
If I understand it correctly, ld.so crashes on an ELF file with segment headers where file offset is larger than the file itself. Isn't it the same as a corrupted ELF file with segment headers where file offset is larger than the file itself?
I can create such a file with a binary editor.
How should ld.so deal with such ELF files?
H.J.
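The check the patch adds to _dl_map_object_from_fd is described above only in prose; as an added example (not glibc code, and not from either author), the Python below performs the equivalent offline audit: parse the ELF64 program headers and report every segment whose p_offset + p_filesz extends past the real file size, which is the condition that made ldd read beyond its mapping. The ELF image is constructed inline and the layout constants are the standard ELF64 ones; as the quoted message notes, a valid .debug file may refer past its own end, so a hit means the range must not be mapped, not that the file is corrupt.

```python
import struct

ELF_MAGIC = b"\x7fELF"
PT_LOAD = 1
PHDR_FMT = "<IIQQQQQQ"          # ELF64 Phdr: type, flags, offset, vaddr, paddr, filesz, memsz, align
PHDR_SIZE = struct.calcsize(PHDR_FMT)   # 56 bytes


def elf64_phdr_bounds(data):
    """Return (index, p_type, p_offset, p_filesz) for every program header
    whose file-backed range [p_offset, p_offset + p_filesz) runs past the
    end of `data`; p_type is None when the header itself is out of range.
    Handles little-endian ELF64 only."""
    if len(data) < 64 or data[:4] != ELF_MAGIC:
        raise ValueError("not an ELF file")
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]          # e_phoff
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)  # e_phentsize, e_phnum
    size = len(data)
    bad = []
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + PHDR_SIZE > size:
            bad.append((i, None, off, PHDR_SIZE))
            continue
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from(PHDR_FMT, data, off)
        # p_filesz == 0 maps nothing from the file, so only a non-empty range counts
        if p_filesz and p_offset + p_filesz > size:
            bad.append((i, p_type, p_offset, p_filesz))
    return bad


def build_sample(p_offset, p_filesz, pad=0):
    """Constructed minimal ELF64 image (ET_DYN, x86-64): header, one PT_LOAD
    program header, then `pad` zero bytes. Not a real object file."""
    ident = ELF_MAGIC + bytes([2, 1, 1, 0]) + b"\x00" * 8
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH",
                               3, 62, 1, 0, 64, 0, 0, 64, PHDR_SIZE, 1, 64, 0, 0)
    phdr = struct.pack(PHDR_FMT, PT_LOAD, 5, p_offset, 0, 0, p_filesz, p_filesz, 0x1000)
    return ehdr + phdr + b"\x00" * pad


if __name__ == "__main__":
    ok = build_sample(0, 120)                 # segment covers exactly the 120-byte image
    truncated = build_sample(0x10000, 0x100)  # segment claims bytes the file does not have
    print(elf64_phdr_bounds(ok))              # []
    print(elf64_phdr_bounds(truncated))       # [(0, 1, 65536, 256)]
```

Run against a real file with `elf64_phdr_bounds(open(path, "rb").read())`; an empty list means every file-backed segment fits inside what stat would report.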