This is the mail archive of the mailing list for the glibc project.
Re: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- From: Alex <alexinbeijing at gmail dot com>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: libc-alpha at sourceware dot org
- Date: Mon, 10 Aug 2015 10:58:27 +0200
- Subject: Re: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- Authentication-results: sourceware.org; auth=none
- References: <1439153945-22973-1-git-send-email-alexinbeijing at gmail dot com> <87fv3s83td dot fsf at igel dot home> <CACsECNf6dB8cAG4EHpox=tg8=+SbeWTb9J=T4zArLtmdQjqkHQ at mail dot gmail dot com> <CACsECNeWcACbJ50wYcrWL804G9o7T8eZT57oFZWS17jVZ98SxA at mail dot gmail dot com> <mvmzj1zmssr dot fsf at hawking dot suse dot de>
On Mon, Aug 10, 2015 at 10:49 AM, Andreas Schwab <email@example.com> wrote:
> Alex <firstname.lastname@example.org> writes:
>> On Mon, Aug 10, 2015 at 1:01 AM, Andreas Schwab <email@example.com> wrote:
>>> Alex Dowad <firstname.lastname@example.org> writes:
>>>> diff --git a/elf/rtld.c b/elf/rtld.c
>>>> index 6dcbabc..ee194a6 100644
>>>> --- a/elf/rtld.c
>>>> +++ b/elf/rtld.c
>>>> @@ -2408,6 +2408,8 @@ process_dl_debug (const char *dl_debug)
>>>> char *copy = strndupa (dl_debug, len);
>>>> _dl_error_printf ("\
>>>> warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
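Review bot: `strndupa (dl_debug, len)` on the first quoted line sizes a stack allocation from `len`, the length of a token taken from the environment-supplied LD_DEBUG value, and nothing in the hunk bounds it; the copy exists only to feed `%s` in the `_dl_error_printf` call two lines later, so printing `dl_debug` directly with `%.*s` and `(int) len` removes both the copy and the unbounded stack allocation. Separately, the quoted hunk has lost its leading `+`/`-` markers even though the header `@@ -2408,6 +2408,8 @@` says two lines were added, so a reader cannot tell which of the three lines are new and which are context; please resend with the markers intact.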
>>> Use %.*s instead.
>> Thanks for your reply. That would help to avoid potentially voluminous
>> output to the console, but doesn't fix the (potential) security hole
>> of copying an arbitrary, attacker-supplied string onto the stack.
> You don't need the copy any more.
Andreas, I'm a bit slow here so please help me out: why is the copy
needed *even if* printf("%s", ...) is used? I've been trying to figure
out why the original author used strndupa in the first place but
haven't wrapped my mind around it yet.
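The point of the `%.*s` suggestion in this thread, as an added example that is not code from the patch or from glibc: a simplified stand-in for the option scanner (the function names and the option table are assumptions) that warns about each unknown LD_DEBUG token by formatting straight from the original string with a precision, so no copy of attacker-chosen length is ever placed on the stack.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Assumed option table; the real list lives in elf/rtld.c.  */
static const char *const known_opts[] =
  { "libs", "reloc", "files", "symbols", "all", "help" };

/* Is the token [tok, tok+len) one of the known options?  */
static int is_known (const char *tok, size_t len)
{
  for (size_t i = 0; i < sizeof known_opts / sizeof known_opts[0]; i++)
    if (strlen (known_opts[i]) == len && memcmp (known_opts[i], tok, len) == 0)
      return 1;
  return 0;
}

/* Format the warning for one unknown token into BUF (bounded by BUFSZ).
   The precision argument makes printf read at most LEN bytes of TOK, so
   the token never has to be NUL-terminated or duplicated.  Precision is
   an int, so clamp LEN rather than let the cast wrap.  */
static int warn_unknown (char *buf, size_t bufsz, const char *tok, size_t len)
{
  int prec = len > INT_MAX ? INT_MAX : (int) len;
  return snprintf (buf, bufsz,
                   "warning: debug option `%.*s' unknown; try LD_DEBUG=help\n",
                   prec, tok);
}

/* Scan DL_DEBUG, splitting on ',', ':' and blanks like the real scanner.
   Leaves the text of the last warning in BUF ("" if none) and returns the
   number of unknown options seen.  */
int process_dl_debug_demo (const char *dl_debug, char *buf, size_t bufsz)
{
  int unknown = 0;
  if (bufsz > 0)
    buf[0] = '\0';
  while (*dl_debug != '\0')
    {
      size_t len = strcspn (dl_debug, ",: \t");   /* length of this token */
      if (len > 0 && !is_known (dl_debug, len))
        {
          warn_unknown (buf, bufsz, dl_debug, len);
          unknown++;
        }
      dl_debug += len;
      dl_debug += strspn (dl_debug, ",: \t");     /* skip the separators */
    }
  return unknown;
}
```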