From nobody Tue May 6 22:15:33 2025
Date: Tue, 6 May 2025 22:15:33 GMT
Message-Id: <202505062215.546MFXkq063035@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
From: Jessica Clarke
Subject: git: 2b04ba6e08b9 - main - rtld-elf: Fix UB for direct exec with no extra rtld arguments
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 2b04ba6e08b983d8756552286846059507bca7a3
Auto-Submitted: auto-generated

The branch main has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=2b04ba6e08b983d8756552286846059507bca7a3

commit 2b04ba6e08b983d8756552286846059507bca7a3
Author:     Jessica Clarke
AuthorDate: 2025-05-06 22:14:51 +0000
Commit:     Jessica Clarke
CommitDate: 2025-05-06 22:14:51 +0000

    rtld-elf: Fix UB for direct exec with no extra rtld arguments

    If no extra rtld arguments are provided, rtld_argc will be 1 (for
    argv[0]) and so we are shifting the entire memory range down by a
    single pointer. However, unlike argv and envp, auxp's entries are two
    pointers in size, not one, and so in this case the source and
    destination overlap, meaning simple assignment is UB (C99 6.5.16.1p3).
    On many architectures this ends up being harmless as the compiler will
    emit double machine word loads and stores, or if it splits them it may
    still schedule them such that it works in this case, but our RISC-V
    baseline does not include such instructions and LLVM ends up picking a
    schedule that copies the second word before the first word, thereby
    replacing the first word with a copy of the second word. This results
    in direct exec mode segfaulting on RISC-V when given no arguments.

    Fix this by using a temporary in the source and let the compiler
    safely elide its use.
Reviewed by: kib Fixes: 0fc65b0ab82c ("Make ld-elf.so.1 directly executable.") MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D50185 --- libexec/rtld-elf/rtld.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index e4e14edbb5c8..d7ac1e36d70f 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -496,7 +496,7 @@ rtld_trunc_page(uintptr_t x) func_ptr_type _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp) { - Elf_Auxinfo *aux, *auxp, *auxpf, *aux_info[AT_COUNT]; + Elf_Auxinfo *aux, *auxp, *auxpf, *aux_info[AT_COUNT], auxtmp; Objlist_Entry *entry; Obj_Entry *last_interposer, *obj, *preload_tail; const Elf_Phdr *phdr; @@ -673,7 +673,12 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp) * present */ for (;; auxp++, auxpf++) { - *auxp = *auxpf; + /* + * NB: Use a temporary since *auxpf and + * *auxp overlap if rtld_argc is 1 + */ + auxtmp = *auxpf; + *auxp = auxtmp; if (auxp->a_type == AT_NULL) break; }
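Review bot: in the first hunk, `auxtmp` is added to the same declarator list as the `Elf_Auxinfo *` pointers (`*aux, *auxp, *auxpf, *aux_info[AT_COUNT], auxtmp`), where it is the only non-pointer and is easy to misread as one; since it is used only inside the shifting loop, declaring it on its own line, or at the top of the loop block, would make its lifetime and type obvious.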
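Review bot: the comment in the second hunk says `*auxpf` and `*auxp` "overlap if rtld_argc is 1" but not why; stating that the shift is one pointer while an `Elf_Auxinfo` is two pointers wide would make the partial overlap, and hence the UB that the commit message cites (C99 6.5.16.1p3), clear to a reader of the code alone. A single `memmove` over the whole vector would be the conventional alternative for an overlapping range, but it would require locating the `AT_NULL` entry before copying, so the per-entry temporary is the smaller change and is correct as written.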
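The overlapping copy the commit message describes, as an added example that is not FreeBSD's rtld code: a word-level model of the auxv shift, with the committed fix (copy through a temporary) beside the store order that corrupted the tag on RISC-V, run on constructed sample data with hypothetical names.

```c
/* Added example, not FreeBSD's rtld code: a word-level model of the auxv
 * shift rtld-elf performs in direct-exec mode.  Names and data are
 * hypothetical; each aux entry is two words (a_type, a_un) and the vector
 * moves down by `shift` words, where shift == rtld_argc. */
#include <stddef.h>
#include <string.h>
#define AT_NULL      0
#define AUX_OFF      3   /* word index where the auxv starts */
#define SAMPLE_WORDS 9

/* Constructed stack tail: three leading words, then the entries
 * {3, 0x1000}, {6, 4096} and the {AT_NULL, 0} terminator. */
static const long SAMPLE[SAMPLE_WORDS] = { 7, 0, 0, 3, 0x1000, 6, 4096, 0, 0 };

/* The committed fix: stage each entry in a temporary so both source words
 * are read before either destination word is written. */
void shift_auxv_tmp(long *w, size_t aux_off, size_t shift)
{
    long *dst = w + aux_off - shift, *src = w + aux_off, tmp[2];

    for (;; dst += 2, src += 2) {
        tmp[0] = src[0]; tmp[1] = src[1];
        dst[0] = tmp[0]; dst[1] = tmp[1];
        if (dst[0] == AT_NULL)
            break;
    }
}

/* The store order the commit message describes: second word first.  With
 * shift == 1, dst[1] is src[0], so a_type is overwritten before it is read. */
void shift_auxv_bad_order(long *w, size_t aux_off, size_t shift)
{
    long *dst = w + aux_off - shift, *src = w + aux_off;

    for (;; dst += 2, src += 2) {
        dst[1] = src[1];
        dst[0] = src[0];
        if (dst[0] == AT_NULL)
            break;
    }
}

/* Run one shifter on a fresh copy of SAMPLE and return word `idx`. */
long shifted_word(void (*fn)(long *, size_t, size_t), size_t shift, size_t idx)
{
    long buf[SAMPLE_WORDS];
    memcpy(buf, SAMPLE, sizeof buf);
    fn(buf, AUX_OFF, shift);
    return buf[idx];
}
```

With a shift of one word the bad order turns the first entry's tag 3 into a copy of its value 0x1000; with a shift of two or more words the regions no longer overlap and both orders agree.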