Date: Mon, 11 Mar 2024 13:57:27 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 277629] ldd (ld-elf.so.1) uses p_vaddr without checking
Message-ID: <bug-277629-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277629

            Bug ID: 277629
           Summary: ldd (ld-elf.so.1) uses p_vaddr without checking
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249091
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249091&action=edit
corrupt elf file that causes ldd to crash due to its use of p_vaddr

When ldd calls dlopen(..., RTLD_TRACE), ld-elf.so.1's map_object() sets
obj->dynamic from a p_vaddr without checking:

    case PT_DYNAMIC:
        phdyn = phdr;
        ...;
        obj->dynamic = (const Elf_Dyn *)(obj->relocbase + phdyn->p_vaddr);

and digest_dynamic1() dereferences it:

    dynp = obj->dynamic;
    ...;
    for (; dynp->d_tag != DT_NULL; dynp++) {

I've attached a corrupt elf file with the relevant p_vaddr set to
0x7ffffffff9699fff. This example happens to cause ldd to crash only on a
riscv machine (not amd64).

# uname -a
FreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #270 main-n250982-48b12cb79520-dirty: Sat Mar 9 08:36:40 EST 2024     rtm@zika:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# objdump -x ./ldd7a.exe | grep 0x7fff
 DYNAMIC off    0x0000000000000000 vaddr 0x7ffffffff9699fff paddr 0x0000000000000000 align 2**64
# ldd ./ldd7a.exe
./ldd7a.exe: pid 136 (ldd), jid 0, uid 0: exited on signal 11 (core dumped)

-- 
You are receiving this mail because:
You are the assignee for the bug.
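The check that the quoted map_object() path lacks, as an added example rather than code from the report or from FreeBSD's rtld: before a loader forms relocbase + p_vaddr, the PT_DYNAMIC range should be shown to lie inside a PT_LOAD segment (the only memory the loader has actually mapped) and to be aligned for Elf_Dyn. Assumptions: struct phdr64 is a hand-written mirror of the Elf64_Phdr fields instead of <elf.h>, the PT_LOAD/PT_DYNAMIC values are the standard ones, both program header tables are constructed, and the corrupt table's p_memsz is a made-up value because the objdump line in the report does not show it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal mirror of the Elf64_Phdr fields this check reads; defined here
 * instead of including <elf.h> so the example builds on any host. */
struct phdr64 {
    uint32_t p_type;
    uint32_t p_flags;
    uint64_t p_offset;
    uint64_t p_vaddr;
    uint64_t p_paddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
    uint64_t p_align;
};

#define PT_LOAD_TYPE    1u
#define PT_DYNAMIC_TYPE 2u
#define ELF64_DYN_SIZE  16u   /* sizeof(Elf64_Dyn): d_tag + d_un */
#define ELF64_DYN_ALIGN 8u

/* True iff [start, start+len) lies inside [seg, seg+seglen); both sums are
 * checked for wrap-around before they are formed. */
static bool range_within(uint64_t start, uint64_t len,
                         uint64_t seg, uint64_t seglen)
{
    if (len > UINT64_MAX - start || seglen > UINT64_MAX - seg)
        return false;
    return start >= seg && start + len <= seg + seglen;
}

/* Finds PT_DYNAMIC and accepts its p_vaddr only if the whole dynamic array
 * is aligned and contained in some PT_LOAD segment, i.e. in memory that
 * will really exist at relocbase + p_vaddr. Returns true and stores the
 * vaddr on success, false if PT_DYNAMIC is absent or out of bounds. */
bool checked_dynamic_vaddr(const struct phdr64 *ph, size_t phnum,
                           uint64_t *out_vaddr)
{
    const struct phdr64 *dyn = NULL;
    size_t i;

    for (i = 0; i < phnum; i++) {
        if (ph[i].p_type == PT_DYNAMIC_TYPE) {
            dyn = &ph[i];
            break;
        }
    }
    if (dyn == NULL)
        return false;
    /* Must hold at least the terminating DT_NULL entry and be aligned for
     * Elf64_Dyn; an odd address such as 0x...fff is rejected here. */
    if (dyn->p_memsz < ELF64_DYN_SIZE || dyn->p_vaddr % ELF64_DYN_ALIGN != 0)
        return false;
    for (i = 0; i < phnum; i++) {
        if (ph[i].p_type == PT_LOAD_TYPE &&
            range_within(dyn->p_vaddr, dyn->p_memsz,
                         ph[i].p_vaddr, ph[i].p_memsz)) {
            *out_vaddr = dyn->p_vaddr;
            return true;
        }
    }
    return false;  /* PT_DYNAMIC points outside every mapped segment */
}

/* Constructed program header table: a 0x2000-byte PT_LOAD with the dynamic
 * array inside it. */
static const struct phdr64 well_formed[] = {
    { PT_LOAD_TYPE,    5, 0x0,    0x0,    0x0,    0x2000, 0x2000, 0x1000 },
    { PT_DYNAMIC_TYPE, 6, 0x1f00, 0x1f00, 0x1f00, 0x100,  0x100,  0x8    },
};

/* Same layout, but PT_DYNAMIC carries the p_vaddr from the report; the
 * p_memsz of 0x1a0 is constructed, the objdump line does not show it. */
static const struct phdr64 corrupt_like_report[] = {
    { PT_LOAD_TYPE,    5, 0x0, 0x0,                   0x0, 0x2000, 0x2000, 0x1000 },
    { PT_DYNAMIC_TYPE, 6, 0x0, 0x7ffffffff9699fffULL, 0x0, 0x1a0,  0x1a0,  0x8    },
};

/* Returns the accepted vaddr, or 0 when the table is rejected. */
uint64_t check_table(const struct phdr64 *ph, size_t phnum)
{
    uint64_t v;
    return checked_dynamic_vaddr(ph, phnum, &v) ? v : 0;
}

uint64_t check_well_formed(void)
{
    return check_table(well_formed, sizeof well_formed / sizeof well_formed[0]);
}

uint64_t check_corrupt(void)
{
    return check_table(corrupt_like_report,
                       sizeof corrupt_like_report / sizeof corrupt_like_report[0]);
}

int main(void)
{
    printf("well-formed: dynamic at 0x%llx\n",
           (unsigned long long)check_well_formed());
    printf("corrupt:     %s\n",
           check_corrupt() ? "accepted" : "rejected before dereference");
    return 0;
}
```

The well-formed table yields 0x1f00; the table built from the report's p_vaddr is rejected before any pointer is formed, so the digest_dynamic1() loop quoted above would never run on it.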