Date: Mon, 1 Aug 2005 15:14:13 -0400
From: John Baldwin <jhb@FreeBSD.org>
To: freebsd-current@freebsd.org
Cc: William Josephson <freebsd-D20050727@morphisms.net>
Subject: Re: dlinfo/rtld.c bug
Message-ID: <200508011514.14346.jhb@FreeBSD.org>
In-Reply-To: <20050728000152.871E026@mero.morphisms.net>
References: <20050728000152.871E026@mero.morphisms.net>
On Wednesday 27 July 2005 08:01 pm, William Josephson wrote:
> I've run across a bug in the ELF dynamic linker in FreeBSD 4.x
> and FreeBSD 5.4. Although I haven't had a chance to compile or
> install FreeBSD 6 yet, the bug appears to be in the ELF dynamic
> linker in at least FreeBSD 4 through -CURRENT. The problem is
> that do_search_info in libexec/rtld-elf/rtld.c does not account
> for the space required by Dl_serpath structures with either the
> RTLD_DI_SERINFOSIZE, or the RTLD_DI_SERINFO requests. The
> example program in the dlinfo man page happens to work, but a
> simple loop copying the path strings into a buffer allocated with
> malloc will corrupt the heap. The program below illustrates the
> problem. Given that the arithmetic in do_search_info is easily
> fixed, it might be worth patching before the upcoming release.
>
> #include <link.h>
> #include <dlfcn.h>
> #include <stddef.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
>
> int
> main(int argc, char *argv[])
> {
>     char *s;
>     Dl_serinfo *p;
>     Dl_serinfo info;
>
>     /* Ask rtld how large a buffer the search-path info needs. */
>     memset(&info, 0, sizeof(info));
>     dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void*)&info);
>     p = malloc(info.dls_size);
>     memset(p, 0, info.dls_size);
>     p->dls_cnt = info.dls_cnt;
>     p->dls_size = info.dls_size;
>     dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void*)p);
>     /* First byte past the last path string rtld actually wrote. */
>     s = p->dls_serpath[p->dls_cnt-1].dls_name;
>     s += strlen(s)+1;
>     /* Reported size, bytes actually used, the shortfall, and the
>      * Dl_serpath bytes that do_search_info leaves out of its arithmetic. */
>     printf("%zu %td %td %zu %zu\n", info.dls_size, (char*)s-(char*)p,
>         (ptrdiff_t)((char*)s-(char*)p) - (ptrdiff_t)info.dls_size,
>         sizeof(Dl_serpath), info.dls_cnt*sizeof(Dl_serpath));
>     return 0;
> }
Do you have a patch for this?
--
John Baldwin <jhb@FreeBSD.org> <>< http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve" = http://www.FreeBSD.org
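An added example, not code from the thread: a consumer-side check for the failure mode William describes. It validates a Dl_serinfo buffer against its own dls_size before any loop copies the path names out, and builds a constructed buffer to exercise it (local mirror types stand in for Dl_serinfo/Dl_serpath from <link.h>; bytes_short models a dls_size that undercounts what was laid out).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Local mirrors of Dl_serpath / Dl_serinfo from <link.h> so this builds on any libc. */
typedef struct { char *dls_name; unsigned int dls_flags; } Dl_serpath_m;
typedef struct { size_t dls_size; unsigned int dls_cnt; Dl_serpath_m dls_serpath[1]; } Dl_serinfo_m;
/* Constructed sample search path, standing in for what rtld would report. */
static const char *const sample_paths[] = { "/lib", "/usr/lib", "/usr/local/lib" };

/* Smallest dls_size that can hold cnt entries: header, cnt records, one NUL each. */
size_t serinfo_min_size(unsigned cnt)
{
    return offsetof(Dl_serinfo_m, dls_serpath) + (size_t)cnt * (sizeof(Dl_serpath_m) + 1);
}

/* 1 if every dls_name and its terminating NUL lie inside [p, p + dls_size),
 * 0 if a loop copying the names would read or write past the buffer. */
int serinfo_names_in_bounds(const Dl_serinfo_m *p)
{
    uintptr_t base = (uintptr_t)p, end = base + p->dls_size;
    if (p->dls_size < serinfo_min_size(p->dls_cnt)) return 0;
    for (unsigned i = 0; i < p->dls_cnt; i++) {
        uintptr_t s = (uintptr_t)p->dls_serpath[i].dls_name;
        if (s < base || s >= end) return 0;
        /* memchr is bounded by the claimed end, so a missing NUL cannot overread */
        if (memchr((const char *)s, '\0', (size_t)(end - s)) == NULL) return 0;
    }
    return 1;
}

/* Builds a Dl_serinfo laid out as rtld does (records first, then names); bytes_short > 0
 * models a dls_size that undercounts the data laid out, the defect reported above. */
Dl_serinfo_m *build_serinfo(const char *const *paths, unsigned cnt, size_t bytes_short)
{
    size_t need = offsetof(Dl_serinfo_m, dls_serpath) + cnt * sizeof(Dl_serpath_m);
    for (unsigned i = 0; i < cnt; i++) need += strlen(paths[i]) + 1;
    Dl_serinfo_m *p = calloc(1, need);          /* caller frees */
    if (p == NULL) return NULL;
    char *dst = (char *)(p->dls_serpath + cnt); /* names follow the record array */
    for (unsigned i = 0; i < cnt; i++) {
        p->dls_serpath[i].dls_name = dst;
        strcpy(dst, paths[i]);
        dst += strlen(paths[i]) + 1;
    }
    p->dls_cnt = cnt;
    p->dls_size = need - bytes_short;
    return p;
}
```

Shorting dls_size by even one byte makes the check fail, because the last name's NUL falls past the claimed end; shorting it by cnt * sizeof(Dl_serpath), the amount the report's arithmetic points at, fails the minimum-size test outright.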
