To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Jessica Clarke
Subject: git: f1344d0aa816 - stable/14 - rtld-elf: Fix UB for direct exec with no extra rtld arguments
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
Sender: owner-dev-commits-src-all@FreeBSD.org
X-Git-Committer: jrtc27
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/14
X-Git-Reftype: branch
X-Git-Commit: f1344d0aa816d0a2e9b316d4bd28b5f478b5d3da
Date: Mon, 15 Dec 2025 17:00:25 +0000
Message-Id: <69403ea9.d0d2.199bac4@gitrepo.freebsd.org>

The branch stable/14 has been updated by jrtc27:

URL: https://cgit.FreeBSD.org/src/commit/?id=f1344d0aa816d0a2e9b316d4bd28b5f478b5d3da

commit f1344d0aa816d0a2e9b316d4bd28b5f478b5d3da
Author: Jessica Clarke
AuthorDate: 2025-05-06 22:14:51 +0000
Commit: Jessica Clarke
CommitDate: 2025-12-15 16:58:44 +0000

rtld-elf: Fix UB for direct exec with no extra rtld arguments

If no extra rtld arguments are provided, rtld_argc will be 1 (for argv[0]) and so we are shifting the entire memory range down by a single pointer. However, unlike argv and envp, auxp's entries are two pointers in size, not one, and so in this case the source and destination overlap, meaning simple assignment is UB (C99 6.5.16.1p3). On many architectures this ends up being harmless as the compiler will emit double machine word loads and stores, or if it splits them it may still schedule them such that it works in this case, but our RISC-V baseline does not include such instructions and LLVM ends up picking a schedule that copies the second word before the first word, thereby replacing the first word with a copy of the second word. This results in direct exec mode segfaulting on RISC-V when given no arguments.
Fix this by using a temporary in the source and let the compiler safely elide its use. Reviewed by: kib Fixes: 0fc65b0ab82c ("Make ld-elf.so.1 directly executable.") MFC after: 1 week Differential Revision: https://reviews.freebsd.org/D50185 (cherry picked from commit 2b04ba6e08b983d8756552286846059507bca7a3) --- libexec/rtld-elf/rtld.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index a44a5e303dcc..1a5cb0a6fce9 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -498,7 +498,7 @@ rtld_trunc_page(uintptr_t x) func_ptr_type _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp) { - Elf_Auxinfo *aux, *auxp, *auxpf, *aux_info[AT_COUNT]; + Elf_Auxinfo *aux, *auxp, *auxpf, *aux_info[AT_COUNT], auxtmp; Objlist_Entry *entry; Obj_Entry *last_interposer, *obj, *preload_tail; const Elf_Phdr *phdr; @@ -663,7 +663,12 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entry **objp) dbg("move aux from %p to %p", auxpf, aux); /* XXXKIB insert place for AT_EXECPATH if not present */ for (;; auxp++, auxpf++) { - *auxp = *auxpf; + /* + * NB: Use a temporary since *auxpf and + * *auxp overlap if rtld_argc is 1 + */ + auxtmp = *auxpf; + *auxp = auxtmp; if (auxp->a_type == AT_NULL) break; }
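Review bot: in the first hunk, appending the non-pointer `auxtmp` to a declarator list that is otherwise all pointers (`Elf_Auxinfo *aux, *auxp, *auxpf, *aux_info[AT_COUNT], auxtmp;`) is easy to misread as one more pointer; a separate `Elf_Auxinfo auxtmp;` line would make the distinction visible at the declaration. Functionally the declaration is fine, since `auxtmp` is only written and read inside the copy loop.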
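Review bot: in the second hunk the temporary is correct, and the comment could say why it suffices: the destination sits one pointer below the source, so the only overlap is between the second word of `*auxp` and the first word of `*auxpf`; reading the whole entry into `auxtmp` before the store (`auxtmp = *auxpf; *auxp = auxtmp;`) makes the word order of the store irrelevant, and ascending iteration never reads an entry that an earlier iteration has already overwritten. `memmove(3)` would express the same intent, but the length is only known once AT_NULL is found, so the per-entry temporary is the simpler choice here.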
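The overlap described in the commit message above, as an added example that is not part of the commit or of rtld: a two-word stand-in for Elf_Auxinfo (the `auxinfo` type, `AT_NULL_T` and the `sample` vector are constructed here) is shifted down by one pointer, once through a temporary as the fix does, and once with the second-word-first store order the message attributes to LLVM on RISC-V, written out explicitly so the corruption is reproduced deterministically rather than through undefined behaviour.

```c
#include <stdint.h>
#include <string.h>

/* Two-word auxv entry shaped like Elf_Auxinfo (constructed for this example). */
typedef struct { uintptr_t a_type; uintptr_t a_val; } auxinfo;
#define AT_NULL_T 0 /* terminator type, standing in for AT_NULL */

/* The commit's fix: copy each entry through a temporary so both words are
 * read before either is stored; safe when dst is src minus one word. */
static void shift_aux_tmp(auxinfo *dst, const auxinfo *src)
{
    auxinfo tmp;
    for (;; dst++, src++) {
        tmp = *src;
        *dst = tmp;
        if (dst->a_type == AT_NULL_T)
            break;
    }
}

/* The store order the commit reports LLVM picking on RISC-V (second word
 * first), written out explicitly so the effect is deterministic. */
static void shift_aux_badorder(auxinfo *dst, const auxinfo *src)
{
    for (;; dst++, src++) {
        uintptr_t *d = (uintptr_t *)dst;
        const uintptr_t *s = (const uintptr_t *)src;
        d[1] = s[1]; /* with d + 1 == s this clobbers s[0] ... */
        d[0] = s[0]; /* ... so a_type becomes a copy of a_val */
        if (dst->a_type == AT_NULL_T)
            break;
    }
}

/* Constructed vector; nonzero values so only the last entry terminates. */
#define NAUX 4
static const auxinfo sample[NAUX] = {
    { 3, 0x1000 }, { 6, 4096 }, { 9, 0x2000 }, { AT_NULL_T, 0 }
};

/* The rtld_argc == 1 layout: one pointer slot (rtld's argv[0]) then the aux
 * vector. Shift it down and return the first a_type: 3 if intact, else 0x1000. */
static uintptr_t first_type_after(void (*shift)(auxinfo *, const auxinfo *))
{
    uintptr_t words[1 + 2 * NAUX];
    words[0] = 0xdead;
    memcpy(&words[1], sample, sizeof sample);
    shift((auxinfo *)&words[0], (const auxinfo *)&words[1]);
    return words[0];
}
```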