From: Ryan Stone
Date: Tue, 7 Jan 2020 16:03:11 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r356444 - head/libexec/rtld-elf

Author: rstone
Date: Tue Jan 7 16:03:11 2020
New Revision: 356444
URL: https://svnweb.freebsd.org/changeset/base/356444

Log:
  rtld: Fix segfault in direct exec mode

  When rtld is directly executed with arguments, it has to move the program arguments, environment and elf aux data up a few slots to remove its own arguments before the process being executed sees them.

  When copying the environment, rtld was incorrectly testing whether the location about to be written to currently contained NULL, when it was supposed to check whether it had just copied the NULL terminator of the environment string. This had the result that the ELF aux data was mostly treated as environment variables, and rtld would quickly crash when it tried to access required ELF aux data that it didn't think was present.

  Differential Revision: https://reviews.freebsd.org/D23008
  Reviewed by: kib
  MFC after: 1 month

Modified:
  head/libexec/rtld-elf/rtld.c

Modified: head/libexec/rtld-elf/rtld.c
============================================================================== --- head/libexec/rtld-elf/rtld.c Tue Jan 7 15:59:31 2020 (r356443) +++ head/libexec/rtld-elf/rtld.c Tue Jan 7 16:03:11 2020 (r356444)
@@ -514,12 +514,13 @@ _rtld(Elf_Addr *sp, func_ptr_type *exit_proc, Obj_Entr argv[i] = argv[i + rtld_argc]; *argcp -= rtld_argc; environ = env = envp = argv + main_argc + 1; + dbg("move env from %p to %p", envp + rtld_argc, envp); do { *envp = *(envp + rtld_argc); - envp++; - } while (*envp != NULL); + } while (*envp++ != NULL); aux = auxp = (Elf_Auxinfo *)envp; auxpf = (Elf_Auxinfo *)(envp + rtld_argc); + dbg("move aux from %p to %p", auxpf, aux); /* XXXKIB insert place for AT_EXECPATH if not present */ for (;; auxp++, auxpf++) { *auxp = *auxpf;
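Review bot: the new loop condition `} while (*envp++ != NULL);` carries a post-increment as a side effect, and the following `aux = auxp = (Elf_Auxinfo *)envp;` depends on envp ending exactly one slot past the NULL that was just copied. Since the bug being fixed was a confusion over which slot the test reads, a one-line comment above the do/while saying that the test is on the slot just written, and that envp is left pointing at the first destination slot for the aux vector, would stop a later cleanup from moving the increment back into the loop body. A smaller style point on the two added dbg() calls: `envp + rtld_argc`, `envp`, `auxpf` and `aux` are passed to %p as typed pointers; casting them to `(void *)` matches what %p expects.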