Date: Thu, 28 Jul 2005 00:14:40 GMT
From: William Josephson <freebsd-D20050727@morphisms.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: misc/84199: dlinfo in libexec/elf-rtld/rtld.c does not handle RTLD_DI_SERINFOSIZE properly
Message-ID: <200507280014.j6S0EeDr095297@www.freebsd.org>
Resent-Message-ID: <200507280020.j6S0KJlS015948@freefall.freebsd.org>
>Number: 84199
>Category: misc
>Synopsis: dlinfo in libexec/elf-rtld/rtld.c does not handle RTLD_DI_SERINFOSIZE properly
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 28 00:20:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: William Josephson
>Release:
>Organization:
>Environment:
FreeBSD 4.x and 5.4, presumably 6 and -CURRENT, too.
>Description:
I've run across a bug in the ELF dynamic linker in FreeBSD 4.x and FreeBSD 5.4. Although I haven't had a chance to compile or install FreeBSD 6 yet, the bug appears to be in the ELF dynamic linker in at least FreeBSD 4 through -CURRENT.

The problem is that do_search_info in libexec/rtld-elf/rtld.c does not account for the space required by Dl_serpath structures with either the RTLD_DI_SERINFOSIZE or the RTLD_DI_SERINFO requests. The example program in the dlinfo man page happens to work, but a simple loop copying the path strings into a buffer allocated with malloc will corrupt the heap.

The program below illustrates the problem. Given that the arithmetic in do_search_info is easily fixed, it might be worth patching before the upcoming release.

    #include <link.h>
    #include <dlfcn.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>   /* memset, strlen */

    int
    main(int argc, char *argv[])
    {
            char *s;
            Dl_serinfo *p;
            Dl_serinfo info;

            /* First request: ask rtld how large the full answer will be. */
            memset(&info, 0, sizeof(info));
            if (dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void *)&info) == -1) {
                    fprintf(stderr, "dlinfo: %s\n", dlerror());
                    return 1;
            }

            /* Allocate exactly the advertised size; if dls_size is too small,
             * the second request writes past the end of this block. */
            p = malloc(info.dls_size);
            if (p == NULL) {
                    perror("malloc");
                    return 1;
            }
            memset(p, 0, info.dls_size);
            p->dls_cnt = info.dls_cnt;
            p->dls_size = info.dls_size;
            if (dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void *)p) == -1) {
                    fprintf(stderr, "dlinfo: %s\n", dlerror());
                    return 1;
            }

            /* One past the end of the last path string is the number of
             * bytes rtld actually used; compare it with dls_size. */
            s = p->dls_serpath[p->dls_cnt - 1].dls_name;
            s += strlen(s) + 1;
            printf("%lu %ld %ld %lu %lu\n",
                (unsigned long)info.dls_size,
                (long)(s - (char *)p),
                (long)(s - (char *)p) - (long)info.dls_size,
                (unsigned long)sizeof(Dl_serpath),
                (unsigned long)(info.dls_cnt * sizeof(Dl_serpath)));
            free(p);
            return 0;
    }

>How-To-Repeat:
Run the above program.
>Fix:
Fix arithmetic in do_search_info as described above.
>Release-Note:
>Audit-Trail:
>Unformatted:
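The size accounting the report says do_search_info gets wrong, together with the caller-side bounds check a consumer of the result should run before copying strings out, as an added C example (not code from the PR or from rtld). The two structs are local mirrors of the <link.h> layout so the file builds on any host, serinfo_entry/serinfo_fill/serinfo_check are names chosen here, and the search path list is constructed.

```c
#include <stddef.h>
#include <string.h>
/* Local mirrors of the <link.h> types (assumption) so this builds on any host;
 * dls_serpath[1] is only a placeholder, the real table follows the header. */
typedef struct { char *dls_name; unsigned int dls_flags; } Dl_serpath;
typedef struct { size_t dls_size; unsigned int dls_cnt; Dl_serpath dls_serpath[1]; } Dl_serinfo;
/* Constructed search path for the stand-alone run (not a real rtld answer). */
static const char *const sample_paths[] = { "/lib", "/usr/lib", "/usr/local/lib" };
static Dl_serpath *serinfo_entry(const Dl_serinfo *buf, unsigned int i)
{
    return (Dl_serpath *)((char *)buf + offsetof(Dl_serinfo, dls_serpath)) + i;
}
/* What RTLD_DI_SERINFOSIZE must report: header, one Dl_serpath per directory, then
 * every path string with its NUL. Dropping the middle term is the PR's under-count. */
size_t serinfo_size_needed(const char *const *paths, unsigned int cnt)
{
    size_t need = offsetof(Dl_serinfo, dls_serpath) + (size_t)cnt * sizeof(Dl_serpath);
    for (unsigned int i = 0; i < cnt; i++)
        need += strlen(paths[i]) + 1;
    return need;
}
size_t sample_size_needed(void) { return serinfo_size_needed(sample_paths, 3); }
/* Lay out as RTLD_DI_SERINFO does (table, then packed strings); return 0 rather than overrun. */
int serinfo_fill(Dl_serinfo *buf, size_t bufsize, const char *const *paths, unsigned int cnt)
{
    size_t need = serinfo_size_needed(paths, cnt);
    if (bufsize < need) return 0;
    char *str = (char *)serinfo_entry(buf, cnt);   /* strings start right after the table */
    buf->dls_size = need; buf->dls_cnt = cnt;
    for (unsigned int i = 0; i < cnt; i++) {
        size_t len = strlen(paths[i]) + 1;
        memcpy(str, paths[i], len);
        serinfo_entry(buf, i)->dls_name = str;
        serinfo_entry(buf, i)->dls_flags = 0;
        str += len;
    }
    return 1;
}
/* Caller-side check before copying strings out of a dlinfo result: the table
 * and every dls_name (including its NUL) must lie inside the caller's buffer. */
int serinfo_check(const Dl_serinfo *buf, size_t bufsize)
{
    const char *lo = (const char *)buf, *hi = lo + bufsize;
    if (buf->dls_size > bufsize || (const char *)serinfo_entry(buf, buf->dls_cnt) > hi) return 0;
    for (unsigned int i = 0; i < buf->dls_cnt; i++) {
        const char *s = serinfo_entry(buf, i)->dls_name;
        if (s < lo || s >= hi || memchr(s, '\0', (size_t)(hi - s)) == NULL) return 0;
    }
    return 1;
}
```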