From owner-freebsd-bugs@FreeBSD.ORG Thu Jul 28 00:20:20 2005
Date: Thu, 28 Jul 2005 00:14:40 GMT
From: William Josephson
To: freebsd-gnats-submit@FreeBSD.org
Resent-To: freebsd-bugs@FreeBSD.org
Message-Id: <200507280014.j6S0EeDr095297@www.freebsd.org>
Subject: misc/84199: dlinfo in libexec/elf-rtld/rtld.c does not handle RTLD_DI_SERINFOSIZE properly
List-Id: Bug reports

>Number: 84199
>Category: misc
>Synopsis: dlinfo in libexec/elf-rtld/rtld.c does not handle RTLD_DI_SERINFOSIZE properly
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Thu Jul 28 00:20:19 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: William Josephson
>Release:
>Organization:
>Environment:
FreeBSD 4.x and 5.4, presumably 6 and -CURRENT, too.
>Description:
I've run across a bug in the ELF dynamic linker in FreeBSD 4.x and FreeBSD 5.4. Although I haven't had a chance to compile or install FreeBSD 6 yet, the bug appears to be in the ELF dynamic linker in at least FreeBSD 4 through -CURRENT.

The problem is that do_search_info in libexec/rtld-elf/rtld.c does not account for the space required by Dl_serpath structures with either the RTLD_DI_SERINFOSIZE, or the RTLD_DI_SERINFO requests. The example program in the dlinfo man page happens to work, but a simple loop copying the path strings into a buffer allocated with malloc will corrupt the heap. The program below illustrates the problem. Given that the arithmetic in do_search_info is easily fixed, it might be worth patching before the upcoming release.

#include <dlfcn.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int
main(int argc, char *argv[])
{
	char *s;
	Dl_serinfo *p;
	Dl_serinfo info;

	/* First call: ask rtld how large the search-info buffer must be. */
	memset(&info, 0, sizeof(info));
	if (dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void*)&info) == -1) {
		fprintf(stderr, "dlinfo(RTLD_DI_SERINFOSIZE): %s\n", dlerror());
		return 1;
	}

	/* Allocate exactly what rtld reported and let it fill the buffer. */
	p = malloc(info.dls_size);
	if (p == NULL) {
		perror("malloc");
		return 1;
	}
	memset(p, 0, info.dls_size);
	p->dls_cnt = info.dls_cnt;
	p->dls_size = info.dls_size;
	if (dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void*)p) == -1) {
		fprintf(stderr, "dlinfo(RTLD_DI_SERINFO): %s\n", dlerror());
		return 1;
	}

	/* One past the NUL of the last path string: where the data really ends. */
	s = p->dls_serpath[p->dls_cnt-1].dls_name;
	s += strlen(s)+1;

	/*
	 * Reported size, actual extent, the shortfall, one Dl_serpath,
	 * and the Dl_serpath bytes the reported size leaves out.
	 */
	printf("%zu %td %td %zu %zu\n", info.dls_size, (char*)s-(char*)p,
	    ((char*)s-(char*)p)-(ptrdiff_t)info.dls_size, sizeof(Dl_serpath),
	    info.dls_cnt*sizeof(Dl_serpath));
	return 0;
}

>How-To-Repeat:
Run the above program.
>Fix:
Fix arithmetic in do_search_info as described above.
>Release-Note:
>Audit-Trail:
>Unformatted:
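An added example, not part of this PR or of FreeBSD's rtld: it models the dls_size arithmetic the report describes (the Dl_serinfo header, one Dl_serpath per search-path entry, then the path strings), computes the size both with and without the Dl_serpath term, fills a buffer only when it is large enough, and adds a bounds check a caller can run over a filled buffer before copying strings out of it. The struct names serpath_t and serinfo_t are local mirrors of the FreeBSD Dl_serpath/Dl_serinfo layout, chosen so the file builds on any C platform without dlfcn extensions; the search paths in main are constructed sample data.

```c
/* Example added to this PR archive; models the dls_size accounting of
 * RTLD_DI_SERINFOSIZE/RTLD_DI_SERINFO and a consumer-side bounds check.
 * The struct definitions are local mirrors of FreeBSD's Dl_serpath and
 * Dl_serinfo (assumed layout), so the file builds without <dlfcn.h>. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    char *dls_name;           /* points into the string area of the same buffer */
    unsigned int dls_flags;
} serpath_t;

typedef struct {
    size_t dls_size;          /* total bytes the whole buffer must hold */
    unsigned int dls_cnt;     /* number of serpath_t entries */
    serpath_t dls_serpath[];  /* dls_cnt entries, followed by the strings */
} serinfo_t;

/* Bytes of string storage: every path plus its terminating NUL. */
static size_t path_bytes(const char *const *paths, unsigned cnt) {
    size_t n = 0;
    for (unsigned i = 0; i < cnt; i++) n += strlen(paths[i]) + 1;
    return n;
}

/* Correct size: header, one serpath_t per entry, then the strings. */
size_t serinfo_size_correct(const char *const *paths, unsigned cnt) {
    return offsetof(serinfo_t, dls_serpath) + cnt * sizeof(serpath_t)
         + path_bytes(paths, cnt);
}

/* Size as the PR describes the faulty do_search_info computing it: the
 * serpath_t array is omitted, so strings written after it overrun a buffer
 * of this size by cnt * sizeof(serpath_t) bytes. */
size_t serinfo_size_buggy(const char *const *paths, unsigned cnt) {
    return offsetof(serinfo_t, dls_serpath) + path_bytes(paths, cnt);
}

/* Fill buf (bufsize bytes) the way RTLD_DI_SERINFO would.  Returns 0 on
 * success, -1 if the buffer is too small; never writes past bufsize. */
int serinfo_fill(void *buf, size_t bufsize, const char *const *paths, unsigned cnt) {
    size_t need = serinfo_size_correct(paths, cnt);
    if (bufsize < need) return -1;
    serinfo_t *info = (serinfo_t *)buf;
    char *str = (char *)buf + offsetof(serinfo_t, dls_serpath) + cnt * sizeof(serpath_t);
    info->dls_size = need;
    info->dls_cnt = cnt;
    for (unsigned i = 0; i < cnt; i++) {
        size_t len = strlen(paths[i]) + 1;
        memcpy(str, paths[i], len);
        info->dls_serpath[i].dls_name = str;
        info->dls_serpath[i].dls_flags = 0;
        str += len;
    }
    return 0;
}

/* Consumer-side check: the serpath_t array must fit inside dls_size, every
 * dls_name must point into the string area, and each string must be
 * NUL-terminated before dls_size ends.  Returns 1 if consistent, else 0. */
int serinfo_check(const serinfo_t *info) {
    const char *base = (const char *)info, *end = base + info->dls_size;
    const char *first_str = base + offsetof(serinfo_t, dls_serpath)
                          + info->dls_cnt * sizeof(serpath_t);
    if (first_str > end) return 0;
    for (unsigned i = 0; i < info->dls_cnt; i++) {
        const char *s = info->dls_serpath[i].dls_name;
        if (s < first_str || s >= end) return 0;
        if (memchr(s, '\0', (size_t)(end - s)) == NULL) return 0;
    }
    return 1;
}

int main(void) {
    /* Constructed sample search path; not taken from any real system. */
    const char *const paths[] = { "/lib", "/usr/lib", "/usr/local/lib" };
    unsigned cnt = 3;
    size_t good = serinfo_size_correct(paths, cnt);
    size_t bad = serinfo_size_buggy(paths, cnt);
    printf("correct dls_size %zu, without the Dl_serpath term %zu (short by %zu)\n",
           good, bad, good - bad);
    serinfo_t *p = malloc(good);
    if (p == NULL) return 1;
    printf("fill into %zu-byte buffer: %d\n", bad, serinfo_fill(p, bad, paths, cnt));
    printf("fill into %zu-byte buffer: %d\n", good, serinfo_fill(p, good, paths, cnt));
    printf("buffer consistent: %d\n", serinfo_check(p));
    free(p);
    return 0;
}
```

The shortfall printed by the sample program above is exactly dls_cnt * sizeof(Dl_serpath), which matches the last two fields in the reporter's printf; serinfo_check is the kind of guard a caller should run before walking dls_serpath when it cannot trust the reported size.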