lib/glibc
1
0
Fork 0
mirror of https://sourceware.org/git/glibc.git synced 2025-08-10 05:03:06 +03:00
Code Activity

elf: Earlier missing dynamic segment check in _dl_map_object_from_fd

Browse Source 
Separated debuginfo files have PT_DYNAMIC with p_filesz == 0.  We
need to check for that before the _dl_map_segments call because
that could attempt to write to mappings that extend beyond the end
of the file, resulting in SIGBUS.

Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
This commit is contained in:
Florian Weimer
2021-11-05 17:01:24 +01:00
parent ff012870b2
commit ea32ec354c
1 changed files with 12 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
elf/dl-load.c
View File

@@ -1135,6 +1135,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
struct loadcmd loadcmds[l->l_phnum]; struct loadcmd loadcmds[l->l_phnum];
size_t nloadcmds = 0; size_t nloadcmds = 0;
bool has_holes = false; bool has_holes = false;
bool empty_dynamic = false;
/* The struct is initialized to zero so this is not necessary: /* The struct is initialized to zero so this is not necessary:
l->l_ld = 0; l->l_ld = 0;
@@ -1147,7 +1148,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
segments are mapped in. We record the addresses it says segments are mapped in. We record the addresses it says
verbatim, and later correct for the run-time load address. */ verbatim, and later correct for the run-time load address. */
case PT_DYNAMIC: case PT_DYNAMIC:
if (ph->p_filesz) if (ph->p_filesz == 0)
empty_dynamic = true; /* Usually separate debuginfo. */
else
{ {
/* Debuginfo only files from "objcopy --only-keep-debug" /* Debuginfo only files from "objcopy --only-keep-debug"
contain a PT_DYNAMIC segment with p_filesz == 0. Skip contain a PT_DYNAMIC segment with p_filesz == 0. Skip
@@ -1270,6 +1273,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
goto lose; goto lose;
} }
/* This check recognizes most separate debuginfo files. */
if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic))
{
errstring = N_("object file has no dynamic section");
goto lose;
}
/* Length of the sections to be loaded. */ /* Length of the sections to be loaded. */
maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart; maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart;
@@ -1287,15 +1297,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
} }
} }
if (l->l_ld == 0) if (l->l_ld != 0)
{
if (__glibc_unlikely (type == ET_DYN))
{
errstring = N_("object file has no dynamic section");
goto lose;
}
}
else
l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr); l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr);
elf_get_dynamic_info (l, false, false); elf_get_dynamic_info (l, false, false);