diff options
| author | Florian Weimer <fweimer@redhat.com> | 2021-11-05 17:01:24 +0100 |
|---|---|---|
| committer | Aurelien Jarno <aurelien@aurel32.net> | 2022-07-09 10:45:39 +0200 |
| commit | 1916c5f0626a0127882aa3c60a91f47bafde8bbd (patch) | |
| tree | 9971140e4d348ab427d41f1bfda70b64b5328a3c | |
| parent | d44e1a0740066416d3c331a3022ead5a7c4155ad (diff) | |
| download | glibc-1916c5f0626a0127882aa3c60a91f47bafde8bbd.tar glibc-1916c5f0626a0127882aa3c60a91f47bafde8bbd.tar.gz glibc-1916c5f0626a0127882aa3c60a91f47bafde8bbd.tar.bz2 glibc-1916c5f0626a0127882aa3c60a91f47bafde8bbd.zip | |
elf: Earlier missing dynamic segment check in _dl_map_object_from_fd
Separated debuginfo files have PT_DYNAMIC with p_filesz == 0. We
need to check for that before the _dl_map_segments call because
that could attempt to write to mappings that extend beyond the end
of the file, resulting in SIGBUS.
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
(cherry picked from commit ea32ec354c65ddad11b82ca9d057010df13a9cea)
| -rw-r--r-- | elf/dl-load.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/elf/dl-load.c b/elf/dl-load.c index 2f760503c5..639d78083c 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -1114,6 +1114,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, struct loadcmd loadcmds[l->l_phnum]; size_t nloadcmds = 0; bool has_holes = false; + bool empty_dynamic = false; /* The struct is initialized to zero so this is not necessary: l->l_ld = 0; @@ -1126,7 +1127,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, segments are mapped in. We record the addresses it says verbatim, and later correct for the run-time load address. */ case PT_DYNAMIC: - if (ph->p_filesz) + if (ph->p_filesz == 0) + empty_dynamic = true; /* Usually separate debuginfo. */ + else { /* Debuginfo only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Skip @@ -1248,6 +1251,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, goto lose; } + /* This check recognizes most separate debuginfo files. */ + if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic)) + { + errstring = N_("object file has no dynamic section"); + goto lose; + } + /* Length of the sections to be loaded. */ maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart; @@ -1265,15 +1275,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, } } - if (l->l_ld == 0) - { - if (__glibc_unlikely (type == ET_DYN)) - { - errstring = N_("object file has no dynamic section"); - goto lose; - } - } - else + if (l->l_ld != 0) l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr); elf_get_dynamic_info (l, NULL); |