Fix BZ 20419. A PT_NOTE in a binary could be arbitrarily large, so using
alloca for it may cause stack overflow. If the note is larger than __MAX_ALLOCA_CUTOFF, use dynamically allocated memory to read it in. 2018-05-05 Paul Pluzhnikov <ppluzhnikov@google.com> [BZ #20419] * elf/dl-load.c (open_verify): Fix stack overflow. * elf/Makefile (tst-big-note): New test. * elf/tst-big-note-lib.S: New. * elf/tst-big-note.c: New.
parent
b289cd9db8
commit
0065aaaaae
@ -1,3 +1,11 @@
2018-05-05 Paul Pluzhnikov <ppluzhnikov@google.com>
[BZ #20419]
* elf/dl-load.c (open_verify): Fix stack overflow.
* elf/Makefile (tst-big-note): New test.
* elf/tst-big-note-lib.S: New.
* elf/tst-big-note.c: New.
2018-05-04 Joseph Myers <joseph@codesourcery.com>
2018-05-04 Joseph Myers <joseph@codesourcery.com>
* scripts/abilist.awk: Ignore absolute symbols.
* scripts/abilist.awk: Ignore absolute symbols.
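--- a/elf/Makefile
+++ b/elf/Makefile
@@ -186,7 +186,7 @@ tests += restest1 preloadtest loadfail multiload origtest resolvfail \
 tst-tlsalign tst-tlsalign-extern tst-nodelete-opened \
 tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error tst-noload \
 tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \
-tst-debug1 tst-main1 tst-absolute-sym
+tst-debug1 tst-main1 tst-absolute-sym tst-big-note
 # reldep9
 tests-internal += loadtest unload unload2 circleload1 \
 neededtest neededtest2 neededtest3 neededtest4 \
@@ -272,7 +272,9 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
 tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12 \
 tst-latepthreadmod $(tst-tls-many-dynamic-modules) \
 tst-nodelete-dlclose-dso tst-nodelete-dlclose-plugin \
-tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib
+tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib \
+tst-big-note-lib
+
 ifeq (yes,$(have-mtls-dialect-gnu2))
 tests += tst-gnu2-tls1
 modules-names += tst-gnu2-tls1mod
@@ -1450,3 +1452,5 @@ $(objpfx)tst-libc_dlvsym-static: $(common-objpfx)dlfcn/libdl.a
 tst-libc_dlvsym-static-ENV = \
 LD_LIBRARY_PATH=$(objpfx):$(common-objpfx):$(common-objpfx)dlfcn
 $(objpfx)tst-libc_dlvsym-static.out: $(objpfx)tst-libc_dlvsym-dso.so
+
+$(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so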
@ -1462,6 +1462,7 @@ open_verify (const char *name, int fd,
ElfW(Ehdr) *ehdr;
ElfW(Ehdr) *ehdr;
ElfW(Phdr) *phdr, *ph;
ElfW(Phdr) *phdr, *ph;
ElfW(Word) *abi_note;
ElfW(Word) *abi_note;
ElfW(Word) *abi_note_malloced = NULL;
unsigned int osversion;
unsigned int osversion;
size_t maplength;
size_t maplength;
@ -1633,10 +1634,25 @@ open_verify (const char *name, int fd,
abi_note = (void *) (fbp->buf + ph->p_offset);
abi_note = (void *) (fbp->buf + ph->p_offset);
else
else
{
{
abi_note = alloca (size);
/* Note: __libc_use_alloca is not usable here, because
thread info may not have been set up yet. */
if (size < __MAX_ALLOCA_CUTOFF)
abi_note = alloca (size);
else
{
/* There could be multiple PT_NOTEs. */
abi_note_malloced = realloc (abi_note_malloced, size);
if (abi_note_malloced == NULL)
goto read_error;
abi_note = abi_note_malloced;
}
__lseek (fd, ph->p_offset, SEEK_SET);
__lseek (fd, ph->p_offset, SEEK_SET);
if (__libc_read (fd, (void *) abi_note, size) != size)
if (__libc_read (fd, (void *) abi_note, size) != size)
goto read_error;
{
free (abi_note_malloced);
goto read_error;
}
}
}
while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
@ -1671,6 +1687,7 @@ open_verify (const char *name, int fd,
break;
break;
}
}
free (abi_note_malloced);
}
}
return fd;
return fd;
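Review bot: The `realloc (abi_note_malloced, size)` added in the second hunk overwrites the only pointer to the previous buffer, so when realloc fails while handling a later PT_NOTE the earlier allocation is leaked before the `goto read_error` (the read-failure branch right below frees explicitly, which suggests `read_error` itself does not free). Keep the old pointer until the call succeeds: `ElfW(Word) *tmp = realloc (abi_note_malloced, size);` / `if (tmp == NULL) { free (abi_note_malloced); goto read_error; }` / `abi_note_malloced = tmp;`. `size` is assigned outside the hunk and presumably comes from the program header of the file being loaded, so this path now performs a heap allocation of a size chosen by that file; the failure is handled, but a one-line comment saying so would make the trade-off against the stack overflow explicit. open_verify begins and ends outside these hunks, and the `free (abi_note_malloced)` in the last hunk covers only the loop's normal completion as far as is visible here; any other exit from the loop body between the hunks that leaves the function would need the same free.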
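--- /dev/null
+++ b/elf/tst-big-note-lib.S
@@ -0,0 +1,26 @@
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
+Copyright (C) 2018 Free Software Foundation, Inc.
+This file is part of the GNU C Library.
+
+The GNU C Library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+The GNU C Library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with the GNU C Library; if not, see
+<http://www.gnu.org/licenses/>. */
+
+/* This creates a .so with 8MiB PT_NOTE segment.
+On a typical Linux system with 8MiB "ulimit -s", that was enough
+to trigger stack overflow in open_verify. */
+
+.pushsection .note.big,"a"
+.balign 4
+.fill 8*1024*1024, 1, 0
+.popsection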
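--- /dev/null
+++ b/elf/tst-big-note.c
@@ -0,0 +1,26 @@
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
+Copyright (C) 2018 Free Software Foundation, Inc.
+This file is part of the GNU C Library.
+
+The GNU C Library is free software; you can redistribute it and/or
+modify it under the terms of the GNU Lesser General Public
+License as published by the Free Software Foundation; either
+version 2.1 of the License, or (at your option) any later version.
+
+The GNU C Library is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+Lesser General Public License for more details.
+
+You should have received a copy of the GNU Lesser General Public
+License along with the GNU C Library; if not, see
+<http://www.gnu.org/licenses/>. */
+
+/* This file must be run from within a directory called "elf". */
+
+int main (int argc, char *argv[])
+{
+/* Nothing to do here: merely linking against tst-big-note-lib.so triggers
+the bug. */
+return 0;
+}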
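Review bot: `main` declares `argc` and `argv` but never reads them, and the comment above it about being run from a directory called "elf" describes nothing the code does, since the body is an immediate `return 0`. The signature can be `int main (void)`, and the directory comment should either be dropped or replaced with one that states why the location matters; the file gives no reason, so it looks like a line carried over from another test, but that is a guess. The comment inside `main` already documents the actual mechanism, that linking against tst-big-note-lib.so is the whole test, and is the part worth keeping.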