From patchwork Mon Apr 23 19:23:56 2018
X-Patchwork-Submitter: Paul Pluzhnikov
X-Patchwork-Id: 26911
From: Paul Pluzhnikov Date: Mon, 23 Apr 2018 19:23:56 +0000 Message-ID: Subject: [patch] Fix BZ 20419 -- stack overflow with huge PT_NOTE segment To: GLIBC Devel Greetings, Attached patch fixes BZ 20419 and adds a test case for it. Thanks, 2018-04-23 Paul Pluzhnikov [BZ #20419] * elf/dl-load.c (open_verify): Fix stack overflow. * elf/Makefile (tst-big-note): New test. * elf/tst-big-note-lib.S: New. * elf/tst-big-note.c: New. diff --git a/elf/Makefile b/elf/Makefile index e658928305..2dcd2b88e0 100644 --- a/elf/Makefile +++ b/elf/Makefile @@ -186,7 +186,7 @@ tests += restest1 preloadtest loadfail multiload origtest resolvfail \ tst-tlsalign tst-tlsalign-extern tst-nodelete-opened \ tst-nodelete2 tst-audit11 tst-audit12 tst-dlsym-error tst-noload \ tst-latepthread tst-tls-manydynamic tst-nodelete-dlclose \ - tst-debug1 tst-main1 tst-absolute-sym + tst-debug1 tst-main1 tst-absolute-sym tst-big-note # reldep9 tests-internal += loadtest unload unload2 circleload1 \ neededtest neededtest2 neededtest3 neededtest4 \ @@ -272,7 +272,9 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \ tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12 \ tst-latepthreadmod $(tst-tls-many-dynamic-modules) \ tst-nodelete-dlclose-dso tst-nodelete-dlclose-plugin \ - tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib + tst-main1mod tst-libc_dlvsym-dso tst-absolute-sym-lib \ + tst-big-note-lib + ifeq (yes,$(have-mtls-dialect-gnu2)) tests += tst-gnu2-tls1 modules-names += tst-gnu2-tls1mod @@ -1450,3 +1452,5 @@ $(objpfx)tst-libc_dlvsym-static: $(common-objpfx)dlfcn/libdl.a tst-libc_dlvsym-static-ENV = \ LD_LIBRARY_PATH=$(objpfx):$(common-objpfx):$(common-objpfx)dlfcn $(objpfx)tst-libc_dlvsym-static.out: $(objpfx)tst-libc_dlvsym-dso.so + +$(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so diff --git a/elf/dl-load.c b/elf/dl-load.c index a5e3a25462..496b7c3cb6 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c 
@@ -16,6 +16,7 @@ License along with the GNU C Library; if not, see . */ +#include #include #include #include @@ -1462,6 +1463,7 @@ open_verify (const char *name, int fd, ElfW(Ehdr) *ehdr; ElfW(Phdr) *phdr, *ph; ElfW(Word) *abi_note; + ElfW(Word) *abi_note_malloced = NULL; unsigned int osversion; size_t maplength; @@ -1633,10 +1635,22 @@ open_verify (const char *name, int fd, abi_note = (void *) (fbp->buf + ph->p_offset); else { - abi_note = alloca (size); + /* Note: __libc_use_alloca is not usable here, because + thread info may not have been set up yet. */ + if (size < __MAX_ALLOCA_CUTOFF) + abi_note = alloca (size); + else + { + abi_note_malloced = abi_note = malloc (size); + if (abi_note == NULL) + goto read_error; + } __lseek (fd, ph->p_offset, SEEK_SET); if (__libc_read (fd, (void *) abi_note, size) != size) - goto read_error; + { + free (abi_note_malloced); + goto read_error; + } } while (memcmp (abi_note, &expected_note, sizeof (expected_note))) @@ -1671,6 +1685,7 @@ open_verify (const char *name, int fd, break; } + free (abi_note_malloced); } return fd; diff --git a/elf/tst-big-note-lib.S b/elf/tst-big-note-lib.S new file mode 100644 index 0000000000..6b514a03cc --- /dev/null +++ b/elf/tst-big-note-lib.S 
@@ -0,0 +1,26 @@ +/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify() + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This creates a .so with 8MiB PT_NOTE segment. + On a typical Linux system with 8MiB "ulimit -s", that was enough + to trigger stack overflow in open_verify. */ + +.pushsection .note.big,"a" +.balign 4 +.fill 8*1024*1024, 1, 0 +.popsection diff --git a/elf/tst-big-note.c b/elf/tst-big-note.c new file mode 100644 index 0000000000..fcd2b0ed82 --- /dev/null +++ b/elf/tst-big-note.c 
@@ -0,0 +1,26 @@ +/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify() + Copyright (C) 2018 Free Software Foundation, Inc. + This file is part of the GNU C Library. + + The GNU C Library is free software; you can redistribute it and/or + modify it under the terms of the GNU Lesser General Public + License as published by the Free Software Foundation; either + version 2.1 of the License, or (at your option) any later version. + + The GNU C Library is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public + License along with the GNU C Library; if not, see + . */ + +/* This file must be run from within a directory called "elf". */ + +int main (int argc, char *argv[]) +{ + /* Nothing to do here: merely linking against tst-big-note-lib.so triggers + the bug. */ + return 0; +}
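Review bot: the elf/Makefile hunks are complete (test added to tests, the module to modules-names, and the link dependency on tst-big-note-lib.so), but because tst-big-note-lib.S is now assembled unconditionally for every target, please confirm that the .pushsection/.balign/.fill directives it uses assemble on all supported toolchains, or gate the test on the ones where they do.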
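Review bot: in the dl-load.c hunk at 1635, a failed malloc is routed to read_error, so an out-of-memory condition will be reported with whatever text that label emits for a short read; either add a comment that this is intentional or give the allocation failure its own error message. The threshold itself is the right fix for the bug: size is taken from the file's program header, so bounding alloca by __MAX_ALLOCA_CUTOFF is what stops an untrusted PT_NOTE from dictating the stack frame, and the comment explaining why __libc_use_alloca cannot be used here is worth keeping.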
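Review bot: the free (abi_note_malloced) added at 1685 covers only the normal fall-through out of the while (memcmp ...) loop; the loop body between the two dl-load.c hunks is not part of this patch, so please confirm it contains no goto into the error labels or other early exit that would now leak the malloc'd buffer, and that nothing after this point still dereferences abi_note. Since abi_note_malloced is initialised to NULL and free (NULL) is a no-op, the alloca case is fine as written.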
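Review bot: tst-big-note-lib.S relies on the linker placing the allocated .note.big section into a PT_NOTE segment; if a toolchain puts it elsewhere, open_verify never sees it and the test passes without exercising the bug, so consider a build- or run-time check that the resulting .so really carries a PT_NOTE of about 8 MiB. The comment also ties the failure to the 8 MiB default "ulimit -s": with a larger stack limit the pre-fix code would not have crashed, which is worth stating so a future reader does not take a pass as proof the path was exercised.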
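Review bot: the comment in tst-big-note.c that the file "must be run from within a directory called "elf"" does not correspond to anything the program does (main is empty) and looks carried over from another test; drop it or say what depends on the directory. glibc tests conventionally define static int do_test (void) and #include <support/test-driver.c> rather than an open-coded main; that gives the standard timeout handling and avoids the unused argc/argv parameters.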