| Message ID | 20210817184546.3330651-1-hjl.tools@gmail.com |
|---|---|
| State | Committed |
| Delegated to: | Florian Weimer |
| Headers |
Return-Path: <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id C1540396E013 for <patchwork@sourceware.org>; Tue, 17 Aug 2021 18:46:19 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org C1540396E013 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1629225979; bh=5ijg66MsUH8DSReLEfNDPQvnjszNl0PtLRnDZBm61k8=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=CXcvyEHy4mMxaWt/7V9dxtThJ6/y/gZZhB0f8Ik08XOMrwY7yv2Xi0s8MI9Q0hjqy hDBODDgN7Kh1u4+o2+rAs30z4Ppcl4E8vPBriRtIxbJ7FvKw4YZr5RpRxU4g0DOHi1 FII2rEsiGXgOrfIgl0HJODur8Y0P8xKJw7LQ7ikw= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from mail-pj1-x102b.google.com (mail-pj1-x102b.google.com [IPv6:2607:f8b0:4864:20::102b]) by sourceware.org (Postfix) with ESMTPS id 0ECA33861970 for <libc-alpha@sourceware.org>; Tue, 17 Aug 2021 18:45:49 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org 0ECA33861970 Received: by mail-pj1-x102b.google.com with SMTP id u21-20020a17090a8915b02901782c36f543so6764902pjn.4 for <libc-alpha@sourceware.org>; Tue, 17 Aug 2021 11:45:49 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version :content-transfer-encoding; bh=5ijg66MsUH8DSReLEfNDPQvnjszNl0PtLRnDZBm61k8=; b=aeThiCJQW5D0IEOxwHk6uWNNyjFesao4WJZZiW7jXZPZbFvtsTWlAEp0PQNJzwC6K1 0VpbOBl4BHPoRFGYlw91Y7VQC2awK8QgBEQ+8tdHDIAoL2ydPTM4gjU+n9AeyG+4dXAU 2GkyZiWf7RFH4cIDjJv8vjIKmhBVpUrrUI5OXDjTnTK3D2cJpkE7Ak2ge+1oQbaOH2DE ZmCspdbJoDR1OGQIH6kHbQlJMJjx75eSthodABRNzvAnWtJqCuLQlI/YA1hThSc9EhWs 0YeI+6OYHQsYnGL8ePIyEu16BPK07q0pd5cjTl5a7rACUKQSCUnl4TCmvUa7IzYAXm26 IKsg== X-Gm-Message-State: AOAM530ya1itJHISKfHTpoBUvuqHcbJnaudun8lZBnzb+kJM16DpbaV1 QfMvP3DOpc8RnyACByDGeiU= X-Google-Smtp-Source: ABdhPJxRB1DGiFUiUvod5dkGLM8OIS7dAvOB0eHVZrxBxyLz23P9hC0g0Kl1IzCjn/uSmDPOe1T7yA== X-Received: by 2002:a17:902:6bc1:b0:12d:7f02:f780 with SMTP id m1-20020a1709026bc100b0012d7f02f780mr3942953plt.55.1629225948239; Tue, 17 Aug 2021 11:45:48 -0700 (PDT) Received: from gnu-cfl-2.localdomain ([172.58.38.240]) by smtp.gmail.com with ESMTPSA id z2sm4428061pgz.43.2021.08.17.11.45.47 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 17 Aug 2021 11:45:47 -0700 (PDT) Received: from gnu-cfl-2.. (localhost [IPv6:::1]) by gnu-cfl-2.localdomain (Postfix) with ESMTP id 6D1B4C027B; Tue, 17 Aug 2021 11:45:46 -0700 (PDT) To: libc-alpha@sourceware.org Subject: [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609] Date: Tue, 17 Aug 2021 11:45:46 -0700 Message-Id: <20210817184546.3330651-1-hjl.tools@gmail.com> X-Mailer: git-send-email 2.31.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-3032.6 required=5.0 tests=BAYES_00, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, FREEMAIL_FROM, GIT_PATCH_0, RCVD_IN_DNSWL_NONE, SPF_HELO_NONE, SPF_PASS, TXREP, URIBL_BLACK autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list <libc-alpha.sourceware.org> List-Unsubscribe: <https://sourceware.org/mailman/options/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=unsubscribe> List-Archive: <https://sourceware.org/pipermail/libc-alpha/> List-Post: <mailto:libc-alpha@sourceware.org> List-Help: <mailto:libc-alpha-request@sourceware.org?subject=help> List-Subscribe: <https://sourceware.org/mailman/listinfo/libc-alpha>, <mailto:libc-alpha-request@sourceware.org?subject=subscribe> From: "H.J. Lu via Libc-alpha" <libc-alpha@sourceware.org> Reply-To: "H.J. Lu" <hjl.tools@gmail.com> Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" <libc-alpha-bounces+patchwork=sourceware.org@sourceware.org> |
| Series |
elf: Guard against __LM_ID_CALLER [BZ #27609]
|
|
Checks
| Context | Check | Description |
|---|---|---|
| dj/TryBot-apply_patch | success | Patch applied to master at the time it was sent |
| dj/TryBot-32bit | success | Build for i686 |
Commit Message
H.J. Lu
Aug. 17, 2021, 6:45 p.m. UTC
do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open fails in nptl/tst-setuid1 , we can reach 881 /* Avoid keeping around a dangling reference to the libc.so link 882 map in case it has been cached in libc_map. */ 883 if (!args.libc_already_loaded) 884 GL(dl_ns)[nsid].libc_map = NULL; 885 with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map to avoid buffer underflow. This fixes BZ #27609. --- elf/dl-open.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote: > > do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open > fails in nptl/tst-setuid1 , we can reach > > 881 /* Avoid keeping around a dangling reference to the libc.so link > 882 map in case it has been cached in libc_map. */ > 883 if (!args.libc_already_loaded) > 884 GL(dl_ns)[nsid].libc_map = NULL; > 885 > > with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map > to avoid buffer underflow. This fixes BZ #27609. > --- > elf/dl-open.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/elf/dl-open.c b/elf/dl-open.c > index e90287bc62..5c54df5b7f 100644 > --- a/elf/dl-open.c > +++ b/elf/dl-open.c > @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()")); > { > /* Avoid keeping around a dangling reference to the libc.so link > map in case it has been cached in libc_map. */ > - if (!args.libc_already_loaded) > + if (!args.libc_already_loaded && nsid >= 0) > GL(dl_ns)[nsid].libc_map = NULL; > > /* Remove the object from memory. It may be in an inconsistent > -- > 2.31.1 > PING.
On Mon, Sep 20, 2021 at 9:53 AM H.J. Lu <hjl.tools@gmail.com> wrote: > > On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote: > > > > do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open > > fails in nptl/tst-setuid1 , we can reach > > > > 881 /* Avoid keeping around a dangling reference to the libc.so link > > 882 map in case it has been cached in libc_map. */ > > 883 if (!args.libc_already_loaded) > > 884 GL(dl_ns)[nsid].libc_map = NULL; > > 885 > > > > with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map > > to avoid buffer underflow. This fixes BZ #27609. > > --- > > elf/dl-open.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/elf/dl-open.c b/elf/dl-open.c > > index e90287bc62..5c54df5b7f 100644 > > --- a/elf/dl-open.c > > +++ b/elf/dl-open.c > > @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()")); > > { > > /* Avoid keeping around a dangling reference to the libc.so link > > map in case it has been cached in libc_map. */ > > - if (!args.libc_already_loaded) > > + if (!args.libc_already_loaded && nsid >= 0) > > GL(dl_ns)[nsid].libc_map = NULL; > > > > /* Remove the object from memory. It may be in an inconsistent > > -- > > 2.31.1 > > > > PING. > Any comments on this patch?
diff --git a/elf/dl-open.c b/elf/dl-open.c index e90287bc62..5c54df5b7f 100644 --- a/elf/dl-open.c +++ b/elf/dl-open.c @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()")); { /* Avoid keeping around a dangling reference to the libc.so link map in case it has been cached in libc_map. */ - if (!args.libc_already_loaded) + if (!args.libc_already_loaded && nsid >= 0) GL(dl_ns)[nsid].libc_map = NULL; /* Remove the object from memory. It may be in an inconsistent