From patchwork Tue Aug 17 18:45:46 2021
X-Patchwork-Submitter: "H.J. Lu"
X-Patchwork-Id: 44683
X-Patchwork-Delegate: fweimer@redhat.com
To: libc-alpha@sourceware.org
Subject: [PATCH] elf: Guard against __LM_ID_CALLER [BZ #27609]
Date: Tue, 17 Aug 2021 11:45:46 -0700
Message-Id: <20210817184546.3330651-1-hjl.tools@gmail.com>
List-Id: Libc-alpha mailing list
From: "H.J. Lu"
Reply-To: "H.J. Lu"

do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2).  When _dl_open
fails in nptl/tst-setuid1, we can reach

881	  /* Avoid keeping around a dangling reference to the libc.so link
882	     map in case it has been cached in libc_map.  */
883	  if (!args.libc_already_loaded)
884	    GL(dl_ns)[nsid].libc_map = NULL;
885

with nsid == -2.  Guard against __LM_ID_CALLER before updating libc_map to
avoid buffer underflow.

This fixes BZ #27609.
---
 elf/dl-open.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/elf/dl-open.c b/elf/dl-open.c index e90287bc62..5c54df5b7f 100644 --- a/elf/dl-open.c +++ b/elf/dl-open.c @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()")); { /* Avoid keeping around a dangling reference to the libc.so link map in case it has been cached in libc_map. */ - if (!args.libc_already_loaded) + if (!args.libc_already_loaded && nsid >= 0) GL(dl_ns)[nsid].libc_map = NULL; /* Remove the object from memory. It may be in an inconsistent
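Review bot: the `nsid >= 0` guard in the `@@ -885,7 +885,7 @@` hunk stops the negative index into `GL(dl_ns)`, but it also turns the cleanup into a no-op exactly in the `__LM_ID_CALLER` case, and the commit message says do_dlopen always passes that sentinel, so the dangling libc_map that the comment directly above the condition says this block exists to clear is left in place for the ordinary dlopen() caller. Since `args` already carries state back from the open worker (`args.libc_already_loaded` is read on the same line), consider clearing the cache through the namespace the worker actually resolved the caller sentinel to, if it records that in `args`, rather than `nsid`, and reserve the skip for the case where no namespace was ever selected. Whichever way it goes, the condition deserves a one-line comment explaining why a negative nsid can reach this point, because `nsid >= 0` reads as a generic bounds check and silently covers LM_ID_NEWLM (-1) as well as __LM_ID_CALLER (-2).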
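The sentinel-as-index bug described in the commit message, as an added, self-contained model that is not glibc code and not part of this patch: a per-namespace table indexed by nsid, the two negative sentinels with glibc's real values (LM_ID_NEWLM is -1, __LM_ID_CALLER is -2), and three variants of the failure-path cleanup side by side. The pre-patch variant is shown as a bounds check rather than an actual out-of-bounds store, the patched variant skips the reset for negative nsid, and a third variant resolves the caller sentinel to a namespace index first. The table size, struct layout, function names and the explicit caller_ns argument are assumptions for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Added example, not glibc code.  Sentinel values match glibc; the
   table and functions are a simplified model (assumption). */
typedef long Lmid_t;
#define LM_ID_BASE       0
#define LM_ID_NEWLM     (-1)
#define __LM_ID_CALLER  (-2)  /* reserved name kept to match the patch */
#define DL_NNS          16    /* assumed table size */

struct ns_model {
    void *libc_map;   /* cached libc.so link map; NULL when not cached */
};

static struct ns_model dl_ns[DL_NNS];

/* Resolve a namespace argument to a table index, or return -1.
   __LM_ID_CALLER maps to the caller's namespace (passed in here;
   glibc's open worker derives it itself).  LM_ID_NEWLM is never a
   valid index: either a namespace was allocated, giving a real index,
   or the open failed before the table was touched. */
static long resolved_index(Lmid_t nsid, Lmid_t caller_ns)
{
    if (nsid == __LM_ID_CALLER)
        nsid = caller_ns;
    if (nsid < 0 || nsid >= DL_NNS)
        return -1;
    return nsid;
}

/* Pre-patch behaviour expressed as a check: true when the cleanup
   would index dl_ns with a negative nsid (the BZ #27609 write). */
static bool would_underflow(Lmid_t nsid, bool libc_already_loaded)
{
    return !libc_already_loaded && nsid < 0;
}

/* Patched behaviour: skip the reset unless nsid is a real index.
   Returns true when libc_map was actually cleared. */
static bool clear_guarded(Lmid_t nsid, bool libc_already_loaded)
{
    if (!libc_already_loaded && nsid >= 0 && nsid < DL_NNS) {
        dl_ns[nsid].libc_map = NULL;
        return true;
    }
    return false;
}

/* Alternative: resolve the sentinel, then clear in the namespace the
   failed open actually used.  Returns true when cleared. */
static bool clear_resolved(Lmid_t nsid, Lmid_t caller_ns,
                           bool libc_already_loaded)
{
    if (libc_already_loaded)
        return false;
    long idx = resolved_index(nsid, caller_ns);
    if (idx < 0)
        return false;   /* unresolvable sentinel: never index with it */
    dl_ns[idx].libc_map = NULL;
    return true;
}

/* Scenario from the report: a dlopen() issued from namespace 3 fails
   after pulling in a fresh libc.so, so dl_ns[3].libc_map was set.
   Each helper returns whether the stale entry survives the cleanup. */
static bool stale_after_guarded_cleanup(void)
{
    static int dummy_map;
    dl_ns[3].libc_map = &dummy_map;
    clear_guarded(__LM_ID_CALLER, false);   /* nsid still -2: skipped */
    return dl_ns[3].libc_map != NULL;
}

static bool stale_after_resolved_cleanup(void)
{
    static int dummy_map;
    dl_ns[3].libc_map = &dummy_map;
    clear_resolved(__LM_ID_CALLER, 3, false);   /* resolves to index 3 */
    return dl_ns[3].libc_map != NULL;
}

int main(void)
{
    printf("pre-patch would index dl_ns[-2]: %d\n",
           would_underflow(__LM_ID_CALLER, false));
    printf("stale libc_map with guard only:  %d\n",
           stale_after_guarded_cleanup());
    printf("stale libc_map after resolve:    %d\n",
           stale_after_resolved_cleanup());
    return 0;
}
```

The point of the third variant is that a negative nsid is not an error condition to be skipped but an unresolved argument: once the caller sentinel has been mapped to the namespace the open actually ran in, the original cleanup applies unchanged, and only a genuinely unresolvable sentinel (LM_ID_NEWLM after a failed allocation) takes the no-op path.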