[v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
Commit Message
Alex Dowad wrote:
> _dl_error_printf ("\
> warning: debug option `%.*s' unknown; try LD_DEBUG=help\n", (int)len, dl_debug);
Since this patch is about security, I suggest truncating the diagnostic a bit
less randomly (as the above code will do if len exceeds INT_MAX). It can cause
trouble to the user to get gigabyte-long diagnostics, and nothing after the
first few bytes is helpful for diagnosis anyway. Plus, while we're at it, the
indenting should be fixed and we shouldn't quote with grave accent. Something
like the attached (untested) patch, perhaps.
@@ -2504,9 +2504,10 @@ process_dl_debug (const char *dl_debug)
{
/* Display a warning and skip everything until next
separator. */
- char *copy = strndupa (dl_debug, len);
- _dl_error_printf ("\
-warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
+ int deblen = MIN (len, 100);
+ _dl_error_printf (("warning: debug option '%.*s'%s unknown;"
+ " try LD_DEBUG=help\n"),
+ deblen, dl_debug, len < 100 ? "" : "...");
}
dl_debug += len;