From patchwork Tue Oct 23 11:57:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Andreas Schwab X-Patchwork-Id: 29849 Received: (qmail 41278 invoked by alias); 23 Oct 2018 11:57:48 -0000 Mailing-List: contact libc-alpha-help@sourceware.org; run by ezmlm Precedence: bulk List-Id: List-Unsubscribe: List-Subscribe: List-Archive: List-Post: List-Help: , Sender: libc-alpha-owner@sourceware.org Delivered-To: mailing list libc-alpha@sourceware.org Received: (qmail 41267 invoked by uid 89); 23 Oct 2018 11:57:48 -0000 Authentication-Results: sourceware.org; auth=none X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00, GIT_PATCH_0, GIT_PATCH_1, GIT_PATCH_2, GIT_PATCH_3, SPF_PASS autolearn=ham version=3.3.2 spammy= X-HELO: mx1.suse.de From: Andreas Schwab To: libc-alpha@sourceware.org Subject: [PATCH] Add more checks for valid ld.so.cache file (bug 18093) X-Yow: TAPPING? You POLITICIANS! Don't you realize that the END of the ``Wash Cycle'' is a TREASURED MOMENT for most people?! Date: Tue, 23 Oct 2018 13:57:44 +0200 Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux) MIME-Version: 1.0 [BZ #18093] * elf/dl-cache.c (_dl_load_cache_lookup): Check for truncated old format cache. * elf/cache.c (print_cache): Likewise. --- elf/cache.c | 5 +++++ elf/dl-cache.c | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/elf/cache.c b/elf/cache.c index e63979da7d..83de25484b 100644 --- a/elf/cache.c +++ b/elf/cache.c @@ -199,6 +199,11 @@ print_cache (const char *cache_name) } else { + /* Check for overflow. */ + if ((cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry) + < cache->nlibs) + error (EXIT_FAILURE, 0, _("File is not a cache file.\n")); + size_t offset = ALIGN_CACHE (sizeof (struct cache_file) + (cache->nlibs * sizeof (struct file_entry))); diff --git a/elf/dl-cache.c b/elf/dl-cache.c index 6ee5153ff9..0f5d035213 100644 --- a/elf/dl-cache.c 
+++ b/elf/dl-cache.c @@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name) - only the new format The following checks if the cache contains any of these formats. */ if (file != MAP_FAILED && cachesize > sizeof *cache - && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0) + && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0 + /* Check for overflow. */ + && ((cachesize - sizeof *cache) / sizeof (struct file_entry) + >= ((struct cache_file *) file)->nlibs)) { size_t offset; /* Looks ok. */
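Review bot: in the elf/cache.c hunk, the new guard at the top of the `else` branch of print_cache computes `cache_size - sizeof (struct cache_file)` with no check visible in the hunk that `cache_size` is at least the header size; if that check lives earlier in the function it is fine, but if not, the unsigned subtraction wraps and the `< cache->nlibs` comparison silently passes for a file shorter than the header. Folding the header check into the same condition removes the dependency on context that is not in this hunk, e.g. `if (cache_size < sizeof (struct cache_file) || (cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry) < cache->nlibs)`. The comment `/* Check for overflow. */` also undersells what the test does: it rejects a cache whose `nlibs` claims more old-format entries than the file can hold, and dividing instead of multiplying is what keeps the arithmetic itself from overflowing; a comment that says both makes the intent clear to the next reader.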
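Review bot: in the elf/dl-cache.c hunk, the added condition is only safe because it sits after `cachesize > sizeof *cache` in the same `&&` chain, which guarantees the header is fully mapped before `((struct cache_file *) file)->nlibs` is read and that `cachesize - sizeof *cache` cannot wrap; that ordering is load-bearing and the comment `/* Check for overflow. */` does not say so, so a later reordering of the conditions would quietly reintroduce the out-of-bounds read this patch closes. Suggest spelling it out, e.g. `/* Reject a truncated old-format cache: nlibs entries must fit in the mapping (the header size check above makes the subtraction safe).  */`. It would also help to state, in the comment or the commit message, that this covers the old-format `file_entry` table only and that the new-format table reached via `offset` still relies on its own bounds checks, so nobody reads this as complete validation of the file.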