elf: Guard against __LM_ID_CALLER [BZ #27609]
Checks
Context |
Check |
Description |
dj/TryBot-apply_patch |
success
|
Patch applied to master at the time it was sent
|
dj/TryBot-32bit |
success
|
Build for i686
|
Commit Message
do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open
fails in nptl/tst-setuid1 , we can reach
881 /* Avoid keeping around a dangling reference to the libc.so link
882 map in case it has been cached in libc_map. */
883 if (!args.libc_already_loaded)
884 GL(dl_ns)[nsid].libc_map = NULL;
885
with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map
to avoid buffer underflow. This fixes BZ #27609.
---
elf/dl-open.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
Comments
On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open
> fails in nptl/tst-setuid1 , we can reach
>
> 881 /* Avoid keeping around a dangling reference to the libc.so link
> 882 map in case it has been cached in libc_map. */
> 883 if (!args.libc_already_loaded)
> 884 GL(dl_ns)[nsid].libc_map = NULL;
> 885
>
> with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map
> to avoid buffer underflow. This fixes BZ #27609.
> ---
> elf/dl-open.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/elf/dl-open.c b/elf/dl-open.c
> index e90287bc62..5c54df5b7f 100644
> --- a/elf/dl-open.c
> +++ b/elf/dl-open.c
> @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
> {
> /* Avoid keeping around a dangling reference to the libc.so link
> map in case it has been cached in libc_map. */
> - if (!args.libc_already_loaded)
> + if (!args.libc_already_loaded && nsid >= 0)
> GL(dl_ns)[nsid].libc_map = NULL;
>
> /* Remove the object from memory. It may be in an inconsistent
> --
> 2.31.1
>
PING.
On Mon, Sep 20, 2021 at 9:53 AM H.J. Lu <hjl.tools@gmail.com> wrote:
>
> On Tue, Aug 17, 2021 at 11:45 AM H.J. Lu <hjl.tools@gmail.com> wrote:
> >
> > do_dlopen calls _dl_open with nsid == __LM_ID_CALLER (-2). When _dl_open
> > fails in nptl/tst-setuid1 , we can reach
> >
> > 881 /* Avoid keeping around a dangling reference to the libc.so link
> > 882 map in case it has been cached in libc_map. */
> > 883 if (!args.libc_already_loaded)
> > 884 GL(dl_ns)[nsid].libc_map = NULL;
> > 885
> >
> > with nsid == -2. Guard against __LM_ID_CALLER before updating libc_map
> > to avoid buffer underflow. This fixes BZ #27609.
> > ---
> > elf/dl-open.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/elf/dl-open.c b/elf/dl-open.c
> > index e90287bc62..5c54df5b7f 100644
> > --- a/elf/dl-open.c
> > +++ b/elf/dl-open.c
> > @@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
> > {
> > /* Avoid keeping around a dangling reference to the libc.so link
> > map in case it has been cached in libc_map. */
> > - if (!args.libc_already_loaded)
> > + if (!args.libc_already_loaded && nsid >= 0)
> > GL(dl_ns)[nsid].libc_map = NULL;
> >
> > /* Remove the object from memory. It may be in an inconsistent
> > --
> > 2.31.1
> >
>
> PING.
>
Any comments on this patch?
@@ -885,7 +885,7 @@ no more namespaces available for dlmopen()"));
{
/* Avoid keeping around a dangling reference to the libc.so link
map in case it has been cached in libc_map. */
- if (!args.libc_already_loaded)
+ if (!args.libc_already_loaded && nsid >= 0)
GL(dl_ns)[nsid].libc_map = NULL;
/* Remove the object from memory. It may be in an inconsistent