From patchwork Mon Sep 4 17:03:32 2023
X-Patchwork-Submitter: Peter Edwards
X-Patchwork-Id: 75232
To: libc-alpha@sourceware.org
Cc: schwab@suse.de, Peter Edwards
Subject: [PATCH v2] elf: Avoid pointer-arithmetic underflow in ldconfig
Date: Mon, 4 Sep 2023 18:03:32 +0100
Message-ID: <20230904170332.398424-1-peadar@arista.com>
List-Id: Libc-alpha mailing list
From: Peter Edwards

For a 64-bit ldconfig, running on a 32-bit library, if the p_vaddr field of the
segment containing the dynamic strings is less than its p_offset, then using
ElfW(Off) for the arithmetic leads to a truncated unsigned value for pointer
arithmetic. Instead, use intptr_t for loadoff, and cast the p_vaddr and
p_offset fields to same. Also, given negative values are possible, use
INTPTR_MAX instead of -1 as a better sentinel to indicate the value is unset.

Expected behaviour: 64-bit `ldconfig` runs silently, updating cache

Observed behaviour: `ldconfig` reports

```
ldconfig: file is truncated
```

... for any 32-bit ELF libs with dynamic strings in a segment with p_vaddr > p_offset

Signed-off-by: Peter Edwards
---
 elf/readelflib.c | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/elf/readelflib.c b/elf/readelflib.c index f5b8c80e38..efab08ce3c 100644 --- a/elf/readelflib.c +++ b/elf/readelflib.c @@ -203,7 +203,7 @@ done: { /* Find the file offset of the segment containing the dynamic string table. */ - ElfW(Off) loadoff = -1; + intptr_t loadoff = INTPTR_MAX; for (i = 0, segment = elf_pheader; i < elf_header->e_phnum; i++, segment++) { @@ -212,11 +212,15 @@ done: && (dyn_entry->d_un.d_val - segment->p_vaddr < segment->p_filesz)) { - loadoff = segment->p_vaddr - segment->p_offset; + /* Note loadoff may be negative - the ELF headers may not be + in a loadable segment, and the first loadable segment + may be at a p_offset > 0, but p_vaddr == 0 */ + loadoff = (intptr_t)segment->p_vaddr - + (intptr_t)segment->p_offset; break; } } - if (loadoff == (ElfW(Off)) -1) + if (loadoff == INTPTR_MAX) { /* Very strange. */ loadoff = 0;
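Review bot: the first hunk (`@@ -203,7 +203,7 @@`) introduces `intptr_t` and `INTPTR_MAX` but the patch adds no `#include <stdint.h>`; unless readelflib.c already gets it transitively through readlib.c, this will fail to compile, and even if it does build today it is fragile, so please include `<stdint.h>` explicitly alongside the file's other includes.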
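Review bot: in the second hunk (`@@ -212,11 +212,15 @@`) the casts `(intptr_t)segment->p_vaddr - (intptr_t)segment->p_offset` operate on values read straight from the library being scanned; for a 64-bit ELF a p_vaddr or p_offset above INTPTR_MAX converts with implementation-defined results, and since ldconfig walks every library in its search paths, a short range check, or at least a comment saying why the later pointer bounds check makes this harmless, would be worth adding. Style: the new comment should end with a period and two spaces before `*/` per glibc convention, and GNU style puts the binary operator at the start of the continuation line with a space after the cast, i.e. `loadoff = ((intptr_t) segment->p_vaddr` / `- (intptr_t) segment->p_offset);`.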
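As an added illustration (not part of this patch or of glibc), the following C program models the segment-selection loop and the pointer arithmetic the two hunks change, using constructed 32-bit program-header values; it assumes a 64-bit host, as in the report, so that `intptr_t` is 64 bits wide.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed 32-bit program-header fields (hypothetical values); names
   follow the Elf32_Phdr members the patched loop reads. */
typedef struct {
    uint32_t p_vaddr;   /* Elf32_Addr */
    uint32_t p_offset;  /* Elf32_Off  */
    uint32_t p_filesz;  /* Elf32_Off  */
} seg32;

/* Same selection test as the hunk: pick the segment whose file-backed
   part contains the DT_STRTAB address d_val and store the signed load
   offset.  Returns false, leaving the INTPTR_MAX sentinel, on no match. */
static bool find_loadoff(const seg32 *segs, size_t n, uint32_t d_val,
                         intptr_t *loadoff)
{
    *loadoff = INTPTR_MAX;
    for (size_t i = 0; i < n; i++)
        if (d_val - segs[i].p_vaddr < segs[i].p_filesz) {
            *loadoff = (intptr_t) segs[i].p_vaddr - (intptr_t) segs[i].p_offset;
            return true;
        }
    return false;
}

/* Pre-patch arithmetic: loadoff is Elf32_Off, so p_vaddr - p_offset wraps
   (0 - 0x1000 becomes 0xFFFFF000) and is zero-extended, not sign-extended,
   when subtracted from a 64-bit pointer.  Returns the byte index that
   file_contents + d_val - loadoff would denote. */
static int64_t strtab_index_before(const seg32 *s, uint32_t d_val)
{
    uint32_t loadoff = s->p_vaddr - s->p_offset;
    return (int64_t) d_val - (int64_t) loadoff;
}

/* Post-patch arithmetic: a signed difference, negative when
   p_vaddr < p_offset, so subtracting it moves forward into the file. */
static int64_t strtab_index_after(const seg32 *s, uint32_t d_val)
{
    intptr_t loadoff = (intptr_t) s->p_vaddr - (intptr_t) s->p_offset;
    return (int64_t) d_val - (int64_t) loadoff;
}

/* The pointer bounds check in readelflib.c; failing it prints "file is truncated". */
static bool in_file(int64_t index, int64_t file_length)
{
    return index >= 0 && index <= file_length;
}
```

With a segment mapped at vaddr 0 but stored at file offset 0x1000, the pre-patch index lands billions of bytes before the buffer and trips the bounds check, while the patched signed offset resolves to the correct position inside the file.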