diff mbox

[v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG

Message ID 55C8C56D.6080805@cs.ucla.edu
State Superseded
Headers show

Commit Message

Paul Eggert Aug. 10, 2015, 3:38 p.m. UTC
Alex Dowad wrote:

>   	      _dl_error_printf ("\
> warning: debug option `%.*s' unknown; try LD_DEBUG=help\n", (int)len, dl_debug);

Since this patch is about security, I suggest truncating the diagnostic a bit 
less randomly (as the above code will do if len exceeds INT_MAX).  It can cause 
trouble to the user to get gigabyte-long diagnostics, and nothing after the 
first few bytes is helpful for diagnosis anyway.  Plus, while we're at it, the 
indenting should be fixed and we shouldn't quote with grave accent.  Something 
like the attached (untested) patch, perhaps.
diff mbox


diff --git a/elf/rtld.c b/elf/rtld.c
index 6bcf224..a6e81ce 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2504,9 +2504,10 @@  process_dl_debug (const char *dl_debug)
 	      /* Display a warning and skip everything until next
 		 separator.  */
-	      char *copy = strndupa (dl_debug, len);
-	      _dl_error_printf ("\
-warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
+	      int deblen = MIN (len, 100);
+	      _dl_error_printf (("warning: debug option '%.*s'%s unknown;"
+				 " try LD_DEBUG=help\n"),
+				deblen, dl_debug, len < 100 ? "" : "...");
 	  dl_debug += len;