From patchwork Fri Nov 5 16:28:35 2021 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Florian Weimer X-Patchwork-Id: 47124 Return-Path: X-Original-To: patchwork@sourceware.org Delivered-To: patchwork@sourceware.org Received: from server2.sourceware.org (localhost [IPv6:::1]) by sourceware.org (Postfix) with ESMTP id 519EC385842A for ; Fri, 5 Nov 2021 16:29:35 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 sourceware.org 519EC385842A DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sourceware.org; s=default; t=1636129775; bh=y0MmvkH+/nqu40+JW7VUh18Xu2eaFpxdA4v5ApjUlBc=; h=To:Subject:Date:List-Id:List-Unsubscribe:List-Archive:List-Post: List-Help:List-Subscribe:From:Reply-To:From; b=hntwjZdPl9OibI6IpYpmGYGB799x/vt39aUMBnmQxTf+WxbrB+k5ut9Cwks/8/mxw +XoF3d+qZ8IsKluWh1sc5EeO6Q4iCufHYJncwQ9+Sc1QIiyJZavYaRT4Qlq9t5tRFz vb0NXheI80wtOAEOBLXdxvE4OB+4qpVzyTAFMJUI= X-Original-To: libc-alpha@sourceware.org Delivered-To: libc-alpha@sourceware.org Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) by sourceware.org (Postfix) with ESMTPS id DE6E83858D35 for ; Fri, 5 Nov 2021 16:29:13 +0000 (GMT) DMARC-Filter: OpenDMARC Filter v1.4.1 sourceware.org DE6E83858D35 Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-49-ZoW4yfWjMPmQ68bXn1I_Nw-1; Fri, 05 Nov 2021 12:29:10 -0400 X-MC-Unique: ZoW4yfWjMPmQ68bXn1I_Nw-1 Received: from smtp.corp.redhat.com (int-mx04.intmail.prod.int.phx2.redhat.com [10.5.11.14]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id A409518A2250 for ; Fri, 5 Nov 2021 16:28:37 +0000 (UTC) Received: from oldenburg.str.redhat.com (unknown [10.39.192.25]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 04A885D9D3 for ; Fri, 5 Nov 2021 16:28:36 +0000 (UTC) To: libc-alpha@sourceware.org Subject: [PATCH] elf: Earlier missing dynamic segment check in _dl_map_object_from_fd Date: Fri, 05 Nov 2021 17:28:35 +0100 Message-ID: <877ddmtvm4.fsf@oldenburg.str.redhat.com> User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.2 (gnu/linux) MIME-Version: 1.0 X-Scanned-By: MIMEDefang 2.79 on 10.5.11.14 X-Mimecast-Spam-Score: 0 X-Mimecast-Originator: redhat.com X-Spam-Status: No, score=-12.6 required=5.0 tests=BAYES_00, DKIMWL_WL_HIGH, DKIM_SIGNED, DKIM_VALID, DKIM_VALID_AU, DKIM_VALID_EF, GIT_PATCH_0, RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H4, RCVD_IN_MSPIKE_WL, SPF_HELO_NONE, SPF_NONE, TXREP autolearn=ham autolearn_force=no version=3.4.4 X-Spam-Checker-Version: SpamAssassin 3.4.4 (2020-01-24) on server2.sourceware.org X-BeenThere: libc-alpha@sourceware.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: Libc-alpha mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-Patchwork-Original-From: Florian Weimer via Libc-alpha From: Florian Weimer Reply-To: Florian Weimer Errors-To: libc-alpha-bounces+patchwork=sourceware.org@sourceware.org Sender: "Libc-alpha" Separated debuginfo files have PT_DYNAMIC with p_filesz == 0. We need to check for that before the _dl_map_segments call because that could attempt to write to mappings that extend beyond the end of the file, resulting in SIGBUS. Tested on i686-linux-gnu, x86_64-linux-gnu. It fixes the elf/tst-debug1 failure on aarch64 for me, too. build-many-glibcs.py is still running, but initial results look good. Thanks, Florian --- elf/dl-load.c | 22 ++++++++++++---------- 1 file changed, 12 insertions(+), 10 deletions(-) diff --git a/elf/dl-load.c b/elf/dl-load.c index a1f1682188..a51b115a84 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -1135,6 +1135,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, struct loadcmd loadcmds[l->l_phnum]; size_t nloadcmds = 0; bool has_holes = false; + bool empty_dynamic = false; /* The struct is initialized to zero so this is not necessary: l->l_ld = 0; @@ -1147,7 +1148,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, segments are mapped in. We record the addresses it says verbatim, and later correct for the run-time load address. */ case PT_DYNAMIC: - if (ph->p_filesz) + if (ph->p_filesz == 0) + empty_dynamic = true; /* Usually separate debuginfo. */ + else { /* Debuginfo only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Skip @@ -1270,6 +1273,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, goto lose; } + /* This check recognizes most separate debuginfo files. */ + if (__glibc_unlikely (l->l_ld == 0 && type == ET_DYN) || empty_dynamic) + { + errstring = N_("object file has no dynamic section"); + goto lose; + } + /* Length of the sections to be loaded. */ maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart; @@ -1287,15 +1297,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, } } - if (l->l_ld == 0) - { - if (__glibc_unlikely (type == ET_DYN)) - { - errstring = N_("object file has no dynamic section"); - goto lose; - } - } - else + if (l->l_ld != 0) l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr); elf_get_dynamic_info (l, false, false);