author | Florian Weimer <fweimer@redhat.com> | 2021-11-05 17:01:24 +0100 |
---|---|---|
committer | Florian Weimer <fweimer@redhat.com> | 2021-11-05 19:34:16 +0100 |
commit | ea32ec354c65ddad11b82ca9d057010df13a9cea (patch) | |
tree | ecc543a6270d1ab51b1ac4b27a720f0577be8046 | |
parent | ff012870b2c02a62598c04daa1e54632e020fd7d (diff) | |
elf: Earlier missing dynamic segment check in _dl_map_object_from_fd
Separated debuginfo files have PT_DYNAMIC with p_filesz == 0. We
need to check for that before the _dl_map_segments call because
that could attempt to write to mappings that extend beyond the end
of the file, resulting in SIGBUS.
Reviewed-by: H.J. Lu <hjl.tools@gmail.com>
-rw-r--r-- | elf/dl-load.c | 22 |
1 files changed, 12 insertions, 10 deletions
diff --git a/elf/dl-load.c b/elf/dl-load.c
index a1f1682..9f4fa96 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1135,6 +1135,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 struct loadcmd loadcmds[l->l_phnum];
 size_t nloadcmds = 0;
 bool has_holes = false;
+ bool empty_dynamic = false;
 
 /* The struct is initialized to zero so this is not necessary:
 l->l_ld = 0;
@@ -1147,7 +1148,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 segments are mapped in. We record the addresses it says
 verbatim, and later correct for the run-time load address. */
 case PT_DYNAMIC:
- if (ph->p_filesz)
+ if (ph->p_filesz == 0)
+ empty_dynamic = true; /* Usually separate debuginfo. */
+ else
 {
 /* Debuginfo only files from "objcopy --only-keep-debug"
 contain a PT_DYNAMIC segment with p_filesz == 0. Skip
@@ -1270,6 +1273,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 goto lose;
 }
 
+ /* This check recognizes most separate debuginfo files. */
+ if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic))
+ {
+ errstring = N_("object file has no dynamic section");
+ goto lose;
+ }
+
 /* Length of the sections to be loaded. */
 maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart;
 
@@ -1287,15 +1297,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 }
 }
 
- if (l->l_ld == 0)
- {
- if (__glibc_unlikely (type == ET_DYN))
- {
- errstring = N_("object file has no dynamic section");
- goto lose;
- }
- }
- else
+ if (l->l_ld != 0)
 l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr);
 
 elf_get_dynamic_info (l, false, false); |
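Review bot: The comment that opens the new `else` block in the PT_DYNAMIC case ("Debuginfo only files from "objcopy --only-keep-debug" contain a PT_DYNAMIC segment with p_filesz == 0. Skip ...") now sits on the branch taken when `p_filesz` is non-zero, so it describes the case that the `if` above it has already diverted. I would move that explanation up to the `p_filesz == 0` branch, for example `/* Debuginfo-only files from "objcopy --only-keep-debug" have an empty PT_DYNAMIC; remember that and reject the object before mapping. */`, and leave the `else` block with a short comment on what it records. The comment and the block continue past the end of the hunk, so the rest of the old wording is not visible here.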
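Review bot: The guard added ahead of the `maplength` computation keys only on PT_DYNAMIC, and its own comment says it recognizes "most" separate debuginfo files. A truncated or otherwise malformed object whose load segments extend past end of file would presumably still reach `_dl_map_segments` and take the same SIGBUS. Since the loader can be pointed at files it does not control, the stronger defence is to compare each load command's file extent with the actual file size before mapping; whether that size is available at this point is not visible in the hunk. At minimum the comment should state the limit, e.g. `/* Heuristic only: PT_LOAD file extents are not checked against the file size here. */`. The function body starts and ends outside the hunk.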