diff options
Diffstat (limited to 'elf-Earlier-missing-dynamic-segment-check-in-_dl_map.patch')
| -rw-r--r-- | elf-Earlier-missing-dynamic-segment-check-in-_dl_map.patch | 73 |
1 files changed, 73 insertions, 0 deletions
diff --git a/elf-Earlier-missing-dynamic-segment-check-in-_dl_map.patch b/elf-Earlier-missing-dynamic-segment-check-in-_dl_map.patch new file mode 100644 index 0000000..3d5bd60 --- /dev/null +++ b/elf-Earlier-missing-dynamic-segment-check-in-_dl_map.patch @@ -0,0 +1,73 @@ +From ea32ec354c65ddad11b82ca9d057010df13a9cea Mon Sep 17 00:00:00 2001 +From: Florian Weimer <fweimer@redhat.com> +Date: Fri, 5 Nov 2021 17:01:24 +0100 +Subject: [PATCH] elf: Earlier missing dynamic segment check in + _dl_map_object_from_fd + +Separated debuginfo files have PT_DYNAMIC with p_filesz == 0. We +need to check for that before the _dl_map_segments call because +that could attempt to write to mappings that extend beyond the end +of the file, resulting in SIGBUS. + +Reviewed-by: H.J. Lu <hjl.tools@gmail.com> +--- + elf/dl-load.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +diff --git a/elf/dl-load.c b/elf/dl-load.c +index a1f1682..9f4fa96 100644 +--- a/elf/dl-load.c ++++ b/elf/dl-load.c +@@ -1135,6 +1135,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + struct loadcmd loadcmds[l->l_phnum]; + size_t nloadcmds = 0; + bool has_holes = false; ++ bool empty_dynamic = false; + + /* The struct is initialized to zero so this is not necessary: + l->l_ld = 0; +@@ -1147,7 +1148,9 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + segments are mapped in. We record the addresses it says + verbatim, and later correct for the run-time load address. */ + case PT_DYNAMIC: +- if (ph->p_filesz) ++ if (ph->p_filesz == 0) ++ empty_dynamic = true; /* Usually separate debuginfo. */ ++ else + { + /* Debuginfo only files from "objcopy --only-keep-debug" + contain a PT_DYNAMIC segment with p_filesz == 0. Skip +@@ -1270,6 +1273,13 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + goto lose; + } + ++ /* This check recognizes most separate debuginfo files. */ ++ if (__glibc_unlikely ((l->l_ld == 0 && type == ET_DYN) || empty_dynamic)) ++ { ++ errstring = N_("object file has no dynamic section"); ++ goto lose; ++ } ++ + /* Length of the sections to be loaded. */ + maplength = loadcmds[nloadcmds - 1].allocend - loadcmds[0].mapstart; + +@@ -1287,15 +1297,7 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, + } + } + +- if (l->l_ld == 0) +- { +- if (__glibc_unlikely (type == ET_DYN)) +- { +- errstring = N_("object file has no dynamic section"); +- goto lose; +- } +- } +- else ++ if (l->l_ld != 0) + l->l_ld = (ElfW(Dyn) *) ((ElfW(Addr)) l->l_ld + l->l_addr); + + elf_get_dynamic_info (l); +-- +1.8.3.1 + |