|
|
00db10 |
commit 0065aaaaae51cd60210ec3a7e13dddd8e01ffe2c
|
|
|
00db10 |
Author: Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
|
00db10 |
Date: Sat May 5 18:08:27 2018 -0700
|
|
|
00db10 |
|
|
|
00db10 |
Fix BZ 20419. A PT_NOTE in a binary could be arbitratily large, so using
|
|
|
00db10 |
alloca for it may cause stack overflow. If the note is larger than
|
|
|
00db10 |
__MAX_ALLOCA_CUTOFF, use dynamically allocated memory to read it in.
|
|
|
00db10 |
|
|
|
00db10 |
2018-05-05 Paul Pluzhnikov <ppluzhnikov@google.com>
|
|
|
00db10 |
|
|
|
00db10 |
[BZ #20419]
|
|
|
00db10 |
* elf/dl-load.c (open_verify): Fix stack overflow.
|
|
|
00db10 |
* elf/Makefile (tst-big-note): New test.
|
|
|
00db10 |
* elf/tst-big-note-lib.S: New.
|
|
|
00db10 |
* elf/tst-big-note.c: New.
|
|
|
00db10 |
|
|
|
00db10 |
Minor textual conflicts and elf/Makefile due to continued upstream
|
|
|
00db10 |
development.
|
|
|
00db10 |
|
|
|
00db10 |
diff --git a/elf/Makefile b/elf/Makefile
|
|
|
00db10 |
index dea66ca1c12e5c29..b46b3a0e3542a06f 100644
|
|
|
00db10 |
--- a/elf/Makefile
|
|
|
00db10 |
+++ b/elf/Makefile
|
|
|
00db10 |
@@ -151,7 +151,8 @@ tests += loadtest restest1 preloadtest loadfail multiload origtest resolvfail \
|
|
|
00db10 |
tst-audit1 tst-audit2 tst-audit8 tst-audit9 \
|
|
|
00db10 |
tst-stackguard1 tst-addr1 tst-thrlock \
|
|
|
00db10 |
tst-unique1 tst-unique2 tst-unique3 tst-unique4 \
|
|
|
00db10 |
- tst-initorder tst-initorder2 tst-relsort1 tst-ptrguard1
|
|
|
00db10 |
+ tst-initorder tst-initorder2 tst-relsort1 tst-ptrguard1 \
|
|
|
00db10 |
+ tst-big-note
|
|
|
00db10 |
# reldep9
|
|
|
00db10 |
test-srcs = tst-pathopt
|
|
|
00db10 |
selinux-enabled := $(shell cat /selinux/enforce 2> /dev/null)
|
|
|
00db10 |
@@ -223,7 +224,9 @@ modules-names = testobj1 testobj2 testobj3 testobj4 testobj5 testobj6 \
|
|
|
00db10 |
tst-relsort1mod1 tst-relsort1mod2 tst-array2dep \
|
|
|
00db10 |
tst-array5dep \
|
|
|
00db10 |
tst-audit11mod1 tst-audit11mod2 tst-auditmod11 \
|
|
|
00db10 |
- tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12
|
|
|
00db10 |
+ tst-audit12mod1 tst-audit12mod2 tst-audit12mod3 tst-auditmod12 \
|
|
|
00db10 |
+ tst-big-note-lib
|
|
|
00db10 |
+
|
|
|
00db10 |
ifeq (yesyes,$(have-fpie)$(build-shared))
|
|
|
00db10 |
modules-names += tst-piemod1
|
|
|
00db10 |
tests += tst-pie1
|
|
|
00db10 |
@@ -1234,3 +1237,5 @@ $(objpfx)tst-audit12: $(libdl)
|
|
|
00db10 |
tst-audit12-ENV = LD_AUDIT=$(objpfx)tst-auditmod12.so
|
|
|
00db10 |
$(objpfx)tst-audit12mod1.so: $(objpfx)tst-audit12mod2.so
|
|
|
00db10 |
LDFLAGS-tst-audit12mod2.so = -Wl,--version-script=tst-audit12mod2.map
|
|
|
00db10 |
+
|
|
|
00db10 |
+$(objpfx)tst-big-note: $(objpfx)tst-big-note-lib.so
|
|
|
00db10 |
diff --git a/elf/dl-load.c b/elf/dl-load.c
|
|
|
00db10 |
index 7466b686244e55b2..013efdb3814700d3 100644
|
|
|
00db10 |
--- a/elf/dl-load.c
|
|
|
00db10 |
+++ b/elf/dl-load.c
|
|
|
00db10 |
@@ -1744,6 +1744,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
|
|
|
00db10 |
ElfW(Ehdr) *ehdr;
|
|
|
00db10 |
ElfW(Phdr) *phdr, *ph;
|
|
|
00db10 |
ElfW(Word) *abi_note;
|
|
|
00db10 |
+ ElfW(Word) *abi_note_malloced = NULL;
|
|
|
00db10 |
unsigned int osversion;
|
|
|
00db10 |
size_t maplength;
|
|
|
00db10 |
|
|
|
00db10 |
@@ -1889,10 +1890,25 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
|
|
|
00db10 |
abi_note = (void *) (fbp->buf + ph->p_offset);
|
|
|
00db10 |
else
|
|
|
00db10 |
{
|
|
|
00db10 |
- abi_note = alloca (size);
|
|
|
00db10 |
+ /* Note: __libc_use_alloca is not usable here, because
|
|
|
00db10 |
+ thread info may not have been set up yet. */
|
|
|
00db10 |
+ if (size < __MAX_ALLOCA_CUTOFF)
|
|
|
00db10 |
+ abi_note = alloca (size);
|
|
|
00db10 |
+ else
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ /* There could be multiple PT_NOTEs. */
|
|
|
00db10 |
+ abi_note_malloced = realloc (abi_note_malloced, size);
|
|
|
00db10 |
+ if (abi_note_malloced == NULL)
|
|
|
00db10 |
+ goto read_error;
|
|
|
00db10 |
+
|
|
|
00db10 |
+ abi_note = abi_note_malloced;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
__lseek (fd, ph->p_offset, SEEK_SET);
|
|
|
00db10 |
if (__libc_read (fd, (void *) abi_note, size) != size)
|
|
|
00db10 |
- goto read_error;
|
|
|
00db10 |
+ {
|
|
|
00db10 |
+ free (abi_note_malloced);
|
|
|
00db10 |
+ goto read_error;
|
|
|
00db10 |
+ }
|
|
|
00db10 |
}
|
|
|
00db10 |
|
|
|
00db10 |
while (memcmp (abi_note, &expected_note, sizeof (expected_note)))
|
|
|
00db10 |
@@ -1928,6 +1944,7 @@ open_verify (const char *name, struct filebuf *fbp, struct link_map *loader,
|
|
|
00db10 |
|
|
|
00db10 |
break;
|
|
|
00db10 |
}
|
|
|
00db10 |
+ free (abi_note_malloced);
|
|
|
00db10 |
}
|
|
|
00db10 |
|
|
|
00db10 |
return fd;
|
|
|
00db10 |
diff --git a/elf/tst-big-note-lib.S b/elf/tst-big-note-lib.S
|
|
|
00db10 |
new file mode 100644
|
|
|
00db10 |
index 0000000000000000..6b514a03cc686141
|
|
|
00db10 |
--- /dev/null
|
|
|
00db10 |
+++ b/elf/tst-big-note-lib.S
|
|
|
00db10 |
@@ -0,0 +1,26 @@
|
|
|
00db10 |
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
|
|
|
00db10 |
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
|
|
00db10 |
+ This file is part of the GNU C Library.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
00db10 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
00db10 |
+ License as published by the Free Software Foundation; either
|
|
|
00db10 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
00db10 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
00db10 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
00db10 |
+ Lesser General Public License for more details.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
00db10 |
+ License along with the GNU C Library; if not, see
|
|
|
00db10 |
+ <http://www.gnu.org/licenses/>. */
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* This creates a .so with 8MiB PT_NOTE segment.
|
|
|
00db10 |
+ On a typical Linux system with 8MiB "ulimit -s", that was enough
|
|
|
00db10 |
+ to trigger stack overflow in open_verify. */
|
|
|
00db10 |
+
|
|
|
00db10 |
+.pushsection .note.big,"a"
|
|
|
00db10 |
+.balign 4
|
|
|
00db10 |
+.fill 8*1024*1024, 1, 0
|
|
|
00db10 |
+.popsection
|
|
|
00db10 |
diff --git a/elf/tst-big-note.c b/elf/tst-big-note.c
|
|
|
00db10 |
new file mode 100644
|
|
|
00db10 |
index 0000000000000000..fcd2b0ed82cc1667
|
|
|
00db10 |
--- /dev/null
|
|
|
00db10 |
+++ b/elf/tst-big-note.c
|
|
|
00db10 |
@@ -0,0 +1,26 @@
|
|
|
00db10 |
+/* Bug 20419: test for stack overflow in elf/dl-load.c open_verify()
|
|
|
00db10 |
+ Copyright (C) 2018 Free Software Foundation, Inc.
|
|
|
00db10 |
+ This file is part of the GNU C Library.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is free software; you can redistribute it and/or
|
|
|
00db10 |
+ modify it under the terms of the GNU Lesser General Public
|
|
|
00db10 |
+ License as published by the Free Software Foundation; either
|
|
|
00db10 |
+ version 2.1 of the License, or (at your option) any later version.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ The GNU C Library is distributed in the hope that it will be useful,
|
|
|
00db10 |
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
00db10 |
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
00db10 |
+ Lesser General Public License for more details.
|
|
|
00db10 |
+
|
|
|
00db10 |
+ You should have received a copy of the GNU Lesser General Public
|
|
|
00db10 |
+ License along with the GNU C Library; if not, see
|
|
|
00db10 |
+ <http://www.gnu.org/licenses/>. */
|
|
|
00db10 |
+
|
|
|
00db10 |
+/* This file must be run from within a directory called "elf". */
|
|
|
00db10 |
+
|
|
|
00db10 |
+int main (int argc, char *argv[])
|
|
|
00db10 |
+{
|
|
|
00db10 |
+ /* Nothing to do here: merely linking against tst-big-note-lib.so triggers
|
|
|
00db10 |
+ the bug. */
|
|
|
00db10 |
+ return 0;
|
|
|
00db10 |
+}
|