This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug dynamic-link/17411] New: calloc in dl-reloc.c computes size incorrectly
- From: "kg6fnk at gmail dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Thu, 18 Sep 2014 18:17:07 +0000
- Subject: [Bug dynamic-link/17411] New: calloc in dl-reloc.c computes size incorrectly
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=17411
Bug ID: 17411
Summary: calloc in dl-reloc.c computes size incorrectly
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: dynamic-link
Assignee: unassigned at sourceware dot org
Reporter: kg6fnk at gmail dot com
This bug was discovered by Matt LeGendre who works at LLNL. He pointed out the
problem and corrected my patch to the problem. It seems to exist in quite a
range of glibc versions. The problem was discovered in RHEL6's glibc and it
still exists in RHEL7 and upstream.
In elf/dl-reloc.c the AUDIT code does a calloc of a library's
DT_PLTRELSZ*sizeof(struct reloc_result) (this is the one we're seeing making
~300MB of allocations). It's treating the DT_PLTRELSZ as a count of PLTREL
entries, but DT_PLTRELSZ is the size in bytes of the PLTREL entries. So it's
doing a much larger memory allocation than necessary.
I looked and the code is the same in RHEL6, RHEL7, and upstream glibc.
He suggested a patch like:
diff --git a/elf/dl-reloc.c b/elf/dl-reloc.c
index d2c6dac..0c85f08 100644
--- a/elf/dl-reloc.c
+++ b/elf/dl-reloc.c
@@ -280,7 +280,8 @@ _dl_relocate_object (struct link_map *l, struct
r_scope_elem *scope[],
}
l->l_reloc_result = calloc (sizeof (l->l_reloc_result[0]),
- l->l_info[DT_PLTRELSZ]->d_un.d_val);
+ l->l_info[DT_PLTRELSZ]->d_un.d_val /
+ (l->l_info[DT_PLTREL]->d_un.d_val ==
DT_RELA ? sizeof(ElfW(Rela)) : sizeof(ElfW(Rel))));
if (l->l_reloc_result == NULL)
{
errstring = N_("\
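Review bot: the new divisor dereferences `l->l_info[DT_PLTREL]` with no NULL check, while the original expression only relied on `l->l_info[DT_PLTRELSZ]`; unless the condition enclosing this call already guarantees that DT_PLTREL is present whenever DT_PLTRELSZ is, an object carrying only the latter would fault here, so either confirm that guard or add one. The expression would also read better with the entry size hoisted into a named variable under a comment saying that DT_PLTRELSZ is a byte count, e.g. `size_t entsz = l->l_info[DT_PLTREL]->d_un.d_val == DT_RELA ? sizeof (ElfW(Rela)) : sizeof (ElfW(Rel));`, then `d_val / entsz` in the calloc. Separately, in this archive copy the `@@` header is wrapped onto two lines and the continuation line starting `DT_RELA ? sizeof(ElfW(Rela))` has lost its leading `+`, so the patch as shown will not apply with `git apply`; resend it as an attachment.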
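As an added illustration (not part of the bug report and not glibc's own code), the following C program does the computation the reporter describes: it reads DT_PLTREL and DT_PLTRELSZ from an object's dynamic section, divides the byte size by the size of one relocation entry to get the number of PLT relocations, and prints that next to the raw DT_PLTRELSZ value the original calloc used as an element count. It assumes a Linux/glibc system (<elf.h>, <link.h> for ElfW, <sys/auxv.h> for getauxval); the two dynamic sections sample_dyn and sample_dyn_no_plt are constructed here for a self-contained check, and main() additionally inspects the running program's own dynamic section. All function names are the example's own.

```c
/* Added example, not code from the bug report or from glibc.  DT_PLTRELSZ is
   the size of the PLT relocation table in bytes, so the number of entries is
   DT_PLTRELSZ / sizeof(one entry), with the entry type given by DT_PLTREL.
   Assumes Linux/glibc: <elf.h>, <link.h> (ElfW), <sys/auxv.h> (getauxval). */
#include <elf.h>
#include <link.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/auxv.h>

/* Value of one tag in a DT_NULL-terminated dynamic section, 0 if absent. */
static ElfW(Xword) dyn_lookup(const ElfW(Dyn) *dyn, ElfW(Sxword) tag)
{
    for (; dyn->d_tag != DT_NULL; dyn++)
        if (dyn->d_tag == tag)
            return dyn->d_un.d_val;
    return 0;
}

/* Size in bytes of one PLT relocation entry, from DT_PLTREL (DT_RELA or
   DT_REL).  Returns 0 if the tag is absent or holds an unexpected value. */
size_t plt_reloc_entry_size(const ElfW(Dyn) *dyn)
{
    ElfW(Xword) kind = dyn_lookup(dyn, DT_PLTREL);
    if (kind == DT_RELA) return sizeof(ElfW(Rela));
    if (kind == DT_REL)  return sizeof(ElfW(Rel));
    return 0;
}

/* DT_PLTRELSZ as stored: the PLT relocation table size in BYTES.  This is
   the number the original calloc passed as an element count. */
size_t plt_relsz_bytes(const ElfW(Dyn) *dyn)
{
    return dyn_lookup(dyn, DT_PLTRELSZ);
}

/* Number of PLT relocation entries, i.e. the slots a reloc-result table
   needs.  Returns 0 when either tag is missing, so there is no divide by 0. */
size_t plt_reloc_count(const ElfW(Dyn) *dyn)
{
    size_t entsz = plt_reloc_entry_size(dyn);
    return entsz ? plt_relsz_bytes(dyn) / entsz : 0;
}

/* Constructed dynamic section: 100 RELA-style PLT entries (2400 bytes on
   a 64-bit target, where sizeof(Elf64_Rela) is 24). */
const ElfW(Dyn) sample_dyn[] = {
    { DT_PLTREL,   { DT_RELA } },
    { DT_PLTRELSZ, { 100 * sizeof(ElfW(Rela)) } },
    { DT_NULL,     { 0 } },
};

/* Constructed dynamic section with no PLT relocations at all. */
const ElfW(Dyn) sample_dyn_no_plt[] = {
    { DT_STRSZ, { 16 } },
    { DT_NULL,  { 0 } },
};

/* Dynamic section of the running program, located through the auxiliary
   vector; NULL for a static executable without PT_DYNAMIC.  The load bias
   of a PIE is recovered from PT_PHDR. */
const ElfW(Dyn) *own_dynamic_section(void)
{
    const ElfW(Phdr) *ph = (const ElfW(Phdr) *) getauxval(AT_PHDR);
    size_t phnum = getauxval(AT_PHNUM);
    if (ph == NULL)
        return NULL;
    ElfW(Addr) base = 0;
    const ElfW(Phdr) *dynph = NULL;
    for (size_t i = 0; i < phnum; i++) {
        if (ph[i].p_type == PT_PHDR)
            base = (ElfW(Addr)) ph - ph[i].p_vaddr;
        else if (ph[i].p_type == PT_DYNAMIC)
            dynph = &ph[i];
    }
    return dynph ? (const ElfW(Dyn) *) (base + dynph->p_vaddr) : NULL;
}

int main(void)
{
    const ElfW(Dyn) *dyn = own_dynamic_section();
    if (dyn == NULL) {
        puts("no PT_DYNAMIC: static executable, nothing to measure");
        return 0;
    }
    size_t bytes = plt_relsz_bytes(dyn), n = plt_reloc_count(dyn);
    printf("this program: DT_PLTRELSZ = %zu bytes = %zu PLT relocations\n",
           bytes, n);
    printf("a calloc using DT_PLTRELSZ as a count would reserve %zu slots, "
           "%zux more than needed\n", bytes, n ? bytes / n : 0);
    return 0;
}
```

Compile with `gcc -o pltrel pltrel.c` and run it; the over-allocation factor printed is simply sizeof(Elf64_Rela) or sizeof(Elf64_Rel) on that target, which is why a library with a large PLT inflates the audit table by that multiple.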