This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/24692] New: pldd should fail on >1 PT_INTERP or >1 PT_DYNAMIC entries.
- From: "carlos at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Mon, 17 Jun 2019 16:22:34 +0000
- Subject: [Bug libc/24692] New: pldd should fail on >1 PT_INTERP or >1 PT_DYNAMIC entries.
- Auto-submitted: auto-generated
https://sourceware.org/bugzilla/show_bug.cgi?id=24692
Bug ID: 24692
Summary: pldd should fail on >1 PT_INTERP or >1 PT_DYNAMIC entries.
Product: glibc
Version: unspecified
Status: NEW
Severity: normal
Priority: P2
Component: libc
Assignee: unassigned at sourceware dot org
Reporter: carlos at redhat dot com
CC: drepper.fsp at gmail dot com
Target Milestone: ---
pldd should immediately fail if it sees more than one PT_INTERP or PT_DYNAMIC
segment. A crafted in-memory binary could potentially alter these things and we
should just double check for them. It makes pldd more robust against errors.
e.g.
diff --git a/elf/pldd-xx.c b/elf/pldd-xx.c
index 756f6d7a1c..298b6ad086 100644
--- a/elf/pldd-xx.c
+++ b/elf/pldd-xx.c
@@ -119,10 +119,14 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,
EW(Addr) list = 0;
char *interp = NULL;
+ EW(Dyn) *dyn = NULL;
for (unsigned int i = 0; i < phnum; ++i)
if (p[i].p_type == PT_DYNAMIC)
{
- EW(Dyn) *dyn = xmalloc (p[i].p_filesz);
+ if (dyn != NULL)
+ error (EXIT_FAILURE, 0, gettext ("more than one dyanmic section not
supported"));
+
+ dyn = xmalloc (p[i].p_filesz);
if (pread (memfd, dyn, p[i].p_filesz, offset + p[i].p_vaddr)
!= p[i].p_filesz)
error (EXIT_FAILURE, 0, gettext ("cannot read dynamic section"));
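Review bot: the message string added in the `dyn != NULL` branch misspells "dynamic" as "dyanmic"; because it is passed through gettext, the typo would be carried into the translation template, so it should be fixed before submission. PT_DYNAMIC is a program header (segment) type, so wording such as "more than one PT_DYNAMIC segment" would be more precise, although the neighbouring "cannot read dynamic section" message uses the same term.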
@@ -143,11 +147,13 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,
}
}
- free (dyn);
break;
}
else if (p[i].p_type == PT_INTERP)
{
+ if (interp != NULL)
+ error (EXIT_FAILURE, 0, gettext ("more than one interpreter not
supported"));
+
interp = xmalloc (p[i].p_filesz);
if (pread (memfd, interp, p[i].p_filesz, offset + p[i].p_vaddr)
!= p[i].p_filesz)
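Review bot: the unchanged `break;` directly after the removed `free (dyn);` still ends the PT_DYNAMIC branch. If it leaves the program-header loop, the scan stops at the first PT_DYNAMIC entry: the `dyn != NULL` check added in the previous hunk can then never be true, and the `interp != NULL` check added here only catches a second PT_INTERP that precedes the first PT_DYNAMIC. To make both duplicate checks effective, drop that `break;` so every entry is visited, or count both types in a pass over `p[]` before reading any segment.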
@@ -167,6 +173,7 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,
}
free (p);
+ free (dyn);
free (interp);
/* Print the PID and program name first. */
---
Needs testing and submission.
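An added example, not part of the bug report or of glibc: a stand-alone pass over an ELF64 program header table that rejects more than one PT_INTERP or PT_DYNAMIC entry before any segment is read. `check_phdrs`, the status enum and the sample tables are hypothetical names and constructed data; only the 64-bit layout is shown.

```c
#include <elf.h>
#include <stddef.h>
#include <stdio.h>

enum phdr_status { PHDR_OK, PHDR_DUP_INTERP, PHDR_DUP_DYNAMIC };

/* Hypothetical helper: visit every entry before any segment is read, so a
   duplicate is caught wherever it sits in the table.  On PHDR_OK, *interp
   and *dynamic hold the index of the single entry, or -1 if absent.  */
static enum phdr_status
check_phdrs (const Elf64_Phdr *p, size_t phnum, long *interp, long *dynamic)
{
  *interp = *dynamic = -1;
  for (size_t i = 0; i < phnum; ++i)
    if (p[i].p_type == PT_INTERP)
      {
        if (*interp != -1)
          return PHDR_DUP_INTERP;
        *interp = (long) i;
      }
    else if (p[i].p_type == PT_DYNAMIC)
      {
        if (*dynamic != -1)
          return PHDR_DUP_DYNAMIC;
        *dynamic = (long) i;
      }
  return PHDR_OK;
}

/* Constructed program header tables, not taken from a real binary.  */
static const Elf64_Phdr sample_ok[] = {
  { .p_type = PT_INTERP, .p_filesz = 0x1c },
  { .p_type = PT_LOAD, .p_filesz = 0x1000 },
  { .p_type = PT_DYNAMIC, .p_filesz = 0x1f0 },
};
/* The second PT_INTERP comes after PT_DYNAMIC.  */
static const Elf64_Phdr sample_dup_interp[] = {
  { .p_type = PT_INTERP, .p_filesz = 0x1c },
  { .p_type = PT_DYNAMIC, .p_filesz = 0x1f0 },
  { .p_type = PT_INTERP, .p_filesz = 0x1c },
};

int main (void)
{
  long in, dy;
  printf ("ok table: %d\n", check_phdrs (sample_ok, 3, &in, &dy));
  printf ("dup table: %d\n", check_phdrs (sample_dup_interp, 3, &in, &dy));
  return 0;
}
```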