This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.


[Bug libc/24692] New: pldd should fail on >1 PT_INTERP or >1 PT_DYNAMIC entries.


https://sourceware.org/bugzilla/show_bug.cgi?id=24692

            Bug ID: 24692
           Summary: pldd should fail on >1 PT_INTERP or >1 PT_DYNAMIC
                    entries.
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: carlos at redhat dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

pldd should immediately fail if it sees more than one PT_INTERP or PT_DYNAMIC
segment. A crafted in-memory binary could potentially alter these things and we
should just double check for them. It makes pldd more robust against errors.

e.g.

diff --git a/elf/pldd-xx.c b/elf/pldd-xx.c
index 756f6d7a1c..298b6ad086 100644
--- a/elf/pldd-xx.c
+++ b/elf/pldd-xx.c
@@ -119,10 +119,14 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,

   EW(Addr) list = 0;
   char *interp = NULL;
+  EW(Dyn) *dyn = NULL;
   for (unsigned int i = 0; i < phnum; ++i)
     if (p[i].p_type == PT_DYNAMIC)
       {
-       EW(Dyn) *dyn = xmalloc (p[i].p_filesz);
+       if (dyn != NULL)
+         error (EXIT_FAILURE, 0, gettext ("more than one dyanmic section not
supported"));
+
+       dyn = xmalloc (p[i].p_filesz);
        if (pread (memfd, dyn, p[i].p_filesz, offset + p[i].p_vaddr)
            != p[i].p_filesz)
          error (EXIT_FAILURE, 0, gettext ("cannot read dynamic section"));
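Review bot: The new error string in the PT_DYNAMIC branch misspells "dynamic" as "dyanmic", and because it is passed through gettext the typo would be picked up as a translatable message; fix it before submission. The message also says "dynamic section" while the check is on a PT_DYNAMIC program header, so wording such as "more than one PT_DYNAMIC segment" would match the bug title. Note too that p[i].p_filesz still goes straight into xmalloc and pread in the lines below the new check; a sanity bound on it would serve the same robustness goal.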
@@ -143,11 +147,13 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,
                }
            }

-       free (dyn);
        break;
       }
     else if (p[i].p_type == PT_INTERP)
       {
+       if (interp != NULL)
+         error (EXIT_FAILURE, 0, gettext ("more than one interpreter not
supported"));
+
        interp = xmalloc (p[i].p_filesz);
        if (pread (memfd, interp, p[i].p_filesz, offset + p[i].p_vaddr)
            != p[i].p_filesz)
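Review bot: The unchanged "break;" that follows the removed "free (dyn);" still ends the program header scan at the first PT_DYNAMIC entry, so the "dyn != NULL" check added in the first hunk can never fire, and the new "interp != NULL" check only catches a second PT_INTERP that appears before PT_DYNAMIC in the table. If the intent is to reject any duplicate, drop that "break;" so every entry is visited, or count both types in a separate pass before reading anything. For consistency with the bug title the message could say "more than one PT_INTERP segment".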
@@ -167,6 +173,7 @@ E(find_maps) (const char *exe, int memfd, pid_t pid, void
*auxv,
     }

   free (p);
+  free (dyn);
   free (interp);

   /* Print the PID and program name first.  */
---

Needs testing and submission.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
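
The check the report asks for, as an added example that is not part of the original message and is not glibc code: it walks the whole program header table and rejects a second PT_INTERP or PT_DYNAMIC wherever it appears. It uses Elf64_Phdr from <elf.h> instead of pldd's EW() macros; check_phdrs, run_sample and the sample tables are hypothetical names with constructed data.

```c
#include <elf.h>
#include <stdio.h>

enum phdr_status { PHDR_OK, PHDR_DUP_INTERP, PHDR_DUP_DYNAMIC };
/* Hypothetical helper, not glibc code.  Visits every entry with no early
   exit, so a duplicate placed after the first PT_DYNAMIC is still seen.  */
static enum phdr_status
check_phdrs (const Elf64_Phdr *p, size_t phnum,
             const Elf64_Phdr **interp, const Elf64_Phdr **dynamic)
{
  *interp = *dynamic = NULL;
  for (size_t i = 0; i < phnum; ++i)
    {
      int is_interp = p[i].p_type == PT_INTERP;
      if (!is_interp && p[i].p_type != PT_DYNAMIC)
        continue;
      const Elf64_Phdr **slot = is_interp ? interp : dynamic;
      if (*slot != NULL)   /* Second entry of the same type: reject.  */
        return is_interp ? PHDR_DUP_INTERP : PHDR_DUP_DYNAMIC;
      *slot = &p[i];
    }
  return PHDR_OK;
}

/* Constructed program header tables, not taken from a real binary.  */
static const Elf64_Phdr sample_ok[] = {
  { .p_type = PT_INTERP, .p_filesz = 28 },
  { .p_type = PT_LOAD, .p_filesz = 4096 },
  { .p_type = PT_DYNAMIC, .p_filesz = 480 } };
static const Elf64_Phdr sample_dup_dynamic[] = {
  { .p_type = PT_DYNAMIC, .p_filesz = 480 },
  { .p_type = PT_DYNAMIC, .p_filesz = 480 } };
static const Elf64_Phdr sample_late_interp[] = {
  { .p_type = PT_INTERP, .p_filesz = 28 },
  { .p_type = PT_DYNAMIC, .p_filesz = 480 },
  { .p_type = PT_INTERP, .p_filesz = 28 } };

static enum phdr_status run_sample (const Elf64_Phdr *p, size_t n)
{
  const Elf64_Phdr *interp, *dynamic;
  return check_phdrs (p, n, &interp, &dynamic);
}

int main (void)
{
  printf ("%d %d %d\n", run_sample (sample_ok, 3),
          run_sample (sample_dup_dynamic, 2), run_sample (sample_late_interp, 3));
  return 0;
}
```

The third table is the case an early exit on the first PT_DYNAMIC would miss: the extra PT_INTERP sits after it.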
