This is the mail archive of the
libc-alpha@sourceware.org
mailing list for the glibc project.
Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- From: Alex <alexinbeijing at gmail dot com>
- To: libc-alpha at sourceware dot org
- Date: Mon, 10 Aug 2015 09:04:07 +0200
- Subject: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- Authentication-results: sourceware.org; auth=none
- References: <1439153945-22973-1-git-send-email-alexinbeijing at gmail dot com> <87fv3s83td dot fsf at igel dot home> <CACsECNf6dB8cAG4EHpox=tg8=+SbeWTb9J=T4zArLtmdQjqkHQ at mail dot gmail dot com>
On Mon, Aug 10, 2015 at 1:01 AM, Andreas Schwab <schwab@linux-m68k.org> wrote:
> Alex Dowad <alexinbeijing@gmail.com> writes:
>
>> diff --git a/elf/rtld.c b/elf/rtld.c
>> index 6dcbabc..ee194a6 100644
>> --- a/elf/rtld.c
>> +++ b/elf/rtld.c
>> @@ -2408,6 +2408,8 @@ process_dl_debug (const char *dl_debug)
>> char *copy = strndupa (dl_debug, len);
>> _dl_error_printf ("\
>> warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
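Review bot: the two added lines that the `@@ -2408,6 +2408,8 @@` header announces are not in the quoted excerpt, so whatever check they introduce cannot be reviewed here; what is visible is `char *copy = strndupa (dl_debug, len);`, an alloca-style copy whose size comes from `len`, i.e. from the LD_DEBUG value, so a cap on `len` would only shrink the environment-controlled stack allocation rather than remove it. Since `copy` exists only to be printed, printing straight from `dl_debug` with a `%.*s` precision and `(int) len` would drop the copy altogether; if that route is taken, check `len` before the cast to `int`, and confirm that `_dl_error_printf`'s minimal formatter honours a `.*` precision before relying on it.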
>
> Use %.*s instead.
Thanks for your reply. That would help to avoid potentially voluminous
output to the console, but doesn't fix the (potential) security hole
of copying an arbitrary, attacker-supplied string onto the stack. Do
you think there is any reason to copy the string at all? It seems like
it should be possible to just print it from wherever it originally
happened to be in memory.
Thanks, Alex
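The point of the exchange above, shown as an added, stand-alone example (not glibc's code and not Alex's patch): a constructed stand-in for `process_dl_debug` that splits an LD_DEBUG value into tokens and warns about unknown ones. `warn_unknown_copy` reproduces the quoted pattern (a stack copy of `len+1` bytes, which is what `strndupa` does underneath), while `warn_unknown_inplace` prints the token from where it already sits using a `%.*s` precision, so nothing sized by the environment string lands on the stack. `snprintf` stands in for `_dl_error_printf`, the option table is a small subset of real names, and splitting on `:` or `,` is an assumption about the real parser.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Small subset of LD_DEBUG option names ("help" is the one quoted on the page). */
static const char *const known_options[] = { "libs", "files", "symbols", "help", "all" };

/* Exact-length match against the table; tok is not NUL-terminated at len. */
int is_known(const char *tok, size_t len)
{
  for (size_t i = 0; i < sizeof known_options / sizeof known_options[0]; i++)
    if (strlen(known_options[i]) == len && memcmp(known_options[i], tok, len) == 0)
      return 1;
  return 0;
}

/* Before: the pattern in the quoted hunk.  strndupa() is alloca()+copy, so a
   VLA of len+1 bytes has the same effect: whoever set the environment variable
   chooses how much stack this function consumes. */
int warn_unknown_copy(const char *tok, size_t len, char *out, size_t out_size)
{
  char copy[len + 1];                       /* len is attacker-controlled */
  memcpy(copy, tok, len);
  copy[len] = '\0';
  return snprintf(out, out_size,
                  "warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
}

/* After: print the token in place, bounded by a %.*s precision.  No copy is
   made; the cast to int is capped so an absurd len cannot wrap negative
   (printf treats a negative precision as "no precision given"). */
int warn_unknown_inplace(const char *tok, size_t len, char *out, size_t out_size)
{
  int prec = len > INT_MAX ? INT_MAX : (int) len;
  return snprintf(out, out_size,
                  "warning: debug option `%.*s' unknown; try LD_DEBUG=help\n",
                  prec, tok);
}

/* Hypothetical stand-in for process_dl_debug(): walks the value, token by
   token, writes the warning for the first unknown token into `out` (empty
   string if every token is known) and returns how many unknown tokens it saw. */
int process_dl_debug_inplace(const char *dl_debug, char *out, size_t out_size)
{
  int unknown = 0;
  if (out_size)
    out[0] = '\0';
  while (*dl_debug != '\0')
    {
      size_t len = strcspn(dl_debug, ":,");   /* token ends at ':' or ',' (assumed) */
      if (len > 0 && !is_known(dl_debug, len))
        {
          if (unknown == 0)
            warn_unknown_inplace(dl_debug, len, out, out_size);
          unknown++;
        }
      dl_debug += len;
      if (*dl_debug != '\0')
        dl_debug++;                           /* skip the separator */
    }
  return unknown;
}

int main(void)
{
  /* Constructed sample value: two valid options around one bogus one. */
  const char *sample = "files:this_is_not_an_option:libs";
  char msg[256];
  int n = process_dl_debug_inplace(sample, msg, sizeof msg);
  printf("%d unknown option(s); %s", n, msg);
  return 0;
}
```

Both helpers produce byte-identical messages for the same token, which is the whole argument: the copy buys nothing that the precision does not already provide, and the in-place version has no allocation whose size the environment controls.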