Bug 11615

Summary: ld.so segfaults when RLD_MAP is 0
Product: glibc Reporter: Aurelien Jarno <aurelien>
Component: portsAssignee: Not yet assigned to anyone <unassigned>
Status: RESOLVED WONTFIX    
Severity: normal CC: glibc-bugs, neleai
Priority: P2 Flags: fweimer: security-
Version: unspecified   
Target Milestone: ---   
Host: mipsel-unknown-linux-gnu Target: mipsel-unknown-linux-gnu
Build: mipsel-unknown-linux-gnu Last reconfirmed:
Attachments: proposed patch

Description Aurelien Jarno 2010-05-20 12:51:21 UTC 
Broken ELF binaries that have RLD_MAP equals to 0 (it seems to be possible to
generate them linking it with --version-script) are causing a segfault of ld.so,
even in --list or --verify mode. While this is obviously a bug in the ELF
binary, ld.so should not segfault in this case.
Comment 1 Aurelien Jarno 2010-05-20 12:52:29 UTC 
Created attachment 4805 [details]
proposed patch
Comment 2 Joseph Myers 2012-02-15 22:04:41 UTC 
My impression when I looked at another issue relating to ldd and its use of ld.so was that ld.so is not expected to do anything sensible with broken binaries or libraries in any mode, as an architecture-independent matter, and running with them may involve arbitrary code execution (so you mustn't use ld.so on possibly hostile code).  Maybe we should generically fix this so that ldd of hostile code is safe, but then you'd also need to allow for arbitrary values that are not 0 but still involve writing somewhere inappropriate - that is, somehow check the address for sanity.
Comment 3 Aurelien Jarno 2012-02-15 22:19:27 UTC 
Note that the problem is not only with ldd, it also segfaults while calling the binary. For the record, the original bug report is the following:

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=579917
Comment 4 joseph@codesourcery.com 2012-02-15 22:50:56 UTC 
On Wed, 15 Feb 2012, aurelien at aurel32 dot net wrote:

> Note that the problem is not only with ldd, it also segfaults while 
> calling the binary. For the record, the original bug report is the 
> following:

Segfaulting while calling invalid binaries is certainly to be expected 
(there's no way you can sensibly expect to execute them safely, at most 
you might detect some conditions and give an error message), whereas you 
can argue that ldd should handle them safely.  The binutils bug creating 
such binaries has been fixed:

http://sourceware.org/ml/binutils/2011-12/msg00112.html
Comment 5 Ondrej Bilka 2013-10-13 05:48:20 UTC 
Closing as binutils were fixed two years ago.