Bug 14594 - Testing a mangled pointer results in initializer not being called
Summary: Testing a mangled pointer results in initializer not being called
Status: NEW
Alias: None
Product: glibc
Classification: Unclassified
Component: locale
Version: 2.17
Importance: P2 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2012-09-19 13:34 UTC by law
Modified: 2015-08-27 21:57 UTC
CC: 4 users

See Also:
Last reconfirmed:
fweimer: security-

Consistently demangle (1.63 KB, patch)
2013-10-31 19:40 UTC, Carlos O'Donell

Description law 2012-09-19 13:34:47 UTC
If a gconv module's init function has an address that is the same as the pointer guard value, then the gconv module's init function will not be called.

The problem is that find_module tests the *mangled* pointer against NULL, and if that test is false, then the initializer is called.

Obviously with the mangling function being a simple xor, if the function's address is the same as the pointer guard, the mangled value will be zero and the initializer doesn't get called.

Inspection shows similar problems in gconv_db.c. There's also an instance in btowc.c, but in that case the test is just controlling an optimization and as far as I can tell doesn't result in incorrect operation.
Comment 1 Ondrej Bilka 2013-10-31 19:01:01 UTC
If the function is xor, then we could set the last bit of the guard to 1. As function pointers are aligned, the result cannot be zero.
Comment 2 Carlos O'Donell 2013-10-31 19:39:58 UTC
Fedora has a fix for this already I think, which is to just unconditionally demangle and *then* check for null.

There is almost no performance benefit to checking the mangled value for null, demangling if it is, and then calling the function.
Comment 3 Carlos O'Donell 2013-10-31 19:40:45 UTC
Created attachment 7263 [details]
Consistently demangle
Comment 4 Florian Weimer 2014-06-17 04:28:10 UTC
(In reply to Carlos O'Donell from comment #3)
> Created attachment 7263 [details]
> Consistently demangle

Does this really work? Are these pointers never initialized to NULL?