Bug 15309 - dl_open_worker doesn't fully initialize seen array during init sort
Summary: dl_open_worker doesn't fully initialize seen array during init sort
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link
Version: unspecified
Importance: P2 normal
Target Milestone: ---
Assignee: Carlos O'Donell
Depends on:
Blocks: 15310
Reported: 2013-03-27 07:46 UTC by Don Hatch
Modified: 2019-04-14 11:16 UTC (History)

See Also:
Last reconfirmed:
fweimer: security-


Description Don Hatch 2013-03-27 07:46:18 UTC
In elf/dl-open.c, in dl_open_worker(), the "seen" array was recently changed
from a char[] to uint16_t[], but the initialization wasn't changed to match:
    28363bbf (Jeff Law           2012-06-21 09:26:41 -0600 346)       uint16_t seen[nmaps];
    6ee65ed6 (Ulrich Drepper     2012-01-27 15:05:19 -0500 347)       memset (seen, '\0', nmaps);
It should be: 
    memset (seen, '\0', nmaps * sizeof(seen[0]));

Theoretically this could cause some loops in this sorting routine
to terminate prematurely, resulting in an incorrect sort.
Not sure whether this ever happens in practice.
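The following is an added illustration, not code from glibc or from the reporter. It models the "seen" array of dl_open_worker as a uint16_t VLA whose stack storage happens to hold stale non-zero bytes (constructed here with a 0xFF fill), clears it either the buggy way (nmaps bytes) or the fixed way (nmaps * sizeof(seen[0]) bytes), and then runs a loop in the style of the init sort that skips any map whose seen[] entry is already non-zero. The helper names clear_seen and maps_processed are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: clear the seen array the way the bug did, or the
   way the fix does.  The bug passes the element count as a byte count,
   so only the first nmaps/2 uint16_t elements are zeroed. */
static void clear_seen(uint16_t *seen, size_t nmaps, int fixed)
{
    if (fixed)
        memset(seen, '\0', nmaps * sizeof(seen[0]));  /* correct: whole array */
    else
        memset(seen, '\0', nmaps);                    /* bug: half the array */
}

/* Hypothetical model of the sorting loop: visit every map whose seen[k]
   is still zero, mark it, and count how many were actually processed.
   Returns nmaps when the array was fully cleared; fewer when stale
   values in the uncleared half make the loop think those maps were
   already handled. */
size_t maps_processed(size_t nmaps, int fixed)
{
    uint16_t seen[nmaps];              /* VLA, as in elf/dl-open.c */
    memset(seen, 0xFF, sizeof seen);   /* constructed stand-in for stale stack data */
    clear_seen(seen, nmaps, fixed);

    size_t processed = 0;
    for (size_t k = 0; k < nmaps; k++) {
        if (seen[k] != 0)
            continue;                  /* loop believes this map was seen */
        seen[k] = 1;
        processed++;
    }
    return processed;
}

int main(void)
{
    size_t nmaps = 8;
    printf("buggy memset: %zu of %zu maps processed\n",
           maps_processed(nmaps, 0), nmaps);
    printf("fixed memset: %zu of %zu maps processed\n",
           maps_processed(nmaps, 1), nmaps);
    return 0;
}
```

With eight maps the buggy clear leaves the upper four entries holding 0xFFFF, so the loop silently skips half of the maps; with a single map, clearing one byte leaves the other byte of seen[0] set on either endianness, so nothing is processed at all. Whether the stale bytes are actually non-zero depends on what was previously on the stack, which is why the reporter could not say how often it bites in practice.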
Comment 1 Carlos O'Donell 2013-03-27 13:16:39 UTC
I'm fixing this.
Comment 2 Don Hatch 2013-03-28 10:23:22 UTC
Declared this to be blocking bug 15310 -- see the note I added there for explanation.
It would be good to get this 1-line fix into master pretty quick if possible.
Comment 3 Carlos O'Donell 2013-04-06 21:07:34 UTC
Fixed by this commit.

commit 7208a313b93a42e3cef61c4249a59b4b32a5850b
Author: Carlos O'Donell <carlos@redhat.com>
Date:   Sat Apr 6 17:00:02 2013 -0400

    dl_open_worker: Memset all of seen array.

    The seen array was doubled in size recently, but the memset to clear
    the array was not adjusted. We adjust the memset to always be correct
    regardless of the size of seen.

    2013-04-06  Carlos O'Donell  <carlos@redhat.com>

    	[BZ #15309]
    	* elf/dl-open.c (dl_open_worker): memset all of seen array.