Bug 22341 - Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h
Summary: Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h
Status: UNCONFIRMED
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link
Version: 2.26
Importance: P3 normal
Target Milestone: ---
Assignee: Not yet assigned to anyone
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-24 01:13 UTC by yueqichen.0x0
Modified: 2017-12-20 22:54 UTC

See Also:
Host:
Target:
Build:
Last reconfirmed:
Flags: fweimer: security-


Attachments
crafted shared library file recovered.so and poc.c (13.62 KB, application/zip)
2017-10-24 01:13 UTC, yueqichen.0x0

Description yueqichen.0x0 2017-10-24 01:13:36 UTC
Created attachment 10552
crafted shared library file recovered.so and poc.c

Uninitialized Variable in inline function elf_get_dynamic_info at source file elf/get-dynamic-info.h
Tested on glibc-2.26 with AddressSanitizer on Linux ubuntu 4.13.0-16-generic #19-Ubuntu SMP
gcc (Ubuntu 7.2.0-8ubuntu3) 7.2.0

Running Command: 
unzip PoC.zip
gcc -o poc poc.c -ldl -fsanitize=address
./poc

Function _dl_map_object_from_fd at Line 1006 in elf/dl-load.c
1006: l = _dl_new_object(realname, name, l_type, loader, mode, nsid);
/* allocates a memory region on the heap for a newly loaded object without initializing l->l_info */

Function _dl_map_object_from_fd at Line 1200 in elf/dl-load.c
1200: elf_get_dynamic_info(l, NULL);
/* call buggy function elf_get_dynamic_info,
   there is no initialization of l->l_info between dl-load.c:1006 and dl-load.c:1200 */

Function elf_get_dynamic_info at Line 97 in elf/get-dynamic-info.h
46: info = l->l_info;
97: info[tag]->d_un.d_ptr += l_addr;
/* l->info[tag]->d_un.d_ptr is used without initialization till now. 
   Any value could be in l->info[tag]->d_un.d_ptr
*/

We triggered this defect with the PoC compiled with AddressSanitizer; the sanitizer output is as follows:
ASAN:DEADLYSIGNAL
=================================================================
==2505==ERROR: AddressSanitizer: SEGV on unknown address 0x00000204 (pc 0xb7fee485 bp 0x00000000 sp 0xbffff180 T0)
==2505==The signal is caused by a READ memory access.
==2505==Hint: address points to the zero page.
    #0 0xb7fee484  (/lib/ld-linux.so.2+0x15484)
    #1 0xb794fe2a in _dl_catch_error (/lib/i386-linux-gnu/libc.so.6+0x132e2a)
    #2 0xb7819421  (/lib/i386-linux-gnu/libdl.so.2+0x1421)
    #3 0xb7818df7 in dlclose (/lib/i386-linux-gnu/libdl.so.2+0xdf7)
    #4 0xb7a233a5 in dlclose (/usr/lib/i386-linux-gnu/libasan.so.4+0x303a5)
    #5 0x40076b in main (/home/yueqi/poc+0x76b)
    #6 0xb7835985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #7 0x400620  (/home/yueqi/poc+0x620)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/ld-linux.so.2+0x15484) 
==2505==ABORTING
Comment 1 Andreas Schwab 2017-11-07 11:56:39 UTC
The object contains invalid entries in the dynamic section.  The values are initialized from loading the object.
Comment 2 yueqichen.0x0 2017-11-16 22:35:55 UTC
In that case, we probably need a verification before using entries in the dynamic section. Do you have a quick patch for us to test? Thanks
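The verification asked for in Comment 2, modelled as an added example that is neither glibc's code nor the attached PoC: a simplified walker over the dynamic array in the spirit of elf_get_dynamic_info that records each tag in l_info[] and adds l_addr to address-valued entries, but refuses an entry whose unrelocated d_ptr falls outside every PT_LOAD segment of the object instead of relocating it. The names get_dynamic_info_checked, link_map_model and dyn_entry, the segment-range rule, and the two sample dynamic sections are constructed for illustration; the DT_* tag values and the Elf64_Dyn layout match <elf.h>.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal ELF64 definitions matching <elf.h>, so the example builds without it. */
#define DT_NULL    0
#define DT_HASH    4
#define DT_STRTAB  5
#define DT_SYMTAB  6
#define DT_RELA    7
#define DT_STRSZ   10
#define DT_JMPREL  23
#define DT_TAGS    35            /* glibc's DT_NUM at the time of this report */

struct dyn_entry {               /* same layout as Elf64_Dyn */
    int64_t d_tag;
    union { uint64_t d_val; uint64_t d_ptr; } d_un;
};

struct segment { uint64_t vaddr; uint64_t memsz; };   /* one PT_LOAD header */

/* Toy stand-in for the two fields of glibc's struct link_map used here. */
struct link_map_model {
    uint64_t l_addr;                     /* load bias of the object */
    struct dyn_entry *l_info[DT_TAGS];   /* indexed by d_tag, NULL if absent */
};

/* Tags whose d_ptr is an address inside the object and is relocated by l_addr
 * (get-dynamic-info.h handles more tags; these suffice for the model). */
static int is_address_tag(int64_t tag)
{
    switch (tag) {
    case DT_HASH: case DT_STRTAB: case DT_SYMTAB: case DT_RELA: case DT_JMPREL:
        return 1;
    default:
        return 0;
    }
}

/* Does the unrelocated address lie inside one of the object's PT_LOAD segments? */
static int in_loaded_range(const struct segment *segs, size_t nsegs, uint64_t addr)
{
    for (size_t i = 0; i < nsegs; i++)
        if (addr >= segs[i].vaddr && addr - segs[i].vaddr < segs[i].memsz)
            return 1;
    return 0;
}

/* Walk the dynamic array the way elf_get_dynamic_info does, plus a bounds
 * check on address-valued entries (assumed here, not glibc 2.26 behaviour).
 * Returns 0 on success, or -(index + 1) of the first rejected entry. */
int get_dynamic_info_checked(struct link_map_model *l, struct dyn_entry *dyn,
                             const struct segment *segs, size_t nsegs)
{
    memset(l->l_info, 0, sizeof l->l_info);
    for (size_t i = 0; dyn[i].d_tag != DT_NULL; i++) {
        int64_t tag = dyn[i].d_tag;
        if (tag < 0 || tag >= DT_TAGS)
            continue;            /* OS/processor-specific ranges ignored in this model */
        if (is_address_tag(tag)) {
            if (!in_loaded_range(segs, nsegs, dyn[i].d_un.d_ptr))
                return -(int)(i + 1);
            dyn[i].d_un.d_ptr += l->l_addr;   /* the "d_ptr += l_addr" step */
        }
        l->l_info[tag] = &dyn[i];
    }
    return 0;
}

/* Constructed sample object: one PT_LOAD covering [0, 0x4000), loaded at bias
 * 0x7f0000000000.  Not derived from the attached recovered.so. */
static const struct segment demo_segs[1] = { { 0x0, 0x4000 } };
#define DEMO_BIAS 0x7f0000000000ULL

/* Well-formed dynamic section: returns the relocated DT_STRTAB pointer. */
uint64_t demo_good_strtab(void)
{
    struct dyn_entry dyn[] = {
        { DT_STRTAB, { .d_ptr = 0x1000 } },
        { DT_SYMTAB, { .d_ptr = 0x2000 } },
        { DT_STRSZ,  { .d_val = 0x100 } },
        { DT_NULL,   { .d_val = 0 } },
    };
    struct link_map_model l = { .l_addr = DEMO_BIAS };
    if (get_dynamic_info_checked(&l, dyn, demo_segs, 1) != 0 || !l.l_info[DT_STRTAB])
        return 0;
    return l.l_info[DT_STRTAB]->d_un.d_ptr;
}

/* DT_SYMTAB points outside the object: the walker stops at index 2, returns -3. */
int demo_bad_symtab(void)
{
    struct dyn_entry dyn[] = {
        { DT_STRTAB, { .d_ptr = 0x1000 } },
        { DT_STRSZ,  { .d_val = 0x100 } },
        { DT_SYMTAB, { .d_ptr = 0xdeadbeef } },
        { DT_NULL,   { .d_val = 0 } },
    };
    struct link_map_model l = { .l_addr = DEMO_BIAS };
    return get_dynamic_info_checked(&l, dyn, demo_segs, 1);
}

int main(void)
{
    printf("good: DT_STRTAB relocated to 0x%llx\n", (unsigned long long)demo_good_strtab());
    printf("bad:  get_dynamic_info_checked returned %d\n", demo_bad_symtab());
    return 0;
}
```

Build with `gcc -Wall -o dyncheck dyncheck.c`. The point of the check is that the loader already knows the object's PT_LOAD ranges when it reaches elf_get_dynamic_info, so a d_ptr that no segment covers can be rejected before anything dereferences it; the range test here is deliberately coarse and is a model of the verification the reporter asks about, not a statement of what glibc does.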