Created attachment 10552 [details]
crafted shared library file recovered.so and poc.c

Uninitialized Variable in inline function elf_get_dynamic_info at source file elf/get-dynamic-info.h

Tested on glibc-2.26 with AddressSanitizer on Linux ubuntu 4.13.0-16-generic #19-Ubuntu SMP, gcc (Ubuntu 7.2.0-8ubuntu3) 7.2.0

Running Command:
  unzip PoC.zip
  gcc -o poc poc.c -ldl -fsanitize=address
  ./poc

Function _dl_map_object_from_fd at Line 1006 in elf/dl-load.c
  1006: l = _dl_new_object(realname, name, l_type, loader, mode, nsid);
  /* allocate a memory region in heap for a new loaded object without initializing l->l_info */

Function _dl_map_object_from_fd at Line 1200 in elf/dl-load.c
  1200: elf_get_dynamic_info(l, NULL);
  /* call buggy function elf_get_dynamic_info, there is no initialization of l->l_info between dl-load.c:1006 and dl-load.c:1200 */

Function elf_get_dynamic_info at Line 97 in elf/get-dynamic-info.h
  46: info = l->l_info;
  97: info[tag]->d_un.d_ptr += l_addr;
  /* l->info[tag]->d_un.d_ptr is used without initialization till now. Any value could be in l->info[tag]->d_un.d_ptr */

We trigger this defect with poc compiled with AddressSanitizer and display the output of Sanitizer as follows:

ASAN:DEADLYSIGNAL
=================================================================
==2505==ERROR: AddressSanitizer: SEGV on unknown address 0x00000204 (pc 0xb7fee485 bp 0x00000000 sp 0xbffff180 T0)
==2505==The signal is caused by a READ memory access.
==2505==Hint: address points to the zero page.
    #0 0xb7fee484  (/lib/ld-linux.so.2+0x15484)
    #1 0xb794fe2a in _dl_catch_error (/lib/i386-linux-gnu/libc.so.6+0x132e2a)
    #2 0xb7819421  (/lib/i386-linux-gnu/libdl.so.2+0x1421)
    #3 0xb7818df7 in dlclose (/lib/i386-linux-gnu/libdl.so.2+0xdf7)
    #4 0xb7a233a5 in dlclose (/usr/lib/i386-linux-gnu/libasan.so.4+0x303a5)
    #5 0x40076b in main (/home/yueqi/poc+0x76b)
    #6 0xb7835985 in __libc_start_main (/lib/i386-linux-gnu/libc.so.6+0x18985)
    #7 0x400620  (/home/yueqi/poc+0x620)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/ld-linux.so.2+0x15484)
==2505==ABORTING
The object contains invalid entries in the dynamic section. The values are initialized from loading the object.
In that case, we probably need a verification before using entries in the dynamic section. Do you have a quick patch for us to test? Thanks.
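As an added illustration of the kind of verification the previous comment asks about (this is not glibc code and not a patch from anyone on this thread): a hypothetical stand-alone validator that walks a PT_DYNAMIC array and rejects pointer-valued entries that do not fall inside the object's PT_LOAD ranges, before any of them is relocated with l_addr or dereferenced. The struct and tag constants are copied by hand from the ELF specification so the file builds without <elf.h>; the choice of which tags count as pointers, the segment layout and the four sample dynamic arrays are all constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal ELF64 dynamic entry and tag values (same layout/values as <elf.h>). */
typedef struct {
    int64_t d_tag;
    union { uint64_t d_val; uint64_t d_ptr; } d_un;
} Dyn64;

enum {
    DT_NULL = 0, DT_PLTGOT = 3, DT_HASH = 4, DT_STRTAB = 5, DT_SYMTAB = 6,
    DT_RELA = 7, DT_STRSZ = 10, DT_INIT = 12, DT_FINI = 13, DT_REL = 17,
    DT_JMPREL = 23, DT_INIT_ARRAY = 25, DT_FINI_ARRAY = 26,
    DT_GNU_HASH = 0x6ffffef5
};

/* One PT_LOAD mapping, [vaddr, vaddr + memsz), relative to the object's
 * load base, i.e. before l_addr is added. */
typedef struct { uint64_t vaddr; uint64_t memsz; } Segment;

/* Tags whose d_un is an address the loader relocates and later dereferences.
 * Assumption: a hand-picked subset of the tags treated as d_ptr. */
static int tag_is_pointer(int64_t tag)
{
    switch (tag) {
    case DT_PLTGOT: case DT_HASH: case DT_STRTAB: case DT_SYMTAB:
    case DT_RELA: case DT_INIT: case DT_FINI: case DT_REL: case DT_JMPREL:
    case DT_INIT_ARRAY: case DT_FINI_ARRAY: case DT_GNU_HASH:
        return 1;
    default:
        return 0;
    }
}

/* 1 if every byte of [addr, addr + len) lies inside a single mapped segment.
 * The subtraction is guarded so it cannot wrap past the bounds check. */
static int range_in_segments(uint64_t addr, uint64_t len,
                             const Segment *segs, size_t nsegs)
{
    for (size_t i = 0; i < nsegs; i++) {
        if (addr < segs[i].vaddr) continue;
        uint64_t off = addr - segs[i].vaddr;
        if (off < segs[i].memsz && len <= segs[i].memsz - off)
            return 1;
    }
    return 0;
}

/* Validate a dynamic array before any entry is relocated or dereferenced.
 * Returns -1 when the array is DT_NULL-terminated, every pointer-valued
 * entry lands in a mapped segment and the DT_STRTAB/DT_STRSZ range is fully
 * mapped; otherwise the index of the first offending entry, or ndyn when no
 * DT_NULL terminator was found within ndyn entries. */
int validate_dynamic(const Dyn64 *dyn, size_t ndyn,
                     const Segment *segs, size_t nsegs)
{
    size_t strtab_idx = ndyn;          /* index of DT_STRTAB, if seen */
    uint64_t strtab = 0, strsz = 0;
    for (size_t i = 0; i < ndyn; i++) {
        int64_t tag = dyn[i].d_tag;
        if (tag == DT_NULL) {
            /* The loader reads DT_NEEDED/DT_SONAME names out of the string
             * table, so the whole table must be mapped, not just its start. */
            if (strtab_idx != ndyn &&
                !range_in_segments(strtab, strsz, segs, nsegs))
                return (int)strtab_idx;
            return -1;
        }
        if (tag_is_pointer(tag) &&
            !range_in_segments(dyn[i].d_un.d_ptr, 1, segs, nsegs))
            return (int)i;
        if (tag == DT_STRTAB) { strtab = dyn[i].d_un.d_ptr; strtab_idx = i; }
        if (tag == DT_STRSZ)  strsz = dyn[i].d_un.d_val;
    }
    return (int)ndyn;                  /* ran off the end without DT_NULL */
}

/* Constructed mappings: 4 KiB at 0 and 8 KiB at 0x200000 (not from any real object). */
static const Segment kSegs[] = { { 0x0, 0x1000 }, { 0x200000, 0x2000 } };
#define NSEGS (sizeof(kSegs) / sizeof(kSegs[0]))

/* Well-formed: every address lands inside a mapping. */
int example_good(void)
{
    const Dyn64 dyn[] = {
        { DT_STRTAB, { 0x300 } }, { DT_STRSZ, { 0x80 } },
        { DT_SYMTAB, { 0x400 } }, { DT_PLTGOT, { 0x201000 } },
        { DT_NULL, { 0 } },
    };
    return validate_dynamic(dyn, 5, kSegs, NSEGS);
}

/* DT_SYMTAB outside every mapping: would become a wild pointer after l_addr is added. */
int example_wild_pointer(void)
{
    const Dyn64 dyn[] = {
        { DT_STRTAB, { 0x300 } }, { DT_STRSZ, { 0x80 } },
        { DT_SYMTAB, { 0x500000 } }, { DT_NULL, { 0 } },
    };
    return validate_dynamic(dyn, 4, kSegs, NSEGS);
}

/* String table that starts inside a mapping but runs past its end. */
int example_strtab_overrun(void)
{
    const Dyn64 dyn[] = {
        { DT_STRTAB, { 0xf80 } }, { DT_STRSZ, { 0x100 } }, { DT_NULL, { 0 } },
    };
    return validate_dynamic(dyn, 3, kSegs, NSEGS);
}

/* No DT_NULL terminator: a loader would read past the array. */
int example_unterminated(void)
{
    const Dyn64 dyn[] = { { DT_STRTAB, { 0x300 } }, { DT_SYMTAB, { 0x400 } } };
    return validate_dynamic(dyn, 2, kSegs, NSEGS);
}

int main(void)
{
    printf("good=%d wild=%d overrun=%d unterminated=%d\n", example_good(),
           example_wild_pointer(), example_strtab_overrun(), example_unterminated());
    return 0;
}
```

The check compares the unrelocated d_ptr values against unrelocated p_vaddr ranges, which is the point at which a loader has everything it needs to refuse an object before touching memory through those entries; the SEGV on address 0x204 in the report above is what happens when a small bogus d_ptr plus l_addr is dereferenced without such a check.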