Bug 25157 - Audit cookie for the dynamic loader is not initialized correctly
Summary: Audit cookie for the dynamic loader is not initialized correctly
Alias: None
Product: glibc
Classification: Unclassified
Component: dynamic-link (show other bugs)
Version: unspecified
: P2 normal
Target Milestone: 2.31
Assignee: Not yet assigned to anyone
Depends on:
Reported: 2019-11-02 20:26 UTC by Florian Weimer
Modified: 2019-11-15 12:28 UTC (History)
1 user (show)

See Also:
Last reconfirmed:
fweimer: security-


Note You need to log in before you can comment on or make changes to this bug.
Description Florian Weimer 2019-11-02 20:26:27 UTC
load_audit_module attempts to initialize the GL (dl_rtld_map).l_audit array, but uses the unrelated audit function index cnt for that, not the slot index for the audit module.

      /* Store the pointer.  */
      if (err_str == NULL && largs.result != NULL)
	  newp->fptr[cnt] = largs.result;

	  /* The dynamic linker link map is statically allocated,
	     initialize the data now.  */
	  GL(dl_rtld_map).l_audit[cnt].cookie = (intptr_t) &GL(dl_rtld_map);
	newp->fptr[cnt] = NULL;

Found while trying to fix bug 25097, but not actually related to the l_audit zero-length array. I think this is a bug present in the original implementation. It was not introduced in the load_audit_module refactoring.
Comment 1 cvs-commit@gcc.gnu.org 2019-11-15 12:24:29 UTC
The master branch has been updated by Florian Weimer <fw@sourceware.org>:


commit c7bf5ceab6ec776ac7350d3b0190776bf532ac54
Author: Florian Weimer <fweimer@redhat.com>
Date:   Sat Nov 2 21:55:35 2019 +0100

    Properly initialize audit cookie for the dynamic loader [BZ #25157]
    The l_audit array is indexed by audit module, not audit function.
    Change-Id: I180eb3573dc1c57433750f5d8cb18271460ba5f2
Comment 2 Florian Weimer 2019-11-15 12:28:36 UTC
Fixed in glibc 2.31.