2012-06-21 Jeff Law <law@redhat.com>

        [BZ #13882]
        * elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
        uint16_t for elements in the "seen" array to avoid char overflows.
        * elf/dl-fini.c (_dl_sort_fini): Likewise.
        * elf/dl-open.c (dl_open_worker): Likewise.

diff --git a/ChangeLog b/ChangeLog
index 0a70e8bdecdfa519119259cab70db02d5e2aabff..01bb5c49af4e660b7a2f86a267a86226ec4fdc9a 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2012-06-21  Jeff Law  <law@redhat.com>
+
+       [BZ #13882]
+       * elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
+       uint16_t for elements in the "seen" array to avoid char overflows.
+        * elf/dl-fini.c (_dl_sort_fini): Likewise.
+       * elf/dl-open.c (dl_open_worker): Likewise.
+
 2012-06-21  Carlos O'Donell  <carlos_odonell@mentor.com>
 
        * scripts/list-sources.sh: Scan PORTS for translations.

diff --git a/NEWS b/NEWS
index 97ab8fead94ff4870355210530b41b5d233b18c3..f758700b636bf453b22ce87162dcd9cb237bef80 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -23,14 +23,14 @@ Version 2.16
   13691, 13695, 13704, 13705, 13706, 13718, 13726, 13738, 13739, 13743,
   13750, 13758, 13760, 13761, 13775, 13786, 13787, 13792, 13806, 13824,
   13840, 13841, 13844, 13846, 13848, 13851, 13852, 13854, 13871, 13872,
-  13873, 13879, 13883, 13884, 13885, 13886, 13892, 13895, 13908, 13910,
-  13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919, 13920,
-  13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941, 13942,
-  13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979, 13983,
-  13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043, 14044,
-  14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080, 14083,
-  14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153, 14183,
-  14188, 14199, 14210, 14218, 14229, 14241
+  13873, 13879, 13882, 13883, 13884, 13885, 13886, 13892, 13895, 13908,
+  13910, 13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919,
+  13920, 13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941,
+  13942, 13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979,
+  13983, 13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043,
+  14044, 14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080,
+  14083, 14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153,
+  14183, 14188, 14199, 14210, 14218, 14229, 14241
 
 * Support for the x32 ABI on x86-64 added.  The x32 target is selected by
   configuring glibc with:

diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index fb1c3058c09228c6a0379786251c711981f8b187..69aec461fb929bd51792a2b3ada64ef1cf6a91bb 100644 (file)
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -1,5 +1,5 @@
 /* Load the dependencies of a mapped object.
-   Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
+   Copyright (C) 1996-2003, 2004-2007, 2010-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -632,7 +632,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
       /* We can skip looking for the binary itself which is at the front
         of the search list.  */
       i = 1;
-      char seen[nlist];
+      uint16_t seen[nlist];
       memset (seen, 0, nlist * sizeof (seen[0]));
       while (1)
        {
@@ -658,13 +658,13 @@ Filters not supported with LD_TRACE_PRELINKING"));
                               (k - i) * sizeof (l_initfini[0]));
                      l_initfini[k] = thisp;
 
-                     if (seen[i + 1] > 1)
+                     if (seen[i + 1] > nlist - i)
                        {
                          ++i;
                          goto next_clear;
                        }
 
-                     char this_seen = seen[i];
+                     uint16_t this_seen = seen[i];
                      memmove (&seen[i], &seen[i + 1],
                               (k - i) * sizeof (seen[0]));
                      seen[k] = this_seen;

diff --git a/elf/dl-fini.c b/elf/dl-fini.c
index 05146b37950f22b4b64ceb910dd7c7453a98c716..87cf2f1d3396b2f61e5093c848ea476889b67ccf 100644 (file)
--- a/elf/dl-fini.c
+++ b/elf/dl-fini.c
@@ -1,5 +1,5 @@
 /* Call the termination functions of loaded shared objects.
-   Copyright (C) 1995,96,1998-2002,2004-2005,2009,2011
+   Copyright (C) 1995, 1996, 1998-2002, 2004-2005, 2009, 2011-2012
    Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
@@ -38,7 +38,7 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
   /* We can skip looking for the binary itself which is at the front
      of the search list for the main namespace.  */
   unsigned int i = ns == LM_ID_BASE;
-  char seen[nmaps];
+  uint16_t seen[nmaps];
   memset (seen, 0, nmaps * sizeof (seen[0]));
   while (1)
     {
@@ -78,13 +78,13 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
                      used[k] = here_used;
                    }
 
-                 if (seen[i + 1] > 1)
+                 if (seen[i + 1] > nmaps - i)
                    {
                      ++i;
                      goto next_clear;
                    }
 
-                 char this_seen = seen[i];
+                 uint16_t this_seen = seen[i];
                  memmove (&seen[i], &seen[i + 1], (k - i) * sizeof (seen[0]));
                  seen[k] = this_seen;
 

diff --git a/elf/dl-open.c b/elf/dl-open.c
index 570c5f879195f0a58b12212a59e89d98d74ce952..9fe0a7ff6ac29f5da94ce7ee7f64fac04336fc2c 100644 (file)
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -1,5 +1,5 @@
 /* Load a shared object at runtime, relocate it, and run its initializer.
-   Copyright (C) 1996-2007, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+   Copyright (C) 1996-2007, 2009-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -325,7 +325,7 @@ dl_open_worker (void *a)
   while (l != NULL);
   if (nmaps > 1)
     {
-      char seen[nmaps];
+      uint16_t seen[nmaps];
       memset (seen, '\0', nmaps);
       size_t i = 0;
       while (1)
@@ -351,13 +351,13 @@ dl_open_worker (void *a)
                               (k - i) * sizeof (maps[0]));
                      maps[k] = thisp;
 
-                     if (seen[i + 1] > 1)
+                     if (seen[i + 1] > nmaps - i)
                        {
                          ++i;
                          goto next_clear;
                        }
 
-                     char this_seen = seen[i];
+                     uint16_t this_seen = seen[i];
                      memmove (&seen[i], &seen[i + 1],
                               (k - i) * sizeof (seen[0]));
                      seen[k] = this_seen;