This is the mail archive of the mailing list for the glibc project.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]
Other format: [Raw text]

[Bug libc/22341] New: Uninitialized variable in inline function elf_get_dynamic_info in get-dynamic-info.h

            Bug ID: 22341
           Summary: Uninitialized variable in inline function
                    elf_get_dynamic_info in get-dynamic-info.h
           Product: glibc
           Version: 2.26
            Status: UNCONFIRMED
          Severity: critical
          Priority: P2
         Component: libc
          Assignee: unassigned at sourceware dot org
          Reporter: yueqichen.0x0 at gmail dot com
                CC: drepper.fsp at gmail dot com
  Target Milestone: ---

Created attachment 10552
crafted shared library file and poc.c

Uninitialized Variable in inline function elf_get_dynamic_info at source file
Tested on glibc-2.26 with address-sanitize on Linux ubuntu 4.13.0-16-generic
#19-Ubuntu SMP
gcc (Ubuntu 7.2.0-8ubuntu3) 7.2.0

Running Command: 
gcc -o poc poc.c -ldl -fsanitize=address

Function _dl_map_object_from_fd at Line 1006 in elf/dl-load.c
1006: l = _dl_new_object(realname, name, l_type, loader, mode, nsid);
/* allocate a mmeory region in heap for a new loaded object without
initializing l->l_info*/

Function _dl_map_object_from_fd at Line 1200 in elf/dl-load.c
1200: elf_get_dynamic_info(l, NULL);
/* call buggy function elf_get_dynamic_info,
   there is no initialization of l->l_info between dl-load.c:1006 and
dl-load.c:1200 */

Function elf_get_dynamic_info at Line 97 in elf/get-dynamic-info.h
46: info = l->l_info;
97: info[tag]->d_un.d_ptr += l_addr;
/* l->info[tag]->d_un.d_ptr is used without initialization till now. 
   Any value could be in l->info[tag]->d_un.d_ptr

We trigger this defect with poc compiled with AddressSanitizer and display the
output of Sanitizer as follows:
==2505==ERROR: AddressSanitizer: SEGV on unknown address 0x00000204 (pc
0xb7fee485 bp 0x00000000 sp 0xbffff180 T0)
==2505==The signal is caused by a READ memory access.
==2505==Hint: address points to the zero page.
    #0 0xb7fee484  (/lib/
    #1 0xb794fe2a in _dl_catch_error (/lib/i386-linux-gnu/
    #2 0xb7819421  (/lib/i386-linux-gnu/
    #3 0xb7818df7 in dlclose (/lib/i386-linux-gnu/
    #4 0xb7a233a5 in dlclose (/usr/lib/i386-linux-gnu/
    #5 0x40076b in main (/home/yueqi/poc+0x76b)
    #6 0xb7835985 in __libc_start_main (/lib/i386-linux-gnu/
    #7 0x400620  (/home/yueqi/poc+0x620)

AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV (/lib/ 

You are receiving this mail because:
You are on the CC list for the bug.

Index Nav: [Date Index] [Subject Index] [Author Index] [Thread Index]
Message Nav: [Date Prev] [Date Next] [Thread Prev] [Thread Next]