This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug dynamic-link/22851] ld library ELF load error
- From: "rschiron at redhat dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sourceware dot org
- Date: Fri, 29 Nov 2019 16:12:48 +0000
- Subject: [Bug dynamic-link/22851] ld library ELF load error
- Auto-submitted: auto-generated
- References: <bug-22851-131@http.sourceware.org/bugzilla/>
https://sourceware.org/bugzilla/show_bug.cgi?id=22851
rschiron at redhat dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |rschiron at redhat dot com
--- Comment #6 from rschiron at redhat dot com ---
Copying from https://bugzilla.redhat.com/show_bug.cgi?id=1773916#c4 from
completeness:
glibc assumes loadable segment entries (PT_LOAD) in the program header table
appear in ascending order, sorted on the p_vaddr member. While loading a
library, function _dl_map_segments() in dl-map-segments.h lets the kernel map
the first segment of the library anywhere it likes, but it requires a large
enough chunk of memory to include all the loadable segment entries. Considering
how mmap works, the allocation happens to be close to other libraries and to
the ld-linux loader segments.
However, if a library is created such that the first loadable segment entry is
not the one with the lowest Virtual Address or the last loadable segment entry
is not the one with the highest End Virtual Address, it is possible to make
ld-linux wrongly compute the overall size required to load the library in the
process' memory. When this happens, the malicious library can easily overwrite
other libraries that were already loaded.
While a malicious library can already easily execute code (e.g. with
constructors) when a program uses it, it should not be possible to execute code
while listing the dependencies of an ELF file.
--
You are receiving this mail because:
You are on the CC list for the bug.