This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: Fwd: [PATCH] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG


On Mon, Aug 10, 2015 at 10:49 AM, Andreas Schwab <schwab@suse.de> wrote:
> Alex <alexinbeijing@gmail.com> writes:
>
>> On Mon, Aug 10, 2015 at 1:01 AM, Andreas Schwab <schwab@linux-m68k.org> wrote:
>>> Alex Dowad <alexinbeijing@gmail.com> writes:
>>>
>>>> diff --git a/elf/rtld.c b/elf/rtld.c
>>>> index 6dcbabc..ee194a6 100644
>>>> --- a/elf/rtld.c
>>>> +++ b/elf/rtld.c
>>>> @@ -2408,6 +2408,8 @@ process_dl_debug (const char *dl_debug)
>>>>             char *copy = strndupa (dl_debug, len);
>>>>             _dl_error_printf ("\
>>>>  warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
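Review bot: the `strndupa (dl_debug, len)` in the first context line is an alloca plus a copy, done only so that `_dl_error_printf` can print the unknown option with `%s`, and `len` is a span of the LD_DEBUG value passed in as `dl_debug`, so whoever sets the variable chooses the size of that stack allocation. Since `copy` is used for nothing but the message, printing the span in place with `%.*s` and passing `(int) len, dl_debug` drops the copy and the alloca together. Note also that the hunk header announces two added lines but no `+` line survives in this quoted excerpt, so the change itself cannot be checked from what is shown.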
>>>
>>> Use %.*s instead.
>>
>> Thanks for your reply. That would help to avoid potentially voluminous
>> output to the console, but doesn't fix the (potential) security hole
>> of copying an arbitrary, attacker-supplied string onto the stack.
>
> You don't need the copy any more.

Andreas, I'm a bit slow here so please help me out: why is the copy
needed *even if* printf("%s", ...) is used? I've been trying to figure
out why the original author used strndupa in the first place but
haven't wrapped my mind around it yet.
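The point argued above, worked through as an added example (this is illustration code written for this page, not glibc's rtld.c): a model of the process_dl_debug option scanner in its strndupa form beside a version that prints the unknown option with `%.*s`, plus a driver that feeds the hardened version a heap-built LD_DEBUG value with a 16 MiB option, which the alloca form would have to place on the stack. The option table, the `warnbuf` type and the `dl_debug_scan_*`/`demo_*` names are invented for the demonstration; the separator set and warning text follow the quoted hunk.

```c
/* Added example, not glibc code: a model of the option scanner in rtld.c's
   process_dl_debug, showing why copying an attacker-sized span of LD_DEBUG
   via strndupa (an alloca) is a stack hazard and how %.*s prints the span
   without a copy.  KNOWN_OPTS, warnbuf, dl_debug_scan_*, demo_* are made up. */
#include <alloca.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for glibc's table of recognised LD_DEBUG options. */
static const char *const KNOWN_OPTS[] = { "libs", "reloc", "files", "symbols", "all", "help" };

/* Warnings go to a caller-supplied buffer (standing in for what _dl_error_printf
   writes to stderr) so a test can inspect them. */
struct warnbuf { char *buf; size_t cap; size_t used; };

static void warn_append(struct warnbuf *w, const char *fmt, ...)
{
  va_list ap;
  va_start(ap, fmt);
  int n = w->used + 1 < w->cap ? vsnprintf(w->buf + w->used, w->cap - w->used, fmt, ap) : 0;
  va_end(ap);
  if (n > 0)  /* vsnprintf returns the untruncated length; never step past the end */
    w->used += (size_t) n < w->cap - w->used ? (size_t) n : w->cap - w->used - 1;
}

static int is_known(const char *tok, size_t len)
{
  for (size_t i = 0; i < sizeof KNOWN_OPTS / sizeof *KNOWN_OPTS; i++)
    if (strlen(KNOWN_OPTS[i]) == len && memcmp(KNOWN_OPTS[i], tok, len) == 0)
      return 1;
  return 0;
}

/* BEFORE: the pattern in the quoted hunk.  strndupa(s, len) is alloca(len + 1) plus a
   copy, so an unknown option of N bytes grows this stack frame by N bytes; a few MiB
   of 'A' in LD_DEBUG exceeds a default 8 MiB stack.  Returns the unknown-option count. */
int dl_debug_scan_alloca(const char *dl_debug, struct warnbuf *w)
{
  int unknown = 0;
  while (*dl_debug != '\0') {
    size_t len = strcspn(dl_debug, ",: ");    /* same separators as rtld */
    if (len == 0) { dl_debug++; continue; }
    if (!is_known(dl_debug, len)) {
      char *copy = alloca(len + 1);           /* what strndupa expands to */
      memcpy(copy, dl_debug, len);
      copy[len] = '\0';
      warn_append(w, "warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
      unknown++;
    }
    dl_debug += len;
  }
  return unknown;
}

/* AFTER: pass the span and its length as a printf precision.  Nothing is copied, so
   the option's length no longer affects stack use; precision is an int, so clamp. */
int dl_debug_scan_precision(const char *dl_debug, struct warnbuf *w)
{
  int unknown = 0;
  while (*dl_debug != '\0') {
    size_t len = strcspn(dl_debug, ",: ");
    if (len == 0) { dl_debug++; continue; }
    if (!is_known(dl_debug, len)) {
      int prec = len > (size_t) INT_MAX ? INT_MAX : (int) len;
      warn_append(w, "warning: debug option `%.*s' unknown; try LD_DEBUG=help\n",
                  prec, dl_debug);
      unknown++;
    }
    dl_debug += len;
  }
  return unknown;
}

char demo_buf[256];   /* collects the warnings of the last demo run */

int demo_unknown_count(int use_precision, const char *value)
{
  struct warnbuf w = { demo_buf, sizeof demo_buf, 0 };
  demo_buf[0] = '\0';
  return use_precision ? dl_debug_scan_precision(value, &w) : dl_debug_scan_alloca(value, &w);
}

/* Constructed input: "libs:" + n bytes of 'A' + ":files" on the heap, as the
   environment would hand it over.  Only the %.*s scanner runs on it; the alloca
   scanner would try to place the n-byte copy on the stack. */
int demo_huge_option(size_t n)
{
  char *v = malloc(n + 16);
  if (v == NULL) return -1;
  memcpy(v, "libs:", 5);
  memset(v + 5, 'A', n);
  strcpy(v + 5 + n, ":files");
  int unknown = demo_unknown_count(1, v);
  free(v);
  return unknown;
}
```

Both scanners produce the same warning text for ordinary input; the difference is only in where the bytes of the unknown option live while the message is formatted. The `%.*s` form reads them from the caller's string, so the copy that worried the original author never exists, and the only thing left to watch is the `size_t` to `int` conversion of the precision, which the example clamps.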

