This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH v2] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- From: Ondřej Bílka <neleai at seznam dot cz>
- To: Andreas Schwab <schwab at suse dot de>
- Cc: Alex Dowad <alexinbeijing at gmail dot com>, libc-alpha at sourceware dot org
- Date: Mon, 10 Aug 2015 23:41:24 +0200
- Subject: Re: [PATCH v2] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
- Authentication-results: sourceware.org; auth=none
- References: <1439209865-17030-1-git-send-email-alexinbeijing at gmail dot com> <mvma8tzmgsf dot fsf at hawking dot suse dot de>
On Mon, Aug 10, 2015 at 03:09:20PM +0200, Andreas Schwab wrote:
> Alex Dowad <alexinbeijing@gmail.com> writes:
>
> > diff --git a/elf/rtld.c b/elf/rtld.c
> > index 6dcbabc..e10293a 100644
> > --- a/elf/rtld.c
> > +++ b/elf/rtld.c
> > @@ -2405,9 +2405,8 @@ process_dl_debug (const char *dl_debug)
> > {
> > /* Display a warning and skip everything until next
> > separator. */
> > - char *copy = strndupa (dl_debug, len);
> > _dl_error_printf ("\
> > -warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy);
> > +warning: debug option `%.*s' unknown; try LD_DEBUG=help\n", len, dl_debug);
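Review bot: in the `+` line the precision argument of `%.*s` must be an `int`, but `len` is a `size_t`, so the variadic call passes the wrong type (and on LP64 targets a different width); pass `(int) len`, and if `len` is derived from the untrusted LD_DEBUG string with no upper bound, clamp it to INT_MAX before the cast. It is also worth confirming that `_dl_error_printf`, which is the loader's own minimal formatter rather than stdio, actually honours a `.*` precision, since otherwise the unknown token would be printed unbounded rather than limited to `len` bytes as the removed `strndupa (dl_debug, len)` copy was.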
>
> len is size_t, but .* expects int.
>
Would a cast suffice, as we don't care about printing only part of 1GB+
strings instead of the entire string?
Otherwise the patch looks sensible to me. I would be even stricter and
disallow LD_DEBUG for suid programs. Now it doesn't seem to write
something that could be classified as a data leak, but it's better to be
safe.
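The point of the patch under discussion is that copying an attacker-chosen token from LD_DEBUG onto the stack with `strndupa` gives the caller of a set-uid program control over an `alloca` size, while printing it through a bounded `%.*s` does not. The following is an added example written for this archive page, not glibc's `process_dl_debug` and not code from the thread: it scans a comma/colon separated option list, reports unknown tokens with `%.*s`, and shows the `size_t` to `int` clamp and cast that Andreas asked for. The option names, the separator set and the `scan_debug_options`/`report_unknown` helper names are assumptions made for the example.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed option table for the example; the real LD_DEBUG keyword
   list lives in glibc's rtld.c and is not reproduced here.  */
static const char *const known_opts[] = {
    "libs", "reloc", "files", "symbols", "bindings", "versions", "help", "all"
};

/* Format the warning for an unknown option of `len` bytes starting at `p`.
   No copy of the token is made: the token is printed in place, bounded by
   the %.*s precision.  That precision is an int, so a size_t length must be
   clamped and cast explicitly rather than passed through the varargs as-is.  */
static int report_unknown(char *out, size_t outsz, const char *p, size_t len)
{
    int prec = len > (size_t) INT_MAX ? INT_MAX : (int) len;
    return snprintf(out, outsz,
                    "warning: debug option `%.*s' unknown; try LD_DEBUG=help\n",
                    prec, p);
}

/* Scan `dl_debug`, an untrusted string of the form "libs,bogus:files".
   Returns the number of unknown tokens; the warning for the last unknown
   token is written into `last` (hypothetical API for the example).
   Nothing here allocates memory proportional to the attacker's input.  */
int scan_debug_options(const char *dl_debug, char *last, size_t lastsz)
{
    static const char seps[] = ",: \t";
    int unknown = 0;

    if (last != NULL && lastsz > 0)
        last[0] = '\0';

    while (*dl_debug != '\0') {
        /* Skip any run of separators, then measure the next token.  */
        dl_debug += strspn(dl_debug, seps);
        size_t len = strcspn(dl_debug, seps);
        if (len == 0)
            break;

        int matched = 0;
        for (size_t i = 0; i < sizeof known_opts / sizeof known_opts[0]; i++) {
            if (strlen(known_opts[i]) == len
                && memcmp(known_opts[i], dl_debug, len) == 0) {
                matched = 1;
                break;
            }
        }

        if (!matched) {
            unknown++;
            if (last != NULL && lastsz > 0)
                report_unknown(last, lastsz, dl_debug, len);
        }
        dl_debug += len;
    }
    return unknown;
}
```

A token of several megabytes in LD_DEBUG costs this scanner only a `strcspn` and a bounded `snprintf`, whereas the pre-patch `strndupa` would have reserved that many bytes of stack before the dynamic loader had even finished parsing the environment.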