This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [PATCH] Add more checks for valid ld.so.cache file (bug 18093)
- From: Andreas Schwab <schwab at suse dot de>
- To: Florian Weimer <fweimer at redhat dot com>
- Cc: libc-alpha at sourceware dot org
- Date: Tue, 23 Oct 2018 14:34:44 +0200
- Subject: Re: [PATCH] Add more checks for valid ld.so.cache file (bug 18093)
- References: <mvm7ei8swnb.fsf@suse.de> <87bm7kvof1.fsf@oldenburg.str.redhat.com>
On Oct 23 2018, Florian Weimer <fweimer@redhat.com> wrote:
>> diff --git a/elf/dl-cache.c b/elf/dl-cache.c
>> index 6ee5153ff9..0f5d035213 100644
>> --- a/elf/dl-cache.c
>> +++ b/elf/dl-cache.c
>> @@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name)
>> - only the new format
>> The following checks if the cache contains any of these formats. */
>> if (file != MAP_FAILED && cachesize > sizeof *cache
>> - && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0)
>> + && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
>> + /* Check for overflow. */
>> + && ((cachesize - sizeof *cache) / sizeof (struct file_entry)
>> + >= ((struct cache_file *) file)->nlibs))
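Review bot: the comment `/* Check for overflow. */` on the new condition does not say what is being bounded, and the two properties that make the expression safe are worth spelling out at the point where they matter. The subtraction `cachesize - sizeof *cache` cannot wrap only because the same `if` already requires `cachesize > sizeof *cache` (strictly greater), and dividing the remaining bytes by `sizeof (struct file_entry)` is what avoids the product `nlibs * sizeof (struct file_entry)`, which an attacker-controlled `nlibs` could overflow. Something like `/* Check that nlibs entries of struct file_entry fit in the mapping; divide rather than multiply so a huge nlibs cannot overflow. */` would document that. Since the check is `&&`-ed into the existing condition, a file with a valid CACHEMAGIC but an oversized `nlibs` now falls through to the subsequent format checks rather than being rejected here; if that fall-through is intended, a one-line comment saying so would save the next reader the question.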
>
>
> Should the new check be nested inside the if statement, so that we do
> not fall through to the CACHEMAGIC_VERSION_NEW check?
We want to fall through to the last alternative that unmaps the file.
Andreas.
--
Andreas Schwab, SUSE Labs, schwab@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
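The thread above discusses validating the old-format ld.so.cache header by checking that the advertised `nlibs` entries actually fit in the mapped file. The following is an added example, not glibc's code and not taken from the patch: it models the old-format layout with its own simplified struct definitions (the magic string, a `struct file_entry` of three 32-bit fields and a `struct cache_file` header are assumptions made for this example), applies the division-based check the patch uses, and contrasts it with a multiplying form evaluated in 32-bit arithmetic to show how a crafted `nlibs` wraps the size computation and gets accepted. All inputs are constructed in memory; nothing is read from `/etc/ld.so.cache`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed model of the old ld.so.cache layout, simplified for this example
   (not glibc's own definitions): a header followed by nlibs entries of
   struct file_entry, then a string table that is ignored here.  */
#define CACHEMAGIC "ld.so-1.7.0"

struct file_entry
{
  int flags;
  unsigned int key;     /* string-table offset of the library name */
  unsigned int value;   /* string-table offset of the library path */
};

struct cache_file
{
  char magic[sizeof CACHEMAGIC - 1];
  unsigned int nlibs;
  struct file_entry libs[];
};

/* The condition as the patch writes it.  cachesize > sizeof *cache is
   tested first, so the subtraction cannot wrap; dividing the remaining
   bytes by the entry size avoids the product nlibs * sizeof (struct
   file_entry), which a hostile nlibs could overflow.  */
int
old_format_header_ok (const void *file, size_t cachesize)
{
  const struct cache_file *cache = file;
  return cachesize > sizeof *cache
         && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
         && (cachesize - sizeof *cache) / sizeof (struct file_entry)
              >= cache->nlibs;
}

/* The multiplying form, deliberately computed in 32 bits to model a
   32-bit size_t: the product wraps and a bogus nlibs is accepted.  */
int
naive_header_ok_32 (const void *file, size_t cachesize)
{
  const struct cache_file *cache = file;
  uint32_t needed = (uint32_t) sizeof *cache
                    + cache->nlibs * (uint32_t) sizeof (struct file_entry);
  return cachesize > sizeof *cache
         && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
         && cachesize >= needed;
}

/* Constructed sample input: a header claiming nlibs entries followed by
   nentries zero-filled entries (no string table).  Returns the total size,
   or 0 if it does not fit in buf.  */
size_t
build_old_format (unsigned char *buf, size_t bufsize, const char *magic,
                  unsigned int nlibs, size_t nentries)
{
  size_t total = sizeof (struct cache_file)
                 + nentries * sizeof (struct file_entry);
  struct cache_file hdr;
  if (total > bufsize)
    return 0;
  memset (buf, 0, total);
  memset (&hdr, 0, sizeof hdr);
  memcpy (hdr.magic, magic, sizeof hdr.magic);   /* magic must be 11 bytes */
  hdr.nlibs = nlibs;
  memcpy (buf, &hdr, sizeof hdr);
  return total;
}

/* Builds the sample and runs one of the checks: 1 = accepted, 0 = rejected,
   -1 = sample did not fit.  */
int
check_constructed (const char *magic, unsigned int nlibs, size_t nentries,
                   int use_naive)
{
  unsigned char buf[256];
  size_t n = build_old_format (buf, sizeof buf, magic, nlibs, nentries);
  if (n == 0)
    return -1;
  return use_naive ? naive_header_ok_32 (buf, n)
                   : old_format_header_ok (buf, n);
}

int
main (void)
{
  /* Chosen so that nlibs * 12 == 0x100000008, i.e. 8 after 32-bit wrap.  */
  unsigned int wrap_nlibs = 0x15555556u;

  printf ("valid, 1 claimed, 1 present:     %d\n",
          check_constructed (CACHEMAGIC, 1, 1, 0));
  printf ("truncated, 2 claimed, 1 present: %d\n",
          check_constructed (CACHEMAGIC, 2, 1, 0));
  printf ("wrong magic:                     %d\n",
          check_constructed ("ld.so-0.0.0", 1, 1, 0));
  printf ("huge nlibs, division check:      %d\n",
          check_constructed (CACHEMAGIC, wrap_nlibs, 1, 0));
  printf ("huge nlibs, 32-bit product:      %d\n",
          check_constructed (CACHEMAGIC, wrap_nlibs, 1, 1));
  return 0;
}
```

The last two cases are the point: the same 28-byte sample is rejected by the division form and accepted by the 32-bit multiplying form, because `0x15555556 * 12` wraps to 8 and the "needed" size collapses to 24 bytes. Note also that a header with `nlibs == 0` and nothing after it is rejected by the strict `cachesize > sizeof *cache` test that the patch keeps, so a trailing string table (or at least one byte of it) is required.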