This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.



Re: [PATCH] Avoid mapping past end of shared object (BZ #18685)


On Thu, Jul 16, 2015 at 11:59:18AM -0400, Carlos O'Donell wrote:
> This is not the right fix for this problem. The right fix has not
> been attempted because it involves someone doing some real leg work
> to gather consensus. This fix adds complex checking in ld.so for
> minimal gain, and eventually you'll get a debuginfo file that is
> different again in some odd way.

This is not specifically about being able to read debug files, nor is
it about ldd.  It just happens to be ldd (ld.so [--verify|--list])
that crashed, but the offending code is bang in the middle of generic
ld.so code that can potentially be exploited when running arbitrary
binaries.  While it is true that one should not run arbitrary code
anyway, it shouldn't be an excuse for not fixing bugs.  I don't see
the point of not adding such checks as they come up; performance is an
excuse made quite regularly, but what is the actual cost of such
checks?

To be clear, I am not against having an eu-ldd, but that shouldn't be
an excuse for not patching ld.so.  Things that don't crash on eu-ldd,
should not crash on ld.so.

Oh, and did I mention that eu-ldd (and most of elfutils) should
ideally be written in an interpreted language (cough*python*cough) so
that we reduce the attack surface on them?

Siddhesh
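The reply above argues that a file-size bounds check on ELF segment headers is cheap and belongs in generic loader code. The following is an added illustration of what such a check looks like; it is not glibc's code and not the patch under discussion. The struct layouts mirror the ELF64 specification and are defined locally so the block builds without `<elf.h>`; `build_sample_elf` produces a constructed in-memory image, not a real shared object.

```c
/* Added example (not glibc code): reject an ELF64 image whose program header
 * table or PT_LOAD segments extend past the end of the file, before anything
 * is mapped. Struct layouts mirror the ELF64 spec (64 and 56 bytes). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    unsigned char e_ident[16];
    uint16_t e_type, e_machine;
    uint32_t e_version;
    uint64_t e_entry, e_phoff, e_shoff;
    uint32_t e_flags;
    uint16_t e_ehsize, e_phentsize, e_phnum, e_shentsize, e_shnum, e_shstrndx;
} Ehdr64;

typedef struct {
    uint32_t p_type, p_flags;
    uint64_t p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_align;
} Phdr64;

enum { PT_LOAD_TYPE = 1, ELFCLASS64_VALUE = 2 };

/* Returns 1 if the program header table and every PT_LOAD segment's file bytes
 * [p_offset, p_offset + p_filesz) lie inside file_size, otherwise 0.
 * Every comparison is arranged as "a > limit - b" so no sum can wrap. */
int elf64_load_segments_in_bounds(const unsigned char *image, size_t file_size)
{
    Ehdr64 eh;
    if (file_size < sizeof eh)
        return 0;
    memcpy(&eh, image, sizeof eh);
    if (memcmp(eh.e_ident, "\x7f" "ELF", 4) != 0 || eh.e_ident[4] != ELFCLASS64_VALUE)
        return 0;
    if (eh.e_phentsize != sizeof(Phdr64))
        return 0;
    /* The header table itself must fit in the file. */
    if (eh.e_phoff > file_size)
        return 0;
    if ((uint64_t)eh.e_phnum * sizeof(Phdr64) > file_size - eh.e_phoff)
        return 0;

    for (uint16_t i = 0; i < eh.e_phnum; i++) {
        Phdr64 ph;
        memcpy(&ph, image + eh.e_phoff + (size_t)i * sizeof ph, sizeof ph);
        if (ph.p_type != PT_LOAD_TYPE)
            continue;
        if (ph.p_offset > file_size)
            return 0;
        if (ph.p_filesz > file_size - ph.p_offset)   /* would map past EOF */
            return 0;
        if (ph.p_filesz > ph.p_memsz)                /* inconsistent header */
            return 0;
    }
    return 1;
}

/* Constructed sample: a minimal ELF64 image with one PT_LOAD segment whose file
 * range is chosen by the caller. Returns the image length (184 bytes). */
size_t build_sample_elf(unsigned char *buf, size_t cap, uint64_t seg_off, uint64_t seg_filesz)
{
    const size_t len = sizeof(Ehdr64) + sizeof(Phdr64) + 64;
    if (cap < len)
        return 0;
    memset(buf, 0, len);
    Ehdr64 eh = {0};
    memcpy(eh.e_ident, "\x7f" "ELF", 4);
    eh.e_ident[4] = ELFCLASS64_VALUE; eh.e_ident[5] = 1; eh.e_ident[6] = 1;
    eh.e_type = 3; eh.e_machine = 62; eh.e_version = 1;      /* ET_DYN, x86-64 */
    eh.e_phoff = sizeof eh; eh.e_ehsize = sizeof eh;
    eh.e_phentsize = sizeof(Phdr64); eh.e_phnum = 1;
    Phdr64 ph = {0};
    ph.p_type = PT_LOAD_TYPE; ph.p_flags = 5;                /* R+X */
    ph.p_offset = seg_off; ph.p_vaddr = seg_off; ph.p_paddr = seg_off;
    ph.p_filesz = seg_filesz; ph.p_memsz = seg_filesz; ph.p_align = 0x1000;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    return len;
}

int main(void)
{
    unsigned char buf[256];
    size_t n = build_sample_elf(buf, sizeof buf, 0, 184);
    printf("segment within file:  %d\n", elf64_load_segments_in_bounds(buf, n));
    n = build_sample_elf(buf, sizeof buf, 0, 4096);
    printf("segment past EOF:     %d\n", elf64_load_segments_in_bounds(buf, n));
    n = build_sample_elf(buf, sizeof buf, UINT64_MAX - 8, 64);
    printf("offset that would wrap: %d\n", elf64_load_segments_in_bounds(buf, n));
    return 0;
}
```

The cost is a handful of integer comparisons per program header, done once at load time; the third case shows why the subtraction form matters, since `p_offset + p_filesz` computed directly would wrap to a small value and pass a naive check.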

