This is the mail archive of the mailing list for the glibc project.


Re: [PATCH] Mangle NULL pointers in iconv/gconv [BZ #22025]

On 08/29/2017 10:13 AM, Florian Weimer wrote:
> *sigh*
> Right after pushing I realized that the entire premise of this patch is
> bogus.

The premise is not wrong.

The idea is to simplify the existing code to always mangle/demangle
function pointers without exception.

What you have found is a way to manipulate the mangling, which was
not considered in the original patch.

> Code like this:
>   /* Get the conversion functions.  */
>   fcts = get_gconv_fcts (_NL_CURRENT_DATA (LC_CTYPE));
>   __gconv_btowc_fct btowc_fct = fcts->towc->__btowc_fct;
>   if (fcts->towc->__shlib_handle != NULL)
>     PTR_DEMANGLE (btowc_fct);
> #endif
>   if (__builtin_expect (fcts->towc_nsteps == 1, 1)
>       && __builtin_expect (btowc_fct != NULL, 1))
>     {
>       /* Use the shortcut function.  */
>       return DL_CALL_FCT (btowc_fct, (fcts->towc, (unsigned char) c));
> provides a reasonably straightforward way for bypassing pointer
> mangling, simply by setting __shlib_handle to NULL.

Sure, but that also has other consequences. There are several loops
which look for __shlib_handle != NULL and those loops would do nothing
if you set __shlib_handle to NULL?

> I'll try to come up with a different fix.

You do not need to come up with a different fix.

I suggest you review Andreas' comments, fix up the existing implementation,
and file a bug about the way in which the __shlib_handle might be abusable.

Don't go down the rabbit hole ;-)
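
Added example, not part of the original message and not glibc code: a small C model of the two schemes discussed in this thread, showing why a demangle step that is conditional on `__shlib_handle` lets an unmangled stored value reach the call site, while unconditional mangling (NULL included) does not. The `struct step`, the helper names, the guard constant and the plain-XOR mangling are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed stand-in for the per-process pointer guard (a random secret
   in a real process).  Mangling is modelled as a plain XOR. */
static const uintptr_t guard = (uintptr_t) 0x5bd1e995u;

static uintptr_t mangle (uintptr_t p)   { return p ^ guard; }
static uintptr_t demangle (uintptr_t p) { return p ^ guard; }

/* Hypothetical model of the two step fields the quoted code reads. */
struct step
{
  void *shlib_handle;
  uintptr_t btowc_fct;   /* function pointer as stored in memory */
};

/* Conditional scheme, as in the quoted code: the stored value is used
   verbatim whenever shlib_handle is NULL. */
static uintptr_t load_conditional (const struct step *s)
{
  uintptr_t f = s->btowc_fct;
  if (s->shlib_handle != NULL)
    f = demangle (f);
  return f;
}

/* Unconditional scheme: every stored value, NULL included, is mangled. */
static void store_always (struct step *s, uintptr_t f) { s->btowc_fct = mangle (f); }
static uintptr_t load_always (const struct step *s) { return demangle (s->btowc_fct); }

/* Returns 1 if a raw (unmangled) value placed in the struct would be used
   as the call target unchanged under the conditional scheme. */
static int raw_value_survives_conditional (uintptr_t raw)
{
  struct step s = { NULL, raw };
  return load_conditional (&s) == raw;
}

/* Same check for the unconditional scheme. */
static int raw_value_survives_always (uintptr_t raw)
{
  struct step s = { NULL, raw };
  return load_always (&s) == raw;
}

int main (void)
{
  struct step s = { NULL, 0 };
  store_always (&s, 0);   /* a legitimately absent shortcut function */
  return !(load_always (&s) == 0 && raw_value_survives_conditional (0x1000)
           && !raw_value_survives_always (0x1000));
}
```

Under the unconditional scheme a legitimately absent function is stored as the mangled form of NULL, so the `btowc_fct != NULL` test after demangling still works.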

