This is the mail archive of the mailing list for the glibc project.
Re: [PATCH] Mangle NULL pointers in iconv/gconv [BZ #22025]
On 08/29/2017 10:13 AM, Florian Weimer wrote:
> Right after pushing I realized that the entire premise of this patch is
The premise is not wrong.
The idea is to simplify the existing code to always mangle/demangle
function pointers without exception.
What you have found is a way to manipulate the mangling, which was
not considered in the original patch.
> Code like this:
>   /* Get the conversion functions.  */
>   fcts = get_gconv_fcts (_NL_CURRENT_DATA (LC_CTYPE));
>   __gconv_btowc_fct btowc_fct = fcts->towc->__btowc_fct;
> #ifdef PTR_DEMANGLE
>   if (fcts->towc->__shlib_handle != NULL)
>     PTR_DEMANGLE (btowc_fct);
> #endif
>
>   if (__builtin_expect (fcts->towc_nsteps == 1, 1)
>       && __builtin_expect (btowc_fct != NULL, 1))
>     /* Use the shortcut function.  */
>     return DL_CALL_FCT (btowc_fct, (fcts->towc, (unsigned char) c));
> provides a reasonably straightforward way for bypassing pointer
> mangling, simply by setting __shlib_handle to NULL.
Sure, but that also has other consequences. There are several loops
which look for __shlib_handle != NULL and those loops would do nothing
if you set __shlib_handle to NULL?
> I'll try to come up with a different fix.
You do not need to come up with a different fix.
I suggest you review Andreas' comments, fixup the existing implementation,
and file a bug about the way in which the __shlib_handle might be abusable.
Don't go down the rabbit hole ;-)
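An added illustration of the two dispatch policies discussed in this thread (conditional demangling keyed on `__shlib_handle` versus the patch's premise of mangling every stored pointer without exception). It is not glibc code; the guard value, the xor-and-rotate transform, `struct step` and the `dispatch_*` helpers are constructed stand-ins for `__pointer_chk_guard`, `PTR_MANGLE`/`PTR_DEMANGLE` and `struct __gconv_step`.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the per-process pointer guard (normally random). */
static const uint64_t pointer_guard = 0x5a1e2b3c4d5e6f70ULL;

static uint64_t rotl64(uint64_t v, unsigned n) { return (v << n) | (v >> (64 - n)); }
static uint64_t rotr64(uint64_t v, unsigned n) { return (v >> n) | (v << (64 - n)); }

/* Same shape as the x86-64 PTR_MANGLE/PTR_DEMANGLE macros: xor guard, then rotate. */
static uint64_t ptr_mangle(uint64_t p)   { return rotl64(p ^ pointer_guard, 17); }
static uint64_t ptr_demangle(uint64_t p) { return rotr64(p, 17) ^ pointer_guard; }

/* Simplified stand-in for struct __gconv_step: a handle plus the stored fct pointer. */
struct step {
  void *shlib_handle;
  uint64_t btowc_fct;   /* what the table holds, mangled or not */
};

/* Policy quoted in the thread: demangle only when the handle is non-NULL.
   A NULL handle therefore makes the stored value be used as-is. */
static uint64_t dispatch_conditional(const struct step *s) {
  uint64_t f = s->btowc_fct;
  if (s->shlib_handle != NULL)
    f = ptr_demangle(f);
  return f;
}

/* Policy the patch aims for: every stored pointer is mangled, so every load
   demangles; a value that skipped PTR_MANGLE never comes back out intact. */
static uint64_t dispatch_unconditional(const struct step *s) {
  return ptr_demangle(s->btowc_fct);
}

int main(void) {
  int dummy;                       /* stands in for a real dlopen handle */
  const uint64_t real = 0x00007f0000001234ULL;   /* constructed target address */
  struct step properly_stored = { &dummy, ptr_mangle(real) };
  struct step raw_with_null   = { NULL, real };   /* never mangled, handle NULL */
  printf("conditional, mangled entry:   %#llx\n",
         (unsigned long long) dispatch_conditional(&properly_stored));
  printf("conditional, raw entry:       %#llx  (raw value honoured)\n",
         (unsigned long long) dispatch_conditional(&raw_with_null));
  printf("unconditional, raw entry:     %#llx  (guard always applied)\n",
         (unsigned long long) dispatch_unconditional(&raw_with_null));
  return 0;
}
```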