[PATCH] elf: handle NULL input to fatal_error
Jiangfeng Xiao
xiaojiangfeng@huawei.com
Sat Mar 30 13:40:52 GMT 2024
"dlopen_doit" may execute
"_dl_signal_error (0, NULL, NULL, ...)",
which causes a segmentation fault.
The call stack is as follows:
Program received signal SIGSEGV, Segmentation fault.
fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
(gdb) bt
#0 fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
#1 0xf7de5260 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0,
errstring=0xf7c90518 "invalid mode parameter")
#2 0xf7d0e204 in dlopen_doit (a=a@entry=0xfffefa94)
When objname is NULL, referencing *objname accesses a null pointer.
Therefore, *objname is changed to objname.
After this bug is fixed, if objname is NULL, the "strlen"
in _dl_fatal_printf->_dl_debug_vdprintf will produce
another segmentation fault.
The call stack is as follows:
Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
(gdb) bt
#0 strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
#1 0xf7d7fd40 in _dl_debug_vdprintf (fd=2, tag_p=0, fmt=0xf7ab83ab "s%s%s%s%s\n", arg=...)
#2 0xf7d8006c in __GI__dl_fatal_printf (fmt=0xf7ab83a2 "%s: %s: %s%s%s%s%s\n")
#3 0xf7c0b204 in fatal_error (errcode@entry=0, objname=0x0, occasion=0x0,
errstring=errstring@entry=0xf7ab6518 "invalid mode parameter")
#4 0xf7c0b258 in __GI__dl_signal_error (errcode=0, objname=0x0,
occation=0x0, errstring=0xf7ab6518 "invalid mode parameter")
#5 0xf7b34204 in dlopen_doit (a=a@entry=0xff9f7434)
Therefore, null checks are required for "objname" and "errstring".
Fixes: 2449ae7b2da24 ("ld.so: Introduce struct dl_exception")
Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
---
elf/dl-catch.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/elf/dl-catch.c b/elf/dl-catch.c
index 2109516..05a41d1 100644
--- a/elf/dl-catch.c
+++ b/elf/dl-catch.c
@@ -83,8 +83,8 @@ fatal_error (int errcode, const char *objname, const char *occasion,
_dl_fatal_printf ("%s: %s: %s%s%s%s%s\n",
RTLD_PROGNAME,
occasion ?: N_("error while loading shared libraries"),
- objname, *objname ? ": " : "",
- errstring, errcode ? ": " : "",
+ objname ? objname : "", objname ? ": " : "",
+ errstring ? errstring : "", errcode ? ": " : "",
(errcode
? __strerror_r (errcode, buffer, sizeof buffer)
: ""));
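Review bot: the replacement `objname ? ": " : ""` drops the behaviour the old `*objname ? ": " : ""` test provided for a non-NULL but empty objname, so a caller passing "" now gets a stray separator ("...: : invalid mode parameter"); keeping both conditions, e.g. `objname && *objname ? ": " : ""`, handles NULL without changing the empty-string output. For consistency with the `occasion ?:` form two lines above, `objname ?: ""` and `errstring ?: ""` would read better than the explicit ternaries. Both backtraces in the message show errstring non-NULL ("invalid mode parameter"), so the errstring change is not exercised by the reported crash; the commit message should say where a NULL errstring can actually reach fatal_error, or the errstring hunk should be dropped.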
--
1.8.5.6
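To make the separator behaviour concrete, here is an added, stand-alone model of the message that fatal_error builds; it is example code written for this review, not glibc's own code, and the names format_patched, format_fixed and PROGNAME are assumptions. format_patched mirrors the hunk above (NULL-safe, but it emits ": " after an empty objname), while format_fixed checks for both NULL and empty objname.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>

/* Added example, not glibc code: models the _dl_fatal_printf call in
   elf/dl-catch.c so the NULL and empty-objname cases can be compared.
   PROGNAME stands in for RTLD_PROGNAME (assumption for the example). */
#define PROGNAME "prog"

/* Same conditions as the patched hunk: NULL-safe, but "" still yields ": ". */
static int format_patched(char *out, size_t outlen, int errcode,
                          const char *objname, const char *occasion,
                          const char *errstring)
{
    return snprintf(out, outlen, "%s: %s: %s%s%s%s%s\n",
                    PROGNAME,
                    occasion ? occasion : "error while loading shared libraries",
                    objname ? objname : "", objname ? ": " : "",
                    errstring ? errstring : "", errcode ? ": " : "",
                    errcode ? strerror(errcode) : "");
}

/* Suggested form: separator only when objname is non-NULL and non-empty. */
static int format_fixed(char *out, size_t outlen, int errcode,
                        const char *objname, const char *occasion,
                        const char *errstring)
{
    return snprintf(out, outlen, "%s: %s: %s%s%s%s%s\n",
                    PROGNAME,
                    occasion ? occasion : "error while loading shared libraries",
                    objname ? objname : "",
                    (objname && *objname) ? ": " : "",
                    errstring ? errstring : "", errcode ? ": " : "",
                    errcode ? strerror(errcode) : "");
}

int main(void)
{
    char buf[256];
    /* Constructed inputs: the NULL case from the bug report, and an empty objname. */
    format_patched(buf, sizeof buf, 0, NULL, NULL, "invalid mode parameter");
    fputs(buf, stdout);
    format_patched(buf, sizeof buf, 0, "", NULL, "invalid mode parameter");
    fputs(buf, stdout);   /* note the doubled ": : " */
    format_fixed(buf, sizeof buf, 0, "", NULL, "invalid mode parameter");
    fputs(buf, stdout);
    return 0;
}
```

Compile with a plain `cc` invocation; the strerror text in the errcode case depends on the C library and locale.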