This is the mail archive of the glibc-bugs@sourceware.org mailing list for the glibc project.



[Bug libc/2792] New: Overflow in dl-deps.c : expand_dst() with patch


The expand_dst() macro calls the DL_DST_REQUIRED() macro.  They both use a
variable __cnt which leads to the following source line after preprocessing:
  size_t __cnt = (__cnt);
Thus __cnt is not initialized properly.  __cnt is later used to compute the size
of an array, which may not be long enough to hold the strings written into the
array.

This bug manifests as sporadic segmentation faults in ld.so when loading ELF
executables which have DT_NEEDED entries containing the strings $ORIGIN or
$PLATFORM.

Linux 2.4.22-gg13
gcc version 3.2.2 20030222
GNU ld version 2.13.90.0.18 20030206

Fix is to rename one of the two variables:

--- glibc-2.3.5/elf/dl-deps.c.orig      2006-06-16 14:47:50.000000000 -0700
+++ glibc-2.3.5/elf/dl-deps.c   2006-06-16 14:48:06.000000000 -0700
@@ -101,9 +101,9 @@
   ({                                                                         \
     const char *__str = (str);                                               \
     const char *__result = __str;                                            \
-    size_t __cnt = DL_DST_COUNT(__str, 0);                                   \
+    size_t __dst_cnt = DL_DST_COUNT(__str, 0);                               \
                                                                              \
-    if (__cnt != 0)                                                          \
+    if (__dst_cnt != 0)                                                       
      \
       {                                                                       
      \
        char *__newp;                                                         \
                                                                              \
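Review bot: the continuation backslashes on the `+    if (__dst_cnt != 0)` line and the following `{` line have wrapped onto separate lines in this hunk, so the patch as shown will not apply cleanly; please resend with each backslash at the end of its own line, or as an attachment. The rename itself is correct: expand_dst() passing its own `__cnt` into DL_DST_REQUIRED(), which declares `size_t __cnt = (cnt)`, expands to `size_t __cnt = (__cnt);`, a self-initialization, and giving the outer variable a distinct name (`__dst_cnt`) removes the collision.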
@@ -113,7 +113,7 @@
 DST not allowed in SUID/SGID programs"));                                    \
                                                                              \
        __newp = (char *) alloca (DL_DST_REQUIRED (l, __str, strlen (__str),  \
-                                                  __cnt));                   \
+                                                  __dst_cnt));               \
                                                                              \
        __result = _dl_dst_substitute (l, __str, __newp, 0);          \
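Review bot: the call-site change at `__dst_cnt));` is the line that actually alters the expansion; with the argument renamed, DL_DST_REQUIRED's `size_t __cnt = (cnt)` now reads `size_t __cnt = (__dst_cnt);` and the alloca size is derived from a real count. Lines 110 to 112 of dl-deps.c fall between the two hunks and are not shown; any remaining use of `__cnt` there would now be an undeclared identifier and fail to compile, so a build of the patched file confirms the rename is complete. A one-line comment on the `__dst_cnt` declaration explaining that it must not share DL_DST_REQUIRED's `__cnt` name would keep the collision from being reintroduced later.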

-- 
           Summary: Overflow in dl-deps.c : expand_dst() with patch
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: normal
          Priority: P2
         Component: libc
        AssignedTo: drepper at redhat dot com
        ReportedBy: dgreiman at google dot com
                CC: glibc-bugs at sources dot redhat dot com
  GCC host triplet: i686-pc-linux-gnu
GCC target triplet: i686-pc-linux-gnu


http://sourceware.org/bugzilla/show_bug.cgi?id=2792
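The macro-name collision the report describes, as an added example that is not glibc's code: DST_REQUIRED, EXPAND_DST_FIXED, dst_count, required_size, substitute_origin and roundtrip_matches are simplified stand-ins written here, the sample strings are constructed, and the size formula is an assumed conservative bound rather than DL_DST_REQUIRED's real one. The buggy shape is kept under `#if 0` so its self-initialising expansion can be read next to the renamed form the patch introduces, and substitute_origin carries the bounds check that an undersized alloca buffer would lack.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy stand-in for DL_DST_COUNT: number of "$ORIGIN" tokens in str. */
static size_t dst_count (const char *str)
{
  size_t n = 0;
  for (const char *p = str; (p = strstr (p, "$ORIGIN")) != NULL; p += 7)
    n++;
  return n;
}

/* Toy stand-in for DL_DST_REQUIRED: a conservative upper bound on the
   bytes needed once every "$ORIGIN" in str is replaced by origin_dir
   (the $ORIGIN text itself is not subtracted, so this over-allocates).
   Like the real macro it declares its own __cnt from the cnt argument. */
#define DST_REQUIRED(origin_dir, str, len, cnt)                         \
  ({                                                                    \
    size_t __len = (len);                                               \
    size_t __cnt = (cnt);                                               \
    __len + __cnt * strlen (origin_dir) + 1;                            \
  })

#if 0
/* Buggy shape from the report, kept out of the build: expand_dst also
   names its count __cnt, so the inner `size_t __cnt = (cnt);` expands to
   `size_t __cnt = (__cnt);` and the computed size is indeterminate. */
#define EXPAND_DST_BUGGY(origin_dir, str)                               \
  ({                                                                    \
    const char *__str = (str);                                          \
    size_t __cnt = dst_count (__str);                                   \
    DST_REQUIRED (origin_dir, __str, strlen (__str), __cnt);            \
  })
#endif

/* Fixed shape: the outer count has a distinct name (__dst_cnt, as in the
   patch), so DST_REQUIRED's __cnt is initialized from a real value. */
#define EXPAND_DST_FIXED(origin_dir, str)                               \
  ({                                                                    \
    const char *__str = (str);                                          \
    size_t __dst_cnt = dst_count (__str);                               \
    DST_REQUIRED (origin_dir, __str, strlen (__str), __dst_cnt);        \
  })

/* Buffer size the fixed macro pair computes for a DT_NEEDED-style string. */
size_t required_size (const char *origin_dir, const char *needed)
{
  return EXPAND_DST_FIXED (origin_dir, needed);
}

/* Replace each "$ORIGIN" in needed with origin_dir, writing into out.
   Returns the length written (excluding NUL), or (size_t) -1 if out_len
   is too small: the check an undersized alloca buffer would not get. */
size_t substitute_origin (const char *origin_dir, const char *needed,
                          char *out, size_t out_len)
{
  size_t olen = strlen (origin_dir), pos = 0;
  for (const char *p = needed; *p != '\0';)
    {
      if (strncmp (p, "$ORIGIN", 7) == 0)
        {
          if (pos + olen >= out_len)
            return (size_t) -1;
          memcpy (out + pos, origin_dir, olen);
          pos += olen;
          p += 7;
        }
      else
        {
          if (pos + 1 >= out_len)
            return (size_t) -1;
          out[pos++] = *p++;
        }
    }
  out[pos] = '\0';
  return pos;
}

/* Round trip: size with required_size(), substitute, compare to expected.
   Returns 1 when the sized buffer is sufficient and the result matches. */
int roundtrip_matches (const char *origin_dir, const char *needed,
                       const char *expected)
{
  char buf[256];
  size_t need = required_size (origin_dir, needed);
  if (need > sizeof buf)
    return 0;
  return substitute_origin (origin_dir, needed, buf, need) != (size_t) -1
         && strcmp (buf, expected) == 0;
}

int main (void)
{
  const char *needed = "$ORIGIN/lib/libfoo.so";   /* constructed sample */
  char buf[64];
  printf ("required: %zu bytes\n", required_size ("/opt/app", needed));
  if (substitute_origin ("/opt/app", needed, buf, sizeof buf) != (size_t) -1)
    printf ("expanded: %s\n", buf);
  return 0;
}
```

Compile with gcc or clang (statement expressions are a GNU extension, as in dl-deps.c itself). The point to take from it is structural: a macro that declares scratch variables must not be handed an argument spelled the same as one of them, because C scoping makes the inner declaration's initializer refer to the inner variable itself.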


