Re: dlinfo/rtld.c bug

From: John Baldwin <jhb_at_FreeBSD.org>
Date: Mon, 1 Aug 2005 15:14:13 -0400
On Wednesday 27 July 2005 08:01 pm, William Josephson wrote:
> I've run across a bug in the ELF dynamic linker in FreeBSD 4.x
> and FreeBSD 5.4.  Although I haven't had a chance to compile or
> install FreeBSD 6 yet, the bug appears to be in the ELF dynamic
> linker in at least FreeBSD 4 through -CURRENT.  The problem is
> that do_search_info in libexec/rtld-elf/rtld.c does not account
> for the space required by Dl_serpath structures with either the
> RTLD_DI_SERINFOSIZE, or the RTLD_DI_SERINFO requests.  The
> example program in the dlinfo man page happens to work, but a
> simple loop copying the path strings into a buffer allocated with
> malloc will corrupt the heap.  The program below illustrates the
> problem.  Given that the arithmetic in do_search_info is easily
> fixed, it might be worth patching before the upcoming release.
>
> 	#include <link.h>
> 	#include <dlfcn.h>
> 	#include <stddef.h>	/* ptrdiff_t */
> 	#include <stdio.h>
> 	#include <stdlib.h>
> 	#include <string.h>	/* memset, strlen */
>
> 	int
> 	main(int argc, char *argv[])
> 	{
> 		char *s;
> 		Dl_serinfo *p;
> 		Dl_serinfo info;
>
> 		/* Ask rtld how large a buffer the search-path info needs. */
> 		memset(&info, 0, sizeof(info));
> 		if (dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void*)&info) == -1) {
> 			fprintf(stderr, "dlinfo: %s\n", dlerror());
> 			return 1;
> 		}
> 		p = malloc(info.dls_size);
> 		if (p == NULL) {
> 			perror("malloc");
> 			return 1;
> 		}
> 		memset(p, 0, info.dls_size);
> 		p->dls_cnt = info.dls_cnt;
> 		p->dls_size = info.dls_size;
> 		if (dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void*)p) == -1) {
> 			fprintf(stderr, "dlinfo: %s\n", dlerror());
> 			return 1;
> 		}
> 		/* End of the last path string: the last byte rtld actually wrote. */
> 		s = p->dls_serpath[p->dls_cnt-1].dls_name;
> 		s += strlen(s)+1;
> 		/* Reported size, bytes written, their difference, and
> 		   sizeof(Dl_serpath) / cnt*sizeof(Dl_serpath) for comparison. */
> 		printf("%lu %td %td %zu %zu\n", (unsigned long)info.dls_size,
> 			s-(char*)p, (s-(char*)p)-(ptrdiff_t)info.dls_size,
> 			sizeof(Dl_serpath), info.dls_cnt*sizeof(Dl_serpath));
> 		return 0;
> 	}

Do you have a patch for this?

-- 
John Baldwin <jhb_at_FreeBSD.org>  <><  http://www.FreeBSD.org/~jhb/
"Power Users Use the Power to Serve"  =  http://www.FreeBSD.org
Received on Mon Aug 01 2005 - 18:16:56 UTC
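The size arithmetic the quoted report is about, as an added example that is neither code from the thread nor from FreeBSD's rtld.c: it mirrors the Dl_serinfo/Dl_serpath layout in local structs (an assumed layout, so it builds without <link.h>; FreeBSD declares the trailing array with one element, this mirror uses a flexible array member, and the offsetof-based arithmetic is the same for both), computes the size a correct RTLD_DI_SERINFOSIZE answer must report (header, one entry struct per path, then the NUL-terminated strings), packs constructed sample paths into a buffer with bounds checks, and shows that a size which omits the per-entry structs cannot hold the data. The names serinfo_required_size, serinfo_undercount_size, serinfo_fill, demo and the sample paths are mine, not rtld's.

```c
/* Added example, not from the thread or rtld.c. The struct layout below is an
 * assumed mirror of Dl_serinfo / Dl_serpath so the file builds anywhere. */
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
	char *dls_name;          /* points into the string area after the entries */
	unsigned int dls_flags;
} my_serpath;

typedef struct {
	size_t dls_size;         /* total bytes of the buffer */
	unsigned int dls_cnt;    /* number of entries */
	my_serpath dls_serpath[];
} my_serinfo;

/* Bytes needed: header, cnt entry structs, then every path string plus NUL. */
size_t serinfo_required_size(const char *const *paths, unsigned int cnt)
{
	size_t size = offsetof(my_serinfo, dls_serpath) + (size_t)cnt * sizeof(my_serpath);
	for (unsigned int i = 0; i < cnt; i++)
		size += strlen(paths[i]) + 1;
	return size;
}

/* The undercount the report describes: strings counted, entry structs not. */
size_t serinfo_undercount_size(const char *const *paths, unsigned int cnt)
{
	size_t size = offsetof(my_serinfo, dls_serpath);
	for (unsigned int i = 0; i < cnt; i++)
		size += strlen(paths[i]) + 1;
	return size;
}

/* Fill buf (bufsize bytes) the way RTLD_DI_SERINFO would, but never write past
 * bufsize. Returns bytes used on success, 0 if the buffer is too small. */
size_t serinfo_fill(my_serinfo *buf, size_t bufsize, const char *const *paths, unsigned int cnt)
{
	char *base = (char *)buf;
	size_t hdr = offsetof(my_serinfo, dls_serpath) + (size_t)cnt * sizeof(my_serpath);
	char *strp;

	if (hdr > bufsize)
		return 0;
	strp = base + hdr;
	for (unsigned int i = 0; i < cnt; i++) {
		size_t len = strlen(paths[i]) + 1;
		if (bufsize - (size_t)(strp - base) < len)
			return 0;
		memcpy(strp, paths[i], len);
		buf->dls_serpath[i].dls_name = strp;
		buf->dls_serpath[i].dls_flags = 0;
		strp += len;
	}
	buf->dls_cnt = cnt;
	buf->dls_size = bufsize;
	return (size_t)(strp - base);
}

/* Constructed sample search path (not read from any real system). */
static const char *const sample_paths[] = { "/lib", "/usr/lib", "/usr/local/lib" };
#define SAMPLE_CNT 3u

/* Returns 1 if a correctly sized buffer is filled exactly and the undercounted
 * size is rejected instead of overrun; 0 otherwise. */
int demo(void)
{
	size_t good = serinfo_required_size(sample_paths, SAMPLE_CNT);
	size_t bad = serinfo_undercount_size(sample_paths, SAMPLE_CNT);
	my_serinfo *p = malloc(good);
	int ok;

	if (p == NULL)
		return 0;
	ok = serinfo_fill(p, good, sample_paths, SAMPLE_CNT) == good
	    && p->dls_cnt == SAMPLE_CNT
	    && strcmp(p->dls_serpath[SAMPLE_CNT - 1].dls_name, "/usr/local/lib") == 0;
	/* bad < good, so passing bad as the size keeps every write inside p. */
	ok = ok && bad < good && serinfo_fill(p, bad, sample_paths, SAMPLE_CNT) == 0;
	free(p);
	return ok;
}

int main(void)
{
	int ok = demo();
	printf("required %zu, undercount %zu, check %s\n",
	    serinfo_required_size(sample_paths, SAMPLE_CNT),
	    serinfo_undercount_size(sample_paths, SAMPLE_CNT),
	    ok ? "ok" : "FAILED");
	return ok ? 0 : 1;
}
```

The difference between the two size functions is exactly cnt * sizeof(my_serpath), which is the quantity the quoted program prints last; a caller that allocates the undercounted size and lets the linker write the entries and strings anyway is the heap corruption the report describes, and the bounds check in serinfo_fill is the kind of guard that turns it into a refused request instead.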

This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:40 UTC