I've run across a bug in the ELF dynamic linker in FreeBSD 4.x and FreeBSD 5.4. Although I haven't had a chance to compile or install FreeBSD 6 yet, the bug appears to be in the ELF dynamic linker in at least FreeBSD 4 through -CURRENT. The problem is that do_search_info in libexec/rtld-elf/rtld.c does not account for the space required by Dl_serpath structures with either the RTLD_DI_SERINFOSIZE or the RTLD_DI_SERINFO requests. The example program in the dlinfo man page happens to work, but a simple loop copying the path strings into a buffer allocated with malloc will corrupt the heap. The program below illustrates the problem. Given that the arithmetic in do_search_info is easily fixed, it might be worth patching before the upcoming release.

#include <link.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* memset, strlen (missing from the original) */

int main(int argc, char *argv[])
{
    char *s;
    Dl_serinfo *p;
    Dl_serinfo info;

    /* First request: ask the linker how much space the search-path info needs. */
    memset(&info, 0, sizeof(info));
    if (dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void *)&info) == -1) {
        fprintf(stderr, "dlinfo(RTLD_DI_SERINFOSIZE): %s\n", dlerror());
        return 1;
    }

    /* Allocate exactly the reported size, as the dlinfo man page example does. */
    p = malloc(info.dls_size);
    if (p == NULL)
        return 1;
    memset(p, 0, info.dls_size);
    p->dls_cnt = info.dls_cnt;
    p->dls_size = info.dls_size;

    /* Second request: fill in the Dl_serpath entries and the path strings. */
    if (dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void *)p) == -1) {
        fprintf(stderr, "dlinfo(RTLD_DI_SERINFO): %s\n", dlerror());
        return 1;
    }

    /* s ends up just past the NUL of the last path string, i.e. at the end of
     * what the linker actually wrote.  Columns: reported size, bytes written,
     * overrun, sizeof(Dl_serpath), bytes taken by the Dl_serpath array. */
    s = p->dls_serpath[p->dls_cnt - 1].dls_name;
    s += strlen(s) + 1;
    printf("%ld %ld %ld %ld %ld\n",
           (long)info.dls_size,
           (long)(s - (char *)p),
           (long)(s - (char *)p) - (long)info.dls_size,
           (long)sizeof(Dl_serpath),
           (long)(info.dls_cnt * sizeof(Dl_serpath)));
    free(p);
    return 0;
}

Received on Wed Jul 27 2005 - 22:00:35 UTC
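Added example, not code from the original post or from FreeBSD's rtld: it mirrors the Dl_serinfo/Dl_serpath layout with locally named structs (serinfo_hdr, serpath_ent) and constructed sample paths so it builds without the FreeBSD headers. serinfo_required_size shows the size a caller has to be able to trust, serinfo_buggy_size assumes the reported defect is simply the uncounted entry array, and serinfo_fill refuses a buffer that is too small instead of writing past it.

```c
/* Added example: local stand-ins for Dl_serpath / Dl_serinfo, not the FreeBSD types. */
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
struct serpath_ent { char *name; unsigned int flags; };   /* stands in for Dl_serpath */
struct serinfo_hdr { size_t size; unsigned int cnt; struct serpath_ent path[1]; }; /* Dl_serinfo */

/* Constructed sample search path (the real one comes from the linker). */
static const char *const SAMPLE_PATHS[] = { "/lib", "/usr/lib", "/usr/local/lib" };
#define SAMPLE_COUNT (sizeof(SAMPLE_PATHS) / sizeof(SAMPLE_PATHS[0]))
/* Correct arithmetic: header (holds one entry) + the other n-1 entries
 * + every path string with its NUL terminator. */
size_t serinfo_required_size(const char *const *paths, size_t n) {
    size_t sz = sizeof(struct serinfo_hdr) + (n - 1) * sizeof(struct serpath_ent);
    for (size_t i = 0; i < n; i++) sz += strlen(paths[i]) + 1;
    return sz;
}

/* Assumed shape of the reported bug: the entry array is not counted. */
size_t serinfo_buggy_size(const char *const *paths, size_t n) {
    size_t sz = sizeof(struct serinfo_hdr);
    for (size_t i = 0; i < n; i++) sz += strlen(paths[i]) + 1;
    return sz;
}

/* Lay the structure out in a caller-supplied buffer, bounds-checked: returns
 * 0 on success, -1 if the buffer is too small (instead of writing past it). */
int serinfo_fill(void *buf, size_t bufsize, const char *const *paths, size_t n) {
    if (n == 0 || bufsize < serinfo_required_size(paths, n)) return -1;
    struct serinfo_hdr *hdr = buf;
    struct serpath_ent *ent = hdr->path;                        /* entries follow header */
    char *strs = (char *)ent + n * sizeof(struct serpath_ent);  /* strings follow entries */
    hdr->size = bufsize; hdr->cnt = (unsigned int)n;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(paths[i]) + 1;
        memcpy(strs, paths[i], len);
        ent[i].name = strs; ent[i].flags = 0;
        strs += len;
    }
    return 0;
}

/* Fill a zeroed buffer of the given size with the sample paths: 0 = fit, -1 = too small. */
int demo_fill_with_size(size_t size) {
    void *buf = calloc(1, size ? size : 1);
    int rc = buf ? serinfo_fill(buf, size, SAMPLE_PATHS, SAMPLE_COUNT) : -1;
    free(buf);
    return rc;
}
```

Feeding the undersized value to serinfo_fill is exactly the situation the post's program detects after the fact; here the fill simply refuses.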
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:38:40 UTC