This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
Re: [patch] Fix out-of-bounds access in _dl_show_auxv()
- From: Andreas Jaeger <aj at suse dot com>
- To: libc-alpha at sourceware dot org
- Cc: Paul Pluzhnikov <ppluzhnikov at google dot com>
- Date: Wed, 2 May 2012 14:29:45 +0200
- Subject: Re: [patch] Fix out-of-bounds access in _dl_show_auxv()
- References: <20120427221051.89138190AFD@elbrus2.mtv.corp.google.com>
On Saturday, April 28, 2012 00:10:51 Paul Pluzhnikov wrote:
> Greetings,
>
> In _dl_show_auxv(), when handling unknown a_type values, auxvars[] could
> be accessed out of bounds and cause a crash.
>
> Attached patch fixes that.
>
> Tested on Linux/x86_64, no regressions.
>
> Google ref: b/6412609
This looks fine to me.
As far as I understand our routines (please correct me if I'm wrong):
Please file a bug report for this, reference this email, commit the patch and
close the bug again.
Thanks,
Andreas
> Thanks,
> --
> Paul Pluzhnikov
>
> 2012-04-27 Paul Pluzhnikov <ppluzhnikov@google.com>
>
> * elf/dl-sysdep.c (_dl_show_auxv): Add bounds check.
>
>
> diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c
> index 1cb4460..5e66c30 100644
> --- a/elf/dl-sysdep.c
> +++ b/elf/dl-sysdep.c
> @@ -303,7 +303,9 @@ _dl_show_auxv (void)
> };
> unsigned int idx = (unsigned int) (av->a_type - 2);
>
> - if ((unsigned int) av->a_type < 2u || auxvars[idx].form ==
> ignore) + if ((unsigned int) av->a_type < 2u
> + || (idx < sizeof (auxvars) / sizeof (auxvars[0])
> + && auxvars[idx].form == ignore))
> continue;
>
> assert (AT_NULL == 0);
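Review bot: The added `idx < sizeof (auxvars) / sizeof (auxvars[0])` test in the `continue` condition guards only the `.form == ignore` read, so an entry with an out-of-range `idx` is not skipped and falls through to the code after the `assert`. Any later `auxvars[idx]` use in `_dl_show_auxv` needs the same test; computing the in-range result once into a local right after `idx` is assigned would keep the checks from drifting apart. Separately, the removed line in this quoted copy has been wrapped by the mailer (`ignore) + if ((unsigned int) av->a_type < 2u`), so the patch should be applied from the original attachment rather than from this quote.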
--
Andreas Jaeger aj@{suse.com,opensuse.org} Twitter/Identica: jaegerandi
SUSE LINUX Products GmbH, Maxfeldstr. 5, 90409 Nürnberg, Germany
GF: Jeff Hawn,Jennifer Guild,Felix Imendörffer,HRB16746 (AG Nürnberg)
GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
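
The bug class described in the quoted report, as an added example that is not glibc code and not part of the patch: a table indexed by `a_type - 2`, with the range check done at full width before any read. The table rows, `classify_aux`, `count_printed` and the sample vector are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum form { unknown = 0, dec, hex, str, ignore };
struct aux_entry { uint64_t a_type; uint64_t a_val; };

/* Table indexed by a_type - 2. Rows and forms are constructed. */
static const struct { const char *label; enum form form; } auxvars[] = {
  { "TYPE2: ", dec }, { "TYPE3: 0x", hex }, { "TYPE4: ", dec },
  { "TYPE5: ", dec }, { "TYPE6: ", dec },  { "TYPE7: 0x", hex },
  { "TYPE8: ", ignore },
};
#define AUXVARS_COUNT (sizeof (auxvars) / sizeof (auxvars[0]))

/* ignore: skip the entry; unknown: no row, print a generic line. */
enum form classify_aux (uint64_t a_type)
{
  if (a_type < 2)               /* types 0 and 1 have no row */
    return ignore;
  uint64_t idx = a_type - 2;    /* cannot wrap after the check above */
  if (idx >= AUXVARS_COUNT)     /* compared at full width, before indexing */
    return unknown;
  return auxvars[idx].form;
}

/* Constructed vector: known, skipped, table-ignored, two unknown types. */
static const struct aux_entry sample_auxv[] = {
  { 6, 4096 }, { 1, 0 }, { 8, 0 }, { 0x1000, 1 }, { UINT64_MAX, 0 }, { 0, 0 },
};

/* Number of entries a dump loop would print (everything not ignored). */
size_t count_printed (const struct aux_entry *av)
{
  size_t n = 0;
  for (; av->a_type != 0; ++av)
    if (classify_aux (av->a_type) != ignore)
      ++n;
  return n;
}

int main (void)
{
  printf ("%zu entries printed\n", count_printed (sample_auxv));
  return 0;
}
```

Comparing `idx` as a 64-bit value means a large type such as `0x100000003` is reported as unknown instead of aliasing a low index after truncation to `unsigned int`.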