Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame^] | 1 | From 258c44e4ecffd830cb89d0016d45b2bac765f559 Mon Sep 17 00:00:00 2001 |
Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 2 | From: Khem Raj <raj.khem@gmail.com> |
| 3 | Date: Wed, 18 Mar 2015 01:50:00 +0000 |
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame^] | 4 | Subject: [PATCH 04/29] nativesdk-glibc: Fix buffer overrun with a relocated |
| 5 | SDK |
Andrew Geissler | 82c905d | 2020-04-13 13:39:40 -0500 | [diff] [blame] | 6 | |
| 7 | When ld-linux-*.so.2 is relocated to a path that is longer than the |
| 8 | original fixed location, the dynamic loader will crash in open_path |
| 9 | because it implicitly assumes that max_dirnamelen is a fixed size that |
| 10 | never changes. |
| 11 | |
| 12 | The allocated buffer will not be large enough to contain the directory |
| 13 | path string which is larger than the fixed location provided at build |
| 14 | time. |
| 15 | |
| 16 | Upstream-Status: Inappropriate [OE SDK specific] |
| 17 | |
| 18 | Signed-off-by: Jason Wessel <jason.wessel@windriver.com> |
| 19 | Signed-off-by: Khem Raj <raj.khem@gmail.com> |
| 20 | --- |
| 21 | elf/dl-load.c | 12 ++++++++++++ |
| 22 | 1 file changed, 12 insertions(+) |
| 23 | |
| 24 | diff --git a/elf/dl-load.c b/elf/dl-load.c |
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame^] | 25 | index 565b039b23..e1b3486549 100644 |
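--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1860,7 +1860,19 @@ open_path (const char *name, size_t namelen, int mode,
 given on the command line when rtld is run directly. */
 return -1;
 
+ do
+ {
+ struct r_search_path_elem *this_dir = *dirs;
+ if (this_dir->dirnamelen > max_dirnamelen)
+ {
+ max_dirnamelen = this_dir->dirnamelen;
+ }
+ }
+ while (*++dirs != NULL);
+
 buf = alloca (max_dirnamelen + max_capstrlen + namelen);
+
+ dirs = sps->dirs;
 do
 {
 struct r_search_path_elem *this_dir = *dirs;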
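Review bot: The added scan over `dirs` has no comment saying why `max_dirnamelen` can be smaller than an element's `dirnamelen`, and because it is the only thing keeping the `alloca` buffer large enough for a relocated SDK, it is easy to drop as redundant on a later glibc rebase. I would put a comment above the first `do`, for example `/* Relocated SDK: search dirs may be longer than the build-time max_dirnamelen; recompute before sizing buf. */`. The new loop also dereferences `*dirs` before testing it, as the existing loop below does, so it depends on the list being non-empty; the guard for that is presumably above the hunk, where only its `return -1;` is visible. The `alloca` size remains an unchecked sum of three runtime lengths, which matters more now that one of them is taken from relocated paths. `open_path` starts and ends outside the hunk.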
Andrew Geissler | 635e0e4 | 2020-08-21 15:58:33 -0500 | [diff] [blame^] | 48 | -- |
| 49 | 2.27.0 |
| 50 | |