This is the mail archive of the libc-alpha@sources.redhat.com mailing list for the glibc project.



[kon@iki.fi: Bug#80485: glibc-2.2/elf/dl-open.c (_dl_open): suspicious objname handling]


The original Debian bug report is below. I've attached a patch to fix
this. I think this is probably responsible for another bug report I had
concerning the symbol/library not being shown in dlerror() when
dlopen'ing a library/module with RTLD_NOW, and a symbol not being
resolved.

2000-12-27  Ben Collins  <bcollins@debian.org>

	* elf/dl-open.c:_dl_open: correctly set the new objname pointer
	  when reallocating the error strings. Bug reported by Kalle
	  Olavi Niemitalo <kon@iki.fi>

----- Forwarded message from Kalle Olavi Niemitalo <kon@iki.fi> -----

Subject: Bug#80485: glibc-2.2/elf/dl-open.c (_dl_open): suspicious objname handling
Reply-To: Kalle Olavi Niemitalo <kon@iki.fi>, 80485-maintonly@bugs.debian.org
From: Kalle Olavi Niemitalo <kon@iki.fi>
Date: 25 Dec 2000 23:51:49 +0200

Package: glibc
Version: 2.2-6
Severity: wishlist

The following code in glibc-2.2/elf/dl-open.c looks suspicious:

      /* Make a local copy of the error string so that we can release the
         memory allocated for it.  */
      len_errstring = strlen (errstring) + 1;
      if (objname == errstring + len_errstring)
        {
          len_errstring += strlen (objname) + 1;
          local_errstring = alloca (len_errstring);
          memcpy (local_errstring, errstring, len_errstring);
          objname = local_errstring + len_errstring;
        }
      else

If errstring and objname point to adjacent strings in memory,
this code should apparently copy both strings to the stack and
change the pointers to point to the new location.  However, the
pointer stored in objname will actually point to memory beyond
the strings, because len_errstring has already been incremented
when objname is computed.  I believe the objname assignment
should be changed to:

          objname = local_errstring + strlen(local_errstring) + 1;

Alternatively, another local variable could be defined to hold
the combined length of the strings, so that len_errstring would
retain its original value.

I'm setting the severity to wishlist because I haven't seen the
bug in action and I might have missed something that makes the
code correct after all.  Please let me know if I shouldn't send
reports like this to the Debian BTS.

----- End forwarded message -----

-- 
 -----------=======-=-======-=========-----------=====------------=-=------
/  Ben Collins  --  ...on that fantastic voyage...  --  Debian GNU/Linux   \
`  bcollins@debian.org  --  bcollins@openldap.org  --  bcollins@linux.com  '
 `---=========------=======-------------=-=-----=-===-======-------=--=---'
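The pointer arithmetic the report describes, as an added demonstration that is not Ben's patch and not code from glibc: it lays a constructed message and object name out back to back (the case in which `objname == errstring + len_errstring` holds), repeats the copy step from the quoted snippet, and reports where the resulting `objname` lands. With the original arithmetic the offset equals the size of the copy, i.e. one past its end, so the pointer no longer refers to the copied name; with the correction from the report it lands on the second string. The copy uses `malloc` where dl-open.c uses `alloca`, and only offsets are compared, so the out-of-range pointer is never read. All names, strings and helper functions here are my own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Lay errstring and objname out back to back in one heap block, the layout
   that makes dl-open.c's test "objname == errstring + len_errstring" true.
   Constructed for this demo; glibc itself does not allocate them this way. */
static char *make_adjacent_pair(const char *errstring, const char *objname)
{
    size_t e = strlen(errstring) + 1, o = strlen(objname) + 1;
    char *block = malloc(e + o);
    if (block != NULL) {
        memcpy(block, errstring, e);
        memcpy(block + e, objname, o);
    }
    return block;
}

/* The copy step quoted in the report, run on an adjacent pair.  Returns the
   local copy (caller frees) and stores its size and the byte offset at which
   the new objname pointer lands.  use_fix == 0 reproduces the original
   arithmetic, use_fix == 1 the correction proposed in the report.  The
   pointer itself is never dereferenced here, so the out-of-range case is
   observable without undefined behaviour. */
static char *copy_error_strings(const char *errstring, int use_fix,
                                size_t *copy_len, size_t *offset)
{
    size_t len_errstring = strlen(errstring) + 1;
    const char *objname = errstring + len_errstring;   /* adjacent string */
    const char *new_objname;
    char *local_errstring;

    len_errstring += strlen(objname) + 1;              /* combined length */
    local_errstring = malloc(len_errstring);           /* alloca in glibc */
    if (local_errstring == NULL)
        return NULL;
    memcpy(local_errstring, errstring, len_errstring);
    if (use_fix)
        /* Skip the first string and its NUL: lands on the copied objname. */
        new_objname = local_errstring + strlen(local_errstring) + 1;
    else
        /* Original: len_errstring is already the combined length, so this is
           one past the end of the copy. */
        new_objname = local_errstring + len_errstring;
    *copy_len = len_errstring;
    *offset = (size_t)(new_objname - local_errstring);
    return local_errstring;
}

/* Offset of objname inside the copy for the given inputs; (size_t)-1 on
   allocation failure. */
size_t objname_offset_after_copy(const char *errstring, const char *objname,
                                 int use_fix)
{
    char *pair = make_adjacent_pair(errstring, objname);
    size_t copy_len, offset = (size_t)-1;
    char *copy = pair ? copy_error_strings(pair, use_fix, &copy_len, &offset) : NULL;
    free(copy);
    free(pair);
    return offset;
}

/* The object name the copied pointer would read, or NULL when the offset
   falls outside the copy (the case the report describes).  Returns a
   pointer into a static buffer. */
const char *recovered_objname(const char *errstring, const char *objname,
                              int use_fix)
{
    static char name[256];
    char *pair = make_adjacent_pair(errstring, objname);
    size_t copy_len = 0, offset = 0;
    char *copy = pair ? copy_error_strings(pair, use_fix, &copy_len, &offset) : NULL;
    const char *result = NULL;

    if (copy != NULL && offset < copy_len && strlen(copy + offset) < sizeof name) {
        strcpy(name, copy + offset);
        result = name;
    }
    free(copy);
    free(pair);
    return result;
}

int main(void)
{
    /* Constructed sample message and object name. */
    const char *msg = "cannot open shared object file", *obj = "libfoo.so";
    int fix;

    for (fix = 0; fix <= 1; fix++) {
        const char *name = recovered_objname(msg, obj, fix);
        printf("%s arithmetic: objname at offset %zu -> %s\n",
               fix ? "fixed   " : "original",
               objname_offset_after_copy(msg, obj, fix),
               name ? name : "(points past the end of the copy)");
    }
    return 0;
}
```

For the sample strings the copy is 41 bytes; the original arithmetic leaves `objname` at offset 41 (past the end), the corrected one at offset 31, where `"libfoo.so"` begins. A pointer past the end of the copy is consistent with the symptom Ben mentions, the object name failing to appear in the `dlerror()` text, although the snippet alone does not show what memory follows the copy in a real process.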
