This is the mail archive of the libc-alpha@sourceware.org mailing list for the glibc project.
[patch] Fix out-of-bounds access in _dl_show_auxv()
- From: ppluzhnikov at google dot com (Paul Pluzhnikov)
- To: libc-alpha at sourceware dot org
- Cc: ppluzhnikov at google dot com
- Date: Fri, 27 Apr 2012 15:10:51 -0700 (PDT)
- Subject: [patch] Fix out-of-bounds access in _dl_show_auxv()
Greetings,
In _dl_show_auxv(), when handling unknown a_type values, auxvars[] could
be accessed out of bounds and cause a crash.
Attached patch fixes that.
Tested on Linux/x86_64, no regressions.
Google ref: b/6412609
Thanks,
--
Paul Pluzhnikov
2012-04-27 Paul Pluzhnikov <ppluzhnikov@google.com>
* elf/dl-sysdep.c (_dl_show_auxv): Add bounds check.
diff --git a/elf/dl-sysdep.c b/elf/dl-sysdep.c
index 1cb4460..5e66c30 100644
--- a/elf/dl-sysdep.c
+++ b/elf/dl-sysdep.c
@@ -303,7 +303,9 @@ _dl_show_auxv (void)
};
unsigned int idx = (unsigned int) (av->a_type - 2);
- if ((unsigned int) av->a_type < 2u || auxvars[idx].form == ignore)
+ if ((unsigned int) av->a_type < 2u
+ || (idx < sizeof (auxvars) / sizeof (auxvars[0])
+ && auxvars[idx].form == ignore))
continue;
assert (AT_NULL == 0);
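
Review bot: The added idx < sizeof (auxvars) / sizeof (auxvars[0]) test in the second clause of the if protects only the auxvars[idx].form == ignore read. With an out-of-range idx the whole condition is now false, so the entry is no longer skipped and control continues past the continue into the rest of the loop body. Any auxvars[idx] access below this hunk therefore needs the same bound, and the lines shown here do not let a reader confirm that. Suggest computing the element count once, next to the table, and reusing it for every index check in the function, and adding a one-line comment stating what is meant to happen for an a_type outside the table (fall through rather than skip). The a_type < 2u test still has to stay first, since idx wraps for those values and is only safe because of the short-circuit.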