fluencelabs/musl
1
0
Fork 0
mirror of https://github.com/fluencelabs/musl synced 2025-06-13 15:01:39 +00:00
Code Issues Projects Releases Wiki Activity

fix invalid library phdr pointers passed to callback from dl_iterate_phdr

Browse Source 
map_library was saving pointers to an automatic-storage buffer rather
than pointers into the mapping. this should be a fairly simple fix,
but the patch here is slightly complicated by two issues:

1. supporting gratuitously obfuscated ELF files where the program
headers are not right at the beginning of the file.

2. cleaning up the map_library function so that data isn't clobbered
by the time we need it.
This commit is contained in:
Rich Felker
2013-07-10 14:38:20 -04:00
parent c713d87978
commit 30763fd01b
1 changed files with 16 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
src/ldso/dynlink.c
View File

@ -309,7 +309,7 @@ static void *map_library(int fd, struct dso *dso)
size_t this_min, this_max; size_t this_min, this_max;
off_t off_start; off_t off_start;
Ehdr *eh; Ehdr *eh;
Phdr *ph; Phdr *ph, *ph0;
unsigned prot; unsigned prot;
unsigned char *map, *base; unsigned char *map, *base;
size_t dyn; size_t dyn;
@ -324,11 +324,10 @@ static void *map_library(int fd, struct dso *dso)
if (eh->e_phoff + phsize > l) { if (eh->e_phoff + phsize > l) {
l = pread(fd, buf+1, phsize, eh->e_phoff); l = pread(fd, buf+1, phsize, eh->e_phoff);
if (l != phsize) return 0; if (l != phsize) return 0;
eh->e_phoff = sizeof *eh; ph = ph0 = (void *)(buf + 1);
} else {
ph = ph0 = (void *)((char *)buf + eh->e_phoff);
} }
ph = (void *)((char *)buf + eh->e_phoff);
dso->phdr = ph;
dso->phnum = eh->e_phnum;
for (i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) { for (i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) {
if (ph->p_type == PT_DYNAMIC) if (ph->p_type == PT_DYNAMIC)
dyn = ph->p_vaddr; dyn = ph->p_vaddr;
@ -363,9 +362,18 @@ static void *map_library(int fd, struct dso *dso)
map = mmap((void *)addr_min, map_len, prot, MAP_PRIVATE, fd, off_start); map = mmap((void *)addr_min, map_len, prot, MAP_PRIVATE, fd, off_start);
if (map==MAP_FAILED) return 0; if (map==MAP_FAILED) return 0;
base = map - addr_min; base = map - addr_min;
ph = (void *)((char *)buf + eh->e_phoff); dso->phdr = 0;
for (i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) { dso->phnum = 0;
for (ph=ph0, i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) {
if (ph->p_type != PT_LOAD) continue; if (ph->p_type != PT_LOAD) continue;
/* Check if the programs headers are in this load segment, and
* if so, record the address for use by dl_iterate_phdr. */
if (!dso->phdr && eh->e_phoff >= ph->p_offset
&& eh->e_phoff+phsize <= ph->p_offset+ph->p_filesz) {
dso->phdr = (void *)(base + ph->p_vaddr
+ (eh->e_phoff-ph->p_offset));
dso->phnum = eh->e_phnum;
}
/* Reuse the existing mapping for the lowest-address LOAD */ /* Reuse the existing mapping for the lowest-address LOAD */
if ((ph->p_vaddr & -PAGE_SIZE) == addr_min) continue; if ((ph->p_vaddr & -PAGE_SIZE) == addr_min) continue;
this_min = ph->p_vaddr & -PAGE_SIZE; this_min = ph->p_vaddr & -PAGE_SIZE;
@ -390,8 +398,7 @@ static void *map_library(int fd, struct dso *dso)
goto error; goto error;
break; break;
} }
if (!runtime) reclaim_gaps(base, (void *)((char *)buf + eh->e_phoff), if (!runtime) reclaim_gaps(base, ph0, eh->e_phentsize, eh->e_phnum);
eh->e_phentsize, eh->e_phnum);
dso->map = map; dso->map = map;
dso->map_len = map_len; dso->map_len = map_len;
dso->base = base; dso->base = base;