diff mbox series

elf: handle NULL input to fatal_error

Message ID: 1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com
State: New
Series: elf: handle NULL input to fatal_error

Commit Message

Jiangfeng Xiao March 30, 2024, 1:40 p.m. UTC
"dlopen_doit" may execute
"_dl_signal_error (0, NULL, NULL, ...)",
which causes a segmentation fault.

The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
(gdb) bt
@0  fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
@1  0xf7de5260 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0,
    errstring=0xf7c90518 "invalid mode parameter")
@2  0xf7d0e204 in dlopen_doit (a=a@entry=0xfffefa94)

When objname is NULL, referencing *objname accesses a null pointer.
Therefore, *objname is changed to objname.

After this bug is fixed, if objname is NULL, the "strlen"
in _dl_fatal_printf->_dl_debug_vdprintf will produce
another segmentation fault.

The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
(gdb) bt
@0  strlen () at ../sysdeps/arm/armv6t2/strlen.S:85
@1  0xf7d7fd40 in _dl_debug_vdprintf (fd=2, tag_p=0, fmt=0xf7ab83ab "s%s%s%s%s\n", arg=...)
@2  0xf7d8006c in __GI__dl_fatal_printf (fmt=0xf7ab83a2 "%s: %s: %s%s%s%s%s\n")
@3  0xf7c0b204 in fatal_error (errcode@entry=0, objname=0x0, occasion=0x0,
    errstring=errstring@entry=0xf7ab6518 "invalid mode parameter")
@4  0xf7c0b258 in __GI__dl_signal_error (errcode=0, objname=0x0,
    occation=0x0 errstring=0xf7ab6518 "invalid mode parameter")
@5  0xf7b34204 in dlopen_doit (a=a@entry=0xff9f7434)

Therefore, null checks are required for "objname" and "errstring".

Fixes: 2449ae7b2da24 ("ld.so: Introduce struct dl_exception")

Signed-off-by: Jiangfeng Xiao <xiaojiangfeng@huawei.com>
---
 elf/dl-catch.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comments

Andreas Schwab March 30, 2024, 3:47 p.m. UTC | #1
_dl_signal_error used to set objname to "" if it is null, it should
continue to do so (this has been removed in commit 2449ae7b2d).  It
still sanitizes errstring, so nothing needs to be done about that.
Jiangfeng Xiao April 1, 2024, 1:40 a.m. UTC | #2
On 2024/3/30 23:47, Andreas Schwab wrote:
> _dl_signal_error used to set objname to "" if it is null, it should
> continue to do so (this has been removed in commit 2449ae7b2d).  It
> still sanitizes errstring, so nothing needs to be done about that.
> 

Thank you very much, it sounds good to me.

I'm going to submit a patch to sanitize objname in _dl_signal_error,
just like early code.

Patch

diff --git a/elf/dl-catch.c b/elf/dl-catch.c
index 2109516..05a41d1 100644
--- a/elf/dl-catch.c
+++ b/elf/dl-catch.c
@@ -83,8 +83,8 @@  fatal_error (int errcode, const char *objname, const char *occasion,
   _dl_fatal_printf ("%s: %s: %s%s%s%s%s\n",
 		    RTLD_PROGNAME,
 		    occasion ?: N_("error while loading shared libraries"),
-		    objname, *objname ? ": " : "",
-		    errstring, errcode ? ": " : "",
+		    objname ? objname : "", objname ? ": " : "",
+		    errstring ? errstring : "", errcode ? ": " : "",
 		    (errcode
 		     ? __strerror_r (errcode, buffer, sizeof buffer)
 		     : ""));