From patchwork Mon Aug 10 15:38:21 2015
X-Patchwork-Submitter: Paul Eggert
X-Patchwork-Id: 505695
Message-ID: <55C8C56D.6080805@cs.ucla.edu>
Date: Mon, 10 Aug 2015 08:38:21 -0700
From: Paul Eggert
To: Alex Dowad, libc-alpha@sourceware.org
Subject: Re: [PATCH v3] Don't allow attackers to inject arbitrary data into stack through LD_DEBUG
References: <1439216132-18146-1-git-send-email-alexinbeijing@gmail.com>
In-Reply-To: <1439216132-18146-1-git-send-email-alexinbeijing@gmail.com>

Alex Dowad wrote:
> _dl_error_printf ("\
> warning: debug option `%.*s' unknown; try LD_DEBUG=help\n", (int)len, dl_debug);

Since this patch is about security, I suggest truncating the diagnostic a bit less randomly (as the above code will do if len exceeds INT_MAX). It can cause trouble to the user to get gigabyte-long diagnostics, and nothing after the first few bytes is helpful for diagnosis anyway.

Plus, while we're at it, the indenting should be fixed and we shouldn't quote with grave accent. Something like the attached (untested) patch, perhaps.

diff --git a/elf/rtld.c b/elf/rtld.c index 6bcf224..a6e81ce 100644 --- a/elf/rtld.c +++ b/elf/rtld.c @@ -2504,9 +2504,10 @@ process_dl_debug (const char *dl_debug) { /* Display a warning and skip everything until next separator. */ - char *copy = strndupa (dl_debug, len); - _dl_error_printf ("\ -warning: debug option `%s' unknown; try LD_DEBUG=help\n", copy); + int deblen = MIN (len, 100); + _dl_error_printf (("warning: debug option '%.*s'%s unknown;" + " try LD_DEBUG=help\n"), + deblen, dl_debug, len < 100 ? "" : "..."); } dl_debug += len;
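Review bot: the ellipsis condition in the added lines is off by one: with `len < 100 ? "" : "..."`, an option of exactly 100 bytes is printed in full (deblen is 100) yet still gets "..." appended; `len <= 100` matches what `MIN (len, 100)` actually truncates. Otherwise the bound is the right shape of fix: `%.*s` now receives an int that is at most 100 instead of `(int)len`, which goes negative (and so disables truncation) once len exceeds INT_MAX, and the `strndupa` copy sized by an attacker-controlled length is gone, which is the stack problem the subject line names. Since the patch is described as untested, it is worth confirming that MIN is visible in rtld.c at this point, and the missing indentation on the new `_dl_error_printf` lines should be restored to match the surrounding block.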
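The bounded-precision idea from the patch above, written out as an added C example (this is neither glibc's code nor Paul Eggert's): the unsafe size_t-to-int cast the original code used sits beside a hardened formatter that caps the precision at a constructed limit of 100 matching the patch, never copies the untrusted length onto the stack, and appends "..." only when text was actually cut. The function names and the test helper's input of repeated 'a' bytes are constructed for the example.

```c
/* Added example, not glibc code: bounded "%.*s" formatting of an option
   whose length is attacker-controlled, next to the cast it replaces. */
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Constructed limit, mirroring the 100 used in the patch. */
#define DEBUG_OPT_MAX 100

/* The pattern being replaced: a size_t length fed straight into the int
   precision of "%.*s".  Once len exceeds INT_MAX the converted value is
   negative on the usual two's-complement ABIs, and printf treats a
   negative precision as if it were omitted, so nothing is truncated and
   the whole attacker-sized string is printed. */
static int unsafe_precision (size_t len)
{
  return (int) len;
}

/* Hardened form: the precision can never exceed DEBUG_OPT_MAX, so the int
   is always in range; the option bytes are consumed directly (no strndupa
   copy of the untrusted length on the stack); and "..." is appended only
   when something was cut off.  Note the <=: an option of exactly
   DEBUG_OPT_MAX bytes is printed whole and must not be marked truncated. */
static int format_unknown_option (char *out, size_t outsz,
                                  const char *opt, size_t len)
{
  int deblen = len < DEBUG_OPT_MAX ? (int) len : DEBUG_OPT_MAX;
  return snprintf (out, outsz,
                   "warning: debug option '%.*s'%s unknown;"
                   " try LD_DEBUG=help\n",
                   deblen, opt, len <= DEBUG_OPT_MAX ? "" : "...");
}

/* Helper on constructed input: an option made of LEN 'a' bytes (capped at
   the size of the scratch buffer).  Fills OUT and returns how many option
   bytes reached the message; *MARKED tells whether "..." followed them. */
static int run_case (size_t len, int *marked)
{
  static char opt[4096];
  char out[256];
  const char *prefix = "warning: debug option '";
  const char *p;
  int count = 0;

  if (len > sizeof opt)
    len = sizeof opt;
  memset (opt, 'a', sizeof opt);   /* deliberately not NUL-terminated:
                                      %.*s reads at most deblen bytes */
  format_unknown_option (out, sizeof out, opt, len);

  for (p = out + strlen (prefix); *p == 'a'; p++)
    count++;
  *marked = strncmp (p, "'...", 4) == 0;
  return count;
}

/* Number of option bytes that appear in the message for a LEN-byte option. */
static int option_bytes_printed (size_t len)
{
  int marked;
  return run_case (len, &marked);
}

/* 1 if the message for a LEN-byte option carries the "..." marker. */
static int ellipsis_appended (size_t len)
{
  int marked;
  run_case (len, &marked);
  return marked;
}

int main (void)
{
  char out[256];
  format_unknown_option (out, sizeof out, "libs", 4);
  fputs (out, stderr);
  return 0;
}
```

The helper walks the formatted message rather than trusting the return value of snprintf, so it checks the same thing a user would see: how much of the option survived and whether the marker is there.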