From patchwork Mon Apr 1 02:45:09 2024
X-Patchwork-Submitter: Jiangfeng Xiao
X-Patchwork-Id: 1918397
From: Jiangfeng Xiao
Subject: [PATCH] elf: sanitize objname in _dl_signal_error
Date: Mon, 1 Apr 2024 10:45:09 +0800
Message-ID: <1711939509-1411-1-git-send-email-xiaojiangfeng@huawei.com>
In-Reply-To: <1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com>
References: <1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com>

"dlopen_doit" may execute "_dl_signal_error (0, NULL, NULL, ...)",
which causes a segmentation fault. The call stack is as follows:

Program received signal SIGSEGV, Segmentation fault.
fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0, errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
(gdb) bt
@0 fatal_error (errcode=errcode@entry=0, objname=0x0, occasion=0x0, errstring=errstring@entry=0xf7c90518 "invalid mode parameter")
@1 0xf7de5260 in __GI__dl_signal_error (errcode=0, objname=0x0, occation=0x0, errstring=0xf7c90518 "invalid mode parameter")
@2 0xf7d0e204 in dlopen_doit (a=a@entry=0xfffefa94)

When objname is NULL, referencing *objname will access a null pointer.
As a result, a segmentation fault occurs.

_dl_signal_error used to set objname to "" if it is null; it should
continue to do so (this has been removed in commit 2449ae7b2d).

Fixes: 2449ae7b2da24 ("ld.so: Introduce struct dl_exception")
Suggested-by: Andreas Schwab
Link: https://public-inbox.org/libc-alpha/1711806052-117857-1-git-send-email-xiaojiangfeng@huawei.com/
Signed-off-by: Jiangfeng Xiao
--- elf/dl-catch.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/elf/dl-catch.c b/elf/dl-catch.c index 2109516..92f0654 100644 --- a/elf/dl-catch.c +++ b/elf/dl-catch.c @@ -117,6 +117,9 @@ _dl_signal_error (int errcode, const char *objname, const char *occasion, if (! errstring) errstring = N_("DYNAMIC LINKER BUG!!!"); + if (! objname) + objname = ""; + if (lcatch != NULL) { _dl_exception_create (lcatch->exception, objname, errstring);
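
Review bot: the added "if (! objname)" check normalizes only objname, while the backtrace in the commit message shows occasion=0x0 in the same call; please confirm that both the lcatch != NULL branch and fatal_error tolerate a NULL occasion, or normalize it here next to the errstring and objname defaults. The patch changes only elf/dl-catch.c (3 insertions) and adds no regression test, so a test that drives dlopen with an invalid mode parameter, the case named in the commit message, would keep the NULL dereference from returning. A short comment above the new check saying that callers such as dlopen_doit may pass a NULL objname would also document why the default is needed.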