Short description: Work ld.so --verify crash on debuginfo files. Author(s): Fedora glibc team Origin: PATCH Bug-RHEL: #741105, #767146 Upstream status: not-needed This change is designed to work around running ld.so on a debuginfo file. This is the wrong fix for this problem and should be dropped. The correct solution is to mark debuginfo files as new types of ELF files. diff --git a/elf/dl-load.c b/elf/dl-load.c index 24e2819345995bd9..007121144e71d9cf 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -880,6 +880,18 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, in this information for the executable in case of an explicit loader invocation. */ struct r_file_id id; + struct stat64 st; + + if (__glibc_unlikely (!_dl_get_file_id (fd, &id, &st))) + { + errstring = N_("cannot stat shared object"); + call_lose_errno: + errval = errno; + call_lose: + lose (errval, fd, name, realname, l, errstring, + make_consistent ? r : NULL, nsid); + } + if (mode & __RTLD_OPENEXEC) { assert (nsid == LM_ID_BASE); @@ -887,16 +899,6 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, } else { - if (__glibc_unlikely (!_dl_get_file_id (fd, &id))) - { - errstring = N_("cannot stat shared object"); - call_lose_errno: - errval = errno; - call_lose: - lose (errval, fd, name, realname, l, errstring, - make_consistent ? r : NULL, nsid); - } - /* Look again to see if the real name matched another already loaded. */ for (l = GL(dl_ns)[nsid]._ns_loaded; l != NULL; l = l->l_next) if (!l->l_removed && _dl_file_id_match_p (&l->l_file_id, &id)) @@ -1074,6 +1076,16 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd, = N_("ELF load command address/offset not properly aligned"); goto call_lose; } + if (__glibc_unlikely (ph->p_offset + ph->p_filesz > st.st_size)) + { + /* If the segment requires zeroing of part of its last + page, we'll crash when accessing the unmapped page. + There's still a possibility of a race, if the shared + object is truncated between the fxstat above and the + memset below. */ + errstring = N_("ELF load command past end of file"); + goto call_lose; + } struct loadcmd *c = &loadcmds[nloadcmds++]; c->mapstart = ALIGN_DOWN (ph->p_vaddr, GLRO(dl_pagesize)); diff --git a/sysdeps/generic/dl-fileid.h b/sysdeps/generic/dl-fileid.h index 6310d46c2a6efc60..209580b6c0b8524b 100644 --- a/sysdeps/generic/dl-fileid.h +++ b/sysdeps/generic/dl-fileid.h @@ -29,7 +29,8 @@ struct r_file_id On error, returns false, with errno set. */ static inline bool _dl_get_file_id (int fd __attribute__ ((unused)), - struct r_file_id *id __attribute__ ((unused))) + struct r_file_id *id __attribute__ ((unused)), + struct stat64_t *st __attribute__((unused))) { return true; } diff --git a/sysdeps/posix/dl-fileid.h b/sysdeps/posix/dl-fileid.h index ae88a350788a5999..baa17b90a292a4d9 100644 --- a/sysdeps/posix/dl-fileid.h +++ b/sysdeps/posix/dl-fileid.h @@ -27,18 +27,16 @@ struct r_file_id ino64_t ino; }; -/* Sample FD to fill in *ID. Returns true on success. +/* Sample FD to fill in *ID and *ST. Returns true on success. On error, returns false, with errno set. */ static inline bool -_dl_get_file_id (int fd, struct r_file_id *id) +_dl_get_file_id (int fd, struct r_file_id *id, struct stat64 *st) { - struct stat64 st; - - if (__glibc_unlikely (__fxstat64 (_STAT_VER, fd, &st) < 0)) + if (__glibc_unlikely (__fxstat64 (_STAT_VER, fd, st) < 0)) return false; - id->dev = st.st_dev; - id->ino = st.st_ino; + id->dev = st->st_dev; + id->ino = st->st_ino; return true; }