aboutsummaryrefslogtreecommitdiffstats
path: root/main/musl/0007-fix-invalid-library-phdr-pointers-passed-to-callback.patch
blob: 39049963caea7648d6c911f59a94dfb0d882c79b (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
From 0ccea50c697512b4bcbe76780260dfba09450327 Mon Sep 17 00:00:00 2001
From: Rich Felker <dalias@aerifal.cx>
Date: Wed, 10 Jul 2013 14:38:20 -0400
Subject: [PATCH 07/10] fix invalid library phdr pointers passed to callback
 from dl_iterate_phdr

map_library was saving pointers to an automatic-storage buffer rather
than pointers into the mapping. this should be a fairly simple fix,
but the patch here is slightly complicated by two issues:

1. supporting gratuitously obfuscated ELF files where the program
headers are not right at the beginning of the file.

2. cleaning up the map_library function so that data isn't clobbered
by the time we need it.
---
 src/ldso/dynlink.c | 25 ++++++++++++++++---------
 1 file changed, 16 insertions(+), 9 deletions(-)

diff --git a/src/ldso/dynlink.c b/src/ldso/dynlink.c
index 7031d03..ff5b738 100644
--- a/src/ldso/dynlink.c
+++ b/src/ldso/dynlink.c
@@ -309,7 +309,7 @@ static void *map_library(int fd, struct dso *dso)
 	size_t this_min, this_max;
 	off_t off_start;
 	Ehdr *eh;
-	Phdr *ph;
+	Phdr *ph, *ph0;
 	unsigned prot;
 	unsigned char *map, *base;
 	size_t dyn;
@@ -324,11 +324,10 @@ static void *map_library(int fd, struct dso *dso)
 	if (eh->e_phoff + phsize > l) {
 		l = pread(fd, buf+1, phsize, eh->e_phoff);
 		if (l != phsize) return 0;
-		eh->e_phoff = sizeof *eh;
+		ph = ph0 = (void *)(buf + 1);
+	} else {
+		ph = ph0 = (void *)((char *)buf + eh->e_phoff);
 	}
-	ph = (void *)((char *)buf + eh->e_phoff);
-	dso->phdr = ph;
-	dso->phnum = eh->e_phnum;
 	for (i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) {
 		if (ph->p_type == PT_DYNAMIC)
 			dyn = ph->p_vaddr;
@@ -363,9 +362,18 @@ static void *map_library(int fd, struct dso *dso)
 	map = mmap((void *)addr_min, map_len, prot, MAP_PRIVATE, fd, off_start);
 	if (map==MAP_FAILED) return 0;
 	base = map - addr_min;
-	ph = (void *)((char *)buf + eh->e_phoff);
-	for (i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) {
+	dso->phdr = 0;
+	dso->phnum = 0;
+	for (ph=ph0, i=eh->e_phnum; i; i--, ph=(void *)((char *)ph+eh->e_phentsize)) {
 		if (ph->p_type != PT_LOAD) continue;
+		/* Check if the programs headers are in this load segment, and
+		 * if so, record the address for use by dl_iterate_phdr. */
+		if (!dso->phdr && eh->e_phoff >= ph->p_offset
+		    && eh->e_phoff+phsize <= ph->p_offset+ph->p_filesz) {
+			dso->phdr = (void *)(base + ph->p_vaddr
+				+ (eh->e_phoff-ph->p_offset));
+			dso->phnum = eh->e_phnum;
+		}
 		/* Reuse the existing mapping for the lowest-address LOAD */
 		if ((ph->p_vaddr & -PAGE_SIZE) == addr_min) continue;
 		this_min = ph->p_vaddr & -PAGE_SIZE;
@@ -390,8 +398,7 @@ static void *map_library(int fd, struct dso *dso)
 				goto error;
 			break;
 		}
-	if (!runtime) reclaim_gaps(base, (void *)((char *)buf + eh->e_phoff),
-		eh->e_phentsize, eh->e_phnum);
+	if (!runtime) reclaim_gaps(base, ph0, eh->e_phentsize, eh->e_phnum);
 	dso->map = map;
 	dso->map_len = map_len;
 	dso->base = base;
-- 
1.8.3.2