2012-06-21 Jeff Law <law@redhat.com>

[BZ #13882] * elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection. Use uint16_t for elements in the "seen" array to avoid char overflows. * elf/dl-fini.c (_dl_sort_fini): Likewise. * elf/dl-open.c (dl_open_worker): Likewise.
2025-03-19 13:40:59 +08:00 · 2012-06-21 09:26:41 -06:00 · 2012-06-21 09:26:41 -06:00 · 28363bbf70
commit 28363bbf70
parent 09615db4a9
5 changed files with 28 additions and 20 deletions
--- a/8
+++ b/8
@ -1,3 +1,11 @@
+2012-06-21  Jeff Law  <law@redhat.com>
+
+	[BZ #13882]
+	* elf/dl-deps.c (_dl_map_object_deps): Fix cycle detection.  Use
+	uint16_t for elements in the "seen" array to avoid char overflows.
+        * elf/dl-fini.c (_dl_sort_fini): Likewise.
+	* elf/dl-open.c (dl_open_worker): Likewise.
+
 2012-06-21  Carlos O'Donell  <carlos_odonell@mentor.com>

 	* scripts/list-sources.sh: Scan PORTS for translations.
--- a/16
+++ b/16
@ -23,14 +23,14 @@ Version 2.16
  13691, 13695, 13704, 13705, 13706, 13718, 13726, 13738, 13739, 13743,
  13750, 13758, 13760, 13761, 13775, 13786, 13787, 13792, 13806, 13824,
  13840, 13841, 13844, 13846, 13848, 13851, 13852, 13854, 13871, 13872,
-  13873, 13879, 13883, 13884, 13885, 13886, 13892, 13895, 13908, 13910,
-  13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919, 13920,
-  13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941, 13942,
-  13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979, 13983,
-  13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043, 14044,
-  14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080, 14083,
-  14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153, 14183,
-  14188, 14199, 14210, 14218, 14229, 14241
+  13873, 13879, 13882, 13883, 13884, 13885, 13886, 13892, 13895, 13908,
+  13910, 13911, 13912, 13913, 13914, 13915, 13916, 13917, 13918, 13919,
+  13920, 13921, 13922, 13923, 13924, 13926, 13927, 13928, 13938, 13941,
+  13942, 13954, 13955, 13956, 13963, 13967, 13968, 13970, 13973, 13979,
+  13983, 13986, 13996, 14012, 14027, 14033, 14034, 14036, 14040, 14043,
+  14044, 14048, 14049, 14050, 14053, 14055, 14059, 14064, 14075, 14080,
+  14083, 14103, 14104, 14109, 14112, 14117, 14122, 14123, 14134, 14153,
+  14183, 14188, 14199, 14210, 14218, 14229, 14241

 * Support for the x32 ABI on x86-64 added.  The x32 target is selected by
  configuring glibc with:
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@ -1,5 +1,5 @@
 /* Load the dependencies of a mapped object.
-   Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
+   Copyright (C) 1996-2003, 2004-2007, 2010-2012
   Free Software Foundation, Inc.
   This file is part of the GNU C Library.

@ -632,7 +632,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
      /* We can skip looking for the binary itself which is at the front
 	 of the search list.  */
      i = 1;
-      char seen[nlist];
+      uint16_t seen[nlist];
      memset (seen, 0, nlist * sizeof (seen[0]));
      while (1)
 	{
@ -658,13 +658,13 @@ Filters not supported with LD_TRACE_PRELINKING"));
 			       (k - i) * sizeof (l_initfini[0]));
 		      l_initfini[k] = thisp;

-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nlist - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}

-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;
--- a/elf/dl-fini.c
+++ b/elf/dl-fini.c
@ -1,5 +1,5 @@
 /* Call the termination functions of loaded shared objects.
-   Copyright (C) 1995,96,1998-2002,2004-2005,2009,2011
+   Copyright (C) 1995, 1996, 1998-2002, 2004-2005, 2009, 2011-2012
   Free Software Foundation, Inc.
   This file is part of the GNU C Library.

@ -38,7 +38,7 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
  /* We can skip looking for the binary itself which is at the front
     of the search list for the main namespace.  */
  unsigned int i = ns == LM_ID_BASE;
-  char seen[nmaps];
+  uint16_t seen[nmaps];
  memset (seen, 0, nmaps * sizeof (seen[0]));
  while (1)
    {
@ -78,13 +78,13 @@ _dl_sort_fini (struct link_map **maps, size_t nmaps, char *used, Lmid_t ns)
 		      used[k] = here_used;
 		    }

-		  if (seen[i + 1] > 1)
+		  if (seen[i + 1] > nmaps - i)
 		    {
 		      ++i;
 		      goto next_clear;
 		    }

-		  char this_seen = seen[i];
+		  uint16_t this_seen = seen[i];
 		  memmove (&seen[i], &seen[i + 1], (k - i) * sizeof (seen[0]));
 		  seen[k] = this_seen;

--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@ -1,5 +1,5 @@
 /* Load a shared object at runtime, relocate it, and run its initializer.
-   Copyright (C) 1996-2007, 2009, 2010, 2011, 2012 Free Software Foundation, Inc.
+   Copyright (C) 1996-2007, 2009-2012 Free Software Foundation, Inc.
   This file is part of the GNU C Library.

   The GNU C Library is free software; you can redistribute it and/or
@ -325,7 +325,7 @@ dl_open_worker (void *a)
  while (l != NULL);
  if (nmaps > 1)
    {
-      char seen[nmaps];
+      uint16_t seen[nmaps];
      memset (seen, '\0', nmaps);
      size_t i = 0;
      while (1)
@ -351,13 +351,13 @@ dl_open_worker (void *a)
 			       (k - i) * sizeof (maps[0]));
 		      maps[k] = thisp;

-		      if (seen[i + 1] > 1)
+		      if (seen[i + 1] > nmaps - i)
 			{
 			  ++i;
 			  goto next_clear;
 			}

-		      char this_seen = seen[i];
+		      uint16_t this_seen = seen[i];
 		      memmove (&seen[i], &seen[i + 1],
 			       (k - i) * sizeof (seen[0]));
 		      seen[k] = this_seen;