From owner-freebsd-current@FreeBSD.ORG  Thu Jul 28 00:00:35 2005
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
X-Original-To: freebsd-current@FreeBSD.org
Delivered-To: freebsd-current@FreeBSD.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id F1FF216A41F
	for <freebsd-current@FreeBSD.org>; Thu, 28 Jul 2005 00:00:35 +0000 (GMT)
	(envelope-from freebsd-D20050727@morphisms.net)
Received: from holo.morphisms.net (holo.morphisms.net [66.93.84.55])
	by mx1.FreeBSD.org (Postfix) with ESMTP id A8C5E43D55
	for <freebsd-current@FreeBSD.org>; Thu, 28 Jul 2005 00:00:35 +0000 (GMT)
	(envelope-from freebsd-D20050727@morphisms.net)
Received: from mero.morphisms.net (mero.morphisms.net [66.93.84.246])
	by holo.morphisms.net (Postfix) with ESMTP id 8D73A24FA9
	for <freebsd-current@FreeBSD.org>; Wed, 27 Jul 2005 20:01:52 -0400 (EDT)
Received: by mero.morphisms.net (Postfix, from userid 0)
	id 871E026; Wed, 27 Jul 2005 20:01:52 -0400 (EDT)
From: William Josephson <freebsd-D20050727@morphisms.net>
To: freebsd-current@FreeBSD.org
Message-Id: <20050728000152.871E026@mero.morphisms.net>
Date: Wed, 27 Jul 2005 20:01:52 -0400 (EDT)
X-Mailman-Approved-At: Thu, 28 Jul 2005 11:52:24 +0000
Cc: 
Subject: dlinfo/rtld.c bug
X-BeenThere: freebsd-current@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Discussions about the use of FreeBSD-current
	<freebsd-current.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>, 
	<mailto:freebsd-current-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-current>
List-Post: <mailto:freebsd-current@freebsd.org>
List-Help: <mailto:freebsd-current-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-current>,
	<mailto:freebsd-current-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2005 00:00:36 -0000

I've run across a bug in the ELF dynamic linker in FreeBSD 4.x
and FreeBSD 5.4.  Although I haven't had a chance to compile or
install FreeBSD 6 yet, the bug appears to be in the ELF dynamic
linker in at least FreeBSD 4 through -CURRENT.  The problem is
that do_search_info in libexec/rtld-elf/rtld.c does not account
for the space required by Dl_serpath structures with either the
RTLD_DI_SERINFOSIZE, or the RTLD_DI_SERINFO requests.  The
example program in the dlinfo man page happens to work, but a
simple loop copying the path strings into a buffer allocated with
malloc will corrupt the heap.  The program below illustrates the
problem.  Given that the arithmetic in do_search_info is easily
fixed, it might be worth patching before the upcoming release.

	#include <link.h>
	#include <dlfcn.h>
	#include <stdio.h>
	#include <stdlib.h>
	
	int
	main(int argc, char *argv[])
	{
		char *s;
		Dl_serinfo *p;
		Dl_serinfo info;
	
		memset(&info, 0, sizeof(info));
		dlinfo(RTLD_SELF, RTLD_DI_SERINFOSIZE, (void*)&info);
		p = malloc(info.dls_size);
		memset(p, 0, info.dls_size);
		p->dls_cnt = info.dls_cnt;
		p->dls_size = info.dls_size;
		dlinfo(RTLD_SELF, RTLD_DI_SERINFO, (void*)p);
		s = p->dls_serpath[p->dls_cnt-1].dls_name;
		s += strlen(s)+1;
		printf("%d %d %d %d %d\n", info.dls_size, (char*)s-(char*)p,
			((char*)s-(char*)p)-info.dls_size, sizeof(Dl_serpath),
			info.dls_cnt*sizeof(Dl_serpath));
		return 0;
	}