blob: a8e625d24cbdcb98c4aeacdf3a0a3ee7259f87de (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
|
From aa8393bff257e4badfd208b88473ead175c69362 Mon Sep 17 00:00:00 2001
From: Khem Raj <raj.khem@gmail.com>
Date: Wed, 18 Mar 2015 01:50:00 +0000
Subject: [PATCH] nativesdk-glibc: Fix buffer overrun with a relocated SDK
When ld-linux-*.so.2 is relocated to a path that is longer than the
original fixed location, the dynamic loader will crash in open_path
because it implicitly assumes that max_dirnamelen is a fixed size that
never changes.
The allocated buffer will not be large enough to contain the directory
path string which is larger than the fixed location provided at build
time.
Upstream-Status: Inappropriate [OE SDK specific]
Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
Signed-off-by: Khem Raj <raj.khem@gmail.com>
---
elf/dl-load.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/elf/dl-load.c b/elf/dl-load.c
index ad01674027..f455207e79 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -1871,7 +1871,19 @@ open_path (const char *name, size_t namelen, int mode,
given on the command line when rtld is run directly. */
return -1;
+ do
+ {
+ struct r_search_path_elem *this_dir = *dirs;
+ if (this_dir->dirnamelen > max_dirnamelen)
+ {
+ max_dirnamelen = this_dir->dirnamelen;
+ }
+ }
+ while (*++dirs != NULL);
+
buf = alloca (max_dirnamelen + max_capstrlen + namelen);
+
+ dirs = sps->dirs;
do
{
struct r_search_path_elem *this_dir = *dirs;
|
