Date: Thu, 27 Apr 2023 18:20:11 GMT
Message-Id: <202304271820.33RIKBR7069312@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Ed Maste
Subject: git: 26cc23c84e0e - stable/13 - rtld: fix SysV hash function overflow
List-Id: Commits to the stable branches of the FreeBSD src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-branches
X-Git-Committer: emaste
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/13
X-Git-Reftype: branch
X-Git-Commit: 26cc23c84e0e8bfc6d32b7d802f3cb9598d6ef79

The branch stable/13 has been updated by emaste:

URL: https://cgit.FreeBSD.org/src/commit/?id=26cc23c84e0e8bfc6d32b7d802f3cb9598d6ef79

commit 26cc23c84e0e8bfc6d32b7d802f3cb9598d6ef79
Author:     Ed Maste
AuthorDate: 2023-04-12 15:07:26 +0000
Commit:     Ed Maste
CommitDate: 2023-04-27 17:05:22 +0000

    rtld: fix SysV hash function overflow

    Quoting from https://maskray.me/blog/2023-04-12-elf-hash-function:

    The System V Application Binary Interface (generic ABI) specifies the
    ELF object file format. When producing an output executable or shared
    object needing a dynamic symbol table (.dynsym), a linker generates a
    .hash section with type SHT_HASH to hold a symbol hash table. A DT_HASH
    tag is produced to hold the address of .hash.

    The function is supposed to return a value no larger than 0x0fffffff.
    Unfortunately, there is a bug. When unsigned long consists of more than
    32 bits, the return value may be larger than UINT32_MAX. For instance,
    elf_hash((const unsigned char *)"\xff\x0f\x0f\x0f\x0f\x0f\x12") returns
    0x100000002, which is clearly unintended, as the function should behave
    the same way regardless of whether long represents a 32-bit integer or
    a 64-bit integer.

Reviewed by: kib, Fangrui Song Sponsored by: The FreeBSD Foundation Differential Revision: https://reviews.freebsd.org/D39517 (cherry picked from commit 29e3a06510823edbb91667d21f530d3ec778116d) --- libexec/rtld-elf/rtld.c | 15 ++++++--------- libexec/rtld-elf/rtld.h | 2 +- 2 files changed, 7 insertions(+), 10 deletions(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index 49685508d4dc..dc8353ba6628 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -1837,23 +1837,20 @@ donelist_check(DoneList *dlp, const Obj_Entry *obj) } /* - * Hash function for symbol table lookup. Don't even think about changing - * this. It is specified by the System V ABI. + * SysV hash function for symbol table lookup. It is a slightly optimized + * version of the hash specified by the System V ABI. */ -unsigned long +Elf32_Word elf_hash(const char *name) { const unsigned char *p = (const unsigned char *)name; - unsigned long h = 0; - unsigned long g; + Elf32_Word h = 0; while (*p != '\0') { h = (h << 4) + *p++; - if ((g = h & 0xf0000000) != 0) - h ^= g >> 24; - h &= ~g; + h ^= (h >> 24) & 0xf0; } - return (h); + return (h & 0x0fffffff); } /* diff --git a/libexec/rtld-elf/rtld.h b/libexec/rtld-elf/rtld.h index 52ff8de911e2..e8e997753c6f 100644 --- a/libexec/rtld-elf/rtld.h +++ b/libexec/rtld-elf/rtld.h @@ -385,7 +385,7 @@ void dump_Elf_Rela(Obj_Entry *, const Elf_Rela *, u_long); */ uintptr_t rtld_round_page(uintptr_t); uintptr_t rtld_trunc_page(uintptr_t); -unsigned long elf_hash(const char *); +Elf32_Word elf_hash(const char *); const Elf_Sym *find_symdef(unsigned long, const Obj_Entry *, const Obj_Entry **, int, SymCache *, struct Struct_RtldLockState *); void lockdflt_init(void);
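
Review bot: in the rtld.c hunk, the new comment calls this "a slightly optimized version" of the ABI hash but does not say why the result is unchanged, and the old warning against altering the function is dropped even though the value must still match the hash specified by the System V ABI. Suggest the comment explain that the top nibble is no longer cleared inside the loop (`h &= ~g` is gone) and is instead removed by the final `return (h & 0x0fffffff);`, and that a regression test be added for the input quoted in the commit message, `"\xff\x0f\x0f\x0f\x0f\x0f\x12"`, asserting the result does not exceed 0x0fffffff.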
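
Review bot: in the rtld.h hunk, the prototype now returns Elf32_Word, while the diffstat shows only rtld.c and rtld.h changed, so every caller of elf_hash() keeps whatever type it already stores the result in. Implicit widening keeps an `unsigned long` destination correct, but it is worth confirming that no caller passes the result to a long format specifier or relies on the wider return type, and saying in the commit message that callers were checked.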
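
The overflow described in the commit message, reproduced as an added example (not part of the commit or of FreeBSD's sources). The names `old_hash`, `new_hash`, `width_mask`, `samples` and `count_mismatches` are hypothetical; `width_mask` stands in for the width of `unsigned long`, and the first three sample names are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Pre-fix algorithm; width_mask models the size of unsigned long
 * (UINT32_MAX for ILP32, UINT64_MAX for LP64). Hypothetical helper. */
static uint64_t
old_hash(const char *name, uint64_t width_mask)
{
	const unsigned char *p = (const unsigned char *)name;
	uint64_t h = 0, g;

	while (*p != '\0') {
		h = ((h << 4) + *p++) & width_mask;
		if ((g = h & 0xf0000000) != 0)
			h ^= g >> 24;
		h &= ~g;
	}
	return (h);
}

/* Post-fix algorithm from the patch, with a 32-bit accumulator. */
static uint32_t
new_hash(const char *name)
{
	const unsigned char *p = (const unsigned char *)name;
	uint32_t h = 0;

	while (*p != '\0') {
		h = (h << 4) + *p++;
		h ^= (h >> 24) & 0xf0;
	}
	return (h & 0x0fffffff);
}

/* Constructed samples; the last is the input quoted in the commit message. */
static const char *samples[] = { "printf", "malloc",
    "_ZNSt6vectorIiSaIiEE9push_backERKi", "\xff\x0f\x0f\x0f\x0f\x0f\x12" };

/* Count samples where the 32-bit pre-fix and post-fix results differ. */
static int
count_mismatches(void)
{
	int bad = 0;
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		bad += old_hash(samples[i], UINT32_MAX) != new_hash(samples[i]);
	return (bad);
}

int
main(void)
{
	printf("old, 64-bit long: %#llx\n",
	    (unsigned long long)old_hash(samples[3], UINT64_MAX));
	printf("new: %#x, mismatches vs 32-bit old: %d\n",
	    new_hash(samples[3]), count_mismatches());
	return (0);
}
```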