[Bug 277629] ldd (ld-elf.so.1) uses p_vaddr without checking

Go to: [ bottom of page ] [ top of archives ] [ this month ]

From: <bugzilla-noreply_at_freebsd.org>
Date: Mon, 11 Mar 2024 13:57:27 UTC

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277629

            Bug ID: 277629
           Summary: ldd (ld-elf.so.1) uses p_vaddr without checking
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249091
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249091&action=edit
corrupt elf file that causes ldd to crash due to its use of p_vaddr

When ldd calls dlopen(..., RTLD_TRACE), ld-elf.so.1's map_object()
sets obj->dynamic from a p_vaddr without checking:

        case PT_DYNAMIC:
            phdyn = phdr;
    ...;
    obj->dynamic = (const Elf_Dyn *)(obj->relocbase + phdyn->p_vaddr);

and digest_dynamic1() dereferences it:

    dynp = obj->dynamic;
    ...;
    for (;  dynp->d_tag != DT_NULL;  dynp++) {

I've attached a corrupt elf file with the relevant p_vaddr set to
0x7ffffffff9699fff. This example happens to cause ldd to crash only on
a riscv machine (not amd64).

# uname -a
FreeBSD  15.0-CURRENT FreeBSD 15.0-CURRENT #270
main-n250982-48b12cb79520-dirty: Sat Mar  9 08:36:40 EST 2024    
rtm@zika:/usr/obj/usr/rtm/symbsd/src/riscv.riscv64/sys/RTM riscv
# objdump -x ./ldd7a.exe | grep 0x7fff
 DYNAMIC off    0x0000000000000000 vaddr 0x7ffffffff9699fff paddr
0x0000000000000000 align 2**64
# ldd ./ldd7a.exe 
./ldd7a.exe:
pid 136 (ldd), jid 0, uid 0: exited on signal 11 (core dumped)

-- 
You are receiving this mail because:
You are the assignee for the bug.