author | Roland McGrath <roland@hack.frob.com> | 2015-04-17 12:11:58 -0700 |
---|---|---|
committer | Roland McGrath <roland@hack.frob.com> | 2015-04-17 12:11:58 -0700 |
commit | 328c44c3670ebf6c1bd790acddce65a12998cd6c (patch) | |
tree | 2f90e586472eb62163d4340df5fa5060e7aee1b1 | |
parent | aa4980fc31e9ce176fe954bd0f29bcd65a61556a (diff) | |
Fuller check for invalid NSID in _dl_open.
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | elf/dl-open.c | 12 |
2 files changed, 15 insertions, 3 deletions
diff --git a/ChangeLog b/ChangeLog
index 411ef3dcc3..967a8c85ea 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2015-04-17 Roland McGrath <roland@hack.frob.com>
+
+ * elf/dl-open.c (_dl_open): Use __glibc_unlikely in invalid namespace
+ check. Reject NSID < 0 and NSID >= dl_nns, and check for DL_NNS==1,
+ before using NSID as an index.
+
 2015-04-17 Il'ya Malakhov <ilmalakhov@yandex.ru> [BZ #17825]
diff --git a/elf/dl-open.c b/elf/dl-open.c
index 0dbe07fb68..2d0e082271 100644
--- a/elf/dl-open.c
+++ b/elf/dl-open.c
@@ -211,7 +211,7 @@ dl_open_worker (void *a)
 struct link_map *l = _dl_find_dso_for_object ((ElfW(Addr)) caller_dlopen);
 if (l)
- call_map = l;
+ call_map = l;
 if (args->nsid == __LM_ID_CALLER)
 args->nsid = call_map->l_ns;
@@ -619,8 +619,14 @@ no more namespaces available for dlmopen()"));
 /* Never allow loading a DSO in a namespace which is empty. Such direct placements is only causing problems. Also don't allow loading into a namespace used for auditing. */
- else if (__builtin_expect (nsid != LM_ID_BASE && nsid != __LM_ID_CALLER, 0) && (GL(dl_ns)[nsid]._ns_nloaded == 0
+ else if (__glibc_unlikely (nsid != LM_ID_BASE && nsid != __LM_ID_CALLER)
+ && (__glibc_unlikely (nsid < 0 || nsid >= GL(dl_nns))
+ /* This prevents the [NSID] index expressions from being
+ evaluated, so the compiler won't think that we are
+ accessing an invalid index here in the !SHARED case where
+ DL_NNS is 1 and so any NSID != 0 is invalid. */
+ || DL_NNS == 1
+ || GL(dl_ns)[nsid]._ns_nloaded == 0
 || GL(dl_ns)[nsid]._ns_loaded->l_auditing))
 _dl_signal_error (EINVAL, file, NULL, N_("invalid target namespace in dlmopen()")); |
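Review bot: In the second dl-open.c hunk the new `nsid < 0 || nsid >= GL(dl_nns)` test is placed ahead of the `GL(dl_ns)[nsid]` operands, but only the `DL_NNS == 1` operand carries a comment, so the evaluation order that keeps the `_ns_nloaded` and `_ns_loaded->l_auditing` reads in bounds is left undocumented and a later reordering of the `||` chain would silently reintroduce the out-of-range index. I would add above that line `/* Range-check NSID before the operands below use it as an index into GL(dl_ns); the order of the || operands is load-bearing.  */`. Note also that the whole branch is skipped for `nsid == __LM_ID_CALLER`, which the first hunk shows being resolved to `call_map->l_ns` only later in dl_open_worker, so the empty/auditing namespace checks do not run on the resolved value at this point; whether the worker repeats them is outside these hunks and worth stating in the same comment. Per the ChangeLog entry the enclosing function is _dl_open, whose start and end lie outside the hunk.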