diff options
author | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2024-05-06 13:18:45 -0300 |
---|---|---|
committer | Adhemerval Zanella <adhemerval.zanella@linaro.org> | 2024-05-07 12:16:36 -0300 |
commit | bcae44ea8536b30a7119c0986ff5692bddacb672 (patch) | |
tree | 3ad07f5e12524dda7c6ce8ef971baae455eeca50 /sysdeps/sparc/sparc64 | |
parent | 143ef68b2aded7c794956beddad495af8c7d3251 (diff) | |
download | glibc-bcae44ea8536b30a7119c0986ff5692bddacb672.tar.gz glibc-bcae44ea8536b30a7119c0986ff5692bddacb672.tar.xz glibc-bcae44ea8536b30a7119c0986ff5692bddacb672.zip |
elf: Only process multiple tunable once (BZ 31686)
The 680c597e9c3 commit made loader reject ill-formatted strings by first tracking all set tunables and then applying them. However, it does not take into consideration if the same tunable is set multiple times, where parse_tunables_string appends the found tunable without checking if it was already in the list. It leads to a stack-based buffer overflow if the tunable is specified more than the total number of tunables. For instance: GLIBC_TUNABLES=glibc.malloc.check=2:... (repeat over the number of total support for different tunable). Instead, use the index of the tunable list to get the expected tunable entry. Since now the initial list is zero-initialized, the compiler might emit an extra memset and this requires some minor adjustment on some ports. Checked on x86_64-linux-gnu and aarch64-linux-gnu. Reported-by: Yuto Maeda <maeda@cyberdefense.jp> Reported-by: Yutaro Shimizu <shimizu@cyberdefense.jp> Reviewed-by: Siddhesh Poyarekar <siddhesh@sourceware.org>
Diffstat (limited to 'sysdeps/sparc/sparc64')
-rw-r--r-- | sysdeps/sparc/sparc64/rtld-memset.c | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/sysdeps/sparc/sparc64/rtld-memset.c b/sysdeps/sparc/sparc64/rtld-memset.c index 55f3835790..a19202a620 100644 --- a/sysdeps/sparc/sparc64/rtld-memset.c +++ b/sysdeps/sparc/sparc64/rtld-memset.c @@ -1 +1,4 @@ #include <string/memset.c> +#if IS_IN(rtld) +strong_alias (memset, __memset_ultra1) +#endif |