Bug 21544 - memory overrun, elf/dl-load.c fillin_rpath()
memory overrun, elf/dl-load.c fillin_rpath()
Product: Red Hat Linux
Classification: Retired
Component: glibc (Show other bugs)
i386 Linux
medium Severity medium
: ---
: ---
Assigned To: Jakub Jelinek
Aaron Brown
Depends On:
  Show dependency treegraph
Reported: 2000-11-30 18:01 EST by John Reiser
Modified: 2016-11-24 09:48 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2000-12-08 10:26:37 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Reiser 2000-11-30 18:01:29 EST
If an ELF binary executable has a DT_RPATH that ends in a directory
that requires no dynamic token expansion, and does not have
a trailing '/', and is a directory not seen before,
then fillin_rpath() from glibc-2.2/elf/dl-load.c reads beyond the end
of a block that was allocated by malloc().

Subroutine decompose_rpath() calls at line 531:
  copy = expand_dynamic_string_token (l, rpath);
and at line 548:
  fillin_rpath (copy, result, ":", 0, what, where);
Then fillin_rpath() adds a trailing slash at line 388:
        cp[len++] = '/';
and reads beyond the end at line 422:
          memcpy ((char *) dirp->dirname, cp, len + 1);

One fix is to allocate 2 extra bytes (instead of just 1)
in expand_dynamic_string_token(), and set the last one to '\0'.
Comment 1 Jakub Jelinek 2000-12-19 04:33:44 EST
Fixed in glibc-2.2-9

Note You need to log in before you can comment on or make changes to this bug.