| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 11 Dec 2020 09:32:56 +0000
From: Szabolcs Nagy <szabolcs.nagy@....com>
To: Adhemerval Zanella <adhemerval.zanella@...aro.org>
Cc: libc-alpha@...rceware.org, Mark Rutland <mark.rutland@....com>,
kernel-hardening@...ts.openwall.com,
Catalin Marinas <catalin.marinas@....com>,
linux-kernel@...r.kernel.org,
Jeremy Linton <jeremy.linton@....com>,
Mark Brown <broonie@...nel.org>,
Topi Miettinen <toiwoton@...il.com>,
Will Deacon <will@...nel.org>,
linux-arm-kernel@...ts.infradead.org
Subject: Re: [PATCH v2 3/6] elf: Fix failure handling in
_dl_map_object_from_fd
The 12/10/2020 15:25, Adhemerval Zanella wrote:
> On 27/11/2020 10:20, Szabolcs Nagy via Libc-alpha wrote:
> > There are many failure paths that call lose to do local cleanups
> > in _dl_map_object_from_fd, but it did not clean everything.
> >
> > Handle l_phdr, l_libname and mapped segments in the common failure
> > handling code.
> >
> > There are various bits that may not be cleaned properly on failure
> > (e.g. executable stack, tlsid, incomplete dl_map_segments).
> > ---
> > elf/dl-load.c | 24 +++++++++++++++---------
> > 1 file changed, 15 insertions(+), 9 deletions(-)
> >
> > diff --git a/elf/dl-load.c b/elf/dl-load.c
> > index 21e55deb19..9c71b7562c 100644
> > --- a/elf/dl-load.c
> > +++ b/elf/dl-load.c
> > @@ -914,8 +914,15 @@ lose (int code, int fd, const char *name, char *realname, struct link_map *l,
> > /* The file might already be closed. */
> > if (fd != -1)
> > (void) __close_nocancel (fd);
> > + if (l != NULL && l->l_map_start != 0)
> > + _dl_unmap_segments (l);
> > if (l != NULL && l->l_origin != (char *) -1l)
> > free ((char *) l->l_origin);
> > + if (l != NULL && !l->l_libname->dont_free)
> > + free (l->l_libname);
> > + if (l != NULL && l->l_phdr_allocated)
> > + free ((void *) l->l_phdr);
> > +
> > free (l);
> > free (realname);
> >
> > @@ -1256,7 +1263,11 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> > errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
> > maplength, has_holes, loader);
> > if (__glibc_unlikely (errstring != NULL))
> > - goto call_lose;
> > + {
> > + /* Mappings can be in an inconsistent state: avoid unmap. */
> > + l->l_map_start = l->l_map_end = 0;
> > + goto call_lose;
> > + }
> >
> > /* Process program headers again after load segments are mapped in
> > case processing requires accessing those segments. Scan program
>
> In this case I am failing to see who would be responsible to unmap
> l_map_start int the type == ET_DYN where first mmap succeeds but
> with a later mmap failure in any load command.
failures are either cleaned up locally in this function
via lose or after a clean return via dlclose.
failures that are not cleaned up will leak resources.
_dl_map_segments failure is not cleaned up (the mappings
are in an unknown state). however after a successful
_dl_map_segments later failures can clean the mappings
and that's what i fixed here.
i did not try to fix transitive design bugs (such as
leaks in _dl_map_segments) that would require interface
change or local cleanups in those other functions.
> > @@ -1294,14 +1305,6 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
> > || (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
> > && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
> > {
> > - /* We are not supposed to load this object. Free all resources. */
> > - _dl_unmap_segments (l);
> > -
> > - if (!l->l_libname->dont_free)
> > - free (l->l_libname);
> > -
> > - if (l->l_phdr_allocated)
> > - free ((void *) l->l_phdr);
> >
> > if (l->l_flags_1 & DF_1_PIE)
> > errstring
> > @@ -1392,6 +1395,9 @@ cannot enable executable stack as shared object requires");
> > /* Signal that we closed the file. */
> > fd = -1;
> >
> > + /* Failures before this point are handled locally via lose.
> > + No more failures are allowed in this function until return. */
> > +
> > /* If this is ET_EXEC, we should have loaded it as lt_executable. */
> > assert (type != ET_EXEC || l->l_type == lt_executable);
> >
> >
>
> Ok.
Powered by blists - more mailing lists