Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20160217152504.GD9349@brightrain.aerifal.cx>
Date: Wed, 17 Feb 2016 10:25:04 -0500
From: Rich Felker <dalias@...c.org>
To: musl@...ts.openwall.com
Subject: Re: dynlink.c: bug in reclaim_gaps leading to segfault in
 __libc_exit_fini

On Wed, Feb 17, 2016 at 04:15:33AM -0500, Hugues Bruant wrote:
> Finally figured it out:
> 
> 1. musl is reclaiming space from the executable starting at offset
> 0x224B20, i.e. at the end of the bss
> 2. this reclaimed space gets used for the dso struct of the first shared lib
> 3. the last variable in the bss appears to be scratch space for checksum
> computation
> 4. the code is assuming "unsigned long" to be 4 bytes, which isn't the case
> on 64bit platforms
> 5. the checksum code overflows out of the bss, corrupting the dso struct
> 6. this issue is masked in a glibc environment because the loader doesn't
> make the unused part of the program pages available to malloc.
> 7. valgrind doesn't catch the problem because it doesn't bound-check globals
> 
> Sorry about the noise.

No problem. Nice find though -- you caught a bug even valgrind
couldn't, and one that probably could have been nasty if the linker
happened to reorder bss differently such that the overflowed object
was no longer at the end. Have you sent a patch upstream?

Rich

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.