From patchwork Tue Oct 23 11:57:44 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Subject: Add more checks for valid ld.so.cache file (bug 18093) X-Patchwork-Submitter: Andreas Schwab X-Patchwork-Id: 11230 Message-Id: To: libc-alpha@sourceware.org Date: Tue, 23 Oct 2018 13:57:44 +0200 From: Andreas Schwab List-Id: [BZ #18093] * elf/dl-cache.c (_dl_load_cache_lookup): Check for truncated old format cache. * elf/cache.c (print_cache): Likewise. --- elf/cache.c | 5 +++++ elf/dl-cache.c | 5 ++++- 2 files changed, 9 insertions(+), 1 deletion(-) -- 2.19.1 -- Andreas Schwab, SUSE Labs, schwab@suse.de GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7 "And now for something completely different." diff --git a/elf/cache.c b/elf/cache.c index e63979da7d..83de25484b 100644 --- a/elf/cache.c +++ b/elf/cache.c @@ -199,6 +199,11 @@ print_cache (const char *cache_name) } else { + /* Check for overflow. */ + if ((cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry) + < cache->nlibs) + error (EXIT_FAILURE, 0, _("File is not a cache file.\n")); + size_t offset = ALIGN_CACHE (sizeof (struct cache_file) + (cache->nlibs * sizeof (struct file_entry))); diff --git a/elf/dl-cache.c b/elf/dl-cache.c index 6ee5153ff9..0f5d035213 100644 --- a/elf/dl-cache.c +++ b/elf/dl-cache.c @@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name) - only the new format The following checks if the cache contains any of these formats. */ if (file != MAP_FAILED && cachesize > sizeof *cache - && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0) + && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0 + /* Check for overflow. */ + && ((cachesize - sizeof *cache) / sizeof (struct file_entry) + >= ((struct cache_file *) file)->nlibs)) { size_t offset; /* Looks ok. */
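Review bot: in the elf/cache.c hunk, the new check `(cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry) < cache->nlibs` is only sound if `cache_size >= sizeof (struct cache_file)` has already been established on this path; the hunk does not show such a check, and with `size_t` arithmetic a smaller file would wrap the subtraction to a huge quotient and pass the test. Please confirm an earlier header-size check exists in print_cache (as `cachesize > sizeof *cache` does in the dl-cache.c hunk) or add `cache_size < sizeof (struct cache_file)` to the error condition. The comment `/* Check for overflow. */` also undersells what is being rejected; something like "Reject nlibs values for which the old-format entry table would extend past the end of the file" would tell the next reader why the division form is used instead of a multiplication that could itself overflow.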
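Review bot: in the elf/dl-cache.c hunk, adding the nlibs bound to the old-format `if` condition means a file with a valid CACHEMAGIC but an oversized `nlibs` no longer errors out; it falls through to the later branches, which the comment above describes as the check for "the new format" only. Please confirm that the following branch does its own size validation before reading the new-format header, so a truncated old-format file is rejected there rather than re-interpreted, and consider a brief note in the comment block ("- only the new format ...") that a malformed old-format header is now treated as not-old-format. As in the cache.c hunk, the `/* Check for overflow. */` comment would be clearer stating that the division form avoids overflowing `nlibs * sizeof (struct file_entry)` and that the subtraction is safe because `cachesize > sizeof *cache` is tested first.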