eglibc-nativesdk: Fix buffer overrun with a relocated SDK

When ld-linux-*.so.2 is relocated to a path that is longer than the original fixed location, the dynamic loader will crash in open_path because it implicitly assumes that max_dirnamelen is a fixed size that never changes. The allocated buffer will not be large enough to contain the directory path string which is larger than the fixed location provided at build time. (From OE-Core rev: 8ebd85d29eb1a9c0c0d3cd79e7dda8b857c27bbb) Signed-off-by: Jason Wessel <jason.wessel@windriver.com> Signed-off-by: Mark Hatle <mark.hatle@windriver.com> Signed-off-by: Saul Wold <sgw@linux.intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
2013-01-10 12:55:11 -06:00 · 2013-01-10 12:55:11 -06:00 · eef73b4489
parent 981bd3a297
commit eef73b4489
2 changed files with 43 additions and 1 deletions
--- a/meta/recipes-core/eglibc/eglibc-2.17/relocatable_sdk_fix_openpath.patch
+++ b/meta/recipes-core/eglibc/eglibc-2.17/relocatable_sdk_fix_openpath.patch
@ -0,0 +1,41 @@
+Upstream-Status: Inappropriate [SDK specific]
+
+eglibc-nativesdk: Fix buffer overrun with a relocated SDK
+
+When ld-linux-*.so.2 is relocated to a path that is longer than the
+original fixed location, the dynamic loader will crash in open_path
+because it implicitly assumes that max_dirnamelen is a fixed size that
+never changes.
+
+The allocated buffer will not be large enough to contain the directory
+path string which is larger than the fixed location provided at build
+time.
+
+Signed-off-by: Jason Wessel <jason.wessel@windriver.com>
+
+---
+ elf/dl-load.c |   12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/elf/dl-load.c
+++ b/elf/dl-load.c
+@@ -1919,7 +1919,19 @@ open_path (const char *name, size_t name
+        given on the command line when rtld is run directly.  */
+     return -1;
+ 
+  do
+    {
+      struct r_search_path_elem *this_dir = *dirs;
+      if (this_dir->dirnamelen > max_dirnamelen)
+	{
+	  max_dirnamelen = this_dir->dirnamelen;
+	}
+    }
+  while (*++dirs != NULL);
+
+   buf = alloca (max_dirnamelen + max_capstrlen + namelen);
+
+  dirs = sps->dirs;
+   do
+     {
+       struct r_search_path_elem *this_dir = *dirs;
--- a/meta/recipes-core/eglibc/eglibc_2.17.bb
+++ b/meta/recipes-core/eglibc/eglibc_2.17.bb
@ -1,6 +1,6 @@
 require eglibc.inc

-PR = "r2"
+PR = "r3"

 DEPENDS += "gperf-native kconfig-frontends-native"

@ -45,6 +45,7 @@ LIC_FILES_CHKSUM = "file://LICENSES;md5=e9a558e243b36d3209f380deb394b213 \

 SRC_URI_append_class-nativesdk = " file://ld-search-order.patch \
            file://relocatable_sdk.patch \
+            file://relocatable_sdk_fix_openpath.patch \
            "
 S = "${WORKDIR}/eglibc-${PV}/libc"
 B = "${WORKDIR}/build-${TARGET_SYS}"