mailing list of musl libc
From: Rich Felker <dalias@libc.org>
To: musl@lists.openwall.com
Subject: Re: [musl] [PATCH 1/4] ldso: add option to rewrite the argv block
Date: Sat, 28 Mar 2020 22:54:36 -0400	[thread overview]
Message-ID: <20200329025436.GS11469@brightrain.aerifal.cx> (raw)
In-Reply-To: <1585441168-23444-1-git-send-email-rcombs@rcombs.me>

On Sat, Mar 28, 2020 at 07:19:25PM -0500, rcombs wrote:
> ---
>  ldso/dynlink.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/ldso/dynlink.c b/ldso/dynlink.c
> index 6468f20..c378f00 100644
> --- a/ldso/dynlink.c
> +++ b/ldso/dynlink.c
> @@ -1698,6 +1698,7 @@ void __dls3(size_t *sp, size_t *auxv)
>  	char **argv = (void *)(sp+1);
>  	char **argv_orig = argv;
>  	char **envp = argv+argc+1;
> +	int replace_argv = 0;
>  
>  	/* Find aux vector just past environ[] and use it to initialize
>  	 * global data that may be needed before we can make syscalls. */
> @@ -1771,6 +1772,8 @@ void __dls3(size_t *sp, size_t *auxv)
>  				if (opt[5]=='=') replace_argv0 = opt+6;
>  				else if (opt[5]) *argv = 0;
>  				else if (*argv) replace_argv0 = *argv++;
> +			} else if (!memcmp(opt, "replace-argv", 12)) {
> +				replace_argv = 1;
>  			} else {
>  				argv[0] = 0;
>  			}
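Review bot: `!memcmp(opt, "replace-argv", 12)` is only a 12-byte prefix test, so `--replace-argvfoo` is accepted as this option, and for an `opt` shorter than 12 bytes the compare may read past its terminating NUL (it lands in the next string of the argv block rather than unmapped memory, but the read is still unbounded). Match the whole token instead, e.g. `!strcmp(opt, "replace-argv")`, or check that `opt[12]` is `'\0'` the way the `argv0` branch above inspects `opt[5]`. The patch also carries no description (the commit message above `---` is empty) and this hunk adds no usage text for the new option; please state what the option is for and when a caller should pass it.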
> @@ -1949,6 +1952,22 @@ void __dls3(size_t *sp, size_t *auxv)
>  	debug.state = 0;
>  	_dl_debug_state();
>  
> +	if (replace_argv) {
> +		char *argv_end = argv_orig[0];
> +		char *orig_ptr = argv_orig[0];
> +		int i;
> +		for (i = 0; i < (int)(argc - (argv-argv_orig)); i++) {
> +			char *src = (i == 0 && replace_argv0) ? replace_argv0 : argv[i];
> +			int len = strlen(src) + 1;
> +			memmove(orig_ptr, src, len);
> +			argv_end = argv[i] + strlen(argv[i]);
> +			argv[i] = orig_ptr;
> +			orig_ptr += len;
> +		}
> +		for (; orig_ptr < argv_end; orig_ptr++)
> +			*orig_ptr = 0;
> +	}
> +
>  	if (replace_argv0) argv[0] = replace_argv0;
>  
>  	errno = 0;
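Review bot: the rewrite loop writes into memory whose layout is not guaranteed and has no bounds check. It starts at `argv_orig[0]` and walks forward assuming the original argv strings are contiguous and in their original order, which is not an interface contract. Even under that assumption, if `replace_argv0` (or the running total of the copies) is longer than the space freed by the consumed ldso name and options, `orig_ptr` overtakes `argv[i+1]` before it has been copied, so `memmove` clobbers the next argument, and once the block is exhausted the writes continue into the `envp` strings and whatever follows; the trailing `for (; orig_ptr < argv_end; orig_ptr++)` zero-fill only runs in the shrink case, so nothing detects the overflow. A second, independent bug: `argv_end = argv[i] + strlen(argv[i])` is evaluated after the `memmove`, and when source and destination overlap `strlen(argv[i])` now measures the shifted copy rather than the original string, so `argv_end` is wrong and stale bytes are left unzeroed. Suggested change: before any write, verify contiguity (`argv_orig[i+1] == argv_orig[i] + strlen(argv_orig[i]) + 1` for every slot), compute the total original span from `argv_orig[0]` to the end of the last argv string and the total the new strings need, and skip the rewrite (leaving argv untouched) when it does not fit; take `strlen(argv[i])` before the `memmove`; and use `size_t` rather than `int` for `i` and `len`. Finally, `if (replace_argv0) argv[0] = replace_argv0;` below resets `argv[0]` to the source string right after the loop pointed it at the in-block copy, so the `i == 0` special case is dead code; either guard that line with `!replace_argv` or drop the special case.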
> -- 
> 2.7.4

Can you clarify what the purpose of this patch/option is? It seems
unrelated to the rest of the series and looks like it's doing
something really sketchy. It looks like it's making assumptions about
the layout of the original strings, which is not an interface
contract, and like it happily overflows and clobbers unrelated memory
if replace_argv0 is longer than the original string pointed to by
argv[0].

Rich

Thread overview:
2020-03-29  0:19 rcombs
2020-03-29  0:19 ` [musl] [PATCH 2/4] ldso: when run via CLI, set auxv as if the app was loaded by the kernel rcombs
2020-03-29  0:19 ` [musl] [PATCH 3/4] ldso: move (un)map_library functions to separate file rcombs
2020-03-29  3:07   ` Rich Felker
2020-03-29  0:19 ` [musl] [PATCH 4/4] crt: add dcrt1, with support for locating the dynamic loader at runtime rcombs
2020-03-29  2:54 ` Rich Felker [this message]