Mailing-List: contact musl-help@lists.openwall.com; run by ezmlm
Date: Tue, 27 Sep 2022 11:09:48 +0200
From: Gabriel Ravier
To: musl@lists.openwall.com, Rich Felker
Subject: Re: [musl] Revisiting LFS64 removal
In-Reply-To: <20220926220449.GE9709@brightrain.aerifal.cx>
References: <20220926010339.GA9709@brightrain.aerifal.cx> <20220926220449.GE9709@brightrain.aerifal.cx>

On 9/27/22 00:04, Rich Felker wrote:
> On Sun, Sep 25, 2022 at 09:03:40PM -0400, Rich Felker wrote:
>> [...]
>> Of course these interfaces should not be used, and we never intended
>> for them to be used, just there for linking-compat. So, I've wanted to
>> get rid of them for a long time now.
>>
>> I believe the simplest short-term way is probably going to be just
>> having the dynamic linker symbol lookup error path make one final
>> check before bailing out with an error:
>>
>> - If the symbol to lookup ends in "64"..
>> - ..and it's in a hard-coded list of LFS64-compat symbols..
>> - ..and looking up the name with the "64" removed in libc succeeds..
>>
>> Then use the version without the "64" suffix and go on with relocation
>> processing.
> Proposed patch attached.
Looks as though the patch contains a buffer overflow to me, as the length of `name` appears to be unbounded, but it's then copied into `buf` which has its size limited to 16, all without checking for `l >= sizeof buf` until after the copying is done (which might just even get optimized out by GCC since it knows `l` can't be larger than buf without UB occurring).
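As an added illustration of the lookup fallback Rich describes and of the check-order problem Gabriel raises (example code written for this message, not Rich's attached patch and not musl's own source): the symbol name is validated and its base length computed before any byte is copied into the fixed-size buffer, so an over-long name from an untrusted ELF string table can never overrun it. The compat list below is a constructed, partial one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed, partial list of base names that have an LFS64 "<base>64"
 * alias. musl's real list lives in its own source; this is only illustrative. */
static const char *const lfs64_compat[] = {
    "open", "lseek", "fstat", "mmap", "ftruncate", "readdir",
};

/* If `name` is "<base>64" with <base> in the compat list, return the length
 * of <base>; otherwise return 0. Performs no copy, so no buffer is involved. */
static size_t lfs64_base_len(const char *name)
{
    size_t l = strlen(name);
    if (l < 3 || name[l - 2] != '6' || name[l - 1] != '4')
        return 0;
    size_t base = l - 2;
    for (size_t i = 0; i < sizeof lfs64_compat / sizeof *lfs64_compat; i++)
        if (strlen(lfs64_compat[i]) == base && !memcmp(lfs64_compat[i], name, base))
            return base;
    return 0;
}

/* Write the un-suffixed name into buf. The bound is checked BEFORE memcpy;
 * checking `l >= sizeof buf` only after the copy (the defect described in
 * the reply above) is too late, and a compiler may drop such a post-check
 * entirely because an overrun would already be undefined behaviour. */
int lfs64_strip_suffix(const char *name, char *buf, size_t bufsz)
{
    size_t base = lfs64_base_len(name);
    if (!base || base + 1 > bufsz)
        return 0;              /* not a compat symbol, or would not fit */
    memcpy(buf, name, base);
    buf[base] = '\0';
    return 1;
}

int main(void)
{
    char buf[16];
    const char *probe[] = { "open64", "lseek64", "foo64", "open",
                            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa64" };
    for (size_t i = 0; i < sizeof probe / sizeof *probe; i++)
        printf("%-40s -> %s\n", probe[i],
               lfs64_strip_suffix(probe[i], buf, sizeof buf) ? buf : "(no fallback)");
    return 0;
}
```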