Fix a nasty memory corruption bug caused by having a bogus pointer
for the DT_IA64_PLT_RESERVE dynamic table entry. When a shared object does not have any PLT relocations, the linker apparently doesn't find it necessary to actually reserve the space for the BOR (Bind On Reference) entries as pointed to by the DTE. As a result, relocatable data in the PLT was overwritten, causing some unexpected control flow with an annoyingly predictable outcome: coredump.

To reproduce:
% echo 'int main() { return 0; }' > foo.c
% cc -o foo foo.c -lxpg4
parent
eb238d0692
commit
708bc7c7b4
Notes:
svn2git
2020-12-20 02:59:44 +00:00
svn path=/head/; revision=102249
@ -481,6 +481,14 @@ init_pltgot(Obj_Entry *obj)
|
||||
const Elf_Dyn *dynp;
|
||||
Elf_Addr *pltres = 0;
|
||||
|
||||
/*
|
||||
* When there are no PLT relocations, the DT_IA64_PLT_RESERVE entry
|
||||
* is bogus. Do not setup the BOR pointers in that case. An example
|
||||
* of where this happens is /usr/lib/libxpg4.so.3.
|
||||
*/
|
||||
if (obj->pltrelasize == 0 && obj->pltrelsize == 0)
|
||||
return;
|
||||
|
||||
/*
|
||||
* Find the PLT RESERVE section.
|
||||
*/
|
||||
|
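Review bot: The early return on `obj->pltrelasize == 0 && obj->pltrelsize == 0` covers the one linker case named in the new comment, but whenever PLT relocations are present the DT_IA64_PLT_RESERVE value is still taken from the object's dynamic table on trust. The code that uses `pltres` lies outside this hunk, so this is inferred, but if it stores through that pointer, a range check against the object's mapping would turn a bad entry into a clean failure instead of silent corruption. A possible form, placed after the dynamic-table scan, is `if ((caddr_t)pltres < obj->mapbase || (caddr_t)pltres >= obj->mapbase + obj->mapsize) return;`. It would also help to add a comment line such as `* The entry is otherwise used as-is; it is not range-checked here.` so the remaining assumption is visible to the next reader.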