diff options
| author | marcel <marcel@FreeBSD.org> | 2002-08-22 03:56:57 +0000 |
|---|---|---|
| committer | marcel <marcel@FreeBSD.org> | 2002-08-22 03:56:57 +0000 |
| commit | 68f14f0597e4f61a564e748b21c7a8926b7b97da (patch) | |
| tree | 752ff720d6d554670aa263da15f53725645354f3 /libexec | |
| parent | 242b6ef47601924e466ee708df4ff70153c8390c (diff) | |
| download | FreeBSD-src-68f14f0597e4f61a564e748b21c7a8926b7b97da.zip FreeBSD-src-68f14f0597e4f61a564e748b21c7a8926b7b97da.tar.gz | |
Fix a nasty memory corruption bug caused by having a bogus pointer
for the DT_IA64_PLT_RESERVE dynamic table entry. When a shared object
does not have any PLT relocations, the linker apparently doesn't find
it necessary to actually reserve the space for the BOR (Bind On
Reference) entries as pointed to by the DTE. As a result, relocatable
data in the PLT was overwritten, causing some unexpected control flow
with annoyingly predictable outcome: coredump.
To reproduce:
% echo 'int main() { return 0; }' > foo.c
% cc -o foo foo.c -lxpg4
Diffstat (limited to 'libexec')
| -rw-r--r-- | libexec/rtld-elf/ia64/reloc.c | 8 |
1 files changed, 8 insertions, 0 deletions
diff --git a/libexec/rtld-elf/ia64/reloc.c b/libexec/rtld-elf/ia64/reloc.c index ea58f07..7f8c166 100644 --- a/libexec/rtld-elf/ia64/reloc.c +++ b/libexec/rtld-elf/ia64/reloc.c @@ -482,6 +482,14 @@ init_pltgot(Obj_Entry *obj) Elf_Addr *pltres = 0; /* + * When there are no PLT relocations, the DT_IA64_PLT_RESERVE entry + * is bogus. Do not setup the BOR pointers in that case. An example + * of where this happens is /usr/lib/libxpg4.so.3. + */ + if (obj->pltrelasize == 0 && obj->pltrelsize == 0) + return; + + /* * Find the PLT RESERVE section. */ for (dynp = obj->dynamic; dynp->d_tag != DT_NULL; dynp++) { |
