authormarcel <marcel@FreeBSD.org>2002-08-22 03:56:57 +0000
committermarcel <marcel@FreeBSD.org>2002-08-22 03:56:57 +0000
commit68f14f0597e4f61a564e748b21c7a8926b7b97da (patch)
tree752ff720d6d554670aa263da15f53725645354f3 /libexec
parent242b6ef47601924e466ee708df4ff70153c8390c (diff)
Fix a nasty memory corruption bug caused by having a bogus pointer
for the DT_IA64_PLT_RESERVE dynamic table entry. When a shared object does not have any PLT relocations, the linker apparently doesn't find it necessary to actually reserve the space for the BOR (Bind On Reference) entries as pointed to by the DTE. As a result, relocatable data in the PLT was overwritten, causing some unexpected control flow with annoyingly predictable outcome: coredump. To reproduce: % echo 'int main() { return 0; }' > foo.c % cc -o foo foo.c -lxpg4
Diffstat (limited to 'libexec')
-rw-r--r--libexec/rtld-elf/ia64/reloc.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/libexec/rtld-elf/ia64/reloc.c b/libexec/rtld-elf/ia64/reloc.c
index ea58f07..7f8c166 100644
--- a/libexec/rtld-elf/ia64/reloc.c
+++ b/libexec/rtld-elf/ia64/reloc.c
@@ -482,6 +482,14 @@ init_pltgot(Obj_Entry *obj)
Elf_Addr *pltres = 0;
/*
+ * When there are no PLT relocations, the DT_IA64_PLT_RESERVE entry
+ * is bogus. Do not setup the BOR pointers in that case. An example
+ * of where this happens is /usr/lib/libxpg4.so.3.
+ */
+ if (obj->pltrelasize == 0 && obj->pltrelsize == 0)
+ return;
+
+ /*
* Find the PLT RESERVE section.
*/
for (dynp = obj->dynamic; dynp->d_tag != DT_NULL; dynp++) {
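Review bot: The new early return in init_pltgot() filters only the case where both `obj->pltrelasize` and `obj->pltrelsize` are zero; the DT_IA64_PLT_RESERVE address itself is still taken from the object's dynamic table without any range check. The lookup loop only begins on the last line of this hunk and the code that uses the pointer lies outside it, so this is inferred, but an object that does have PLT relocations and carries a reserve address outside its own mapping would presumably still cause the same kind of stray write inside the runtime linker. Consider checking the resolved address against the object's mapped range before it is used, and at minimum record the limitation in the new comment, e.g. `* Note: the DTE address itself is not validated; only the no-PLT-relocation case is filtered here.`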