diff options
author | Miod Vallat <miod@cvs.openbsd.org> | 2013-01-11 21:17:08 +0000 |
---|---|---|
committer | Miod Vallat <miod@cvs.openbsd.org> | 2013-01-11 21:17:08 +0000 |
commit | a34a312227f258b9fc792f1787b6b53a601fafdf (patch) | |
tree | 9c9807ca86bdad11bd61759822ce7383176346ad | |
parent | 928cdc820ca5e0e2ca999efb63a34c6057daee79 (diff) |
Proper bounds checking for DT_xxx values in _dl_boot_bind(). Turned out to be
harmless because we have full control over the array being processed, and none
of the values we set up may trigger the bug; yet this may change in the future.
ok drahn matthew@
-rw-r--r-- | libexec/ld.so/loader.c | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/libexec/ld.so/loader.c b/libexec/ld.so/loader.c index 7f8457e1b61..de24e6e83fc 100644 --- a/libexec/ld.so/loader.c +++ b/libexec/ld.so/loader.c @@ -1,4 +1,4 @@ -/* $OpenBSD: loader.c,v 1.129 2012/06/12 20:32:17 matthew Exp $ */ +/* $OpenBSD: loader.c,v 1.130 2013/01/11 21:17:07 miod Exp $ */ /* * Copyright (c) 1998 Per Fogelstrom, Opsycon AB @@ -394,8 +394,8 @@ _dl_boot(const char **argv, char **envp, const long dyn_loff, long *dl_data) #define TRUNC_PG(x) ((x) & ~(align)) /* - * now that GOT and PLT has been relocated, and we know - * page size, protect it from modification + * now that GOT and PLT have been relocated, and we know + * page size, protect them from modification */ #ifndef RTLD_NO_WXORX { @@ -726,10 +726,10 @@ _dl_boot_bind(const long sp, long *dl_data, Elf_Dyn *dynamicp) table[i++] = DT_NULL; for (i = 0; table[i] != DT_NULL; i++) { val = table[i]; - if (val > DT_HIPROC) /* ??? */ + if (val >= DT_LOPROC && val < DT_LOPROC + DT_PROCNUM) + val = val - DT_LOPROC + DT_NUM; + else if (val >= DT_NUM) continue; - if (val > DT_LOPROC) - val -= DT_LOPROC + DT_NUM; if (dynld.Dyn.info[val] != 0) dynld.Dyn.info[val] += loff; } |