From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 277635] ldd (ld-elf.so.1) integer wrap when computing mmap() argument
Date: Mon, 11 Mar 2024 16:55:59 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: bin
X-Bugzilla-Version: CURRENT
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rtm@lcs.mit.edu
X-Bugzilla-Status: New
X-Bugzilla-Assigned-To: bugs@FreeBSD.org
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
List-Id: Bug reports
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=277635

            Bug ID: 277635
           Summary: ldd (ld-elf.so.1) integer wrap when computing mmap()
                    argument
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Some People
          Priority: ---
         Component: bin
          Assignee: bugs@FreeBSD.org
          Reporter: rtm@lcs.mit.edu

Created attachment 249097
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=249097&action=edit
elf with huge vaddr that causes ldd / ld.so integer wrap

The attached elf file has a LOAD segment with a p_vaddr big enough that
p_vaddr + p_filesz wraps. This causes rtld-elf's map_object.c to compute
a huge size argument for a call to mmap() to map in the segment, which
causes the segment to be mapped over something critical. This causes
ld-elf.so.1 to crash when called by ldd.

Specifically, data_vaddr ends up larger than data_vlimit in this
map_object() code, so data_vlimit - data_vaddr wraps:

    for (i = 0; i <= nsegs; i++) {
        /* Overlay the segment onto the proper region. */
        data_offset = rtld_trunc_page(segs[i]->p_offset);
        data_vaddr = rtld_trunc_page(segs[i]->p_vaddr);
        data_vlimit = rtld_round_page(segs[i]->p_vaddr + segs[i]->p_filesz);
        data_addr = mapbase + (data_vaddr - base_vaddr);
        ...;
        if (data_vlimit != data_vaddr &&
            mmap(data_addr, data_vlimit - data_vaddr, data_prot,
            data_flags | MAP_PREFAULT_READ, fd, data_offset) == MAP_FAILED) {

Similarly, clever choices of p_vaddr and p_filesz can cause the later

    clear_vaddr = segs[i]->p_vaddr + segs[i]->p_filesz;
    clear_addr = mapbase + (clear_vaddr - base_vaddr);
    ...;
    memset(clear_addr, 0, nclear);

to write memory outside of mapbase..(mapbase+mapsize).

The attached elf file demonstrates the first problem, though only on riscv.

# objdump -x ldd1c.exe
...
    LOAD off    0x0000000000000700 vaddr 0xffffffffffec5701 paddr 0x0000000000001700 align 2**12
         filesz 0x0000003fbffff0b2 memsz 0x00000000000001b0 flags --x
# ldd ldd1c.exe
ldd1c.exe: pid 35 (ld-elf.so.1), jid 0, uid 0: exited on signal 11 (core dumped)
/ldd1c.exe: signal 11
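The arithmetic the report quotes, reproduced in isolation, next to a checked variant that rejects a program header before its sums feed mmap() or memset(). This is an added C example; it is neither rtld's code nor the reporter's. `struct load_seg` is a stand-in for the three Elf64_Phdr fields involved, the 4 KiB page size and the names `unchecked_map_len`/`checked_map_len` are assumptions, and the segment values are taken from the objdump output above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed page size: rtld_trunc_page/rtld_round_page use the run-time
 * page size; this stand-in fixes it at 4 KiB. */
#define PAGE_SIZE 4096ULL
#define PAGE_MASK (PAGE_SIZE - 1)

static uint64_t trunc_page(uint64_t x) { return x & ~PAGE_MASK; }
static uint64_t round_page(uint64_t x) { return (x + PAGE_MASK) & ~PAGE_MASK; }

/* Constructed stand-in for the Elf64_Phdr fields a PT_LOAD mapping uses. */
struct load_seg {
    uint64_t p_vaddr;
    uint64_t p_filesz;
    uint64_t p_memsz;
};

/* Mirrors the arithmetic in the quoted map_object() loop with no range
 * checks: a p_vaddr near the top of the address space wraps the sum, and
 * the subtraction then yields a huge mmap() length. */
uint64_t unchecked_map_len(const struct load_seg *s)
{
    uint64_t data_vaddr = trunc_page(s->p_vaddr);
    uint64_t data_vlimit = round_page(s->p_vaddr + s->p_filesz); /* may wrap */
    return data_vlimit - data_vaddr;                              /* may wrap */
}

/* Hypothetical checked version: validate the header before any arithmetic
 * that feeds mmap() or memset(). Stores the mapping length and returns
 * true on success; returns false if a sum would wrap or p_filesz > p_memsz. */
bool checked_map_len(const struct load_seg *s, uint64_t *map_len)
{
    /* ELF requires the file-backed part to fit inside the memory image;
     * this also bounds the later clear_vaddr = p_vaddr + p_filesz. */
    if (s->p_filesz > s->p_memsz)
        return false;
    /* p_vaddr + p_memsz + PAGE_MASK must fit in 64 bits, so that neither
     * the segment end nor round_page()'s own addition can wrap. The first
     * test keeps the subtraction in the second from wrapping. */
    if (s->p_vaddr > UINT64_MAX - PAGE_MASK)
        return false;
    if (s->p_memsz > UINT64_MAX - PAGE_MASK - s->p_vaddr)
        return false;
    uint64_t data_vaddr = trunc_page(s->p_vaddr);
    uint64_t data_vlimit = round_page(s->p_vaddr + s->p_filesz);
    /* Guaranteed by the checks above; kept as a cheap tripwire. */
    if (data_vlimit < data_vaddr)
        return false;
    *map_len = data_vlimit - data_vaddr;
    return true;
}

int main(void)
{
    /* Constructed from the objdump output in the report: vaddr, filesz, memsz. */
    struct load_seg bad = { 0xffffffffffec5701ULL, 0x3fbffff0b2ULL, 0x1b0ULL };
    /* A well-formed segment for comparison (values chosen here). */
    struct load_seg good = { 0x1700ULL, 0x1b0ULL, 0x1b0ULL };
    uint64_t len = 0;

    printf("unchecked length for bad segment: 0x%llx\n",
           (unsigned long long)unchecked_map_len(&bad));
    printf("checked bad segment: %s\n",
           checked_map_len(&bad, &len) ? "accepted" : "rejected");
    if (checked_map_len(&good, &len))
        printf("checked good segment: length 0x%llx\n", (unsigned long long)len);
    return 0;
}
```

The single bound `p_vaddr + p_memsz + PAGE_MASK <= UINT64_MAX`, together with `p_filesz <= p_memsz`, covers both sums the report names: the `data_vlimit` passed to mmap() and the `clear_vaddr` passed to memset() are both at most the checked segment end.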