Add more checks for valid ld.so.cache file (bug 18093)

diff --git a/ChangeLog b/ChangeLog
index 9b44e8d..d6c5be9 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,10 @@
+2018-10-24  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #18093]
+       * elf/dl-cache.c (_dl_load_cache_lookup): Check for truncated old
+       format cache.
+       * elf/cache.c (print_cache): Likewise.
+
 2018-10-24  Albert ARIBAUD <albert.aribaud@3adev.fr>
 
        * bits/timesize.h: New file.

diff --git a/elf/cache.c b/elf/cache.c
index e63979d..c4cd825 100644 (file)
--- a/elf/cache.c
+++ b/elf/cache.c
@@ -199,6 +199,11 @@ print_cache (const char *cache_name)
     }
   else
     {
+      /* Check for corruption, avoiding overflow.  */
+      if ((cache_size - sizeof (struct cache_file)) / sizeof (struct file_entry)
+         < cache->nlibs)
+       error (EXIT_FAILURE, 0, _("File is not a cache file.\n"));
+
       size_t offset = ALIGN_CACHE (sizeof (struct cache_file)
                                   + (cache->nlibs
                                      * sizeof (struct file_entry)));

diff --git a/elf/dl-cache.c b/elf/dl-cache.c
index 6ee5153..6dd99a3 100644 (file)
--- a/elf/dl-cache.c
+++ b/elf/dl-cache.c
@@ -204,7 +204,10 @@ _dl_load_cache_lookup (const char *name)
         - only the new format
         The following checks if the cache contains any of these formats.  */
       if (file != MAP_FAILED && cachesize > sizeof *cache
-         && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0)
+         && memcmp (file, CACHEMAGIC, sizeof CACHEMAGIC - 1) == 0
+         /* Check for corruption, avoiding overflow.  */
+         && ((cachesize - sizeof *cache) / sizeof (struct file_entry)
+             >= ((struct cache_file *) file)->nlibs))
        {
          size_t offset;
          /* Looks ok.  */