summaryrefslogtreecommitdiff
path: root/ldso/dynlink.c
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2019-02-27 12:02:49 -0500
committerRich Felker <dalias@aerifal.cx>2019-02-27 12:07:20 -0500
commit71db5dfaa9ddcb65e18ff128c9ed122790d72e2f (patch)
treef2d6bbd0010521d1c389611db85f9adba8326e30 /ldso/dynlink.c
parent6516282d2adfad2c7e66d854cde3357120c75dbd (diff)
downloadmusl-71db5dfaa9ddcb65e18ff128c9ed122790d72e2f.tar.gz
musl-71db5dfaa9ddcb65e18ff128c9ed122790d72e2f.tar.bz2
musl-71db5dfaa9ddcb65e18ff128c9ed122790d72e2f.tar.xz
musl-71db5dfaa9ddcb65e18ff128c9ed122790d72e2f.zip
fix crash/misbehavior from oob read in new dynamic tls installation
code introduced in commit 9d44b6460ab603487dab4d916342d9ba4467e6b9 wrongly attempted to read past the end of the currently-installed dtv to determine if a dso provides new, not-already-installed tls. this logic was probably leftover from an earlier draft of the code that wrongly installed the new dtv before populating it. it would work if we instead queried the new, not-yet-installed dtv, but instead, replace the incorrect check with a simple range check against old_cnt. this also catches modules that have no tls at all with a single condition.
Diffstat (limited to 'ldso/dynlink.c')
-rw-r--r--ldso/dynlink.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index e2c3259f..e499b40e 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -1374,7 +1374,7 @@ static void install_new_tls(void)
}
/* Install new dtls into the enlarged, uninstalled dtv copies. */
for (p=head; ; p=p->next) {
- if (!p->tls_id || self->dtv[p->tls_id]) continue;
+ if (p->tls_id <= old_cnt) continue;
unsigned char *mem = p->new_tls;
for (j=0; j<i; j++) {
unsigned char *new = mem;