From: Roland McGrath
Date: Wed, 14 Apr 2010 19:54:45 +0000 (-0700)
Subject: Prevent infinite iteration on link_map list clobbered into circularity.
X-Git-Tag: elfutils-0.146~8
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=be1393031d9db8504d7d651c1da514be3766e7fa;p=thirdparty%2Felfutils.git
Prevent infinite iteration on link_map list clobbered into circularity.
---
diff --git a/libdwfl/ChangeLog b/libdwfl/ChangeLog
index 5205bdc9a..54ac53fac 100644
--- a/libdwfl/ChangeLog
+++ b/libdwfl/ChangeLog
@@ -1,3 +1,8 @@
+2010-04-14 Roland McGrath
+
+ * link_map.c (report_r_debug): Limit iterations on the l_next chain to
+ an upper bound on sane possible number of elements.
+
 2010-03-11 Roland McGrath
 * link_map.c (auxv_format_probe): Fix scanning loop, so we really scan
diff --git a/libdwfl/link_map.c b/libdwfl/link_map.c
index 5991a1128..fe7f40cee 100644
--- a/libdwfl/link_map.c
+++ b/libdwfl/link_map.c
@@ -329,7 +329,13 @@ report_r_debug (uint_fast8_t elfclass, uint_fast8_t elfdata,
 Dwfl_Module **lastmodp = &dwfl->modulelist;
 int result = 0;
- while (next != 0)
+
+ /* There can't be more elements in the link_map list than there are
+ segments. DWFL->lookup_elts is probably twice that number, so it
+ is certainly above the upper bound. If we iterate too many times,
+ there must be a loop in the pointers due to link_map clobberation. */
+ size_t iterations = 0;
+ while (next != 0 && ++iterations < dwfl->lookup_elts)
 {
 if (read_addrs (next, 4))
 return release_buffer (-1);
@@ -798,7 +804,7 @@ dwfl_link_map_report (Dwfl *dwfl, const void *auxv, size_t auxv_size,
 ? elf32_xlatetom : elf64_xlatetom)
 (&out, &in, elfdata) != NULL))
 {
- /* We are looking for PT_DYNAMIC. */
+ /* We are looking for DT_DEBUG. */
 const union
 {
 Elf32_Dyn d32[dyn_filesz / sizeof (Elf32_Dyn)];
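Review bot: In the report_r_debug hunk of libdwfl/link_map.c (@@ -329), the loop now exits the same way whether the l_next chain reached a null pointer or the `++iterations < dwfl->lookup_elts` cap was hit, so nothing visible here lets a caller tell a complete module list from one cut short by a clobbered link_map. The function starts and ends outside the hunk, so the code after the loop may already handle this; if it does not, the comment should at least say what happens on that path, for example `/* Reaching the cap ends the walk quietly; modules already reported are kept.  */` if that is the intent. The guard also performs no iterations when `dwfl->lookup_elts` is 0 or 1, so the comment's "probably twice that number" assumption would be better stated as a precondition that segments have been reported before this walk. Because the chain is read out of the inspected image rather than produced by this library, both points are worth making explicit for whoever next touches the bound.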