From: Szabolcs Nagy
Date: Tue, 24 Nov 2020 12:34:39 +0000 (+0000)
Subject: elf: Fix failure handling in _dl_map_object_from_fd
X-Git-Tag: glibc-2.33~188
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c6b016532705e158a330c31697e9dd4826aa68af;p=thirdparty%2Fglibc.git
elf: Fix failure handling in _dl_map_object_from_fd
The failure paths in _dl_map_object_from_fd did not clean every potentially allocated resource up. Handle l_phdr, l_libname and mapped segments in the common failure handling code. There are various bits that may not be cleaned properly on failure (e.g. executable stack, incomplete dl_map_segments) fixing those need further changes.
Reviewed-by: Adhemerval Zanella
---
diff --git a/elf/dl-load.c b/elf/dl-load.c
index b1865a17d54..21c29203969 100644
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -955,8 +955,14 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 /* The file might already be closed. */
 if (fd != -1)
 __close_nocancel (fd);
+ if (l != NULL && l->l_map_start != 0)
+ _dl_unmap_segments (l);
 if (l != NULL && l->l_origin != (char *) -1l)
 free ((char *) l->l_origin);
+ if (l != NULL && !l->l_libname->dont_free)
+ free (l->l_libname);
+ if (l != NULL && l->l_phdr_allocated)
+ free ((void *) l->l_phdr);
 free (l);
 free (realname);
@@ -1251,7 +1257,11 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 errstring = _dl_map_segments (l, fd, header, type, loadcmds, nloadcmds,
 maplength, has_holes, loader);
 if (__glibc_unlikely (errstring != NULL))
- goto lose;
+ {
+ /* Mappings can be in an inconsistent state: avoid unmap. */
+ l->l_map_start = l->l_map_end = 0;
+ goto lose;
+ }
 }
 if (l->l_ld == 0)
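Review bot: In the first hunk (the cleanup at `lose`), `!l->l_libname->dont_free` is now evaluated for every non-NULL `l` that reaches `lose`, whereas the code removed in the third hunk only did so late in the function, once the object had been populated. Nothing visible here shows that `l_libname` is set as soon as `l` exists (presumably whatever allocates `l` guarantees it; confirm), and a NULL there would crash the loader on an error path taken while rejecting a bad object. Either record the invariant next to the test, e.g. `/* l_libname is always set once l exists.  */`, or guard it with `if (l != NULL && l->l_libname != NULL && !l->l_libname->dont_free)`. The four repeated `l != NULL` tests would also read better folded under a single `if (l != NULL)` block, so that a later addition cannot forget the guard. The body of _dl_map_object_from_fd starts and ends outside the hunk.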
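Review bot: In the second hunk, zeroing `l_map_start` and `l_map_end` after a failed `_dl_map_segments` makes the new `l->l_map_start != 0` test at `lose` skip `_dl_unmap_segments`, so whatever was already mapped stays mapped. The commit message admits this, but the in-code comment only says "avoid unmap"; a process that repeatedly tries to load objects that fail at this point would presumably lose address space each time. I would spell that out where it happens, e.g. `/* Mappings can be in an inconsistent state: skip the unmap at lose; partial mappings are leaked.  */`. It is also worth stating there that `l_map_start == 0` is the signal `lose` keys on, so the two sites are not changed independently.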
@@ -1274,15 +1284,6 @@ _dl_map_object_from_fd (const char *name, const char *origname, int fd,
 || (__glibc_unlikely (l->l_flags_1 & DF_1_PIE)
 && __glibc_unlikely ((mode & __RTLD_OPENEXEC) == 0)))
 {
- /* We are not supposed to load this object. Free all resources. */
- _dl_unmap_segments (l);
-
- if (!l->l_libname->dont_free)
- free (l->l_libname);
-
- if (l->l_phdr_allocated)
- free ((void *) l->l_phdr);
-
 if (l->l_flags_1 & DF_1_PIE)
 errstring
 = N_("cannot dynamically load position-independent executable");
@@ -1387,6 +1388,10 @@ cannot enable executable stack as shared object requires");
 /* Signal that we closed the file. */
 fd = -1;
+ /* Failures before this point are handled locally via lose.
+ There are no more failures in this function until return,
+ to change that the cleanup handling needs to be updated. */
+
 /* If this is ET_EXEC, we should have loaded it as lt_executable. */
 assert (type != ET_EXEC || l->l_type == lt_executable);
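Review bot: The comment added in the last hunk records an invariant (nothing after `fd = -1` may fail) that nothing enforces, and its second sentence is a comma splice that is easy to misread. A later `goto lose` past this point would run the unmap and free calls added in the first hunk on `l`, so I would make that consequence explicit: `/* Nothing below may fail: lose unmaps and frees l, so any new failure path after this point needs its own cleanup.  */`. Whether `l` is already visible to other code at this point cannot be seen from the hunk.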