[BusyBox] insmod problems HINT -- possible patch.
Erik Andersen
andersen at lineo.com
Thu Jun 28 15:36:11 UTC 2001
On Wed Jun 27, 2001 at 06:10:20PM -0400, Ralph Siemsen wrote:
> The main problem lies in new_create_this_module(), which makes a call to
> obj_add_symbol() with the third arg (symidx) of explicit value -1. This
> gets interpreted in obj_add_symbol() as an unsigned array index for
> f->local_symtab[]. Clearly no array can be 4TB in size. What actually
> happens is that the write obliterates the end of the strtab section,
> which holds ELF symbol names. Then name lookups start to fail, and
> ultimately a null pointer is passed for intsym (as Andreas found) which
> results in the crash.
Yipe!
> new_create_this_module(...)
> {
>     ...
>     obj_add_symbol(f, "__this_module", -1,
>                    ELFW(ST_INFO) (STB_LOCAL, STT_OBJECT), sec->idx, 0,
>                    sizeof(struct new_module));
>     ...
> }
>
> obj_add_symbol (...)
> {
>     ...
>     if (ELFW(ST_BIND) (info) == STB_LOCAL)
>         f->local_symtab[symidx] = sym;        <--- symidx == -1
> }
>
> If I make the assignment conditional to (symidx != -1) then insmod
> suddenly works like it should, and there do not appear to be any side
> effects from failing to update local_symtab[] array.
>
> The code is clearly incorrect as written; -1 cannot be used as an array
> index. However, I'm not entirely sure if this fix is right - maybe the call
> to obj_add_symbol should pass 0 instead of -1, for example.
>
You are completely correct in your analysis. This is a horrible,
hard-to-spot bug. Excellent work tracking this down! This little
bit of code _should_ read something like the following:
    if (ELFW(ST_BIND)(info) == STB_LOCAL && symidx != -1) {
        if (symidx >= f->local_symtab_size)
            error_msg("local symbol %s with index %ld exceeds local_symtab_size %ld",
                      name, (long) symidx, (long) f->local_symtab_size);
        else
            f->local_symtab[symidx] = sym;
    }
-Erik
--
Erik B. Andersen email: andersen at lineo.com
--This message was written using 73% post-consumer electrons--
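The following is an added example, not code from BusyBox, modutils or either poster. It models the local_symtab[] bookkeeping discussed in the thread with a deliberately simplified obj_file/obj_symbol layout (the struct fields, the binding enum and the helper names make_file, unchecked_write_offset and add_local_symbol are assumptions made here). It shows two things: where the unchecked `f->local_symtab[symidx] = sym` write actually lands when symidx is -1 stored in an unsigned index (one element before the array, i.e. in the tail of whatever was allocated just ahead of it, which matches the clobbered strtab Ralph observed), and a checked version of the assignment in the shape of Erik's fix that skips the -1 case and rejects any index past local_symtab_size instead of writing through it.

```c
/* Added example: simplified model of insmod's local_symtab[] handling.
 * Not BusyBox/modutils code; layouts and names are assumptions. */
#include <stdio.h>
#include <stdlib.h>

enum sym_binding { BIND_LOCAL, BIND_GLOBAL };

struct obj_symbol {
    const char *name;
    enum sym_binding binding;
    unsigned long size;
};

struct obj_file {
    struct obj_symbol **local_symtab;   /* slot per ELF local symbol index */
    unsigned long local_symtab_size;    /* number of slots */
};

/* Byte offset from the start of local_symtab[] that the unchecked write
 * f->local_symtab[symidx] would hit.  symidx is unsigned (as in modutils),
 * so -1 is ULONG_MAX; the multiplication wraps and the result is exactly
 * one pointer *before* the array, i.e. the last bytes of the neighbouring
 * allocation (the strtab in the case described on the list). */
long unchecked_write_offset(unsigned long symidx)
{
    return (long)(symidx * sizeof(struct obj_symbol *));
}

/* Checked assignment following the shape of Erik's fix.
 * Returns 0 when stored, 1 when there is nothing to store (non-local
 * symbol or the "no slot" index -1), -1 when the index is out of range. */
int add_local_symbol(struct obj_file *f, struct obj_symbol *sym,
                     unsigned long symidx)
{
    if (sym->binding != BIND_LOCAL)
        return 1;
    if (symidx == (unsigned long)-1)     /* caller passed -1: no slot */
        return 1;
    if (symidx >= f->local_symtab_size) {
        fprintf(stderr,
                "local symbol %s with index %lu exceeds local_symtab_size %lu\n",
                sym->name, symidx, f->local_symtab_size);
        return -1;
    }
    f->local_symtab[symidx] = sym;
    return 0;
}

/* Allocate an obj_file with n empty local symbol slots; caller frees both. */
struct obj_file *make_file(unsigned long n)
{
    struct obj_file *f = calloc(1, sizeof *f);
    f->local_symtab = calloc(n, sizeof *f->local_symtab);
    f->local_symtab_size = n;
    return f;
}

int main(void)
{
    struct obj_file *f = make_file(4);
    struct obj_symbol this_module = { "__this_module", BIND_LOCAL, 64 };
    struct obj_symbol ordinary = { "foo", BIND_LOCAL, 8 };

    printf("unchecked write for symidx -1 lands at byte offset %ld\n",
           unchecked_write_offset((unsigned long)-1));
    printf("__this_module (-1): %d\n",
           add_local_symbol(f, &this_module, (unsigned long)-1));
    printf("foo @2: %d\n", add_local_symbol(f, &ordinary, 2));
    printf("foo @9: %d\n", add_local_symbol(f, &ordinary, 9));

    free(f->local_symtab);
    free(f);
    return 0;
}
```

The offset computation is the whole story of the bug: with a 4-byte pointer the wrapped index points 4 bytes before local_symtab, with an 8-byte pointer 8 bytes before it, so the write never faults and instead silently corrupts the neighbouring buffer, which is why the failure only surfaced later as broken name lookups.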