From 708bc7c7b486efd3b1a9f6baaca1c0005cfd969b Mon Sep 17 00:00:00 2001 From: Marcel Moolenaar Date: Thu, 22 Aug 2002 03:56:57 +0000 Subject: [PATCH] Fix a nasty memory corruption bug caused by having a bogus pointer for the DT_IA64_PLT_RESERVE dynamic table entry. When a shared object does not have any PLT relocations, the linker apparently doesn't find it necessary to actually reserve the space for the BOR (Bind On Reference) entries as pointed to by the DTE. As a result, relocatable data in the PLT was overwritten, causing some unexpected control flow with annoyingly predictable outcome: coredump. To reproduce: % echo 'int main() { return 0; }' > foo.c % cc -o foo foo.c -lxpg4 --- libexec/rtld-elf/ia64/reloc.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/libexec/rtld-elf/ia64/reloc.c b/libexec/rtld-elf/ia64/reloc.c index ea58f079c36..7f8c1663af4 100644 --- a/libexec/rtld-elf/ia64/reloc.c +++ b/libexec/rtld-elf/ia64/reloc.c @@ -481,6 +481,14 @@ init_pltgot(Obj_Entry *obj) const Elf_Dyn *dynp; Elf_Addr *pltres = 0; + /* + * When there are no PLT relocations, the DT_IA64_PLT_RESERVE entry + * is bogus. Do not setup the BOR pointers in that case. An example + * of where this happens is /usr/lib/libxpg4.so.3. + */ + if (obj->pltrelasize == 0 && obj->pltrelsize == 0) + return; + /* * Find the PLT RESERVE section. */
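Review bot: the early return placed before the "Find the PLT RESERVE section" loop correctly skips the BOR pointer setup for objects with neither REL nor RELA PLT relocations (both obj->pltrelsize and obj->pltrelasize are checked, so the guard covers either relocation flavour init_pltgot may see), but the new comment should state plainly that this is a workaround for the linker emitting a DT_IA64_PLT_RESERVE entry without reserving the space, not an ELF rule, so a later reader does not "fix" it by removing the check; the commit message's wording ("the linker apparently doesn't find it necessary to actually reserve the space") belongs in the comment. The reference to /usr/lib/libxpg4.so.3 as the example also ages quickly; prefer describing the shape of the object ("a shared object with no PLT relocations", reproducible with the cc -lxpg4 test from the commit message) over a specific installed path.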