string: strerror, strsignal cannot use buffer after dlmopen (bug 32026)

Secondary namespaces have a different malloc. Allocating the buffer in one namespace and freeing it another results in heap corruption. Fix this by using a static string (potentially translated) in secondary namespaces. It would also be possible to use the malloc from the initial namespace to manage the buffer, but these functions would still not be safe to use in auditors etc. because a call to strerror could still free a buffer while it is used by the application. Another approach could use proper initial-exec TLS, duplicated in secondary namespaces, but that would need a callback interface for freeing libc resources in namespaces on thread exit, which does not exist today. Reviewed-by: Adhemerval Zanella <adhemerval.zanella@linaro.org>
2024-09-18 23:49:57 +00:00 · 2024-08-19 15:48:03 +02:00 · 2024-08-19 15:48:03 +02:00 · 25a5eb4010
commit 25a5eb4010
parent e7c14e542d
2 changed files with 45 additions and 24 deletions
--- a/string/strerror_l.c
+++ b/string/strerror_l.c
@ -20,7 +20,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <tls-internal.h>
-
+#include <libc-internal.h>

 static const char *
 translate (const char *str, locale_t loc)
@ -31,6 +31,12 @@ translate (const char *str, locale_t loc)
  return res;
 }

+static char *
+unknown_error (locale_t loc)
+{
+  return (char *) translate ("Unknown error", loc);
+}
+

 /* Return a string describing the errno code in ERRNUM.  */
 char *
@ -39,6 +45,8 @@ __strerror_l (int errnum, locale_t loc)
  int saved_errno = errno;
  char *err = (char *) __get_errlist (errnum);
  if (__glibc_unlikely (err == NULL))
+    {
+      if (__libc_initial)
 	{
 	  struct tls_internal_t *tls_internal = __glibc_tls_internal ();
 	  free (tls_internal->strerror_l_buf);
@ -50,9 +58,14 @@ __strerror_l (int errnum, locale_t loc)
 	      /* The memory was freed above.  */
 	      tls_internal->strerror_l_buf = NULL;
 	      /* Provide a fallback translation.  */
-	  err = (char *) translate ("Unknown error", loc);
+	      err = unknown_error (loc);
 	    }
 	}
+      else
+	/* Secondary namespaces use a different malloc, so cannot
+	   participate in the buffer management.  */
+	err = unknown_error (loc);
+    }
  else
    err = (char *) translate (err, loc);

--- a/string/strsignal.c
+++ b/string/strsignal.c
@ -21,6 +21,7 @@
 #include <string.h>
 #include <libintl.h>
 #include <tls-internal.h>
+#include <libc-internal.h>

 /* Return a string describing the meaning of the signal number SIGNUM.  */
 char *
@ -30,6 +31,8 @@ strsignal (int signum)
  if (desc != NULL)
    return _(desc);

+  if (__libc_initial)
+    {
      struct tls_internal_t *tls_internal = __glibc_tls_internal ();
      free (tls_internal->strsignal_buf);

@ -43,8 +46,13 @@ strsignal (int signum)
 	r = __asprintf (&tls_internal->strsignal_buf, _("Unknown signal %d"),
 			signum);

-  if (r == -1)
-    tls_internal->strsignal_buf = NULL;
-
+      if (r >= 0)
 	return tls_internal->strsignal_buf;
+      else
+	tls_internal->strsignal_buf = NULL;
+    }
+  /* Fall through on asprintf error, and for !__libc_initial:
+     secondary namespaces use a different malloc and cannot
+     participate in the buffer management.  */
+  return _("Unknown signal");
 }