fix crash/out-of-bound read in sscanf

[musl] / ldso / dynlink.c

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index a2f059c..46c5b5f 100644 (file)
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -30,6 +30,7 @@ static void error(const char *, ...);
 #define ALIGN(x,y) ((x)+(y)-1 & -(y))
 
 #define container_of(p,t,m) ((t*)((char *)(p)-offsetof(t,m)))
+#define countof(a) ((sizeof (a))/(sizeof (a)[0]))
 
 struct debug {
        int ver;
@@ -133,6 +134,9 @@ static size_t tls_cnt, tls_offset, tls_align = MIN_TLS_ALIGN;
 static size_t static_tls_cnt;
 static pthread_mutex_t init_fini_lock;
 static pthread_cond_t ctor_cond;
+static struct dso *builtin_deps[2];
+static struct dso *const no_deps[1];
+static struct dso *builtin_ctor_queue[4];
 static struct dso **main_ctor_queue;
 static struct fdpic_loadmap *app_loadmap;
 static struct fdpic_dummy_loadmap app_dummy_loadmap;
@@ -1152,6 +1156,7 @@ static struct dso *load_library(const char *name, struct dso *needed_by)
 static void load_direct_deps(struct dso *p)
 {
        size_t i, cnt=0;
+
        if (p->deps) return;
        /* For head, all preloads are direct pseudo-dependencies.
         * Count and include them now to avoid realloc later. */
@@ -1159,7 +1164,10 @@ static void load_direct_deps(struct dso *p)
                cnt++;
        for (i=0; p->dynv[i]; i+=2)
                if (p->dynv[i] == DT_NEEDED) cnt++;
-       p->deps = calloc(cnt+1, sizeof *p->deps);
+       /* Use builtin buffer for apps with no external deps, to
+        * preserve property of no runtime failure paths. */
+       p->deps = (p==head && cnt<2) ? builtin_deps :
+               calloc(cnt+1, sizeof *p->deps);
        if (!p->deps) {
                error("Error loading dependencies for %s", p->name);
                if (runtime) longjmp(*rtld_fail, 1);
@@ -1195,8 +1203,10 @@ static void extend_bfs_deps(struct dso *p)
        struct dso **tmp;
 
        /* Can't use realloc if the original p->deps was allocated at
-        * program entry and malloc has been replaced. */
-       int no_realloc = __malloc_replaced && !p->runtime_loaded;
+        * program entry and malloc has been replaced, or if it's
+        * the builtin non-allocated trivial main program deps array. */
+       int no_realloc = (__malloc_replaced && !p->runtime_loaded)
+               || p->deps == builtin_deps;
 
        if (p->bfs_built) return;
        ndeps_all = p->ndeps_direct;
@@ -1397,7 +1407,10 @@ static struct dso **queue_ctors(struct dso *dso)
                        p->mark = 0;
        }
        cnt++; /* termination slot */
-       stack = queue = calloc(cnt, sizeof *queue);
+       if (dso==head && cnt <= countof(builtin_ctor_queue))
+               queue = builtin_ctor_queue;
+       else
+               queue = calloc(cnt, sizeof *queue);
 
        if (!queue) {
                error("Error allocating constructor queue: %m\n");
@@ -1408,6 +1421,7 @@ static struct dso **queue_ctors(struct dso *dso)
        /* Opposite ends of the allocated buffer serve as an output queue
         * and a working stack. Setup initial stack with just the argument
         * dso and initial queue empty... */
+       stack = queue;
        qpos = 0;
        spos = cnt;
        stack[--spos] = dso;
@@ -1479,7 +1493,8 @@ static void do_init_fini(struct dso **queue)
 void __libc_start_init(void)
 {
        do_init_fini(main_ctor_queue);
-       if (!__malloc_replaced) free(main_ctor_queue);
+       if (!__malloc_replaced && main_ctor_queue != builtin_ctor_queue)
+               free(main_ctor_queue);
        main_ctor_queue = 0;
 }
 
@@ -1813,6 +1828,7 @@ _Noreturn void __dls3(size_t *sp)
        reclaim_gaps(&ldso);
 
        /* Load preload/needed libraries, add symbols to global namespace. */
+       ldso.deps = (struct dso **)no_deps;
        if (env_preload) load_preload(env_preload);
        load_deps(&app);
        for (struct dso *p=head; p; p=p->next)
@@ -1834,6 +1850,7 @@ _Noreturn void __dls3(size_t *sp)
                vdso.name = "";
                vdso.shortname = "linux-gate.so.1";
                vdso.relocated = 1;
+               vdso.deps = (struct dso **)no_deps;
                decode_dyn(&vdso);
                vdso.prev = tail;
                tail->next = &vdso;
@@ -1983,8 +2000,9 @@ void *dlopen(const char *file, int mode)
                        free(p->deps);
                        unmap_library(p);
                        free(p);
-                       free(ctor_queue);
                }
+               free(ctor_queue);
+               ctor_queue = 0;
                if (!orig_tls_tail) libc.tls_head = 0;
                tls_tail = orig_tls_tail;
                if (tls_tail) tls_tail->next = 0;