fix crash in dynamic linker when certain copy relocations are unsatisfied

STB_WEAK is only a weak reference for undefined symbols (those with a
section of SHN_UNDEF). otherwise, it's a weak definition. normally
this distinction would not matter, since a relocation referencing a
symbol that also provides a definition (not SHN_UNDEF) will always
succeed in finding the referenced symbol itself. however, in the case
of copy relocations, the referenced symbol itself is ignored in order
to search for another symbol to copy from, and thus it's possible that
no definition is found. in this case, if the symbol being resolved
happened to be a weak definition, it was misinterpreted as a weak
reference, suppressing the error path and causing a crash when the
copy relocation was performed with a null source pointer passed to
memcpy.

there are almost certainly still situations in which invalid
combinations of symbol and relocation types can cause the dynamic
linker to crash (this is pretty much inevitable), but the intent is
that crashes not be possible for symbol/relocation tables produced by
a valid linker.

diff --git a/src/ldso/dynlink.c b/src/ldso/dynlink.c
index 89e1260bc5a6510ec618ea9abe0b58d4577f5e70..a1bdf0fb1b3182494abef08e4f57aa096ed323cd 100644 (file)
--- a/src/ldso/dynlink.c
+++ b/src/ldso/dynlink.c
@@ -253,7 +253,8 @@ static void do_relocs(struct dso *dso, size_t *rel, size_t rel_size, size_t stri
                        name = strings + sym->st_name;
                        ctx = IS_COPY(type) ? head->next : head;
                        def = find_sym(ctx, name, IS_PLT(type));
-                       if (!def.sym && sym->st_info>>4 != STB_WEAK) {
+                       if (!def.sym && (sym->st_shndx != SHN_UNDEF
+                           || sym->st_info>>4 != STB_WEAK)) {
                                snprintf(errbuf, sizeof errbuf,
                                        "Error relocating %s: %s: symbol not found",
                                        dso->name, name);