fix crash/misbehavior from oob read in new dynamic tls installation

code introduced in commit 9d44b6460ab603487dab4d916342d9ba4467e6b9
wrongly attempted to read past the end of the currently-installed dtv
to determine if a dso provides new, not-already-installed tls. this
logic was probably leftover from an earlier draft of the code that
wrongly installed the new dtv before populating it.

it would work if we instead queried the new, not-yet-installed dtv,
but instead, replace the incorrect check with a simple range check
against old_cnt. this also catches modules that have no tls at all
with a single condition.

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index e2c3259f78a796cc7eb53e9f93381c2657d944fc..e499b40e623b37f3772d0241adac5ea020ed5570 100644 (file)
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -1374,7 +1374,7 @@ static void install_new_tls(void)
        }
        /* Install new dtls into the enlarged, uninstalled dtv copies. */
        for (p=head; ; p=p->next) {
-               if (!p->tls_id || self->dtv[p->tls_id]) continue;
+               if (p->tls_id <= old_cnt) continue;
                unsigned char *mem = p->new_tls;
                for (j=0; j<i; j++) {
                        unsigned char *new = mem;