fix crash/misbehavior from oob read in new dynamic tls installation

code introduced in commit 9d44b6460ab603487dab4d916342d9ba4467e6b9
wrongly attempted to read past the end of the currently-installed dtv
to determine if a dso provides new, not-already-installed tls. this
logic was probably leftover from an earlier draft of the code that
wrongly installed the new dtv before populating it.

it would work if we instead queried the new, not-yet-installed dtv,
but instead, replace the incorrect check with a simple range check
against old_cnt. this also catches modules that have no tls at all
with a single condition.

diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index e2c3259..e499b40 100644 (file)
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -1374,7 +1374,7 @@ static void install_new_tls(void)
        }
        /* Install new dtls into the enlarged, uninstalled dtv copies. */
        for (p=head; ; p=p->next) {
-               if (!p->tls_id || self->dtv[p->tls_id]) continue;
+               if (p->tls_id <= old_cnt) continue;
                unsigned char *mem = p->new_tls;
                for (j=0; j<i; j++) {
                        unsigned char *new = mem;