[Mono-dev] Possible security issue with Mono's dllmaps in etc/config
grendello at gmail.com
Mon Jan 8 06:17:28 EST 2007
Today while looking at the ODBC code in Mono, it occurred to me that
there might be a possible security problem with the way DLL maps are
specified in the default $prefix/etc/mono/config file. Given entries

<dllmap dll="libxslt.dll" target="libxslt.so" os="!windows"/>
<dllmap dll="libmySQL.dll" target="libmysqlclient.so" os="!windows" />
<dllmap dll="odbc32.dll" target="libodbc.so" os="!windows"/>

we may encounter two issues. First (not security related, just usage
annoyance) is that on some Linux distributions the lib*.so file won't
exist unless there are devel packages installed for the library in
question. So unless the mono library mapper automatically appends the
soversion to the .so name and looks for files of the lib*.so.X form,
the library map will fail and the corresponding managed code won't work.

Second issue, this time security related, is with the library ABI. Say
that managed code uses a C structure in libsome.so whose field
types/field order/whatnot were changed in the newer library versions,
which were not released when the managed code was created (for instance
managed code was created with libsome.so.1 being the released version,
while the current libsome.so symlink points to libsome.so.3 - new ABI).
Such a situation can introduce the possibility for buffer overruns,
variable overwrites, stack destruction - with the smallest impact on the
application being segfaults. If I'm talking nonsense, just lart me and
ignore :), but if the above is correct reasoning, then I propose to add
a feature to <dllmap> to specify the expected soversion for the map:

1. Consider only libxslt.so.1
   <dllmap dll="libxslt.dll" target="libxslt.so" soversion="1"

2. Consider several libxslt.so.X, in the order given
   <dllmap dll="libxslt.dll" target="libxslt.so" soversion="1,2,3"

3. Consider any soversion, starting from 0 and counting upwards
   <dllmap dll="libxslt.dll" target="libxslt.so" soversion="any"

4. Consider any soversion within the ranges (normal comparison
   operators could also be used - e.g. >4,<7)
   <dllmap dll="libxslt.dll" target="libxslt.so" soversion="4-7,8-10"

What do you think about the idea? Does it make sense?
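A sketch of how the soversion attribute proposed in the message above could be resolved, added here as an illustration; it is not code from the post or from Mono. The function names, the upper bound used for "any" and the sample directory listing are assumptions, and the comparison-operator form (>4,<7) is left out because the post does not say how its comma combines terms.

```python
import re

ANY_LIMIT = 16  # assumed upper bound for "any"; the post gives none


def parse_soversion(spec, any_limit=ANY_LIMIT):
    """Expand a soversion spec into an ordered, de-duplicated list of ints."""
    spec = spec.strip()
    if spec == "any":
        # Form 3: start from 0 and count upwards.
        return list(range(any_limit + 1))
    versions = []
    for part in spec.split(","):
        # Forms 1, 2 and 4: a single number or an inclusive range "lo-hi".
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+))?\s*", part)
        if not m:
            raise ValueError(f"unsupported soversion term: {part!r}")
        lo = int(m.group(1))
        hi = int(m.group(2)) if m.group(2) else lo
        if hi < lo:
            raise ValueError(f"descending range: {part!r}")
        for v in range(lo, hi + 1):
            if v not in versions:
                versions.append(v)
    return versions


def resolve(target, spec, available):
    """Return the first allowed 'target.N' present in `available`, else None.

    There is deliberately no fallback to the bare 'target' name: loading
    whatever the unversioned symlink points at is the ABI risk the post
    describes, so an unmatched map fails closed.
    """
    for v in parse_soversion(spec):
        name = f"{target}.{v}"
        if name in available:
            return name
    return None


# Constructed directory listing: the devel symlink plus two versioned files.
INSTALLED = {"libxslt.so", "libxslt.so.1", "libxslt.so.3"}

if __name__ == "__main__":
    for spec in ("1", "2,3,1", "any", "4-7,8-10"):
        print(spec, "->", resolve("libxslt.so", spec, INSTALLED))
```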