dyld_all_image_infos::dyldPath is broken (not NUL-terminated)

Originator: mark
Number: rdar://26874643
Date Originated: 2016-06-17
Status: Duplicate/27144242
Resolved:
Product: OS X
Product Version: 10.12dp1 16A201w
Classification: Serious Bug
Reproducible: Always

Summary:
In macOS 10.12, dyldPath is a new member of dyld_all_image_infos, declared in <mach-o/dyld_images.h>.

In testing, I have found that dyld_all_image_infos is not NUL-terminated, rendering this field useless. I can consistently reproduce this when running a 32-bit executable at a relative path from a working directory whose path’s length is longer than dyld’s path’s length.

Steps to Reproduce:
dyld_path.cc is the attached test program.

$ mkdir xxxxxxxxxxxxxx
$ clang++ -arch i386 -std=c++11 dyld_path.cc -o xxxxxxxxxxxxxx/dyld_path
$ cd xxxxxxxxxxxxxx
$ pwd
/Users/litterbox/xxxxxxxxxxxxxx
$ ./dyld_path
/usr/lib/dyldbox/xxxxxxxxxxxxxx

Expected Results:
The test program should print the path to dyld, normally /usr/lib/dyld.

Actual Results:
The test program overwrites a buffer containing the working directory with the path to dyld, but does not NUL-terminate dyld’s path, so if the working directory’s path’s length is longer than dyld’s, trailing junk from the working directory’s path will appear appended to dyld’s. In the example, it prints /usr/lib/dyldbox/xxxxxxxxxxxxxx, which is not a valid path to anything, and certainly not dyld’s path.

Version:
10.12 16A201w

Configuration:
I have observed this bug in a 32-bit process when running the test program at a relative path.

I have not yet observed this bug in a 64-bit process or when running the test program at an absolute path, although I haven’t tried very hard to trigger the bug in those scenarios.

--
dyld_path.cc

// clang++ -arch i386 -std=c++11 dyld_path.cc -o dyld_path

#include <mach/mach.h>
#include <mach-o/dyld.h>
#include <mach-o/dyld_images.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Locates this process's dyld_all_image_infos via task_info(), the public
// route. _dyld_get_all_image_infos() would be simpler, but it is non-public.
const dyld_all_image_infos* DyldGetAllImageInfos() {
  task_dyld_info_data_t dyld_info;
  mach_msg_type_number_t count = TASK_DYLD_INFO_COUNT;
  kern_return_t kr = task_info(mach_task_self(),
                               TASK_DYLD_INFO,
                               reinterpret_cast<task_info_t>(&dyld_info),
                               &count);
  if (kr != KERN_SUCCESS) {
    return nullptr;
  }

  return reinterpret_cast<dyld_all_image_infos*>(dyld_info.all_image_info_addr);
}

int main() {
  const dyld_all_image_infos* dyld_image_infos = DyldGetAllImageInfos();
  if (dyld_image_infos == nullptr) {
    fprintf(stderr, "task_info(TASK_DYLD_INFO) failed\n");
    return EXIT_FAILURE;
  }

  // dyldPath only exists in structure version 15 and later (the 10.12 layout).
  // The field is deliberately printed and compared as-is: if dyld did not
  // NUL-terminate it, the output shows whatever followed it in memory.
  bool success = false;
  if (dyld_image_infos->version >= 15) {
    printf("%s\n", dyld_image_infos->dyldPath);
    if (strcmp(dyld_image_infos->dyldPath, "/usr/lib/dyld") == 0) {
      success = true;
    }
  }

  return success ? EXIT_SUCCESS : EXIT_FAILURE;
}
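The overwrite described under Actual Results, modelled host-independently as an added example (it is not the attached test program and needs no Mach headers): the unterminated copy beside the corrected one, plus a bounded read that a consumer of dyldPath can apply. kPathBufSize, the function names and the in-memory layout are assumptions made for the model.

```cpp
#include <cstddef>
#include <cstdio>
#include <cstring>
#include <string>

// Stand-in for the path buffer dyld reuses; the size is a constructed assumption.
constexpr size_t kPathBufSize = 1024;

// Reported behaviour: dyld's path is written over a buffer that previously
// held the working directory, but without its terminating NUL. Left as-is on
// purpose so the corruption can be observed.
void CopyPathUnterminated(char* buf, const char* dyld_path) {
  std::memcpy(buf, dyld_path, std::strlen(dyld_path));
}

// Corrected copy: the terminator is written too, so whatever followed in the
// buffer can no longer be read back as part of the path.
void CopyPathTerminated(char* buf, size_t buf_size, const char* dyld_path) {
  std::snprintf(buf, buf_size, "%s", dyld_path);
}

// Models the reproduction: store `cwd` in the buffer, then let dyld write
// `dyld_path` over it. Returns what printf("%s") would read back.
std::string ReadBackAfterCopy(const std::string& cwd, const char* dyld_path,
                              bool terminate) {
  char buf[kPathBufSize] = {};
  std::snprintf(buf, sizeof buf, "%s", cwd.c_str());
  if (terminate) {
    CopyPathTerminated(buf, sizeof buf, dyld_path);
  } else {
    CopyPathUnterminated(buf, dyld_path);
  }
  return std::string(buf);
}

// Consumer-side guard: read at most `cap` bytes (MAXPATHLEN for the real
// field) and require a NUL within them; otherwise treat the field as unusable.
// This cannot catch the case above, where a NUL does exist but only after the
// trailing junk; that needs the fix on the producer side.
bool ReadBoundedPath(const char* field, size_t cap, std::string* out) {
  size_t n = strnlen(field, cap);
  if (n == cap) {
    return false;
  }
  out->assign(field, n);
  return true;
}
```

With a working directory of /Users/litterbox/ followed by fourteen x's, the unterminated copy reads back as /usr/lib/dyldbox/ plus the same x's, matching the output in the reproduction; the terminated copy reads back as /usr/lib/dyld.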

Comments

Apple Developer Relations, 05-Aug-2016 11:13 AM

Thanks for contacting us.

If you still see the issue in that newer beta build, please file a new bug report.

We are leaving this report closed.

Please be sure to regularly check new Apple releases for any updates that might affect this issue.

04-Aug-2016 02:15 PM

This bug is still present in 10.12db4 16A270f.

Apple Developer Relations, 26-Jul-2016 12:00 PM

Thank you for contacting us.

The original report on this issue, Bug ID 27144242, is still under investigation.

Please note that you will not be able to directly view the original report in order to keep its information confidential.

We will do our best to keep you informed as new information becomes available. Please check release notes regularly for changes affecting this issue.

If you have further questions about this issue or wish to check on the status, please update your report again using the Apple Bug Reporter http://bugreport.apple.com.

19-Jul-2016 02:26 PM

This bug is still present in 10.12db3 16A254g.

Apple Developer Relations, 12-Jul-2016 02:04 AM

Engineering has determined that your bug report is a duplicate of another issue and will be closed.

The open or closed status of the original bug report your issue was duplicated to appears in the yellow "Duplicate of XXXXXXXX" section of the bug reporter user interface. This section appears near the top of the right column's bug detail view just under the bug number, title, state, product and rank.

06-Jul-2016 01:14 PM

This bug is still present in 10.12dp2 16A239j.
