mirror/glibc
2
0
Fork 0
mirror of git://sourceware.org/git/glibc.git synced 2025-03-01 13:17:19 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix invalid memory access in do_lookup_x.

Browse Source 
[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.

(cherry picked from commit 0479b305c5)
This commit is contained in:
Andreas Schwab 2012-06-22 11:10:31 -07:00 committed by Carlos O'Donell
parent e8b5394afb
commit 1ba48eb07a
7 changed files with 32 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
ChangeLog
View File

@ -1,3 +1,14 @@
2012-06-22 Andreas Schwab <schwab@redhat.com>
[BZ #13579]
* include/link.h (struct link_map): Add l_free_initfini.
* elf/dl-deps.c (_dl_map_object_deps): Set it when assigning
l_initfini.
* elf/dl-close.c (_dl_close_worker): Don't free l_initfini.
* elf/rtld.c (dl_main): Clear it on all objects loaded on startup.
* elf/dl-libc.c (free_mem): Free l_initfini if l_free_initfini is
set.
2012-02-24 Ulrich Drepper <drepper@gmail.com>
* stdlib/fmtmsg.c (fmtmsg): Lock around use of severity list.

3
NEWS
View File

@ -11,7 +11,8 @@ Version 2.15.1
411, 2547, 2548, 11261, 11365, 11494, 13583, 13618, 13731, 13732, 13733,
13747, 13748, 13749, 13753, 13754, 13756, 13765, 13771, 13773, 13774,
13786, 14048, 14059, 14167, 14273, 14459, 14621, 14648, 14040, 15073
13786, 14048, 14059, 14167, 14273, 14284, 14459, 14621, 14648, 14040,
15073
Version 2.15

15
elf/dl-close.c
View File

@ -1,5 +1,5 @@
/* Close a shared object opened by `_dl_open'.
Copyright (C) 1996-2007, 2009, 2010, 2011 Free Software Foundation, Inc.
Copyright (C) 1996-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@ -119,17 +119,8 @@ _dl_close_worker (struct link_map *map)
if (map->l_direct_opencount > 0 || map->l_type != lt_loaded
|| dl_close_state != not_pending)
{
if (map->l_direct_opencount == 0)
{
if (map->l_type == lt_loaded)
dl_close_state = rerun;
else if (map->l_type == lt_library)
{
struct link_map **oldp = map->l_initfini;
map->l_initfini = map->l_orig_initfini;
_dl_scope_free (oldp);
}
}
if (map->l_direct_opencount == 0 && map->l_type == lt_loaded)
dl_close_state = rerun;
/* There are still references to this object. Do nothing more. */
if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_FILES, 0))

7
elf/dl-deps.c
View File

@ -1,6 +1,5 @@
/* Load the dependencies of a mapped object.
Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
Free Software Foundation, Inc.
Copyright (C) 1996-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@ -489,6 +488,7 @@ _dl_map_object_deps (struct link_map *map,
nneeded * sizeof needed[0]);
atomic_write_barrier ();
l->l_initfini = l_initfini;
l->l_free_initfini = 1;
}
/* If we have no auxiliary objects just go on to the next map. */
@ -689,6 +689,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
l_initfini[nlist] = NULL;
atomic_write_barrier ();
map->l_initfini = l_initfini;
map->l_free_initfini = 1;
if (l_reldeps != NULL)
{
atomic_write_barrier ();
@ -697,7 +698,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
_dl_scope_free (old_l_reldeps);
}
if (old_l_initfini != NULL)
map->l_orig_initfini = old_l_initfini;
_dl_scope_free (old_l_initfini);
if (errno_reason)
_dl_signal_error (errno_reason == -1 ? 0 : errno_reason, objname,

9
elf/dl-libc.c
View File

@ -1,6 +1,5 @@
/* Handle loading and unloading shared objects for internal libc purposes.
Copyright (C) 1999-2002,2004-2006,2009,2010,2011
Free Software Foundation, Inc.
Copyright (C) 1999-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
Contributed by Zack Weinberg <zack@rabi.columbia.edu>, 1999.
@ -270,13 +269,13 @@ libc_freeres_fn (free_mem)
for (Lmid_t ns = 0; ns < GL(dl_nns); ++ns)
{
/* Remove all additional names added to the objects. */
for (l = GL(dl_ns)[ns]._ns_loaded; l != NULL; l = l->l_next)
{
struct libname_list *lnp = l->l_libname->next;
l->l_libname->next = NULL;
/* Remove all additional names added to the objects. */
while (lnp != NULL)
{
struct libname_list *old = lnp;
@ -284,6 +283,10 @@ libc_freeres_fn (free_mem)
if (! old->dont_free)
free (old);
}
/* Free the initfini dependency list. */
if (l->l_free_initfini)
free (l->l_initfini);
}
if (__builtin_expect (GL(dl_ns)[ns]._ns_global_scope_alloc, 0) != 0

2
elf/rtld.c
View File

@ -2276,6 +2276,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
lnp->dont_free = 1;
lnp = lnp->next;
}
/* Also allocated with the fake malloc(). */
l->l_free_initfini = 0;
if (l != &GL(dl_rtld_map))
_dl_relocate_object (l, l->l_scope, GLRO(dl_lazy) ? RTLD_LAZY : 0,

8
include/link.h
View File

@ -1,6 +1,6 @@
/* Data structure for communication from the run-time dynamic linker for
loaded ELF shared objects.
Copyright (C) 1995-2006, 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
Copyright (C) 1995-2012 Free Software Foundation, Inc.
This file is part of the GNU C Library.
The GNU C Library is free software; you can redistribute it and/or
@ -192,6 +192,9 @@ struct link_map
during LD_TRACE_PRELINKING=1
contains any DT_SYMBOLIC
libraries. */
unsigned int l_free_initfini:1; /* Nonzero if l_initfini can be
freed, ie. not allocated with
the dummy malloc in ld.so. */
/* Collected information about own RPATH directories. */
struct r_search_path_struct l_rpath_dirs;
@ -240,9 +243,6 @@ struct link_map
/* List of object in order of the init and fini calls. */
struct link_map **l_initfini;
/* The init and fini list generated at startup, saved when the
object is also loaded dynamically. */
struct link_map **l_orig_initfini;
/* List of the dependencies introduced through symbol binding. */
struct link_map_reldeps