Message ID | 134bf8c7-51ac-2615-7ce3-a144a5fd315f@gmail.com |
---|---|
State | New |
Headers | show |
Series | avoid -Wuse-after-free [BZ #26779] | expand |
On 1/24/22 19:57, Martin Sebor via Libc-alpha wrote: > On 1/24/22 17:52, Martin Sebor wrote: >> This is a repost of the original patch but broken down by source >> file and with some suppression done by #pragma GCC diagnostic >> instead of conversion to intptr_t. It also adds fixes for >> the same problem in the test suite that I overlooked before. > > The attached patch suppresses the -Wuse-after-free instance in > elf/ldconfig.c. > >> >> On 1/15/22 17:21, Martin Sebor wrote: >>> GCC 12 features a couple of new warnings designed to detect uses >>> of pointers made invalid by the pointees lifetimes having ended. >>> Building Glibc with the enhanced GCC exposes a few such uses, >>> mostly after successful calls to realloc. The attached patch >>> avoids the new warnings by converting the pointers to uintptr_t >>> first and using the converted integers instead. >>> >>> The patch suppresses all instances of the warning at the strictest >>> setting (-Wuse-after-free=3), which includes even uses in equality >>> expressions. The default setting approved for GCC 12 is >>> -Wuse-after-free=2, which doesn't warn on such uses to accommodate >>> the pointer-adjustment-after-realloc idiom. At the default setting, >>> the changes to ldconfig.c and setenv are not necessary. >>> >>> Martin >> OK for glibc 2.35, please push this commit. Expected commit message (three lines): ~~~ elf: Fix use-after-free in ldconfig [BZ #26779] Reviewed-by: Carlos O'Donell <carlos@redhat.com> ~~~ Reviewed-by: Carlos O'Donell <carlos@redhat.com> > diff --git a/elf/ldconfig.c b/elf/ldconfig.c > index d14633f5ec..57bb95ebc3 100644 > --- a/elf/ldconfig.c > +++ b/elf/ldconfig.c > @@ -735,9 +735,9 @@ manual_link (char *library) > create_links (real_path, path, libname, soname); > free (soname); > out: OK. real_path is set if opt_chroot is non-NULL, and is a distinct pointer from path in that case and must be freed (since chroot_canon was malloc'd). > - free (path); > if (path != real_path) > free (real_path); > + free (path); OK. This is correct, and is the only case I can see where we touch path after freeing it. > } > >
diff --git a/elf/ldconfig.c b/elf/ldconfig.c index d14633f5ec..57bb95ebc3 100644 --- a/elf/ldconfig.c +++ b/elf/ldconfig.c @@ -735,9 +735,9 @@ manual_link (char *library) create_links (real_path, path, libname, soname); free (soname); out: - free (path); if (path != real_path) free (real_path); + free (path); }