author | Andreas Schwab <schwab@redhat.com> | 2012-06-22 11:10:31 -0700 |
---|---|---|
committer | Carlos O'Donell <carlos@redhat.com> | 2014-01-30 13:05:40 -0500 |
commit | 1ba48eb07a72690406c0ffda642a963c88639752 (patch) | |
tree | d6922f43d9556e0a6285a53b10c90271928b2be3 | |
parent | e8b5394afb420449dde0b4cbefd4032936d96a25 (diff) | |
Fix invalid memory access in do_lookup_x.
[BZ #13579] Do not free l_initfini and allow it to be reused on subsequent dl_open calls for the same library. This fixes the invalid memory access in do_lookup_x when the previously free'd l_initfini was accessed through l_searchlist when a library had been opened for the second time. (cherry picked from commit 0479b305c5b7c8e3fa8e3002982cf8cac02b842e)
-rw-r--r-- | ChangeLog | 11 | ||||
-rw-r--r-- | NEWS | 3 | ||||
-rw-r--r-- | elf/dl-close.c | 15 | ||||
-rw-r--r-- | elf/dl-deps.c | 7 | ||||
-rw-r--r-- | elf/dl-libc.c | 9 | ||||
-rw-r--r-- | elf/rtld.c | 2 | ||||
-rw-r--r-- | include/link.h | 8 |
7 files changed, 32 insertions, 23 deletions
diff --git a/ChangeLog b/ChangeLog
index 9654d0ac4a..82d343df4d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2012-06-22 Andreas Schwab <schwab@redhat.com>
+
+ [BZ #13579]
+ * include/link.h (struct link_map): Add l_free_initfini.
+ * elf/dl-deps.c (_dl_map_object_deps): Set it when assigning
+ l_initfini.
+ * elf/dl-close.c (_dl_close_worker): Don't free l_initfini.
+ * elf/rtld.c (dl_main): Clear it on all objects loaded on startup.
+ * elf/dl-libc.c (free_mem): Free l_initfini if l_free_initfini is
+ set.
+
 2012-02-24 Ulrich Drepper <drepper@gmail.com> * stdlib/fmtmsg.c (fmtmsg): Lock around use of severity list.
diff --git a/NEWS b/NEWS
index 63cf1d15ca..1abe378f17 100644
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,8 @@ Version 2.15.1
 411, 2547, 2548, 11261, 11365, 11494, 13583, 13618, 13731, 13732, 13733, 13747, 13748, 13749, 13753, 13754, 13756, 13765, 13771, 13773, 13774,
- 13786, 14048, 14059, 14167, 14273, 14459, 14621, 14648, 14040, 15073
+ 13786, 14048, 14059, 14167, 14273, 14284, 14459, 14621, 14648, 14040,
+ 15073
 Version 2.15
diff --git a/elf/dl-close.c b/elf/dl-close.c
index 8fb55d0fbc..76af878485 100644
--- a/elf/dl-close.c
+++ b/elf/dl-close.c
@@ -1,5 +1,5 @@
 /* Close a shared object opened by `_dl_open'.
- Copyright (C) 1996-2007, 2009, 2010, 2011 Free Software Foundation, Inc.
+ Copyright (C) 1996-2012 Free Software Foundation, Inc.
 This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or
@@ -119,17 +119,8 @@ _dl_close_worker (struct link_map *map)
 if (map->l_direct_opencount > 0 || map->l_type != lt_loaded || dl_close_state != not_pending) {
- if (map->l_direct_opencount == 0)
- {
- if (map->l_type == lt_loaded)
- dl_close_state = rerun;
- else if (map->l_type == lt_library)
- {
- struct link_map **oldp = map->l_initfini;
- map->l_initfini = map->l_orig_initfini;
- _dl_scope_free (oldp);
- }
- }
+ if (map->l_direct_opencount == 0 && map->l_type == lt_loaded)
+ dl_close_state = rerun;
 /* There are still references to this object. Do nothing more. */ if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_FILES, 0))
diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index 565a339331..912c4fc7a3 100644
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -1,6 +1,5 @@
 /* Load the dependencies of a mapped object.
- Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
- Free Software Foundation, Inc.
+ Copyright (C) 1996-2012 Free Software Foundation, Inc.
 This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or
@@ -489,6 +488,7 @@ _dl_map_object_deps (struct link_map *map,
 nneeded * sizeof needed[0]); atomic_write_barrier (); l->l_initfini = l_initfini;
+ l->l_free_initfini = 1;
 } /* If we have no auxiliary objects just go on to the next map. */
@@ -689,6 +689,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
 l_initfini[nlist] = NULL; atomic_write_barrier (); map->l_initfini = l_initfini;
+ map->l_free_initfini = 1;
 if (l_reldeps != NULL) { atomic_write_barrier ();
@@ -697,7 +698,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
 _dl_scope_free (old_l_reldeps); } if (old_l_initfini != NULL)
- map->l_orig_initfini = old_l_initfini;
+ _dl_scope_free (old_l_initfini);
 if (errno_reason) _dl_signal_error (errno_reason == -1 ? 0 : errno_reason, objname,
diff --git a/elf/dl-libc.c b/elf/dl-libc.c
index f44fa10e0e..0a1921c064 100644
--- a/elf/dl-libc.c
+++ b/elf/dl-libc.c
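Review bot: In elf/dl-close.c the still-referenced branch of _dl_close_worker now leaves map->l_initfini untouched without saying why, which makes the removed release easy to reintroduce later. The commit message gives the reason: the list was still reachable through l_searchlist when the library was opened a second time, so releasing it here left do_lookup_x reading freed memory. I would record that above the new test, e.g. `/* Do not release l_initfini here: l_searchlist may still refer to it and the object can be opened again (BZ #13579).  */`. The function body starts and ends outside the hunk.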
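Review bot: In elf/dl-deps.c, hunk `@@ -697,7 +698,7 @@`, the old list is passed to `_dl_scope_free (old_l_initfini)` without consulting the new ownership bit, whereas free_mem in elf/dl-libc.c releases l_initfini only when l_free_initfini is set. The assignment of old_l_initfini lies outside the hunk, so it cannot be confirmed from here that it never holds a list that came from the startup allocator which elf/rtld.c marks as not freeable. If that is guaranteed by the earlier condition, a comment at the call would make the invariant checkable, e.g. `/* old_l_initfini is only saved for objects whose list came from malloc.  */`; if it is not guaranteed, the bit would have to be sampled before `map->l_free_initfini = 1;` in the `@@ -689,6 +689,7 @@` hunk and tested before this call.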
@@ -1,6 +1,5 @@
 /* Handle loading and unloading shared objects for internal libc purposes.
- Copyright (C) 1999-2002,2004-2006,2009,2010,2011
- Free Software Foundation, Inc.
+ Copyright (C) 1999-2012 Free Software Foundation, Inc.
 This file is part of the GNU C Library. Contributed by Zack Weinberg <zack@rabi.columbia.edu>, 1999.
@@ -270,13 +269,13 @@ libc_freeres_fn (free_mem)
 for (Lmid_t ns = 0; ns < GL(dl_nns); ++ns) {
- /* Remove all additional names added to the objects. */
 for (l = GL(dl_ns)[ns]._ns_loaded; l != NULL; l = l->l_next) { struct libname_list *lnp = l->l_libname->next; l->l_libname->next = NULL;
+ /* Remove all additional names added to the objects. */
 while (lnp != NULL) { struct libname_list *old = lnp;
@@ -284,6 +283,10 @@ libc_freeres_fn (free_mem)
 if (! old->dont_free) free (old); }
+
+ /* Free the initfini dependency list. */
+ if (l->l_free_initfini)
+ free (l->l_initfini);
 } if (__builtin_expect (GL(dl_ns)[ns]._ns_global_scope_alloc, 0) != 0
diff --git a/elf/rtld.c b/elf/rtld.c
index e4e413f601..ba4aa74238 100644
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2276,6 +2276,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
 lnp->dont_free = 1; lnp = lnp->next; }
+ /* Also allocated with the fake malloc(). */
+ l->l_free_initfini = 0;
 if (l != &GL(dl_rtld_map)) _dl_relocate_object (l, l->l_scope, GLRO(dl_lazy) ? RTLD_LAZY : 0,
diff --git a/include/link.h b/include/link.h
index e877104641..27686a4993 100644
--- a/include/link.h
+++ b/include/link.h
@@ -1,6 +1,6 @@
 /* Data structure for communication from the run-time dynamic linker for loaded ELF shared objects.
- Copyright (C) 1995-2006, 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
+ Copyright (C) 1995-2012 Free Software Foundation, Inc.
 This file is part of the GNU C Library. The GNU C Library is free software; you can redistribute it and/or
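Review bot: In elf/dl-libc.c, hunk `@@ -284,6 +283,10 @@`, `free (l->l_initfini);` leaves both the pointer and the l_free_initfini bit as they were, so anything that touches the same link map afterwards would read freed memory or release it a second time. Whether any code runs over these maps after free_mem is not visible in the hunk, but resetting the pair is cheap: put the call in braces under the `if` and follow it with `l->l_initfini = NULL;` and `l->l_free_initfini = 0;`. The enclosing loop and function continue outside the hunk.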
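Review bot: The comment added in elf/rtld.c, `/* Also allocated with the fake malloc(). */`, does not name what was allocated, although the guarded `free` in free_mem is only safe if this bit is cleared for every object loaded at startup. I would spell the invariant out, e.g. `/* l_initfini of startup objects also comes from ld.so's fake malloc() and must never reach free().  */`. The surrounding loop is outside the hunk, so it cannot be confirmed from here that every startup object passes through this statement.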
@@ -192,6 +192,9 @@ struct link_map
 during LD_TRACE_PRELINKING=1 contains any DT_SYMBOLIC libraries. */
+ unsigned int l_free_initfini:1; /* Nonzero if l_initfini can be
+ freed, ie. not allocated with
+ the dummy malloc in ld.so. */
 /* Collected information about own RPATH directories. */ struct r_search_path_struct l_rpath_dirs;
@@ -240,9 +243,6 @@ struct link_map
 /* List of object in order of the init and fini calls. */ struct link_map **l_initfini;
- /* The init and fini list generated at startup, saved when the
- object is also loaded dynamically. */
- struct link_map **l_orig_initfini;
 /* List of the dependencies introduced through symbol binding. */ struct link_map_reldeps |