public inbox for binutils@sourceware.org
From: Jan Kratochvil <jan.kratochvil@redhat.com>
To: binutils@sourceware.org
Subject: relent->sym_ptr_ptr memory stale refs question
Date: Fri, 15 Oct 2010 09:54:00 -0000
Message-ID: <20101015095420.GA17502@host1.dyn.jankratochvil.net>

Hi,

there has been a GDB thread about stale memory reference / crashes:
	Re: [patch] Fix ELF stale reference
	http://sourceware.org/ml/gdb-patches/2010-09/msg00192.html
	http://sourceware.org/ml/gdb-patches/2010-10/msg00244.html

elfcode.h:elf_slurp_reloc_table_from_section contains:
          ps = symbols + ELF_R_SYM (rela.r_info) - 1;
          relent->sym_ptr_ptr = ps;

This way it embeds references to the memory area passed as DYNSYMS to
bfd_get_synthetic_symtab persistently into abfd.  But the application does not
know when it can already free the DYNSYMS pointers array memory, as the same
abfd can be used from various places - reference counted by GDB now; sure, GDB
could make its own association of that memory block with abfd.

FYI binutils/ nm never frees the memory.  objdump also frees it prematurely in
dump_bfd - although it is not exploitable as the program immediately exits
afterwards.  By duplicating the dump_bfd call we get for `objdump -d':
	Invalid read of size 8
	   at 0x5A4710: _bfd_elf_get_synthetic_symtab (elf.c:9336)
	   by 0x4091D9: dump_bfd (objdump.c:3082)
	   by 0x409459: display_bfd (objdump.c:3160)
	   by 0x409657: display_file (objdump.c:3242)
	   by 0x409E6D: main (objdump.c:3504)
	 Address 0x58143b8 is 8 bytes inside a block of size 24 free'd
	   at 0x4C25D72: free (vg_replace_malloc.c:325)
	   by 0x4093C1: dump_bfd (objdump.c:3137)
	   by 0x40944D: display_bfd (objdump.c:3159)
	   by 0x409657: display_file (objdump.c:3242)
	   by 0x409E6D: main (objdump.c:3504)
I find this too fragile.

The application can also use bfd_alloc, but its declaration is in libbfd.h:
/* libbfd.h -- Declarations used by bfd library *implementation*.
   (This include file is not for users of the library.)

Also, bfd_alloc would mean the memory is not freeable during multiple executions
of bfd_get_synthetic_symtab.  The passed memory is no longer used during the 2nd
and further runs, as asect->relocation != NULL in elf_slurp_reloc_table.


Do you suggest a way to change the bfd/ API, or is GDB free to use bfd_alloc?


Thanks,
Jan
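
The ownership problem described in the mail, modelled as an added C example
(this is not binutils or GDB code; `bfd_like`, `reloc_ent`, `sym_ent`, `raw_rel`,
`slurp_fragile`, `slurp_owned` and the sample symbols and relocations are all
hypothetical stand-ins).  `slurp_fragile` mirrors the
`ps = symbols + ELF_R_SYM (rela.r_info) - 1` assignment and leaves every reloc
pointing into the caller's pointer array, so freeing that array early (as dump_bfd
does) leaves dangling `sym_ptr_ptr` values; `slurp_owned` first copies the pointer
table into storage owned by the object, the analogue of taking it from the object's
own allocator, so the caller's array can be freed as soon as the call returns.  Only
the pointer array is modelled as caller-owned; the symbol records themselves are
assumed to outlive the object, as in the mail.

```c
/* Added example, not binutils/GDB code: a model of the stale sym_ptr_ptr problem.
   All type and function names below are hypothetical stand-ins. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *name; uint64_t value; } sym_ent;         /* stands in for asymbol */
typedef struct { sym_ent **sym_ptr_ptr; uint64_t offset; } reloc_ent; /* stands in for arelent */
typedef struct { uint64_t r_offset; uint32_t r_sym; } raw_rel;        /* r_sym as in ELF_R_SYM */
typedef struct {
    reloc_ent *relocs;   size_t nrelocs;
    sym_ent  **own_syms; size_t nsyms;   /* object-owned copy; NULL in the fragile variant */
} bfd_like;

/* Fragile variant, mirroring `ps = symbols + ELF_R_SYM (rela.r_info) - 1`: every reloc keeps
   a pointer INTO the caller's `symbols` array, so the object silently depends on the caller
   never freeing that array while the object lives.  r_sym is 1-based: 0 and values past nsyms are rejected. */
int slurp_fragile(bfd_like *obj, const raw_rel *rels, size_t n, sym_ent **symbols, size_t nsyms)
{
    obj->relocs = calloc(n, sizeof *obj->relocs);
    if (!obj->relocs) return -1;
    for (size_t i = 0; i < n; i++) {
        if (rels[i].r_sym == 0 || rels[i].r_sym > nsyms) {
            free(obj->relocs); obj->relocs = NULL; return -1;
        }
        obj->relocs[i].offset = rels[i].r_offset;
        obj->relocs[i].sym_ptr_ptr = symbols + rels[i].r_sym - 1;   /* aliases caller memory */
    }
    obj->nrelocs = n;
    return 0;
}

/* Hardened variant: copy the pointer table into storage the object owns (the analogue of
   taking it from the object's own allocator) and point the relocs at that copy.  The
   caller may free its array as soon as this returns. */
int slurp_owned(bfd_like *obj, const raw_rel *rels, size_t n, sym_ent **symbols, size_t nsyms)
{
    obj->own_syms = calloc(nsyms, sizeof *obj->own_syms);
    if (!obj->own_syms) return -1;
    memcpy(obj->own_syms, symbols, nsyms * sizeof *symbols);
    obj->nsyms = nsyms;
    if (slurp_fragile(obj, rels, n, obj->own_syms, nsyms) != 0) {
        free(obj->own_syms); obj->own_syms = NULL; obj->nsyms = 0; return -1;
    }
    return 0;
}

/* 1 if every sym_ptr_ptr lies inside the object's own table, i.e. no caller memory is
   referenced.  Addresses are compared as integers, not as pointers into unrelated arrays. */
int relocs_self_contained(const bfd_like *obj)
{
    if (!obj->own_syms) return 0;
    uintptr_t lo = (uintptr_t)obj->own_syms, hi = lo + obj->nsyms * sizeof *obj->own_syms;
    for (size_t i = 0; i < obj->nrelocs; i++) {
        uintptr_t p = (uintptr_t)obj->relocs[i].sym_ptr_ptr;
        if (p < lo || p >= hi) return 0;
    }
    return 1;
}

/* Replays the dump_bfd scenario: slurp, free the caller's pointer array immediately, then
   use reloc 0.  Returns its symbol name, or NULL when that would read the freed array
   (refused here rather than reproducing the invalid read). */
const char *resolve_after_caller_free(int hardened)
{
    /* Constructed sample: three symbols, two relocs referring to the 2nd and 3rd. */
    static sym_ent syms[3] = { {"foo", 0x1000}, {"bar", 0x2000}, {"baz", 0x3000} };
    static const raw_rel rels[2] = { {0x10, 2}, {0x18, 3} };
    sym_ent **caller_table = malloc(3 * sizeof *caller_table);
    if (!caller_table) return NULL;
    for (int i = 0; i < 3; i++) caller_table[i] = &syms[i];
    bfd_like obj = {0};
    int rc = hardened ? slurp_owned(&obj, rels, 2, caller_table, 3)
                      : slurp_fragile(&obj, rels, 2, caller_table, 3);
    free(caller_table);                              /* the premature free, on purpose */
    const char *name = NULL;
    if (rc == 0 && relocs_self_contained(&obj))
        name = (*obj.relocs[0].sym_ptr_ptr)->name;   /* safe: points into obj.own_syms */
    free(obj.relocs);
    free(obj.own_syms);
    return name;
}

/* An out-of-range r_sym (2 against a one-entry table) must be rejected, not indexed. */
int rejects_bad_symbol_index(void)
{
    static sym_ent s = { "only", 1 };
    sym_ent *table[1] = { &s };
    raw_rel bad = { 0, 2 };
    bfd_like obj = {0};
    return slurp_fragile(&obj, &bad, 1, table, 1) == -1 && obj.relocs == NULL;
}

int main(void)
{
    printf("fragile:  %s\n", resolve_after_caller_free(0) ? "resolved" : "refused, aliases freed memory");
    printf("hardened: %s\n", resolve_after_caller_free(1));
    return 0;
}
```

The fragile path is never dereferenced after the free, so the program itself stays
well-defined; `relocs_self_contained` is the check that tells the two ownership models
apart.  The copy in `slurp_owned` also removes the "not freeable across multiple
bfd_get_synthetic_symtab runs" concern, because the copy lives and dies with the object
rather than with whichever caller happened to supply the array.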

Thread overview: 2+ messages
2010-10-15  9:54 Jan Kratochvil [this message]
2010-10-21 13:46 ` Alan Modra