* relent->sym_ptr_ptr memory stale refs question
From: Jan Kratochvil @ 2010-10-15 9:54 UTC (permalink / raw)
To: binutils
Hi,
there has been a GDB thread about stale memory reference / crashes:
Re: [patch] Fix ELF stale reference
http://sourceware.org/ml/gdb-patches/2010-09/msg00192.html
http://sourceware.org/ml/gdb-patches/2010-10/msg00244.html
elfcode.h:elf_slurp_reloc_table_from_section contains:
ps = symbols + ELF_R_SYM (rela.r_info) - 1;
relent->sym_ptr_ptr = ps;
This way it embeds references to the memory area passed as DYNSYMS to
bfd_get_synthetic_symtab persistently into abfd. But the application does not
know when it can free the DYNSYMS pointer array memory, as the same abfd can
be used from various places (reference counted by GDB now; sure, GDB could
make its own association of that memory block with abfd).
FYI binutils/ nm never frees the memory. objdump also frees it prematurely in
dump_bfd, although it is not exploitable as the program immediately exits
afterwards. By duplicating the dump_bfd calls we get for `objdump -d':
Invalid read of size 8
at 0x5A4710: _bfd_elf_get_synthetic_symtab (elf.c:9336)
by 0x4091D9: dump_bfd (objdump.c:3082)
by 0x409459: display_bfd (objdump.c:3160)
by 0x409657: display_file (objdump.c:3242)
by 0x409E6D: main (objdump.c:3504)
Address 0x58143b8 is 8 bytes inside a block of size 24 free'd
at 0x4C25D72: free (vg_replace_malloc.c:325)
by 0x4093C1: dump_bfd (objdump.c:3137)
by 0x40944D: display_bfd (objdump.c:3159)
by 0x409657: display_file (objdump.c:3242)
by 0x409E6D: main (objdump.c:3504)
I find this too fragile.
The application can also use bfd_alloc, but its declaration is in libbfd.h:
/* libbfd.h -- Declarations used by bfd library *implementation*.
(This include file is not for users of the library.)
Also, bfd_alloc would mean the memory is not freeable across multiple
executions of bfd_get_synthetic_symtab. The passed memory is no longer used
during the 2nd and further runs, as asect->relocation != NULL in
elf_slurp_reloc_table.
Do you suggest a way to change the bfd/ API or is GDB free to use bfd_alloc?
Thanks,
Jan
* Re: relent->sym_ptr_ptr memory stale refs question
From: Alan Modra @ 2010-10-21 13:46 UTC (permalink / raw)
To: Jan Kratochvil; +Cc: binutils
On Fri, Oct 15, 2010 at 11:54:20AM +0200, Jan Kratochvil wrote:
> Do you suggest a way to change the bfd/ API or is GDB free to use bfd_alloc?
Perhaps move objdump's slurp_symtab into bfd?
long
bfd_slurp_symtab (bfd *abfd, asymbol ***syms)
{
  long storage;

  *syms = NULL;
  if (!(bfd_get_file_flags (abfd) & HAS_SYMS))
    return 0;

  storage = bfd_get_symtab_upper_bound (abfd);
  if (storage < 0)
    return storage;

  if (storage)
    {
      /* Allocate from the bfd's own allocator, so the symbol pointer
         array lives exactly as long as ABFD and is freed with it.  */
      *syms = (asymbol **) bfd_alloc (abfd, storage);
      if (*syms == NULL)
        return -1;
    }

  return bfd_canonicalize_symtab (abfd, *syms);
}
And something similar for slurp_dynamic_symtab.
--
Alan Modra
Australia Development Lab, IBM
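The lifetime mismatch Jan describes, and the effect of Alan's bfd_alloc-based
alternative, can be shown in a self-contained toy model. The code below is an
added example, not BFD or binutils code: `struct obj` stands in for a bfd with
a per-object arena (`obj_alloc` plays the role of bfd_alloc), `slurp_relocs`
stores pointers into the caller's symbol array exactly as
`relent->sym_ptr_ptr = ps` does, and `relocs_self_contained` is a check an
auditor could apply: does every stored symbol pointer fall inside memory the
object itself owns? The symbol names, addresses and the "second call is
ignored" flag (mirroring asect->relocation != NULL) are constructed for the
example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define ARENA_SIZE 4096
#define NSYMS 3
#define NRELOCS 3

struct sym   { const char *name; unsigned long value; };
struct reloc { struct sym **sym_ptr_ptr; unsigned long addr; };

/* Toy stand-in for a bfd: owns an arena plus a relocation table. */
struct obj {
    unsigned char arena[ARENA_SIZE];
    size_t used;
    struct reloc relocs[NRELOCS];
    int have_relocs;            /* like asect->relocation != NULL */
};

/* Stand-in for bfd_alloc: memory lives exactly as long as the obj. */
static void *obj_alloc(struct obj *o, size_t n) {
    n = (n + 15) & ~(size_t)15;
    if (o->used + n > ARENA_SIZE) return NULL;
    void *p = o->arena + o->used;
    o->used += n;
    return p;
}

/* Constructed symbol table standing in for a file's dynsyms. */
static const struct sym dynsyms[NSYMS] = {
    { "puts", 0x1000 }, { "malloc", 0x1010 }, { "free", 0x1020 },
};

/* Like bfd_canonicalize_symtab: fills a caller-supplied pointer array. */
static long canonicalize_symtab(struct obj *o, struct sym **syms) {
    struct sym *tab = obj_alloc(o, sizeof dynsyms);
    if (!tab) return -1;
    memcpy(tab, dynsyms, sizeof dynsyms);
    for (int i = 0; i < NSYMS; i++) syms[i] = &tab[i];
    return NSYMS;
}

/* Like elf_slurp_reloc_table: stores pointers INTO the symbols array,
   not copies, so that array must outlive the obj's reloc table.  */
static void slurp_relocs(struct obj *o, struct sym **symbols) {
    if (o->have_relocs) return;         /* later calls reuse the table */
    for (int i = 0; i < NRELOCS; i++) {
        o->relocs[i].sym_ptr_ptr = symbols + i;   /* ps = symbols + ... */
        o->relocs[i].addr = 0x2000 + 8 * i;
    }
    o->have_relocs = 1;
}

/* Pattern A (objdump's slurp_symtab): malloc'd array the caller frees. */
static struct sym **slurp_symtab_malloc(struct obj *o) {
    struct sym **syms = malloc(NSYMS * sizeof *syms);
    if (syms && canonicalize_symtab(o, syms) < 0) { free(syms); return NULL; }
    return syms;
}

/* Pattern B (the proposed bfd_slurp_symtab): array from the obj's arena. */
static struct sym **slurp_symtab_owned(struct obj *o) {
    struct sym **syms = obj_alloc(o, NSYMS * sizeof *syms);
    if (syms && canonicalize_symtab(o, syms) < 0) return NULL;
    return syms;
}

/* Audit check: 1 if every reloc's sym_ptr_ptr points into the obj's own
   arena, 0 if the reloc table references memory the obj does not control. */
static int relocs_self_contained(const struct obj *o) {
    uintptr_t lo = (uintptr_t)o->arena, hi = lo + o->used;
    for (int i = 0; i < NRELOCS; i++) {
        uintptr_t p = (uintptr_t)o->relocs[i].sym_ptr_ptr;
        if (p < lo || p >= hi) return 0;
    }
    return 1;
}

/* Returns 0: the reloc table points at memory the caller is about to free. */
static int demo_malloc_pattern(void) {
    struct obj o = {0};
    struct sym **syms = slurp_symtab_malloc(&o);
    if (!syms) return -1;
    slurp_relocs(&o, syms);
    int ok = relocs_self_contained(&o);
    free(syms);   /* o.relocs[i].sym_ptr_ptr is now dangling; never read it */
    return ok;
}

/* Returns 1: symbol pointers live in the arena and die with the obj. */
static int demo_owned_pattern(void) {
    struct obj o = {0};
    struct sym **syms = slurp_symtab_owned(&o);
    if (!syms) return -1;
    slurp_relocs(&o, syms);
    struct sym *other[NSYMS] = {0};
    slurp_relocs(&o, other);            /* ignored: table already built */
    if (o.relocs[0].sym_ptr_ptr != syms) return -2;
    if (strcmp((*o.relocs[0].sym_ptr_ptr)->name, "puts") != 0) return -3;
    return relocs_self_contained(&o);
}

int main(void) {
    printf("malloc pattern self-contained: %d\n", demo_malloc_pattern());
    printf("owned pattern self-contained:  %d\n", demo_owned_pattern());
    return 0;
}
```

The second slurp_relocs call in demo_owned_pattern shows why freeing the
caller's array after a later call is unsafe: the object keeps the pointers it
captured on the first call, so the lifetime that matters is the object's, not
the caller's. Allocating the array from the object's own allocator, as in the
proposed bfd_slurp_symtab, makes the two lifetimes coincide and turns the
self-containment check into an invariant rather than a convention.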