* [PATCH] bfd: alpha: Fix crash caused by double free
@ 2016-12-31 12:33 James Clarke
2017-01-02 5:14 ` Alan Modra
0 siblings, 1 reply; 4+ messages in thread
From: James Clarke @ 2016-12-31 12:33 UTC (permalink / raw)
To: binutils; +Cc: James Clarke, John Paul Adrian Glaubitz, Michael Cree
Without this, ld has been seen to crash in libc when freeing tsec_free:
*** Error in `/usr/bin/ld': double free or corruption (!prev): 0x0000000120ceb6a0 ***
Since _bfd_elf_link_read_relocs caches the return value when keep_memory
is set, tsec_free cannot always be freed; the cached value ends up being
returned on another invocation and subsequently freed again.
bfd/
* elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
tsec_free if it has been cached inside tsec's section data.
---
bfd/elf64-alpha.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/bfd/elf64-alpha.c b/bfd/elf64-alpha.c
index 44f2cfe004..dfbc73a833 100644
--- a/bfd/elf64-alpha.c
+++ b/bfd/elf64-alpha.c
@@ -3228,11 +3228,13 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
if (!gpdisp || gpdisp->r_addend != 4)
{
- if (tsec_free)
+ if (tsec_free != NULL
+ && elf_section_data (info->tsec)->relocs != tsec_free)
free (tsec_free);
return 0;
}
- if (tsec_free)
+ if (tsec_free != NULL
+ && elf_section_data (info->tsec)->relocs != tsec_free)
free (tsec_free);
}
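Review bot: the ownership test is duplicated at both free sites when the fact it encodes, whether tsec_relocs is the section's cached array or a private copy, is already known at the point where tsec_free is assigned; deciding there (tsec_free = NULL when `elf_section_data (info->tsec)->relocs == tsec_relocs`) would leave both `if (tsec_free) free (tsec_free);` lines untouched and give a single place to audit for ownership. The `!= NULL` spelling changes nothing on its own, since the original `if (tsec_free)` already guarded the call and free (NULL) is a no-op anyway.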
--
2.11.0
* Re: [PATCH] bfd: alpha: Fix crash caused by double free
2016-12-31 12:33 [PATCH] bfd: alpha: Fix crash caused by double free James Clarke
@ 2017-01-02 5:14 ` Alan Modra
2017-01-03 16:15 ` [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory James Clarke
0 siblings, 1 reply; 4+ messages in thread
From: Alan Modra @ 2017-01-02 5:14 UTC (permalink / raw)
To: James Clarke; +Cc: binutils, John Paul Adrian Glaubitz, Michael Cree
On Sat, Dec 31, 2016 at 12:32:18PM +0000, James Clarke wrote:
> @@ -3228,11 +3228,13 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
>
> if (!gpdisp || gpdisp->r_addend != 4)
> {
> - if (tsec_free)
> + if (tsec_free != NULL
> + && elf_section_data (info->tsec)->relocs != tsec_free)
> free (tsec_free);
> return 0;
> }
> - if (tsec_free)
> + if (tsec_free != NULL
> + && elf_section_data (info->tsec)->relocs != tsec_free)
> free (tsec_free);
> }
>
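Review bot: the description above ("Since _bfd_elf_link_read_relocs caches the return value when keep_memory is set") does not explain why the guard compares against the section's cached pointer instead of consulting keep_memory: the cached array is handed back whether or not keep_memory is set on the call, so the existing `tsec_free = (info->link_info->keep_memory ? NULL : tsec_relocs)` assignment is the wrong ownership test rather than merely an incomplete one. Saying so in the commit message would save the next reader from re-deriving it from this hunk.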
Please move the new test to the assignment of tsec_free. OK with that
change, thanks!
--
Alan Modra
Australia Development Lab, IBM
* [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory
2017-01-02 5:14 ` Alan Modra
@ 2017-01-03 16:15 ` James Clarke
2017-01-03 22:31 ` Alan Modra
0 siblings, 1 reply; 4+ messages in thread
From: James Clarke @ 2017-01-03 16:15 UTC (permalink / raw)
To: binutils, Alan Modra
Cc: James Clarke, John Paul Adrian Glaubitz, Michael Cree
Without this, ld has been seen to crash in libc when freeing tsec_free:
*** Error in `/usr/bin/ld': double free or corruption (!prev): 0x0000000120ceb6a0 ***
_bfd_elf_link_read_relocs will always return the cached value if
present, even if keep_memory is false, therefore setting tsec_free to
NULL only when keep_memory is true is not sufficient.
bfd/
* elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
tsec_free if it is cached inside tsec's section data.
---
bfd/elf64-alpha.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/bfd/elf64-alpha.c b/bfd/elf64-alpha.c
index 44f2cfe004..4c31a07ad0 100644
--- a/bfd/elf64-alpha.c
+++ b/bfd/elf64-alpha.c
@@ -3215,7 +3215,9 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
if (tsec_relocs == NULL)
return 0;
tsec_relend = tsec_relocs + info->tsec->reloc_count;
- tsec_free = (info->link_info->keep_memory ? NULL : tsec_relocs);
+ tsec_free = (elf_section_data (info->tsec)->relocs == tsec_relocs
+ ? NULL
+ : tsec_relocs);
}
/* Recover the symbol's offset within the section. */
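Review bot: the new assignment decides ownership correctly but silently, and the reason keep_memory is deliberately ignored here is exactly the subtlety that produced the double free; a comment on the assignment, for example `/* _bfd_elf_link_read_relocs returns the section's cached copy if it has one, regardless of keep_memory, so only a private copy is ours to free.  */`, would record that in the code rather than only in the commit message. With tsec_free now NULL whenever the array is the cached one, the two `if (tsec_free) free (tsec_free);` sites touched by the first version need no further change.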
--
2.11.0
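The ownership rule both commit messages in this thread describe (the cached array is returned whether or not keep_memory is set, so the flag cannot tell the caller whether it owns the buffer) is easy to get wrong in any cache-or-allocate API, not only in bfd. The model below is an added example written for this page, not code from binutils: `section_t`, `read_relocs`, `owned_by_flag` and `owned_by_cache` are stand-ins for `elf_section_data (sec)->relocs`, `_bfd_elf_link_read_relocs` and the before/after ownership tests in the patch, and the "some earlier pass cached the array" setup is an assumption made so that the --no-keep-memory path finds a populated cache. Frees of the cached array are counted rather than performed, so the pre-patch rule can be exercised without corrupting the heap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical reloc record; only its existence matters for this model.  */
typedef struct {
  long r_offset;
  long r_addend;
} reloc_t;

/* Stand-in for the per-section data, elf_section_data (sec)->relocs in bfd.  */
typedef struct {
  reloc_t *relocs;      /* cached array, or NULL if none has been kept */
  size_t reloc_count;
} section_t;

/* Stand-in for _bfd_elf_link_read_relocs: a cached array is returned
   whenever one exists, whatever keep_memory says; otherwise a fresh array
   is allocated and cached only if keep_memory is set.  */
static reloc_t *read_relocs (section_t *sec, bool keep_memory)
{
  if (sec->relocs != NULL)
    return sec->relocs;

  reloc_t *r = calloc (sec->reloc_count, sizeof *r);
  if (r == NULL)
    return NULL;
  for (size_t i = 0; i < sec->reloc_count; i++)
    {
      r[i].r_offset = 8 * i;   /* constructed sample data */
      r[i].r_addend = 4;
    }
  if (keep_memory)
    sec->relocs = r;
  return r;
}

/* An ownership rule answers: which pointer, if any, must the caller free?  */
typedef reloc_t *(*ownership_rule) (const section_t *sec, reloc_t *r,
                                    bool keep_memory);

/* Rule before the patch: trust the flag the caller passed.  */
static reloc_t *owned_by_flag (const section_t *sec, reloc_t *r,
                               bool keep_memory)
{
  (void) sec;
  return keep_memory ? NULL : r;
}

/* Rule after the patch: free only what is not the section's cached copy.  */
static reloc_t *owned_by_cache (const section_t *sec, reloc_t *r,
                                bool keep_memory)
{
  (void) keep_memory;
  return sec->relocs == r ? NULL : r;
}

/* Run CALLS relax-style invocations against one section under
   --no-keep-memory and return how many times RULE would have freed the
   section's cached array.  Anything above zero frees memory the cache still
   owns; the second such free is the double free ld reported.  -1 on OOM.  */
static int cached_array_free_count (ownership_rule rule, bool precached,
                                    int calls)
{
  section_t sec = { NULL, 3 };
  int frees_of_cached = 0;

  /* Assumption: an earlier pass read the relocs with keep_memory set,
     which is what leaves a populated cache for the later calls to find.  */
  if (precached && read_relocs (&sec, true) == NULL)
    return -1;

  for (int i = 0; i < calls; i++)
    {
      reloc_t *r = read_relocs (&sec, false);
      if (r == NULL)
        {
          free (sec.relocs);
          return -1;
        }
      reloc_t *to_free = rule (&sec, r, false);
      if (to_free == NULL)
        continue;
      if (to_free == sec.relocs)
        frees_of_cached++;        /* recorded, not performed */
      else
        free (to_free);           /* a private copy: really ours to free */
    }

  free (sec.relocs);              /* the cache owner releases it once */
  return frees_of_cached;
}

int main (void)
{
  printf ("flag rule, cache populated:  %d frees of the cached array\n",
          cached_array_free_count (owned_by_flag, true, 2));
  printf ("cache rule, cache populated: %d frees of the cached array\n",
          cached_array_free_count (owned_by_cache, true, 2));
  return 0;
}
```

With a populated cache the flag-based rule frees the cached array once per call, and the cache owner frees it again at teardown, so a real run frees one allocation three times; the cache-based rule frees nothing it does not own, and with an empty cache both rules free each private copy exactly once, which is why the bug only surfaces when another consumer has already cached the section's relocs.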
* Re: [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory
2017-01-03 16:15 ` [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory James Clarke
@ 2017-01-03 22:31 ` Alan Modra
0 siblings, 0 replies; 4+ messages in thread
From: Alan Modra @ 2017-01-03 22:31 UTC (permalink / raw)
To: James Clarke; +Cc: binutils, John Paul Adrian Glaubitz, Michael Cree
On Tue, Jan 03, 2017 at 04:15:15PM +0000, James Clarke wrote:
> * elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
> tsec_free if it is cached inside tsec's section data.
Thanks, applied.
--
Alan Modra
Australia Development Lab, IBM