public inbox for binutils@sourceware.org
* [PATCH] bfd: alpha: Fix crash caused by double free
From: James Clarke @ 2016-12-31 12:33 UTC (permalink / raw)
  To: binutils; +Cc: James Clarke, John Paul Adrian Glaubitz, Michael Cree

Without this, ld has been seen to crash in libc when freeing tsec_free:

*** Error in `/usr/bin/ld': double free or corruption (!prev): 0x0000000120ceb6a0 ***

Since _bfd_elf_link_read_relocs caches the return value when keep_memory
is set, tsec_free cannot always be freed; the cached value ends up being
returned on another invocation and subsequently freed again.

bfd/
	* elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
	tsec_free if it has been cached inside tsec's section data.
---
 bfd/elf64-alpha.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/bfd/elf64-alpha.c b/bfd/elf64-alpha.c
index 44f2cfe004..dfbc73a833 100644
--- a/bfd/elf64-alpha.c
+++ b/bfd/elf64-alpha.c
@@ -3228,11 +3228,13 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
 
       if (!gpdisp || gpdisp->r_addend != 4)
 	{
-	  if (tsec_free)
+	  if (tsec_free != NULL
+	      && elf_section_data (info->tsec)->relocs != tsec_free)
 	    free (tsec_free);
 	  return 0;
 	}
-      if (tsec_free)
+      if (tsec_free != NULL
+          && elf_section_data (info->tsec)->relocs != tsec_free)
         free (tsec_free);
     }
 
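Review bot: the ownership test `elf_section_data (info->tsec)->relocs != tsec_free` is repeated at both free sites in this hunk, so any free site added later has to remember it; decide ownership once where tsec_free is assigned (set it to NULL when the buffer returned by _bfd_elf_link_read_relocs is the one held in elf_section_data (info->tsec)->relocs) and leave the free sites as plain `if (tsec_free) free (tsec_free);`. The added `!= NULL` is redundant with the original `if (tsec_free)` form, and the second continuation line (`+          && elf_section_data ...`) is indented with spaces where the first uses a tab.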
-- 
2.11.0


* Re: [PATCH] bfd: alpha: Fix crash caused by double free
From: Alan Modra @ 2017-01-02  5:14 UTC (permalink / raw)
  To: James Clarke; +Cc: binutils, John Paul Adrian Glaubitz, Michael Cree

On Sat, Dec 31, 2016 at 12:32:18PM +0000, James Clarke wrote:
> @@ -3228,11 +3228,13 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
>  
>        if (!gpdisp || gpdisp->r_addend != 4)
>  	{
> -	  if (tsec_free)
> +	  if (tsec_free != NULL
> +	      && elf_section_data (info->tsec)->relocs != tsec_free)
>  	    free (tsec_free);
>  	  return 0;
>  	}
> -      if (tsec_free)
> +      if (tsec_free != NULL
> +          && elf_section_data (info->tsec)->relocs != tsec_free)
>          free (tsec_free);
>      }
>  

Please move the new test to the assignment of tsec_free.  OK with that
change, thanks!

-- 
Alan Modra
Australia Development Lab, IBM


* [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory
From: James Clarke @ 2017-01-03 16:15 UTC (permalink / raw)
  To: binutils, Alan Modra
  Cc: James Clarke, John Paul Adrian Glaubitz, Michael Cree

Without this, ld has been seen to crash in libc when freeing tsec_free:

*** Error in `/usr/bin/ld': double free or corruption (!prev): 0x0000000120ceb6a0 ***

_bfd_elf_link_read_relocs will always return the cached value if
present, even if keep_memory is false, therefore setting tsec_free to
NULL only when keep_memory is true is not sufficient.

bfd/
	* elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
	tsec_free if it is cached inside tsec's section data.
---
 bfd/elf64-alpha.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/bfd/elf64-alpha.c b/bfd/elf64-alpha.c
index 44f2cfe004..4c31a07ad0 100644
--- a/bfd/elf64-alpha.c
+++ b/bfd/elf64-alpha.c
@@ -3215,7 +3215,9 @@ elf64_alpha_relax_opt_call (struct alpha_relax_info *info, bfd_vma symval)
 	  if (tsec_relocs == NULL)
 	    return 0;
 	  tsec_relend = tsec_relocs + info->tsec->reloc_count;
-	  tsec_free = (info->link_info->keep_memory ? NULL : tsec_relocs);
+	  tsec_free = (elf_section_data (info->tsec)->relocs == tsec_relocs
+		       ? NULL
+		       : tsec_relocs);
 	}
 
       /* Recover the symbol's offset within the section.  */
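Review bot: the reason the keep_memory test is gone lives only in the commit message; add a one-line comment above the new assignment, e.g. `/* _bfd_elf_link_read_relocs returns the cached buffer whenever one exists, so only free a buffer the section data does not hold.  */`, so a later reader does not reintroduce the keep_memory check. Otherwise this is the right shape: ownership is decided once at the assignment, so the free sites downstream need no per-site comparison.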
-- 
2.11.0

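The cache/ownership mismatch the two commit messages describe, as an added, constructed C model (not code from BFD; `struct section`, `read_relocs`, `to_free_v1`, `to_free_v2` and `cache_owned_frees` are invented names) that compares the v1 rule, which decides ownership from keep_memory, with the v2 rule, which decides it from what the cache actually holds:

```c
#include <stdbool.h>
#include <stdlib.h>
/* Constructed model of a section with a reloc cache (not BFD's real types).  */
struct section { long *relocs; int reloc_count; };

/* Model of _bfd_elf_link_read_relocs as the thread describes it: an existing
   cached buffer is always returned; a fresh one is cached only if keep_memory.  */
static long *read_relocs (struct section *sec, bool keep_memory)
{
  if (sec->relocs != NULL)
    return sec->relocs;
  long *buf = calloc ((size_t) sec->reloc_count, sizeof *buf);
  if (buf == NULL)
    return NULL;
  if (keep_memory)
    sec->relocs = buf;
  return buf;
}

/* v1 ownership rule: the caller frees unless keep_memory is set.  */
static long *to_free_v1 (long *relocs, bool keep_memory)
{
  return keep_memory ? NULL : relocs;
}

/* v2 ownership rule: the caller frees only a buffer the cache does not hold.  */
static long *to_free_v2 (const struct section *sec, long *relocs)
{
  return sec->relocs == relocs ? NULL : relocs;
}

/* First read caches the buffer, second read (keep_memory false) gets it back.
   Returns how often the caller would free the cache-owned buffer: nonzero means
   the teardown free below is a second free of that same pointer.  */
static int cache_owned_frees (bool use_v2)
{
  struct section sec = { NULL, 4 };
  bool keep[2] = { true, false };
  int bad_frees = 0;
  for (int i = 0; i < 2; i++)
    {
      long *r = read_relocs (&sec, keep[i]);
      long *f = use_v2 ? to_free_v2 (&sec, r) : to_free_v1 (r, keep[i]);
      if (f != NULL && f == sec.relocs)
        bad_frees++;              /* would free what the cache still owns */
      else
        free (f);                 /* caller-owned or NULL: safe to free */
    }
  free (sec.relocs);              /* cache teardown frees its own buffer */
  return bad_frees;
}
```

With the v1 rule the second pass hands the cached buffer to free and the teardown frees it again, which is the libc "double free or corruption" abort the reports show; the v2 rule never frees a pointer the cache still holds.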

* Re: [PATCH v2] bfd: alpha: Fix crash caused by double free with --no-keep-memory
From: Alan Modra @ 2017-01-03 22:31 UTC (permalink / raw)
  To: James Clarke; +Cc: binutils, John Paul Adrian Glaubitz, Michael Cree

On Tue, Jan 03, 2017 at 04:15:15PM +0000, James Clarke wrote:
> 	* elf64-alpha.c (elf64_alpha_relax_opt_call): Don't free
> 	tsec_free if it is cached inside tsec's section data.

Thanks, applied.

-- 
Alan Modra
Australia Development Lab, IBM

