From: Nick Alcock <nick.alcock@oracle.com>
To: binutils@sourceware.org
Subject: [PATCH 7/7] libctf: fix leak of entire dict when dict opening fails
Date: Fri, 26 Apr 2024 21:20:23 +0100 [thread overview]
Message-ID: <20240426202023.423064-8-nick.alcock@oracle.com> (raw)
In-Reply-To: <20240426202023.423064-1-nick.alcock@oracle.com>
Ever since commit 1fa7a0c24e78e7f ("libctf: sort out potential refcount
loops") ctf_dict_close has only freed anything if the refcount on entry
to the function is precisely 1. >1 obviously just decrements the
refcount, but the linker machinery can sometimes cause freeing to recurse
from a dict to another dict and then back to the first dict again, so
we interpret a refcount of 0 as an indication that this is a recursive call
and we should just return, because a caller is already freeing this dict.
Unfortunately there is one situation in which this is not true: the bad:
codepath in ctf_bufopen entered when opening fails. Because the refcount is
bumped only at the very end of ctf_bufopen, any failure causes
ctf_dict_close to be entered with a refcount of zero, and it frees nothing
and we leak the entire dict.
The solution is to bump the refcount to 1 right before freeing... but this
codepath is clearly delicate enough that we need to properly validate it,
so we add a test that uses malloc interposition to count allocations and
frees, creates a dict, writes it out, intentionally corrupts it (by setting
a bunch of bytes after the header to a value high enough that it is
definitely not a valid CTF type kind), then tries to open it again and
counts the malloc/free pairs to make sure they're matched. (Test run only
on *-linux-gnu, because malloc interposition is not a thing you can rely
upon working everywhere, and this test is not arch-dependent so if it
passes on one arch it can be assumed to pass on all of them.)
libctf/
* ctf-open.c (ctf_bufopen): Bump the refcount on failure.
* testsuite/libctf-regression/open-error-free.*: New test.
---
libctf/ctf-open.c | 4 +
.../libctf-regression/open-error-free.c | 185 ++++++++++++++++++
.../libctf-regression/open-error-free.lk | 5 +
3 files changed, 194 insertions(+)
create mode 100644 libctf/testsuite/libctf-regression/open-error-free.c
create mode 100644 libctf/testsuite/libctf-regression/open-error-free.lk
diff --git a/libctf/ctf-open.c b/libctf/ctf-open.c
index 03faf2d886f..59c6ed0622a 100644
--- a/libctf/ctf-open.c
+++ b/libctf/ctf-open.c
@@ -1724,6 +1724,10 @@ ctf_bufopen (const ctf_sect_t *ctfsect, const ctf_sect_t *symsect,
bad:
ctf_set_open_errno (errp, err);
ctf_err_warn_to_open (fp);
+ /* Without this, the refcnt is zero on entry and ctf_dict_close() won't
+ actually do anything on the grounds that this is a recursive call via
+ another dict being closed. */
+ fp->ctf_refcnt = 1;
ctf_dict_close (fp);
return NULL;
}
diff --git a/libctf/testsuite/libctf-regression/open-error-free.c b/libctf/testsuite/libctf-regression/open-error-free.c
new file mode 100644
index 00000000000..8319a09d5f5
--- /dev/null
+++ b/libctf/testsuite/libctf-regression/open-error-free.c
@@ -0,0 +1,185 @@
+/* Make sure that, on error, an opened dict is properly freed. */
+
+#define _GNU_SOURCE 1
+#include <dlfcn.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <ctf-api.h>
+#include <ctf.h>
+
+static unsigned long long malloc_count;
+static unsigned long long free_count;
+
+static void *(*real_malloc) (size_t size);
+static void (*real_free) (void *ptr);
+static void *(*real_realloc) (void *ptr, size_t size);
+static void *(*real_calloc) (size_t nmemb, size_t size);
+
+/* Interpose malloc/free functionss and count calls to spot unbalanced ones.
+ Extra complexity to deal with dlsym() calling dlerror() and thus calloc() --
+ luckily it handles malloc failure fine, so we can just always fail before the
+ hooks are installed. */
+
+static int in_hooks;
+
+static void hook_init (void)
+{
+ if (!real_calloc)
+ {
+ in_hooks = 1;
+ real_calloc = (void *(*) (size_t, size_t)) dlsym (RTLD_NEXT, "calloc");
+ real_malloc = (void *(*) (size_t)) dlsym (RTLD_NEXT, "malloc");
+ real_free = (void (*) (void *)) dlsym (RTLD_NEXT, "free");
+ real_realloc = (void *(*) (void *, size_t)) dlsym (RTLD_NEXT, "realloc");
+ if (!real_malloc || !real_free || !real_realloc || !real_calloc)
+ {
+ fprintf (stderr, "Cannot hook malloc\n");
+ exit(1);
+ }
+ in_hooks = 0;
+ }
+}
+
+void *malloc (size_t size)
+{
+ if (in_hooks)
+ return NULL;
+
+ hook_init();
+ malloc_count++;
+ return real_malloc (size);
+}
+
+void *realloc (void *ptr, size_t size)
+{
+ void *new_ptr;
+
+ if (in_hooks)
+ return NULL;
+
+ hook_init();
+ new_ptr = real_realloc (ptr, size);
+
+ if (!ptr)
+ malloc_count++;
+
+ if (size == 0)
+ free_count++;
+
+ return new_ptr;
+}
+
+void *calloc (size_t nmemb, size_t size)
+{
+ void *ptr;
+
+ if (in_hooks)
+ return NULL;
+
+ hook_init();
+ ptr = real_calloc (nmemb, size);
+
+ if (ptr)
+ malloc_count++;
+ return ptr;
+}
+
+void free (void *ptr)
+{
+ hook_init();
+
+ if (in_hooks)
+ return;
+
+ if (ptr != NULL)
+ free_count++;
+
+ return real_free (ptr);
+}
+
+int main (void)
+{
+ ctf_dict_t *fp;
+ ctf_encoding_t e = { CTF_INT_SIGNED, 0, sizeof (long) };
+ int err;
+ ctf_id_t type;
+ size_t i;
+ char *written;
+ size_t written_size;
+ char *foo;
+ ctf_next_t *it = NULL;
+ unsigned long long frozen_malloc_count, frozen_free_count;
+
+ if ((fp = ctf_create (&err)) == NULL)
+ goto open_err;
+
+ /* Define an integer, then a pile of unconnected pointers to it, just to
+ use up space.. */
+
+ if ((type = ctf_add_integer (fp, CTF_ADD_ROOT, "long", &e)) == CTF_ERR)
+ goto err;
+
+ for (i = 0; i < 100; i++)
+ {
+ if (ctf_add_pointer (fp, CTF_ADD_ROOT, type) == CTF_ERR)
+ goto err;
+ }
+
+ /* Write the dict out, uncompressed (to stop it failing to open due to decompression
+ failure after we corrupt it: the leak is only observable if the dict gets
+ malloced, which only happens after that point.) */
+
+ if ((written = ctf_write_mem (fp, &written_size, (size_t) -1)) == NULL)
+ goto write_err;
+
+ ctf_dict_close (fp);
+
+ /* Corrupt the dict. */
+
+ memset (written + sizeof (ctf_header_t), 64, 64);
+
+ /* Reset the counters: we are interested only in leaks at open
+ time. */
+ malloc_count = 0;
+ free_count = 0;
+
+ if ((ctf_simple_open (written, written_size, NULL, 0, 0, NULL, 0, &err)) != NULL)
+ {
+ fprintf (stderr, "wildly corrupted dict still opened OK?!\n");
+ exit (1);
+ }
+
+ /* The error log will have accumulated errors which need to be
+ consumed and freed if they are not to appear as a spurious leak. */
+
+ while ((foo = ctf_errwarning_next (NULL, &it, NULL, NULL)) != NULL)
+ free (foo);
+
+ frozen_malloc_count = malloc_count;
+ frozen_free_count = free_count;
+
+ if (frozen_malloc_count == 0)
+ fprintf (stderr, "Allocation count after failed open is zero: likely hook failure.\n");
+ else if (frozen_malloc_count > frozen_free_count)
+ fprintf (stderr, "Memory leak is present: %lli allocations (%lli allocations, %lli frees).\n",
+ frozen_malloc_count - frozen_free_count, frozen_malloc_count, frozen_free_count);
+ else if (frozen_malloc_count < frozen_free_count)
+ fprintf (stderr, "Possible double-free: %li allocations, %li frees.\n",
+ frozen_malloc_count, frozen_free_count);
+
+ printf ("All OK.\n");
+ exit (0);
+
+ open_err:
+ fprintf (stderr, "Cannot open/create: %s\n", ctf_errmsg (err));
+ exit (1);
+
+ err:
+ fprintf (stderr, "Cannot add: %s\n", ctf_errmsg (ctf_errno (fp)));
+ exit (1);
+
+ write_err:
+ fprintf (stderr, "Cannot write: %s\n", ctf_errmsg (ctf_errno (fp)));
+ exit (1);
+}
diff --git a/libctf/testsuite/libctf-regression/open-error-free.lk b/libctf/testsuite/libctf-regression/open-error-free.lk
new file mode 100644
index 00000000000..383cfff20d5
--- /dev/null
+++ b/libctf/testsuite/libctf-regression/open-error-free.lk
@@ -0,0 +1,5 @@
+# source: pptrtab-a.c
+# source: pptrtab-b.c
+# host: *-linux-gnu
+# lookup-link: -ldl
+All OK.
--
2.44.0.273.ge0bd14271f
prev parent reply other threads:[~2024-04-26 20:20 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-26 20:20 [PATCH 0/7] libctf: leak-adjacent fixes Nick Alcock
2024-04-26 20:20 ` [PATCH 1/7] libctf: typos Nick Alcock
2024-04-26 20:20 ` [PATCH 2/7] libctf: failure to open parent dicts that exist should be an error Nick Alcock
2024-04-26 20:20 ` [PATCH 3/7] libctf: ctf_archive_iter: fix tiny leak Nick Alcock
2024-04-26 20:20 ` [PATCH 4/7] libctf: test: add lookup_link Nick Alcock
2024-04-26 20:20 ` [PATCH 5/7] libctf: test: add host Nick Alcock
2024-04-26 20:20 ` [PATCH 6/7] libctf: test: add wrapper Nick Alcock
2024-04-26 20:20 ` Nick Alcock [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240426202023.423064-8-nick.alcock@oracle.com \
--to=nick.alcock@oracle.com \
--cc=binutils@sourceware.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).