Date: Thu, 8 Dec 2022 11:52:53 +1030
From: Alan Modra
To: Felix Willgerodt
Cc: binutils@sourceware.org
Subject: Re: [PATCH 1/1] libctf: Fix double free in ctf_link_add_cu_mapping.

On Wed, Dec 07, 2022 at 03:11:37PM +0100, Felix Willgerodt via Binutils wrote:
> This fixes a potential double free which can occur if we jump to
> oom_noerrno after the first free.
>
> I am not very familiar with libctf, so any comments are welcome.
> I am wondering if the right solution wouldn't be to free both t and f before
> the "return 0". But I didn't fully understand the code and saw that other
> users of ctf_dynhash_insert() also don't free the key manually.

No, they can't be freed if successfully inserted into the hash table,
but "t" should indeed be freed if already inserted. I'm applying the
following fix.

* ctf-link.c (ctf_link_add_cu_mapping): Set t NULL after free.

diff --git a/libctf/ctf-link.c b/libctf/ctf-link.c index 702f2b4d5fe..902b4408cd6 100644 --- a/libctf/ctf-link.c +++ b/libctf/ctf-link.c @@ -431,7 +431,10 @@ ctf_link_add_cu_mapping (ctf_dict_t *fp, const char *from, const char *to) } } else - free (t); + { + free (t); + t = NULL; + } if (ctf_dynhash_insert (one_out, f, NULL) < 0) {

--
Alan Modra
Australia Development Lab, IBM
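
Review bot: The added "t = NULL;" in the else branch has no comment saying why it is there, and the cleanup it protects (the oom_noerrno label named in the quoted description) is outside this hunk, so the assignment looks removable to a later reader. A one-line comment such as "t is freed here; clear it so the error path does not free it again" would document the invariant. The hunk also does not show the if branch that precedes the else: if t has been inserted into a hash table there, it is worth confirming that a failure of the following ctf_dynhash_insert (one_out, f, NULL) does not reach a free of t on that path either, since the reply notes that a successfully inserted key must not be freed.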