From: "fweimer at redhat dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug dynamic-link/26076] New: dlclose crashes when cleaning up an empty namespace after dlmopen failure
Date: Wed, 03 Jun 2020 11:43:53 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=26076

            Bug ID: 26076
           Summary: dlclose crashes when cleaning up an empty namespace
                    after dlmopen failure
           Product: glibc
           Version: unspecified
            Status: NEW
          Severity: minor
          Priority: P2
         Component: dynamic-link
          Assignee: unassigned at sourceware dot org
          Reporter: fweimer at redhat dot com
  Target Milestone: ---
             Flags: security-

If nothing has been loaded, ns->_ns_loaded is NULL and head->l_auditing
attempts to dereference a NULL pointer:

#ifdef SHARED
  /* Auditing checkpoint: we have deleted all objects.  */
  if (__glibc_unlikely (do_audit))
    {
      struct link_map *head = ns->_ns_loaded;
      /* Do not call the functions for any auditing object.  */
      if (head->l_auditing == 0)
        {
          struct audit_ifaces *afct = GLRO(dl_audit);
          for (unsigned int cnt = 0; cnt < GLRO(dl_naudit); ++cnt)
            {
              if (afct->activity != NULL)
                {
                  struct auditstate *state = link_map_audit_state (head, cnt);
                  afct->activity (&state->cookie, LA_ACT_CONSISTENT);
                }
              afct = afct->next;
            }
        }
    }
#endif
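
One way to guard the checkpoint quoted in the report, as an added example that is not from the report or from glibc: a reduced model in which the empty-namespace case is tested before l_auditing is read. The model_* types, notify_consistent, demo and the sample maps are hypothetical stand-ins for glibc internals, and the per-auditor cookie is simplified to one field on the map.

```c
#include <stddef.h>
/* Stand-ins for glibc internals; names and layout are assumptions.  */
struct model_link_map { int l_auditing; unsigned long cookie; };
struct model_namespace { struct model_link_map *ns_loaded; }; /* NULL if empty */
struct model_auditor
{
  void (*activity) (unsigned long *cookie, int flag);
  struct model_auditor *next;
};
enum { MODEL_ACT_CONSISTENT = 0 };  /* stand-in for LA_ACT_CONSISTENT */

unsigned int activity_calls;        /* constructed counter for the demo */
static void
count_activity (unsigned long *cookie, int flag)
{ (void) cookie; (void) flag; ++activity_calls; }

/* Guarded checkpoint: returns the number of auditors notified.  */
unsigned int
notify_consistent (struct model_namespace *ns, struct model_auditor *afct,
                   unsigned int naudit)
{
  struct model_link_map *head = ns->ns_loaded;
  unsigned int notified = 0;
  /* Empty namespace: no head map, so nothing to dereference or report.
     The audit-object test is only reached when head is non-NULL.  */
  if (head == NULL || head->l_auditing != 0)
    return 0;
  for (unsigned int cnt = 0; cnt < naudit && afct != NULL; ++cnt)
    {
      if (afct->activity != NULL)
        {
          afct->activity (&head->cookie, MODEL_ACT_CONSISTENT);
          ++notified;
        }
      afct = afct->next;
    }
  return notified;
}

/* Constructed inputs: one ordinary object and one audit object.  */
struct model_link_map normal_map = { 0, 0 }, audit_map = { 1, 0 };
/* Run the checkpoint with two auditors, the first lacking an activity hook.  */
unsigned int demo (struct model_link_map *head)
{
  struct model_auditor second = { count_activity, NULL };
  struct model_auditor first = { NULL, &second };
  struct model_namespace ns = { head };
  return notify_consistent (&ns, &first, 2);
}

int main (void) { return demo (NULL) == 0 && demo (&normal_map) == 1 ? 0 : 1; }
```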