public inbox for glibc-bugs@sourceware.org
* [Bug build/26779] New: benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-23 17:12 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
Bug ID: 26779
Summary: benign use after realloc at localealias.c:329
Product: glibc
Version: unspecified
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: build
Assignee: unassigned at sourceware dot org
Reporter: msebor at gmail dot com
CC: carlos at redhat dot com
Target Milestone: ---
Testing a GCC 11 enhancement to detect invalid uses of freed pointers exposes
the following (benign) bug in localealias. A successful call to realloc
renders its argument indeterminate, even when it doesn't result in moving the
object. The affected code uses the indeterminate pointer to detect whether the
call resulted in moving the object. Converting the pointers to intptr_t and
performing the equality test on those avoids the warning.
      char *new_pool = (char *) realloc (string_space, new_size);
      if (new_pool == NULL)
        goto out;

      if (__builtin_expect (string_space != new_pool, 0))

and the warning is:

localealias.c: In function ‘read_alias_file’:
localealias.c:329:58: warning: statement uses a freed pointer [-Wuse-after-free=]
  329 |               if (__builtin_expect (string_space != new_pool, 0))
      |                                                  ~~~~~~~~~~~~~^~~~~~~~~~~
localealias.c:325:49: note: freed by ‘realloc’ here
  325 |               char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c:329:26: warning: statement uses a freed pointer [-Wuse-after-free=]
  329 |               if (__builtin_expect (string_space != new_pool, 0))
      |                                                  ^
localealias.c:325:49: note: freed by ‘realloc’ here
  325 |               char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
--
You are receiving this mail because:
You are on the CC list for the bug.
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-23 21:14 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #1 from Martin Sebor <msebor at gmail dot com> ---
Another instance of the same idiom that triggers the new warning is in
setenv.c:
setenv.c: In function ‘__add_to_environ’:
setenv.c:162:10: warning: statement uses a freed pointer [-Wuse-after-free=]
162 | if (__environ != last_environ)
| ^
setenv.c:154:31: note: freed by ‘realloc’ here
154 | new_environ = (char **) realloc (last_environ,
| ^~~~~~~~~~~~~~~~~~~~~~
155 | (size + 2) * sizeof (char *));
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The code:
/* We allocated this space; we can extend it. */
new_environ = (char **) realloc (last_environ,
(size + 2) * sizeof (char *));
if (new_environ == NULL)
{
UNLOCK;
return -1;
}
if (__environ != last_environ)
memcpy ((char *) new_environ, (char *) __environ,
size * sizeof (char *));
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-27 21:21 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #2 from Martin Sebor <msebor at gmail dot com> ---
Another instance is in argz-insert.c:
argz-insert.c: In function ‘__argz_insert’:
argz-insert.c:52:39: warning: dereferencing a freed pointer [-Wuse-after-free=]
52 | before = new_argz + (before - *argz);
| ^~~~~
argz-insert.c:48:22: note: freed by ‘realloc’ here
48 | char *new_argz = realloc (*argz, new_argz_len);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The code is straightforward: the value of *argz after a successful call to
realloc with it as an argument is (strictly speaking) indeterminate.
char *new_argz = realloc (*argz, new_argz_len);
if (new_argz)
{
before = new_argz + (before - *argz);
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-27 21:41 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #3 from Martin Sebor <msebor at gmail dot com> ---
And another one:
wordexp.c:1812:27: warning: statement uses a freed pointer [-Wuse-after-free=]
1812 | if (!colon_seen && value)
| ^~
wordexp.c: In function ‘parse_dollars’:
wordexp.c:1810:13: note: freed by ‘free’ here
1810 | free (value);
| ^~~~~~~~~~~~
in this code:
if (free_value)
free (value);
if (!colon_seen && value)
/* Substitute NULL */
goto success;
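The three idioms reported so far (the moved-or-not test in localealias.c, the interior-pointer re-basing in argz-insert.c, and the free-then-test in wordexp.c) share one root cause: once realloc succeeds, or free is called, the value of the pointer that was passed in is indeterminate, even if it is never dereferenced. The only thing the C standard lets you carry across the call is information recorded before it, such as an integer copy of the address or byte offsets. The following is an added example and not glibc code or the patch discussed in this thread; the struct pool, pool_grow, pool_add, pool_free and substitute_null names are this example's own, modelled loosely on the alias map in localealias.c. It records everything it needs as integers or offsets before the call, which is the strictly conforming form and stays quiet even at the strictest warning level.

```c
/* Added example, not glibc code: the realloc/free idioms from this thread
   written so that no value derived from a freed block is used afterwards.  */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ENTRIES 8

/* A growable string pool with interior pointers into it (hypothetical
   structure, loosely modelled on the alias map in localealias.c).  */
struct pool {
  char *space;               /* backing storage, owned by the pool */
  size_t size;               /* bytes allocated */
  size_t used;               /* bytes in use */
  char *entry[MAX_ENTRIES];  /* interior pointers into 'space' */
  size_t nentries;
};

/* Grow the pool to 'new_size' bytes.  Returns 1 if the block moved, 0 if it
   did not, -1 on allocation failure (old block and entries stay valid).  */
int pool_grow(struct pool *p, size_t new_size)
{
  /* Offsets survive a realloc; pointers into the old block do not.  */
  size_t off[MAX_ENTRIES];
  for (size_t i = 0; i < p->nentries; i++)
    off[i] = (size_t)(p->entry[i] - p->space);

  /* Snapshot the old address as an integer while it is still valid: this
     is the intptr_t conversion suggested in the bug report, done before
     the call rather than after it.  */
  uintptr_t old_addr = (uintptr_t)p->space;

  char *new_space = realloc(p->space, new_size);
  if (new_space == NULL)
    return -1;

  /* Compare integers, not the now-indeterminate old pointer.  Writing
     'new_space != p->space' here is what -Wuse-after-free=3 flags.  */
  int moved = (uintptr_t)new_space != old_addr;

  /* Re-base every interior pointer from its saved offset instead of the
     'before = new_argz + (before - *argz)' form from argz-insert.c.  */
  for (size_t i = 0; i < p->nentries; i++)
    p->entry[i] = new_space + off[i];

  p->space = new_space;
  p->size = new_size;
  return moved;
}

/* Append 'str' (including its NUL) to the pool, growing it as needed.
   Returns the index of the new entry, or -1 on failure.  */
int pool_add(struct pool *p, const char *str)
{
  size_t len = strlen(str) + 1;
  if (p->nentries >= MAX_ENTRIES)
    return -1;
  if (p->used + len > p->size) {
    size_t new_size = p->size ? p->size : 16;
    while (p->used + len > new_size)
      new_size *= 2;
    if (pool_grow(p, new_size) < 0)
      return -1;
  }
  char *dst = p->space + p->used;
  memcpy(dst, str, len);
  p->entry[p->nentries] = dst;
  p->used += len;
  return (int)p->nentries++;
}

void pool_free(struct pool *p)
{
  free(p->space);
  memset(p, 0, sizeof *p);
}

/* The wordexp.c pattern: decide on 'value' before freeing it, because even
   reading the pointer's value after free() is what the warning flagged.
   Returns nonzero when a NULL substitution should be made.  */
int substitute_null(char *value, int free_value, int colon_seen)
{
  int have_value = value != NULL;   /* recorded while still valid */
  if (free_value)
    free(value);
  return !colon_seen && have_value;
}

int main(void)
{
  struct pool p = {0};
  pool_add(&p, "bokmal:nb_NO.ISO-8859-1");     /* constructed sample aliases */
  pool_add(&p, "catalan:ca_ES.ISO-8859-1");    /* second add forces a realloc */
  puts(p.entry[0]);                            /* entry still valid after growth */
  pool_free(&p);
  return 0;
}
```

The two added functions behave identically to the original idioms on every real allocator; the difference is only that the compiler can now prove no freed value is read, so the code is correct under the standard rather than merely in practice.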
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-12 17:16 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #4 from Martin Sebor <msebor at gmail dot com> ---
*** Bug 28521 has been marked as a duplicate of this bug. ***
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-12 17:20 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #5 from Martin Sebor <msebor at gmail dot com> ---
The -Wuse-after-free patch was just approved for GCC 12. I'm retesting it and
barring serious problems I plan to commit it over the weekend or early next
week.
For reference, the instances of the warning I see with the top of GCC and Glibc
trunks are:
-Wuse-after-free Instances:
ldconfig.c:739
localealias.c:329
localealias.c:335
setenv.c:162
../sysdeps/wordsize-64/../../io/ftw.c:330
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-14 0:28 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #6 from Martin Sebor <msebor at gmail dot com> ---
Created attachment 13906
--> https://sourceware.org/bugzilla/attachment.cgi?id=13906&action=edit
Patch to suppress all -Wuse-after-free instances.
The attached patch suppresses all instances of the warning at the strictest
setting (-Wuse-after-free=3), which includes even uses in equality expressions.
The default setting approved for GCC 12 is -Wuse-after-free=2, which doesn't
warn on such uses to accommodate the pointer-adjustment-after-realloc idiom.
At the default setting, the changes to ldconfig.c and setenv are not necessary.
* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-26 17:43 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
Martin Sebor <msebor at gmail dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|UNCONFIRMED |RESOLVED
Resolution|--- |FIXED
--- Comment #7 from Martin Sebor <msebor at gmail dot com> ---
Fixed by the changes below:
https://sourceware.org/pipermail/glibc-cvs/2022q1/076319.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076320.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076321.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076322.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076324.html
* [Bug build/26779] benign use after realloc at localealias.c:329
From: carlos at redhat dot com @ 2022-01-26 20:24 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
Carlos O'Donell <carlos at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Target Milestone|--- |2.35
* [Bug build/26779] benign use after realloc at localealias.c:329
From: vvinayag at arm dot com @ 2022-02-09 14:05 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
vvinayag at arm dot com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |vvinayag at arm dot com
--- Comment #8 from vvinayag at arm dot com ---
(In reply to Martin Sebor from comment #7)
> Fixed by the changes below:
>
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076319.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076320.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076321.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076322.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076324.html
Hi,
I am still seeing this error when building on aarch64-none-linux-gnu with
bootstrapping glibc.
Build = Host = Target = aarch64-none-linux-gnu
or
Build = Host = Target = arm-none-linux-gnueabihf
localealias.c: In function 'read_alias_file':
localealias.c:335:56: error: pointer may be used after 'realloc' [-Werror=use-after-free]
  335 |               map[i].alias += new_pool - string_space;
      |                                        ~~~~~~~~~^~~~~~~~~~~~~~
localealias.c:325:49: note: call to 'realloc' here
  325 |               char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c: In function 'read_alias_file':
localealias.c:335:56: error: pointer may be used after 'realloc' [-Werror=use-after-free]
  335 |               map[i].alias += new_pool - string_space;
      |                                        ~~~~~~~~~^~~~~~~~~~~~~~
localealias.c:325:49: note: call to 'realloc' here
  325 |               char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
* [Bug build/26779] benign use after realloc at localealias.c:329
From: schwab@linux-m68k.org @ 2022-02-09 14:59 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #9 from Andreas Schwab <schwab@linux-m68k.org> ---
Did you update your sources?
* [Bug build/26779] benign use after realloc at localealias.c:329
From: vvinayag at arm dot com @ 2022-02-09 16:13 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
--- Comment #10 from vvinayag at arm dot com ---
(In reply to Andreas Schwab from comment #9)
> Did you update your sources?
You are right, and thank you.
The build is not using the latest glibc sources due to a different issue.
Sorry about the false alarm.
* [Bug build/26779] benign use after realloc at localealias.c:329
From: fweimer at redhat dot com @ 2024-01-11 9:33 UTC (permalink / raw)
To: glibc-bugs
https://sourceware.org/bugzilla/show_bug.cgi?id=26779
Florian Weimer <fweimer at redhat dot com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |danglin at gcc dot gnu.org
--- Comment #11 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 29634 has been marked as a duplicate of this bug. ***