public inbox for glibc-bugs@sourceware.org
* [Bug build/26779] New: benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-23 17:12 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

            Bug ID: 26779
           Summary: benign use after realloc at localealias.c:329
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: build
          Assignee: unassigned at sourceware dot org
          Reporter: msebor at gmail dot com
                CC: carlos at redhat dot com
  Target Milestone: ---

Testing a GCC 11 enhancement to detect invalid uses of freed pointers exposes
the following (benign) bug in localealias.  A successful call to realloc
renders its argument indeterminate, even when it doesn't result in moving the
object.  The affected code uses the indeterminate pointer to detect whether the
call resulted in moving the object.  Converting the pointers to intptr_t and
performing the equality test on those avoids the warning.

                      char *new_pool = (char *) realloc (string_space, new_size);
                      if (new_pool == NULL)
                        goto out;

                      if (__builtin_expect (string_space != new_pool, 0))

and the warning is:

localealias.c: In function ‘read_alias_file’:
localealias.c:329:58: warning: statement uses a freed pointer [-Wuse-after-free=]
  329 |                       if (__builtin_expect (string_space != new_pool, 0))
      |                                             ~~~~~~~~~~~~~^~~~~~~~~~~
localealias.c:325:49: note: freed by ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c:329:26: warning: statement uses a freed pointer [-Wuse-after-free=]
  329 |                       if (__builtin_expect (string_space != new_pool, 0))
      |                          ^
localealias.c:325:49: note: freed by ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

-- 
You are receiving this mail because:
You are on the CC list for the bug.


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-23 21:14 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #1 from Martin Sebor <msebor at gmail dot com> ---
Another instance of the same idiom that triggers the new warning is in
setenv.c:

setenv.c: In function ‘__add_to_environ’:
setenv.c:162:10: warning: statement uses a freed pointer [-Wuse-after-free=]
  162 |       if (__environ != last_environ)
      |          ^
setenv.c:154:31: note: freed by ‘realloc’ here
  154 |       new_environ = (char **) realloc (last_environ,
      |                               ^~~~~~~~~~~~~~~~~~~~~~
  155 |                                        (size + 2) * sizeof (char *));
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The code:

      /* We allocated this space; we can extend it.  */
      new_environ = (char **) realloc (last_environ,
                                       (size + 2) * sizeof (char *));
      if (new_environ == NULL)
        {
          UNLOCK;
          return -1;
        }

      if (__environ != last_environ)
        memcpy ((char *) new_environ, (char *) __environ,
                size * sizeof (char *));


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-27 21:21 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #2 from Martin Sebor <msebor at gmail dot com> ---
Another instance is in argz-insert.c:

argz-insert.c: In function ‘__argz_insert’:
argz-insert.c:52:39: warning: dereferencing a freed pointer [-Wuse-after-free=]
   52 |         before = new_argz + (before - *argz);
      |                                       ^~~~~
argz-insert.c:48:22: note: freed by ‘realloc’ here
   48 |     char *new_argz = realloc (*argz, new_argz_len);
      |                      ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The code is straightforward: the value of *argz after a successful call to
realloc with it as an argument is (strictly speaking) indeterminate.

    char *new_argz = realloc (*argz, new_argz_len);

    if (new_argz)
      {
        before = new_argz + (before - *argz);

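The idiom flagged in the bug report and in comments #1 and #2 (compare or subtract the pre-realloc pointer after the call returns) rewritten so that no pointer into the old block is read once realloc has succeeded. This is an added C example, not glibc code; the names strpool, strpool_grow, strpool_add and strpool_demo and the sample locale names are invented for it.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#define MAX_ALIAS 16
/* String pool plus pointers into it, like string_space/map[] in localealias.c. */
struct strpool {
    char *space;                  /* may move when grown */
    const char *alias[MAX_ALIAS]; /* pointers into space */
    size_t used, cap, n;
};

/* Grow space to new_cap and rebase the aliases without reading any pointer
   into the old block after realloc. Returns -1 (pool untouched) on failure. */
static int strpool_grow(struct strpool *p, size_t new_cap)
{
    size_t off[MAX_ALIAS];
    for (size_t i = 0; i < p->n; i++)   /* offsets stay valid across realloc */
        off[i] = (size_t) (p->alias[i] - p->space);
    uintptr_t old_base = (uintptr_t) p->space; /* integer copy of the base */
    char *new_space = realloc(p->space, new_cap);
    if (new_space == NULL)
        return -1;                      /* p->space is still valid here */
    /* "Did it move?" asked of the integer saved before the call, not of the freed pointer. */
    if ((uintptr_t) new_space != old_base)
        for (size_t i = 0; i < p->n; i++)
            p->alias[i] = new_space + off[i];
    p->space = new_space;
    p->cap = new_cap;
    return 0;
}

/* Copy s into the pool and record an alias to it; 0 on success, -1 on error. */
static int strpool_add(struct strpool *p, const char *s)
{
    size_t len = strlen(s) + 1;
    if (p->n == MAX_ALIAS) return -1;
    if (p->used + len > p->cap) {
        size_t want = p->cap ? p->cap : 8;
        while (want < p->used + len) want *= 2;
        if (strpool_grow(p, want) != 0) return -1;
    }
    memcpy(p->space + p->used, s, len);
    p->alias[p->n++] = p->space + p->used;
    p->used += len;
    return 0;
}

/* Fill a pool with constructed locale names (forcing three grows) and return
   how many aliases no longer name their string; -1 if an add fails. */
static int strpool_demo(void)
{
    static const char *const names[] =
        { "C", "POSIX", "en_US.UTF-8", "de_DE.ISO-8859-1", "fr_FR@euro" };
    struct strpool p = { 0 };
    int bad = 0;
    for (size_t i = 0; i < 5; i++)
        if (strpool_add(&p, names[i]) != 0) return -1;
    for (size_t i = 0; i < p.n; i++)
        bad += strcmp(p.alias[i], names[i]) != 0;
    free(p.space);
    return bad;
}
```

Compiled with GCC 12 at -Wuse-after-free=3 this version produces no diagnostic, because the only values used after the call are the integer base and the offsets captured before it.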

* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2020-10-27 21:41 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #3 from Martin Sebor <msebor at gmail dot com> ---
And another one:

wordexp.c:1812:27: warning: statement uses a freed pointer [-Wuse-after-free=]
 1812 |           if (!colon_seen && value)
      |                           ^~
wordexp.c: In function ‘parse_dollars’:
wordexp.c:1810:13: note: freed by ‘free’ here
 1810 |             free (value);
      |             ^~~~~~~~~~~~

in this code:

          if (free_value)
            free (value);

          if (!colon_seen && value)
            /* Substitute NULL */
            goto success;


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-12 17:16 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #4 from Martin Sebor <msebor at gmail dot com> ---
*** Bug 28521 has been marked as a duplicate of this bug. ***


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-12 17:20 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #5 from Martin Sebor <msebor at gmail dot com> ---
The -Wuse-after-free patch was just approved for GCC 12.  I'm retesting it and
barring serious problems I plan to commit it over the weekend or early next
week.

For reference, the instances of the warning I see with the top of GCC and Glibc
trunks are:

-Wuse-after-free Instances:
  ldconfig.c:739
  localealias.c:329
  localealias.c:335
  setenv.c:162
  ../sysdeps/wordsize-64/../../io/ftw.c:330


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-14  0:28 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #6 from Martin Sebor <msebor at gmail dot com> ---
Created attachment 13906
  --> https://sourceware.org/bugzilla/attachment.cgi?id=13906&action=edit
Patch to suppress all -Wuse-after-free instances.

The attached patch suppresses all instances of the warning at the strictest
setting (-Wuse-after-free=3), which includes even uses in equality expressions.
The default setting approved for GCC 12 is -Wuse-after-free=2, which doesn't
warn on such uses to accommodate the pointer-adjustment-after-realloc idiom.
At the default setting, the changes to ldconfig.c and setenv are not necessary.


* [Bug build/26779] benign use after realloc at localealias.c:329
From: msebor at gmail dot com @ 2022-01-26 17:43 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

Martin Sebor <msebor at gmail dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED                 |RESOLVED
         Resolution|---                         |FIXED

--- Comment #7 from Martin Sebor <msebor at gmail dot com> ---
Fixed by the changes below:

https://sourceware.org/pipermail/glibc-cvs/2022q1/076319.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076320.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076321.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076322.html
https://sourceware.org/pipermail/glibc-cvs/2022q1/076324.html


* [Bug build/26779] benign use after realloc at localealias.c:329
From: carlos at redhat dot com @ 2022-01-26 20:24 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

Carlos O'Donell <carlos at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Target Milestone|---                         |2.35


* [Bug build/26779] benign use after realloc at localealias.c:329
From: vvinayag at arm dot com @ 2022-02-09 14:05 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

vvinayag at arm dot com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vvinayag at arm dot com

--- Comment #8 from vvinayag at arm dot com ---
(In reply to Martin Sebor from comment #7)
> Fixed by the changes below:
> 
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076319.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076320.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076321.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076322.html
> https://sourceware.org/pipermail/glibc-cvs/2022q1/076324.html

Hi,

I am still seeing this error when building on aarch64-none-linux-gnu with
bootstrapping glibc. 
Build = Host = Target = aarch64-none-linux-gnu
or
Build = Host = Target = arm-none-linux-gnueabihf



localealias.c: In function 'read_alias_file':
localealias.c:335:56: error: pointer may be used after 'realloc' [-Werror=use-after-free]
  335 |                               map[i].alias += new_pool - string_space;
      |                                               ~~~~~~~~~^~~~~~~~~~~~~~
localealias.c:325:49: note: call to 'realloc' here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c: In function 'read_alias_file':
localealias.c:335:56: error: pointer may be used after 'realloc' [-Werror=use-after-free]
  335 |                               map[i].alias += new_pool - string_space;
      |                                               ~~~~~~~~~^~~~~~~~~~~~~~
localealias.c:325:49: note: call to 'realloc' here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors


* [Bug build/26779] benign use after realloc at localealias.c:329
From: schwab@linux-m68k.org @ 2022-02-09 14:59 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #9 from Andreas Schwab <schwab@linux-m68k.org> ---
Did you update your sources?


* [Bug build/26779] benign use after realloc at localealias.c:329
From: vvinayag at arm dot com @ 2022-02-09 16:13 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

--- Comment #10 from vvinayag at arm dot com ---
(In reply to Andreas Schwab from comment #9)
> Did you update your sources?

You are right, and thank you.
The build is not using the latest glibc sources due to a different issue.
Sorry about the false alarm.


* [Bug build/26779] benign use after realloc at localealias.c:329
From: fweimer at redhat dot com @ 2024-01-11  9:33 UTC (permalink / raw)
  To: glibc-bugs

https://sourceware.org/bugzilla/show_bug.cgi?id=26779

Florian Weimer <fweimer at redhat dot com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |danglin at gcc dot gnu.org

--- Comment #11 from Florian Weimer <fweimer at redhat dot com> ---
*** Bug 29634 has been marked as a duplicate of this bug. ***

