From: "msebor at gmail dot com"
To: glibc-bugs@sourceware.org
Subject: [Bug build/28521] New: likely benign use-after-free instances in Glibc
Date: Sun, 31 Oct 2021 19:05:46 +0000

https://sourceware.org/bugzilla/show_bug.cgi?id=28521

            Bug ID: 28521
           Summary: likely benign use-after-free instances in Glibc
           Product: glibc
           Version: unspecified
            Status: UNCONFIRMED
          Severity: normal
          Priority: P2
         Component: build
          Assignee: unassigned at sourceware dot org
          Reporter: msebor at gmail dot com
                CC: carlos at redhat dot com
  Target Milestone: ---

Testing a new GCC warning to detect uses of pointers invalidated by a deallocation call exposed a few instances in Glibc. This is to make record of these ahead of submitting the new GCC warning for review.
As best I can tell these are all true positives (using an indeterminate pointer in any expression, including but not limited to dereferencing it, is undefined), although the uses are in all likelihood benign.

localealias.c: In function ‘read_alias_file’:
localealias.c:335:56: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  335 |                               map[i].alias += new_pool - string_space;
      |                                               ~~~~~~~~~^~~~~~~~~~~~~
localealias.c:325:49: note: call to ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c:329:26: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  329 |                       if (__builtin_expect (string_space != new_pool, 0))
      |                          ^
localealias.c:325:49: note: call to ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c:335:56: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  335 |                               map[i].alias += new_pool - string_space;
      |                                               ~~~~~~~~~^~~~~~~~~~~~~
localealias.c:325:49: note: call to ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
localealias.c:329:26: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  329 |                       if (__builtin_expect (string_space != new_pool, 0))
      |                          ^
localealias.c:325:49: note: call to ‘realloc’ here
  325 |                       char *new_pool = (char *) realloc (string_space, new_size);
      |                                                 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
setenv.c: In function ‘__add_to_environ’:
setenv.c:162:10: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  162 |       if (__environ != last_environ)
      |          ^
setenv.c:154:31: note: call to ‘realloc’ here
  154 |       new_environ = (char **) realloc (last_environ,
      |                               ^~~~~~~~~~~~~~~~~~~~~
  155 |                                        (size + 2) * sizeof (char *));
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
setenv.c:162:10: warning: pointer may be used after ‘realloc’ [-Wuse-after-free=]
  162 |       if (__environ != last_environ)
      |          ^
setenv.c:154:31: note: call to ‘realloc’ here
  154 |       new_environ = (char **) realloc (last_environ,
      |                               ^~~~~~~~~~~~~~~~~~~~~
  155 |                                        (size + 2) * sizeof (char *));
      |                                        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ldconfig.c: In function ‘manual_link’:
ldconfig.c:739:6: warning: pointer ‘path’ may be used after ‘free’ [-Wuse-after-free=]
  739 |   if (path != real_path)
      |      ^
ldconfig.c:738:3: note: call to ‘free’ here
  738 |   free (path);
      |   ^~~~~~~~~~
ldconfig.c:739:6: warning: pointer ‘path’ may be used after ‘free’ [-Wuse-after-free=]
  739 |   if (path != real_path)
      |      ^
ldconfig.c:738:3: note: call to ‘free’ here
  738 |   free (path);
      |   ^~~~~~~~~~
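The localealias.c instances above read the old value of string_space after realloc has returned, once to compare it with new_pool and once to subtract it when rebasing map[i].alias. Both uses are undefined even though they only do pointer arithmetic. The following is an added illustration, not code from the bug report or from glibc, of the pattern that avoids the warning entirely: the pool records each entry as an offset from the start of the block instead of a raw pointer, so a relocating realloc needs no comparison against, and no subtraction of, the invalidated pointer. The names (struct strpool, strpool_add, strpool_get and friends) are invented for this example.

```c
/* Added example, not glibc code: a growable string pool whose entries
   are stored as offsets, so nothing ever reads a pointer into the old
   block after realloc.  All names here are made up for the example. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct strpool {
  char *base;        /* current block; realloc may move it */
  size_t used, cap;  /* bytes used / allocated in base */
  size_t *off;       /* offset of each entry within base */
  size_t n, ncap;    /* entry count / capacity of off[] */
};

/* Ensure at least `need` spare bytes.  Only the pointer returned by
   realloc is kept; the previous value of p->base is never compared
   with it or subtracted from it after the call. */
static int strpool_reserve(struct strpool *p, size_t need)
{
  if (p->cap - p->used >= need)
    return 0;
  size_t ncap = p->cap ? p->cap : 16;
  while (ncap - p->used < need)
    ncap *= 2;
  char *nb = realloc(p->base, ncap);
  if (nb == NULL)
    return -1;                /* old block is still valid on failure */
  p->base = nb;               /* no "if (nb != old) rebase" pass needed */
  p->cap = ncap;
  return 0;
}

/* Copy s into the pool and return its entry index, or -1 on failure. */
static long strpool_add(struct strpool *p, const char *s)
{
  size_t len = strlen(s) + 1;
  if (strpool_reserve(p, len) != 0)
    return -1;
  if (p->n == p->ncap) {
    size_t ncap = p->ncap ? p->ncap * 2 : 8;
    size_t *no = realloc(p->off, ncap * sizeof *no);
    if (no == NULL)
      return -1;
    p->off = no;
    p->ncap = ncap;
  }
  memcpy(p->base + p->used, s, len);
  p->off[p->n] = p->used;     /* an offset survives any relocation */
  p->used += len;
  return (long)p->n++;
}

/* Entry pointers are derived from the live base on every access. */
static const char *strpool_get(const struct strpool *p, size_t i)
{
  return i < p->n ? p->base + p->off[i] : NULL;
}

static void strpool_free(struct strpool *p)
{
  free(p->base);
  free(p->off);
  memset(p, 0, sizeof *p);
}

/* Self-check: insert enough constructed strings to force several
   reallocations, then verify every earlier entry still reads back.
   Returns 1 on success, 0 on any mismatch. */
static int strpool_selfcheck(void)
{
  struct strpool p = {0};
  char buf[32];
  int ok = 1;
  for (int i = 0; i < 200; i++) {
    snprintf(buf, sizeof buf, "entry-%03d-padding-padding", i);
    if (strpool_add(&p, buf) != i)
      ok = 0;
  }
  for (int i = 0; ok && i < 200; i++) {
    snprintf(buf, sizeof buf, "entry-%03d-padding-padding", i);
    if (strcmp(strpool_get(&p, (size_t)i), buf) != 0)
      ok = 0;
  }
  strpool_free(&p);
  return ok;
}

int main(void)
{
  printf("%s\n", strpool_selfcheck() ? "ok" : "FAIL");
  return 0;
}
```

Where an existing data structure must keep pointers rather than offsets, the same rule applies in the other direction: convert each pointer to an offset while the old block is still valid, call realloc, then rebuild the pointers from the new base. The setenv.c and ldconfig.c instances are the comparison-only form of the problem, and there the fix is simply to evaluate the `!=` before the free or realloc and keep the boolean, rather than reading the pointer afterwards.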