public inbox for glibc-cvs@sourceware.org help / color / mirror / Atom feed
From: Tulio Magno Quites Machado Filho <tuliom@sourceware.org> To: glibc-cvs@sourceware.org Subject: [glibc/ibm/2.28/master] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [BZ#24476] Date: Thu, 27 Jun 2019 14:31:00 -0000 [thread overview] Message-ID: <20190627143129.1310.qmail@sourceware.org> (raw) https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=059d6750f923b2c3aa06c82befa430142ef10389 commit 059d6750f923b2c3aa06c82befa430142ef10389 Author: Mark Wielaard <mark@klomp.org> Date: Wed May 15 17:14:01 2019 +0200 dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [BZ#24476] dlerror.c (__dlerror_main_freeres) will try to free resources which only have been initialized when init () has been called. That function is called when resources are needed using __libc_once (once, init) where once is a __libc_once_define (static, once) in the dlerror.c file. Trying to free those resources if init () hasn't been called will produce errors under valgrind memcheck. So guard the freeing of those resources using __libc_once_get (once) and make sure we have a valid key. Also add a similar guard to __dlerror (). * dlfcn/dlerror.c (__dlerror_main_freeres): Guard using __libc_once_get (once) and static_bug == NULL. (__dlerror): Check we have a valid key, set result to static_buf otherwise. Reviewed-by: Carlos O'Donell <carlos@redhat.com> (cherry picked from commit 11b451c8868d8a2b0edc5dfd44fc58d9ee538be0) Diff: --- ChangeLog | 8 ++++++++ NEWS | 1 + dlfcn/dlerror.c | 29 +++++++++++++++++++++-------- 3 files changed, 30 insertions(+), 8 deletions(-) diff --git a/ChangeLog b/ChangeLog index ce563e0..934fd6d 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,11 @@ +2019-05-15 Mark Wielaard <mark@klomp.org> + + [BZ#24476] + * dlfcn/dlerror.c (__dlerror_main_freeres): Guard using + __libc_once_get (once) and static_buf == NULL. + (__dlerror): Check we have a valid key, set result to static_buf + otherwise. + 2019-05-15 Andreas Schwab <schwab@suse.de> [BZ #20568] diff --git a/NEWS b/NEWS index 1da958d..8bad7b0 100644 --- a/NEWS +++ b/NEWS @@ -58,6 +58,7 @@ The following bugs are resolved with this release: [24097] Can't use 64-bit register for size_t in assembly codes for x32 (CVE-2019-6488) [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309) [24161] __run_fork_handlers self-deadlocks in malloc/tst-mallocfork2 + [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) Security related changes: diff --git a/dlfcn/dlerror.c b/dlfcn/dlerror.c index 96bf925..0673246 100644 --- a/dlfcn/dlerror.c +++ b/dlfcn/dlerror.c @@ -72,9 +72,16 @@ __dlerror (void) __libc_once (once, init); /* Get error string. */ - result = (struct dl_action_result *) __libc_getspecific (key); - if (result == NULL) - result = &last_result; + if (static_buf != NULL) + result = static_buf; + else + { + /* init () has been run and we don't use the static buffer. + So we have a valid key. */ + result = (struct dl_action_result *) __libc_getspecific (key); + if (result == NULL) + result = &last_result; + } /* Test whether we already returned the string. */ if (result->returned != 0) @@ -230,13 +237,19 @@ free_key_mem (void *mem) void __dlerror_main_freeres (void) { - void *mem; /* Free the global memory if used. */ check_free (&last_result); - /* Free the TSD memory if used. */ - mem = __libc_getspecific (key); - if (mem != NULL) - free_key_mem (mem); + + if (__libc_once_get (once) && static_buf == NULL) + { + /* init () has been run and we don't use the static buffer. + So we have a valid key. */ + void *mem; + /* Free the TSD memory if used. */ + mem = __libc_getspecific (key); + if (mem != NULL) + free_key_mem (mem); + } } struct dlfcn_hook *_dlfcn_hook __attribute__((nocommon));
reply other threads:[~2019-06-27 14:31 UTC|newest] Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=20190627143129.1310.qmail@sourceware.org \ --to=tuliom@sourceware.org \ --cc=glibc-cvs@sourceware.org \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is a public inbox, see mirroring instructions for how to clone and mirror all data and code used for this inbox; as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).