[glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias

[glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias

[Szabolcs Nagy]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=d0db1e8a122459e0f37b97eeca2bf399cadb043e

commit d0db1e8a122459e0f37b97eeca2bf399cadb043e
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias
    
    This code updates pointers to a reallocated buffer to point to the new
    buffer.  It is not conforming (does arithmetics with freed pointers),
    but it also creates invalid capabilities because the provenance is
    derived from the original freed pointers instead of the new buffer.
    
    Change the arithmetics so provenance is derived from the new buffer.
    The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}

[glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias

[Szabolcs Nagy]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cd345f5c03e504faca874e1da74bc966a379cedb

commit cd345f5c03e504faca874e1da74bc966a379cedb
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias
    
    This code updates pointers to a reallocated buffer to point to the new
    buffer.  It is not conforming (does arithmetics with freed pointers),
    but it also creates invalid capabilities because the provenance is
    derived from the original freed pointers instead of the new buffer.
    
    Change the arithmetics so provenance is derived from the new buffer.
    The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}

[glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias

[Szabolcs Nagy]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cf06645316e11077afbc9731693fd19e55619f59

commit cf06645316e11077afbc9731693fd19e55619f59
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias
    
    This code updates pointers to a reallocated buffer to point to the new
    buffer.  It is not conforming (does arithmetics with freed pointers),
    but it also creates invalid capabilities because the provenance is
    derived from the original freed pointers instead of the new buffer.
    
    Change the arithmetics so provenance is derived from the new buffer.
    The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}

[glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias

[Szabolcs Nagy]

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=9e285f1d642b5ea89710ef1882b89caa9fa2f6e4

commit 9e285f1d642b5ea89710ef1882b89caa9fa2f6e4
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias
    
    This code updates pointers to a reallocated buffer to point to the new
    buffer.  It is not conforming (does arithmetics with freed pointers),
    but it also creates invalid capabilities because the provenance is
    derived from the original freed pointers instead of the new buffer.
    
    Change the arithmetics so provenance is derived from the new buffer.
    The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}