public inbox for glibc-cvs@sourceware.org
From: Szabolcs Nagy <nsz@sourceware.org>
To: glibc-cvs@sourceware.org
Subject: [glibc/arm/morello/main] cheri: fix invalid pointer use after realloc in localealias
Date: Thu, 27 Oct 2022 13:56:49 +0000 (GMT)
Message-ID: <20221027135649.367C93851508@sourceware.org>

https://sourceware.org/git/gitweb.cgi?p=glibc.git;h=cf06645316e11077afbc9731693fd19e55619f59

commit cf06645316e11077afbc9731693fd19e55619f59
Author: Szabolcs Nagy <szabolcs.nagy@arm.com>
Date:   Fri Mar 18 06:55:31 2022 +0000

    cheri: fix invalid pointer use after realloc in localealias
    
    This code updates pointers to a reallocated buffer to point to the new
    buffer.  It is not conforming (does arithmetic with freed pointers),
    but it also creates invalid capabilities because the provenance is
    derived from the original freed pointers instead of the new buffer.
    
    Change the arithmetic so that provenance is derived from the new buffer.
    The conformance issue is not fixed.

Diff:
---
 intl/localealias.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/intl/localealias.c b/intl/localealias.c
index b36092363a..0401f35f9d 100644
--- a/intl/localealias.c
+++ b/intl/localealias.c
@@ -340,8 +340,10 @@ read_alias_file (const char *fname, int fname_len)
 
 			  for (i = 0; i < nmap; i++)
 			    {
-			      map[i].alias += new_pool - string_space;
-			      map[i].value += new_pool - string_space;
+			      map[i].alias = new_pool
+					     + (map[i].alias - string_space);
+			      map[i].value = new_pool
+					     + (map[i].value - string_space);
 			    }
 			}
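Review bot: The new form `new_pool + (map[i].alias - string_space)` does fix the provenance problem (on CHERI the result now inherits its bounds and permissions from `new_pool`, the live capability, rather than from `map[i].alias`, which is a pointer into the freed block), but the subtraction `map[i].alias - string_space` still performs arithmetic on two pointers into the freed buffer, which is the conformance issue the commit message explicitly leaves open. Since the loop only needs the byte offset of each alias/value within the pool, consider computing those offsets (as `size_t`, e.g. `off = map[i].alias - string_space`) before the realloc that produces `new_pool`, and rebuilding the pointers from `new_pool + off` afterwards; that removes the freed-pointer arithmetic entirely and makes the provenance of every rebuilt pointer unambiguously `new_pool`. A one-line comment above the loop stating that `string_space` is the stale pre-realloc base and is only used for offset computation would also help future readers, since the hunk itself does not show where `string_space` is later reassigned.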
