From mboxrd@z Thu Jan 1 00:00:00 1970
Received: (qmail 3740 invoked by alias); 18 Jan 2006 10:04:59 -0000
Received: (qmail 3720 invoked by uid 22791); 18 Jan 2006 10:04:58 -0000
X-Spam-Check-By: sourceware.org
Received: from sunsite.ms.mff.cuni.cz (HELO sunsite.mff.cuni.cz) (195.113.15.26) by sourceware.org (qpsmtpd/0.31) with ESMTP; Wed, 18 Jan 2006 10:04:53 +0000
Received: from sunsite.mff.cuni.cz (sunsite.mff.cuni.cz [127.0.0.1]) by sunsite.mff.cuni.cz (8.13.1/8.13.1) with ESMTP id k0IA4fbo030827; Wed, 18 Jan 2006 11:04:41 +0100
Received: (from jj@localhost) by sunsite.mff.cuni.cz (8.13.1/8.13.1/Submit) id k0IA4eMb030826; Wed, 18 Jan 2006 11:04:40 +0100
Date: Wed, 18 Jan 2006 10:04:00 -0000
From: Jakub Jelinek
To: Ulrich Drepper, Roland McGrath
Cc: Glibc hackers
Subject: [PATCH] Don't look at freed memory in dl-deps.c
Message-ID: <20060118100440.GI4625@sunsite.mff.cuni.cz>
Reply-To: Jakub Jelinek
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.4.1i
Mailing-List: contact libc-hacker-help@sourceware.org; run by ezmlm
Precedence: bulk
Sender: libc-hacker-owner@sourceware.org
X-SW-Source: 2006-01/txt/msg00076.txt.bz2

Hi!

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=178159
verified with valgrind on elf/neededtest4.
_dl_catch_error might allocate objname in the same memory block as
errstring (right after its terminating '\0'), so after
free ((char *) errstring) it shouldn't be used. But it is passed down to
_dl_signal_error.

  if (errno_reason)
    _dl_signal_error (errno_reason == -1 ? 0 : errno_reason, objname,
                      NULL, errstring);

Fixed by making a local copy, verified with valgrind.

2006-01-18  Jakub Jelinek

	* elf/dl-deps.c (_dl_map_object_deps): In case of failure also
	make a copy of objname string.

--- libc/elf/dl-deps.c.jj 2005-06-22 18:34:11.000000000 +0200 +++ libc/elf/dl-deps.c 2006-01-18 10:28:34.000000000 +0100 
@@ -247,6 +247,7 @@ _dl_map_object_deps (struct link_map *ma if (__builtin_expect (errstring != NULL, 0)) { char *new_errstring = strdupa (errstring); + objname = strdupa (objname); if (malloced) free ((char *) errstring); errstring = new_errstring; @@ -337,6 +338,7 @@ _dl_map_object_deps (struct link_map *ma if (__builtin_expect (errstring != NULL, 0)) { char *new_errstring = strdupa (errstring); + objname = strdupa (objname); if (malloced) free ((char *) errstring); errstring = new_errstring; Jakub
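
Review bot: in the first hunk (@@ -247), the added "objname = strdupa (objname);" carries no comment, and nothing in the surrounding lines shows why a string that is never freed directly needs copying. The reason is only in the mail text: objname may sit in the same block as errstring, right after its terminating '\0'. A short comment above the new line saying so would keep the copy from being removed later as redundant, and would also document that it has to stay ahead of "free ((char *) errstring);".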
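
Review bot: in the second hunk (@@ -337), "strdupa (objname)" is reached on a guard that tests only "errstring != NULL"; objname itself is not checked anywhere in the visible lines. If objname can be NULL while errstring is set, the copy dereferences NULL, so either guard it or state in a comment that the two are always set together on this path. The same applies to the identical line in the first hunk, and since both sites now repeat the same copy-then-free sequence, a shared helper or macro would keep them from drifting apart.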
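
The lifetime problem described in the mail, as an added stand-alone example (not part of the original message and not glibc code). catch_error_demo, report_error_demo and the sample strings are hypothetical, and fixed-size stack buffers stand in for strdupa:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for the failure path (not glibc's _dl_catch_error):
   message and object name share ONE heap block, with objname placed right
   after the message's terminating '\0'.  Strings are constructed samples. */
static int catch_error_demo(const char **objname, const char **errstring)
{
    static const char msg[] = "cannot open shared object file";
    static const char obj[] = "libmissing.so";
    char *block = malloc(sizeof msg + sizeof obj);

    if (block == NULL)
        return -1;
    memcpy(block, msg, sizeof msg);
    memcpy(block + sizeof msg, obj, sizeof obj);
    *errstring = block;
    *objname = block + sizeof msg;
    return 0;
}

/* Safe ordering: copy BOTH strings, then free, then use only the copies.
   *aliased is set to 1 when objname starts right after errstring's NUL.
   Returns the formatted length, or -1 on allocation failure. */
static int report_error_demo(char *out, size_t outlen, int *aliased)
{
    const char *objname, *errstring;
    char err_copy[64], obj_copy[64];

    if (catch_error_demo(&objname, &errstring) != 0)
        return -1;
    *aliased = (objname == errstring + strlen(errstring) + 1);
    snprintf(err_copy, sizeof err_copy, "%s", errstring);
    snprintf(obj_copy, sizeof obj_copy, "%s", objname);
    free((char *) errstring);  /* objname dangles from here on */
    return snprintf(out, outlen, "%s: %s", obj_copy, err_copy);
}

int main(void)
{
    char line[160];
    int aliased = 0;
    if (report_error_demo(line, sizeof line, &aliased) < 0)
        return 1;
    printf("%s (aliased=%d)\n", line, aliased);
    return 0;
}
```

Moving the obj_copy line below the free call reproduces the read of freed memory that valgrind reported.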