From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <libc-stable-return-945-listarch-libc-stable=sourceware.org@sourceware.org>
Received: (qmail 49536 invoked by alias); 16 May 2019 13:23:02 -0000
Mailing-List: contact libc-stable-help@sourceware.org; run by ezmlm
Precedence: bulk
List-Post: <mailto:libc-stable@sourceware.org>
List-Help: <mailto:libc-stable-help@sourceware.org>
List-Subscribe: <mailto:libc-stable-subscribe@sourceware.org>
List-Archive: <http://sourceware.org/ml/libc-stable/>
Sender: libc-stable-owner@sourceware.org
Received: (qmail 49440 invoked by uid 89); 16 May 2019 13:23:02 -0000
Authentication-Results: sourceware.org; auth=none
X-Virus-Checked: by ClamAV 0.100.3 on sourceware.org
X-Virus-Found: No
X-Spam-SWARE-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS autolearn=ham version=3.3.1 spammy=H*Ad:U*mark
X-Spam-Status: No, score=-26.9 required=5.0 tests=BAYES_00,GIT_PATCH_0,GIT_PATCH_1,GIT_PATCH_2,GIT_PATCH_3,SPF_HELO_PASS autolearn=ham version=3.3.1
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on sourceware.org
X-Spam-Level:
X-HELO: mx1.redhat.com
Received: from mx1.redhat.com (HELO mx1.redhat.com) (209.132.183.28) by sourceware.org (qpsmtpd/0.93/v0.84-503-g423c35a) with ESMTP; Thu, 16 May 2019 13:23:00 +0000
Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12])	(using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))	(No client certificate requested)	by mx1.redhat.com (Postfix) with ESMTPS id C6A1B83F40;	Thu, 16 May 2019 13:22:59 +0000 (UTC)
Received: from tarox.wildebeest.org (ovpn-116-166.ams2.redhat.com [10.36.116.166])	by smtp.corp.redhat.com (Postfix) with ESMTPS id 9714A60BE5;	Thu, 16 May 2019 13:22:59 +0000 (UTC)
Received: by tarox.wildebeest.org (Postfix, from userid 1000)	id 5B6F7413CC18; Thu, 16 May 2019 15:22:58 +0200 (CEST)
From: Mark Wielaard <mjw@redhat.com>
To: libc-stable@sourceware.org
Cc: Mark Wielaard <mark@klomp.org>
Subject: [2.28 COMMITTED] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [BZ#24476]
Date: Tue, 01 Jan 2019 00:00:00 -0000
Message-Id: <1558012972-11372-1-git-send-email-mjw@redhat.com>
X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.27]); Thu, 16 May 2019 13:22:59 +0000 (UTC)
X-SW-Source: 2019-05/txt/msg00010.txt.bz2

From: Mark Wielaard <mark@klomp.org>

dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once) [BZ#24476]

dlerror.c (__dlerror_main_freeres) will try to free resources which only
have been initialized when init () has been called. That function is
called when resources are needed using __libc_once (once, init) where
once is a __libc_once_define (static, once) in the dlerror.c file.
Trying to free those resources if init () hasn't been called will
produce errors under valgrind memcheck. So guard the freeing of those
resources using __libc_once_get (once) and make sure we have a valid
key. Also add a similar guard to __dlerror ().

	* dlfcn/dlerror.c (__dlerror_main_freeres): Guard using
	__libc_once_get (once) and static_bug == NULL.
	(__dlerror): Check we have a valid key, set result to static_buf
	otherwise.

Reviewed-by: Carlos O'Donell <carlos@redhat.com>
(cherry picked from commit 11b451c8868d8a2b0edc5dfd44fc58d9ee538be0)

diff --git a/NEWS b/NEWS
index 1da958d..8bad7b0 100644
--- a/NEWS
+++ b/NEWS
@@ -58,6 +58,7 @@ The following bugs are resolved with this release:
   [24097] Can't use 64-bit register for size_t in assembly codes for x32 (CVE-2019-6488)
   [24155] x32 memcmp can treat positive length as 0 (if sign bit in RDX is set) (CVE-2019-7309)
   [24161] __run_fork_handlers self-deadlocks in malloc/tst-mallocfork2
+  [24476] dlfcn: Guard __dlerror_main_freeres with __libc_once_get (once)
 
 Security related changes:
 
diff --git a/dlfcn/dlerror.c b/dlfcn/dlerror.c
index 96bf925..0673246 100644
--- a/dlfcn/dlerror.c
+++ b/dlfcn/dlerror.c
@@ -72,9 +72,16 @@ __dlerror (void)
   __libc_once (once, init);
 
   /* Get error string.  */
-  result = (struct dl_action_result *) __libc_getspecific (key);
-  if (result == NULL)
-    result = &last_result;
+  if (static_buf != NULL)
+    result = static_buf;
+  else
+    {
+      /* init () has been run and we don't use the static buffer.
+	 So we have a valid key.  */
+      result = (struct dl_action_result *) __libc_getspecific (key);
+      if (result == NULL)
+	result = &last_result;
+    }
 
   /* Test whether we already returned the string.  */
   if (result->returned != 0)
@@ -230,13 +237,19 @@ free_key_mem (void *mem)
 void
 __dlerror_main_freeres (void)
 {
-  void *mem;
   /* Free the global memory if used.  */
   check_free (&last_result);
-  /* Free the TSD memory if used.  */
-  mem = __libc_getspecific (key);
-  if (mem != NULL)
-    free_key_mem (mem);
+
+  if (__libc_once_get (once) && static_buf == NULL)
+    {
+      /* init () has been run and we don't use the static buffer.
+	 So we have a valid key.  */
+      void *mem;
+      /* Free the TSD memory if used.  */
+      mem = __libc_getspecific (key);
+      if (mem != NULL)
+	free_key_mem (mem);
+    }
 }
 
 struct dlfcn_hook *_dlfcn_hook __attribute__((nocommon));