From owner-freebsd-hackers@FreeBSD.ORG  Thu Dec 20 07:13:38 2012
Return-Path: <owner-freebsd-hackers@FreeBSD.ORG>
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
 by hub.freebsd.org (Postfix) with ESMTP id D1D448AB
 for <freebsd-hackers@freebsd.org>; Thu, 20 Dec 2012 07:13:38 +0000 (UTC)
 (envelope-from lists@eitanadler.com)
Received: from mail-la0-f45.google.com (mail-la0-f45.google.com
 [209.85.215.45])
 by mx1.freebsd.org (Postfix) with ESMTP id 44BDE8FC0C
 for <freebsd-hackers@freebsd.org>; Thu, 20 Dec 2012 07:13:37 +0000 (UTC)
Received: by mail-la0-f45.google.com with SMTP id p9so2380896laa.4
 for <freebsd-hackers@freebsd.org>; Wed, 19 Dec 2012 23:13:31 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=eitanadler.com; s=0xdeadbeef;
 h=mime-version:from:date:message-id:subject:to:cc:content-type
 :content-transfer-encoding;
 bh=9wNkIED45gPxngVEdCkNqAyI4hMeyyeqTleJzOJ6vnQ=;
 b=JjBnEdM3NKofpOQdWmmCE6fRqDKf1no57M8Bkod1VIx52aJOA8bTjPl4t4z6J9Xu3B
 mufyskv1tkQsY+Xpyb+PKoj1wjwzr4R6SkvDw/SPH8Gg5kwsw116szSc2P8OkqQ8aERa
 uiSQPpbZxwzd/S+6n2joQs5PMHFwouPpoLlUk=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
 d=google.com; s=20120113;
 h=mime-version:from:date:message-id:subject:to:cc:content-type
 :content-transfer-encoding:x-gm-message-state;
 bh=9wNkIED45gPxngVEdCkNqAyI4hMeyyeqTleJzOJ6vnQ=;
 b=a4TDpwGaz87i1e5FIRikWg2zDbfB8KrkgK9bnbGj/dQ5jcUcHFjeFDOE5urlmQCXA+
 tvF/HCsIU+CTetn6lixKCHrp5hGe+6osIRS/G2/WDIev/xNgbOVoEJdynR9ERRwcIWx1
 ffNxzOz77trd9pwAD1dDHdQrbRYPJnzYyd5ukW+dHuiPnKd+Cmjwe2TQ6Ork/TR/yean
 kHUop9E+5fz+imRkkyzwmXRrbkir5RLqlMzUJrRj+83pdMDwo4zuhc/UQ/a6pN1VLtFx
 4ng8gIzsLHqoRI8fHCLcUWJ0C0DVQz2pTPI8noQObZOp1vSTG2PPs8440tOJg9lqc6bn
 r1mg==
Received: by 10.112.46.199 with SMTP id x7mr3394944lbm.109.1355987611175; Wed,
 19 Dec 2012 23:13:31 -0800 (PST)
MIME-Version: 1.0
Received: by 10.112.162.100 with HTTP; Wed, 19 Dec 2012 23:13:01 -0800 (PST)
From: Eitan Adler <lists@eitanadler.com>
Date: Thu, 20 Dec 2012 02:13:01 -0500
Message-ID: <CAF6rxg=Ni2Kcgdw2XrSVtU1f9eHaFt1-oBTNv8pm8An52x13nQ@mail.gmail.com>
Subject: use after free in grep?
To: Gabor Kovesdan <gabor@freebsd.org>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
X-Gm-Message-State: ALoCoQmjvZ08ItuJ78wKXNxLdoeoNeXsU0sPJXFuZ8Bko/0hJuU3oVW5oy7ZYH50Kz2Gk2dpjcsA
Cc: FreeBSD Hackers <freebsd-hackers@freebsd.org>
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
 <freebsd-hackers.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-hackers>, 
 <mailto:freebsd-hackers-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-hackers>
List-Post: <mailto:freebsd-hackers@freebsd.org>
List-Help: <mailto:freebsd-hackers-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-hackers>,
 <mailto:freebsd-hackers-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Dec 2012 07:13:38 -0000

Hey,

in xrealloc_impl

338   new_ptr =3D realloc(ptr, new_size);
339   if (new_ptr !=3D NULL)
340     {
341       hash_table_del(xmalloc_table, ptr);

^^^ isn't this a use-after-free of ptr?

=C2=A77.22.3.5.2 says that ptr is deallocated after the call to realloc.

342       hash_table_add(xmalloc_table, new_ptr, (int)new_size, file,
line, func);
343     }



--=20
Eitan Adler