From: Harald Servat
To: Eitan Adler
Cc: FreeBSD Hackers, Gabor Kovesdan
Date: Thu, 20 Dec 2012 10:34:18 +0100
Subject: Re: use after free in grep?

Hello Eitan,

ptr is not changed in realloc (although its allocated memory region is freed). Is it possible that hash_table_del only takes the value of ptr and removes such an entry from the hash table? While *ptr is not accessed, that should be fine, shouldn't it?

Regards.

2012/12/20 Eitan Adler

> Hey,
>
> in xrealloc_impl
>
>     338 new_ptr = realloc(ptr, new_size);
>     339 if (new_ptr != NULL)
>     340 {
>     341 hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?
>
> §7.22.3.5.2 says that ptr is deallocated after the call to realloc.
>
>     342 hash_table_add(xmalloc_table, new_ptr, (int)new_size, file, line, func);
>     343 }
>
> --
> Eitan Adler

--
Fry: You can see how I lived before I met you.
Bender: You lived before you met me?!
Fry: Yeah, lots of people did.
Bender: Really?!
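The reordering a reviewer would ask for, added here as an example rather than code from grep or from either poster: the wrapper removes the tracking record before calling realloc, so the old pointer value is never consulted after the block may have been freed (C11 6.2.4 makes even the value of a pointer indeterminate once its object's lifetime ends), and puts the record back if realloc fails. The table layout and the names track_*, xrealloc_tracked, xfree_tracked and demo are assumptions.

```c
#include <stdlib.h>

/* Minimal tracking table standing in for grep's xmalloc_table in the thread
   (hypothetical layout, not the grep implementation). */
#define TRACK_SLOTS 64
static struct { void *ptr; size_t size; } track[TRACK_SLOTS];
static void track_add(void *p, size_t size) {
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (track[i].ptr == NULL) { track[i].ptr = p; track[i].size = size; return; }
}
/* Drop the record for p; returns its recorded size, or 0 if it was untracked. */
static size_t track_del(void *p) {
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (track[i].ptr == p) { size_t s = track[i].size; track[i].ptr = NULL; return s; }
    return 0;
}
size_t track_lookup(const void *p) {
    for (int i = 0; i < TRACK_SLOTS; i++)
        if (track[i].ptr == p) return track[i].size;
    return 0;
}
size_t track_live(void) {            /* number of blocks currently recorded */
    size_t n = 0;
    for (int i = 0; i < TRACK_SLOTS; i++) n += (track[i].ptr != NULL);
    return n;
}

/* Untrack BEFORE realloc: once it succeeds even the value of ptr is indeterminate
   (C11 6.2.4) and must not be consulted; on failure the old block stays live. */
void *xrealloc_tracked(void *ptr, size_t new_size) {
    size_t old_size = (ptr != NULL) ? track_del(ptr) : 0;
    void *new_ptr = realloc(ptr, new_size);     /* realloc(NULL, n) == malloc(n) */
    if (new_ptr == NULL) {
        if (ptr != NULL) track_add(ptr, old_size);  /* ptr is still valid here */
        return NULL;
    }
    track_add(new_ptr, new_size);
    return new_ptr;
}
void xfree_tracked(void *ptr) { if (ptr != NULL) { track_del(ptr); free(ptr); } }

/* Exercise the wrapper; returns 0 on success, else the number of the failed step. */
int demo(void) {
    void *p = xrealloc_tracked(NULL, 16);
    if (p == NULL || track_lookup(p) != 16) return 1;
    p = xrealloc_tracked(p, 4096);
    if (p == NULL || track_lookup(p) != 4096 || track_live() != 1) return 2;
    xfree_tracked(p);
    return track_live() == 0 ? 0 : 3;
}
```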