From owner-freebsd-hackers@FreeBSD.ORG Thu Dec 20 12:19:14 2012
Return-Path:
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id B9BCB30D; Thu, 20 Dec 2012 12:19:14 +0000 (UTC) (envelope-from dim@FreeBSD.org)
Received: from tensor.andric.com (tensor.andric.com [87.251.56.140]) by mx1.freebsd.org (Postfix) with ESMTP id 6F9BC8FC0C; Thu, 20 Dec 2012 12:19:12 +0000 (UTC)
Received: from [IPv6:2001:7b8:3a7:0:d537:ea34:110c:5177] (unknown [IPv6:2001:7b8:3a7:0:d537:ea34:110c:5177]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (No client certificate requested) by tensor.andric.com (Postfix) with ESMTPSA id DD4F15C5A; Thu, 20 Dec 2012 13:19:04 +0100 (CET)
Message-ID: <50D3023B.8090407@FreeBSD.org>
Date: Thu, 20 Dec 2012 13:19:07 +0100
From: Dimitry Andric
Organization: The FreeBSD Project
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20121128 Thunderbird/18.0
MIME-Version: 1.0
To: Eitan Adler
Subject: Re: use after free in grep?
References:
In-Reply-To:
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Hackers , Gabor Kovesdan
X-BeenThere: freebsd-hackers@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: Technical Discussions relating to FreeBSD
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 20 Dec 2012 12:19:14 -0000

On 2012-12-20 08:13, Eitan Adler wrote:
> in xrealloc_impl
>
> 338         new_ptr = realloc(ptr, new_size);
> 339         if (new_ptr != NULL)
> 340         {
> 341                 hash_table_del(xmalloc_table, ptr);
>
> ^^^ isn't this a use-after-free of ptr?

Yes, realloc does not guarantee the realloc'd space will be at the same
address, so it may free ptr at its discretion.

Also, there is a memory leak if realloc() returns NULL.  This is a very
usual mistake when using realloc(). :-)

Probably, the code should do the hash_table_del() before the realloc(),
but I am not sure if hash_table_del() will already free ptr.
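The two realloc() pitfalls raised in this thread (unregistering the old pointer only after realloc() may have freed it, and losing the old block when realloc() returns NULL), shown as an added example that is not part of the mailing-list exchange or of grep's own code. The tracking table, `xrealloc_safe()`, `grow_buffer()` and the `simulate_realloc_failure` switch are constructed stand-ins for the `xmalloc_table` / `hash_table_del()` machinery quoted above, not the real grep implementation:

```c
#include <stdlib.h>
#include <string.h>
#include <stddef.h>

/* Tiny stand-in for the xmalloc_table quoted in the thread: a fixed
 * array of (address, size) pairs. Constructed for this example only;
 * it records addresses and never frees what it records. */
#define TABLE_MAX 64
static struct { void *p; size_t n; } table[TABLE_MAX];
static int table_used;

/* Set to 1 to make the next xrealloc_safe() call see a NULL from realloc()
 * without the old block being touched (simulates allocation failure). */
int simulate_realloc_failure;

int table_find(const void *p) {
    for (int i = 0; i < table_used; i++)
        if (table[i].p == p) return i;
    return -1;
}

int table_count(void) { return table_used; }

static void table_add(void *p, size_t n) {
    if (table_used < TABLE_MAX) {
        table[table_used].p = p;
        table[table_used].n = n;
        table_used++;
    }
}

/* Unregister p and return its recorded size (0 if unknown). Never frees. */
static size_t table_del(const void *p) {
    int i = table_find(p);
    if (i < 0) return 0;
    size_t n = table[i].n;
    table[i] = table[--table_used];       /* swap-remove */
    return n;
}

void *xmalloc_tracked(size_t n) {
    void *p = malloc(n);
    if (p != NULL) table_add(p, n);
    return p;
}

void xfree_tracked(void *p) {
    table_del(p);
    free(p);
}

/* Corrected ordering. The quoted code calls realloc() first and only then
 * hash_table_del(xmalloc_table, ptr). Once realloc() has moved the block,
 * ptr is a dangling value, so even hashing or comparing it is a use after
 * free, and if the table's delete routine frees what it stores, it becomes
 * a double free. Unregistering before realloc() avoids both. */
void *xrealloc_safe(void *ptr, size_t new_size) {
    size_t old_size = table_del(ptr);     /* bookkeeping only; block untouched */
    void *new_ptr;

    if (simulate_realloc_failure) {
        simulate_realloc_failure = 0;
        new_ptr = NULL;
    } else {
        new_ptr = realloc(ptr, new_size);
    }

    if (new_ptr == NULL) {
        /* realloc() failed: the old block is still valid and still the
         * caller's, so put it back in the table instead of leaking it. */
        if (ptr != NULL) table_add(ptr, old_size);
        return NULL;
    }
    table_add(new_ptr, new_size);
    return new_ptr;
}

/* Caller-side idiom for the NULL case: never assign realloc()'s result
 * straight into the only pointer you hold, or the old block is lost. */
int grow_buffer(char **buf, size_t *cap, size_t want) {
    if (want <= *cap) return 1;
    char *tmp = xrealloc_safe(*buf, want);
    if (tmp == NULL) return 0;            /* *buf still valid, still tracked */
    *buf = tmp;
    *cap = want;
    return 1;
}

int main(void) {
    size_t cap = 16;
    char *buf = xmalloc_tracked(cap);
    if (buf == NULL) return 1;
    memset(buf, 'A', cap);
    grow_buffer(&buf, &cap, 4096);
    simulate_realloc_failure = 1;
    int ok = grow_buffer(&buf, &cap, 1 << 20);   /* fails; buf untouched */
    xfree_tracked(buf);
    return ok ? 1 : 0;
}
```

The table only stores addresses, so `table_del()` on a live pointer is harmless; the ordering fix matters because the real question in the thread, whether `hash_table_del()` frees what it holds, turns a mere dangling-value use into a double free if the answer is yes.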