Date:      Sun, 5 Feb 2017 02:44:08 +0000 (UTC)
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject:   svn commit: r313263 - head/cddl/contrib/opensolaris/lib/libdtrace/common
Message-ID:  <201702050244.v152i8QW018234@repo.freebsd.org>

Author: markj
Date: Sun Feb  5 02:44:08 2017
New Revision: 313263
URL: https://svnweb.freebsd.org/changeset/base/313263

Log:
  Fix a double free of libelf data buffers in the USDT link code.
  
  libdtrace needs to append to the input object files' string and symbol
  tables. Currently it does so by allocating larger buffers, copying the
  existing sections into them, and swapping pointers in the libelf data
  descriptors. However, it also frees those buffers when its processing is
  complete, which leads to a double free since the elftoolchain libelf
  owns them and also frees them in elf_end(3). Instead, free the buffers
  originally allocated by libelf.
  
  MFC after:	2 weeks

Modified:
  head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c

Modified: head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c
==============================================================================
--- head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c	Sun Feb  5 02:39:12 2017	(r313262)
+++ head/cddl/contrib/opensolaris/lib/libdtrace/common/dt_link.c	Sun Feb  5 02:44:08 2017	(r313263)
@@ -1205,6 +1205,7 @@ process_obj(dtrace_hdl_t *dtp, const cha
 	key_t objkey;
 	dt_link_pair_t *pair, *bufs = NULL;
 	dt_strtab_t *strtab;
+	void *tmp;
 
 	if ((fd = open64(obj, O_RDWR)) == -1) {
 		return (dt_link_error(dtp, elf, fd, bufs,
@@ -1463,7 +1464,9 @@ process_obj(dtrace_hdl_t *dtp, const cha
 			bufs = pair;
 
 			bcopy(data_str->d_buf, pair->dlp_str, data_str->d_size);
+			tmp = data_str->d_buf;
 			data_str->d_buf = pair->dlp_str;
+			pair->dlp_str = tmp;
 			data_str->d_size += len;
 			(void) elf_flagdata(data_str, ELF_C_SET, ELF_F_DIRTY);
 
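Review bot: The swap at `tmp = data_str->d_buf; … pair->dlp_str = tmp;` transfers ownership in both directions without saying so: libelf now owns the buffer libdtrace just filled and will release it in elf_end(3), while the buffer libelf originally handed out becomes libdtrace's to release in the cleanup loop. A short comment above the first `tmp =` line would stop the next reader from "fixing" what looks like a leaked pointer, e.g. `/* Hand our buffer to libelf (it frees d_buf in elf_end(3)); keep libelf's original so the cleanup loop frees that instead. */`. The same applies to the symbol-table swap in the next hunk. Declaring `tmp` as a function-scope `void *` (first hunk) works, but a block-local declaration beside each swap would keep its lifetime obvious. process_obj begins and ends outside this hunk.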
@@ -1471,7 +1474,9 @@ process_obj(dtrace_hdl_t *dtp, const cha
 			(void) gelf_update_shdr(scn_str, &shdr_str);
 
 			bcopy(data_sym->d_buf, pair->dlp_sym, data_sym->d_size);
+			tmp = data_sym->d_buf;
 			data_sym->d_buf = pair->dlp_sym;
+			pair->dlp_sym = tmp;
 			data_sym->d_size += nsym * symsize;
 			(void) elf_flagdata(data_sym, ELF_C_SET, ELF_F_DIRTY);
 
@@ -1657,9 +1662,6 @@ process_obj(dtrace_hdl_t *dtp, const cha
 	(void) elf_end(elf);
 	(void) close(fd);
 
-#ifndef illumos
-	if (nsym > 0)
-#endif
 	while ((pair = bufs) != NULL) {
 		bufs = pair->dlp_next;
 		dt_free(dtp, pair->dlp_str);
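Review bot: With the guard removed, the loop unconditionally passes pair->dlp_str to dt_free, and after the swaps in the two previous hunks that pointer is the buffer libelf originally allocated for d_buf rather than one allocated by libdtrace. That is only sound if dt_free returns memory to the same allocator libelf used — presumably plain free(3), but nothing in the hunk shows it — so the assumption deserves a comment at the loop, e.g. `/* dlp_str/dlp_sym hold libelf's original d_buf allocations; our replacements were freed by libelf in elf_end(3) above. */`. The loop body continues past the end of the hunk, so the dlp_sym release and the pair free are not visible here.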


