From: Aaron Merey
Date: Fri, 5 Sep 2025 19:27:52 +0000 (-0400)
Subject: libdw_open_elf: Avoid invalid free
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=df9bd6bdc332243d1e3072844e227cac9ec5d025;p=thirdparty%2Felfutils.git

libdw_open_elf: Avoid invalid free

If libdw_open_elf detects an invalid ELF file, it may attempt to temporarily treat it as an ELF archive in order to check if there's a valid ELF file following a header. When doing this, the elf descriptor for the invalid file is given the dummy state.ar.elf_ar_hdr.ar_name "libdwfl is faking you out".

Afterwards libdw_open_elf will call elf_end on the elf descriptor for the invalid ELF file. elf_end will attempt to free the address of the "libdwfl is faking you out" literal, causing an invalid free.

Fix this by setting the ar_name to NULL before libdw_open_elf calls elf_end on the descriptor of the invalid ELF file.

Signed-off-by: Aaron Merey
---
diff --git a/libdwfl/open.c b/libdwfl/open.c index 43b29fa9..03e66dfa 100644 --- a/libdwfl/open.c +++ b/libdwfl/open.c @@ -153,6 +153,7 @@ libdw_open_elf (int *fdp, Elf **elfp, bool close_on_fail, bool archive_ok, elf->state.ar.offset = offset - sizeof (struct ar_hdr); Elf *subelf = elf_begin (-1, elf->cmd, elf); elf->kind = ELF_K_NONE; + elf->state.ar.elf_ar_hdr.ar_name = NULL; if (unlikely (subelf == NULL)) error = DWFL_E_LIBELF; else
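Review bot: the new `elf->state.ar.elf_ar_hdr.ar_name = NULL;` line deserves a short comment in the code itself, since the reason it is needed (elf_end treats ar_name as heap memory and the string literal must never reach free) lives only in the commit message and the assignment of the fake name is outside this hunk; something like `/* elf_end would free ar_name; it points at a string literal.  */` above the line would keep the next reader from removing it as redundant. The placement is right: it sits after `elf_begin (-1, elf->cmd, elf)` has consumed the fake header and before either branch of the `subelf == NULL` check, so the descriptor is safe for elf_end whichever path runs. It would also be worth pairing this with a regression test that feeds libdwfl an invalid ELF input of the shape that triggers the fake-archive probe, so the invalid free cannot silently return under an allocator that does not abort on it.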