Fix invalid memory access in do_lookup_x.

[BZ #13579] Do not free l_initfini and allow it to be reused
on subsequent dl_open calls for the same library. This fixes
the invalid memory access in do_lookup_x when the previously
free'd l_initfini was accessed through l_searchlist when a
library had been opened for the second time.

(cherry picked from commit 0479b305c5b7c8e3fa8e3002982cf8cac02b842e)

diff --git a/ChangeLog b/ChangeLog
index 9654d0ac4aeb2103f312d58d26ec342e631a517e..82d343df4dfc7dcb6ddd84d8225a029995042f1b 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,14 @@
+2012-06-22  Andreas Schwab  <schwab@redhat.com>
+
+       [BZ #13579]
+       * include/link.h (struct link_map): Add l_free_initfini.
+       * elf/dl-deps.c (_dl_map_object_deps): Set it when assigning
+       l_initfini.
+       * elf/dl-close.c (_dl_close_worker): Don't free l_initfini.
+       * elf/rtld.c (dl_main): Clear it on all objects loaded on startup.
+       * elf/dl-libc.c (free_mem): Free l_initfini if l_free_initfini is
+       set.
+
 2012-02-24  Ulrich Drepper  <drepper@gmail.com>
 
        * stdlib/fmtmsg.c (fmtmsg): Lock around use of severity list.

diff --git a/NEWS b/NEWS
index 63cf1d15ca72b0e6a2ac3741c460305ed86a5ed8..1abe378f179140a97c7c983253bc6e38672c5674 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -11,7 +11,8 @@ Version 2.15.1
 
   411, 2547, 2548, 11261, 11365, 11494, 13583, 13618, 13731, 13732, 13733,
   13747, 13748, 13749, 13753, 13754, 13756, 13765, 13771, 13773, 13774,
-  13786, 14048, 14059, 14167, 14273, 14459, 14621, 14648, 14040, 15073
+  13786, 14048, 14059, 14167, 14273, 14284, 14459, 14621, 14648, 14040,
+  15073
 
 Version 2.15
 

diff --git a/elf/dl-close.c b/elf/dl-close.c
index 8fb55d0fbcd9cefa512a8d67c487a96546fcde0b..76af878485471d2c3fe89e8ab06b36b4e2278605 100644 (file)
--- a/elf/dl-close.c
+++ b/elf/dl-close.c
@@ -1,5 +1,5 @@
 /* Close a shared object opened by `_dl_open'.
-   Copyright (C) 1996-2007, 2009, 2010, 2011 Free Software Foundation, Inc.
+   Copyright (C) 1996-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -119,17 +119,8 @@ _dl_close_worker (struct link_map *map)
   if (map->l_direct_opencount > 0 || map->l_type != lt_loaded
       || dl_close_state != not_pending)
     {
-      if (map->l_direct_opencount == 0)
-       {
-         if (map->l_type == lt_loaded)
-           dl_close_state = rerun;
-         else if (map->l_type == lt_library)
-           {
-             struct link_map **oldp = map->l_initfini;
-             map->l_initfini = map->l_orig_initfini;
-             _dl_scope_free (oldp);
-           }
-       }
+      if (map->l_direct_opencount == 0 && map->l_type == lt_loaded)
+       dl_close_state = rerun;
 
       /* There are still references to this object.  Do nothing more.  */
       if (__builtin_expect (GLRO(dl_debug_mask) & DL_DEBUG_FILES, 0))

diff --git a/elf/dl-deps.c b/elf/dl-deps.c
index 565a339331a93cafdc278ddf19351d94369d3b9f..912c4fc7a3121c63af0e40729296019bf48b43a4 100644 (file)
--- a/elf/dl-deps.c
+++ b/elf/dl-deps.c
@@ -1,6 +1,5 @@
 /* Load the dependencies of a mapped object.
-   Copyright (C) 1996-2003, 2004, 2005, 2006, 2007, 2010, 2011
-   Free Software Foundation, Inc.
+   Copyright (C) 1996-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -489,6 +488,7 @@ _dl_map_object_deps (struct link_map *map,
                  nneeded * sizeof needed[0]);
          atomic_write_barrier ();
          l->l_initfini = l_initfini;
+         l->l_free_initfini = 1;
        }
 
       /* If we have no auxiliary objects just go on to the next map.  */
@@ -689,6 +689,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
   l_initfini[nlist] = NULL;
   atomic_write_barrier ();
   map->l_initfini = l_initfini;
+  map->l_free_initfini = 1;
   if (l_reldeps != NULL)
     {
       atomic_write_barrier ();
@@ -697,7 +698,7 @@ Filters not supported with LD_TRACE_PRELINKING"));
       _dl_scope_free (old_l_reldeps);
     }
   if (old_l_initfini != NULL)
-      map->l_orig_initfini = old_l_initfini;
+    _dl_scope_free (old_l_initfini);
 
   if (errno_reason)
     _dl_signal_error (errno_reason == -1 ? 0 : errno_reason, objname,

diff --git a/elf/dl-libc.c b/elf/dl-libc.c
index f44fa10e0e998c7d6361dcef8612ff469cd6dddd..0a1921c064237e473758adc3f053db09dda6a25e 100644 (file)
--- a/elf/dl-libc.c
+++ b/elf/dl-libc.c
@@ -1,6 +1,5 @@
 /* Handle loading and unloading shared objects for internal libc purposes.
-   Copyright (C) 1999-2002,2004-2006,2009,2010,2011
-   Free Software Foundation, Inc.
+   Copyright (C) 1999-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
    Contributed by Zack Weinberg <zack@rabi.columbia.edu>, 1999.
 
@@ -270,13 +269,13 @@ libc_freeres_fn (free_mem)
 
   for (Lmid_t ns = 0; ns < GL(dl_nns); ++ns)
     {
-      /* Remove all additional names added to the objects.  */
       for (l = GL(dl_ns)[ns]._ns_loaded; l != NULL; l = l->l_next)
        {
          struct libname_list *lnp = l->l_libname->next;
 
          l->l_libname->next = NULL;
 
+         /* Remove all additional names added to the objects.  */
          while (lnp != NULL)
            {
              struct libname_list *old = lnp;
@@ -284,6 +283,10 @@ libc_freeres_fn (free_mem)
              if (! old->dont_free)
                free (old);
            }
+
+         /* Free the initfini dependency list.  */
+         if (l->l_free_initfini)
+           free (l->l_initfini);
        }
 
       if (__builtin_expect (GL(dl_ns)[ns]._ns_global_scope_alloc, 0) != 0

diff --git a/elf/rtld.c b/elf/rtld.c
index e4e413f601b8fefabb376f76554c98859a59d114..ba4aa7423836018b3b9e31e54a66ee7aaaf079c6 100644 (file)
--- a/elf/rtld.c
+++ b/elf/rtld.c
@@ -2276,6 +2276,8 @@ ERROR: ld.so: object '%s' cannot be loaded as audit interface: %s; ignored.\n",
              lnp->dont_free = 1;
              lnp = lnp->next;
            }
+         /* Also allocated with the fake malloc().  */
+         l->l_free_initfini = 0;
 
          if (l != &GL(dl_rtld_map))
            _dl_relocate_object (l, l->l_scope, GLRO(dl_lazy) ? RTLD_LAZY : 0,

diff --git a/include/link.h b/include/link.h
index e87710464152cf5da67c56904da8ef9fc21c3202..27686a49934a210f5061b4cffe9d18b1036259ea 100644 (file)
--- a/include/link.h
+++ b/include/link.h
@@ -1,6 +1,6 @@
 /* Data structure for communication from the run-time dynamic linker for
    loaded ELF shared objects.
-   Copyright (C) 1995-2006, 2007, 2009, 2010, 2011 Free Software Foundation, Inc.
+   Copyright (C) 1995-2012 Free Software Foundation, Inc.
    This file is part of the GNU C Library.
 
    The GNU C Library is free software; you can redistribute it and/or
@@ -192,6 +192,9 @@ struct link_map
                                                 during LD_TRACE_PRELINKING=1
                                                 contains any DT_SYMBOLIC
                                                 libraries.  */
+    unsigned int l_free_initfini:1; /* Nonzero if l_initfini can be
+                                      freed, ie. not allocated with
+                                      the dummy malloc in ld.so.  */
 
     /* Collected information about own RPATH directories.  */
     struct r_search_path_struct l_rpath_dirs;
@@ -240,9 +243,6 @@ struct link_map
 
     /* List of object in order of the init and fini calls.  */
     struct link_map **l_initfini;
-    /* The init and fini list generated at startup, saved when the
-       object is also loaded dynamically.  */
-    struct link_map **l_orig_initfini;
 
     /* List of the dependencies introduced through symbol binding.  */
     struct link_map_reldeps