git: becd9908beb8 - main - rtld-elf: Fix leaks and wild frees in origin_subst
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 12 Jul 2022 16:48:45 UTC
The branch main has been updated by jrtc27:
URL: https://cgit.FreeBSD.org/src/commit/?id=becd9908beb8f1b47ddc6628cb005185a26ec85c
commit becd9908beb8f1b47ddc6628cb005185a26ec85c
Author: Jessica Clarke <jrtc27@FreeBSD.org>
AuthorDate: 2022-07-12 16:47:47 +0000
Commit: Jessica Clarke <jrtc27@FreeBSD.org>
CommitDate: 2022-07-12 16:47:47 +0000
rtld-elf: Fix leaks and wild frees in origin_subst
55abf23dd36b inverted the value passed to origin_subst_one when rolling
up the existing code into a loop. If the first token is found ($ORIGIN),
this results in a wild free of part of strtab. Processing the second
token works fine and will act how the first should have regardless of
whether found, allocating memory for the string without freeing.
Processing subsequent tokens however will then leak, regardless of
whether found, as they will also believe they need to allocate memory
and can't free the string.
Found by: CHERI
Reviewed by: kib, markj
Fixes: 55abf23dd36b ("rtld: make token substitution table-driven")
MFC after: 3 days
Differential Revision: https://reviews.freebsd.org/D35792
---
libexec/rtld-elf/rtld.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c
index aa5400d29fc2..7828bf413a7a 100644
--- a/libexec/rtld-elf/rtld.c
+++ b/libexec/rtld-elf/rtld.c
@@ -1222,7 +1222,7 @@ origin_subst(Obj_Entry *obj, const char *real)
res = __DECONST(char *, real);
for (i = 0; i < (int)nitems(tokens); i++) {
res = origin_subst_one(tokens[i].pass_obj ? obj : NULL,
- res, tokens[i].kw, tokens[i].subst, i == 0);
+ res, tokens[i].kw, tokens[i].subst, i != 0);
}
return (res);
}