From: Jessica Clarke
Date: Tue, 12 Jul 2022 16:48:45 GMT
Message-Id: <202207121648.26CGmjmr097856@gitrepo.freebsd.org>
To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org
Subject: git: becd9908beb8 - main - rtld-elf: Fix leaks and wild frees in origin_subst
List-Id: Commit messages for the main branch of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-main

The branch main has been updated by jrtc27:

URL:
https://cgit.FreeBSD.org/src/commit/?id=becd9908beb8f1b47ddc6628cb005185a26ec85c

commit becd9908beb8f1b47ddc6628cb005185a26ec85c
Author:     Jessica Clarke
AuthorDate: 2022-07-12 16:47:47 +0000
Commit:     Jessica Clarke
CommitDate: 2022-07-12 16:47:47 +0000

    rtld-elf: Fix leaks and wild frees in origin_subst

    55abf23dd36b inverted the value passed to origin_subst_one when rolling
    up the existing code into a loop. If the first token is found ($ORIGIN),
    this results in a wild free of part of strtab. Processing the second
    token works fine and will act how the first should have regardless of
    whether found, allocating memory for the string without freeing.
    Processing subsequent tokens however will then leak, regardless of
    whether found, as they will also believe they need to allocate memory
    and can't free the string.

    Found by:       CHERI
    Reviewed by:    kib, markj
    Fixes:          55abf23dd36b ("rtld: make token substitution table-driven")
    MFC after:      3 days
    Differential Revision:  https://reviews.freebsd.org/D35792

--- libexec/rtld-elf/rtld.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index aa5400d29fc2..7828bf413a7a 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -1222,7 +1222,7 @@ origin_subst(Obj_Entry *obj, const char *real) res = __DECONST(char *, real); for (i = 0; i < (int)nitems(tokens); i++) { res = origin_subst_one(tokens[i].pass_obj ? obj : NULL, - res, tokens[i].kw, tokens[i].subst, i == 0); + res, tokens[i].kw, tokens[i].subst, i != 0); } return (res); }
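
Review bot: At the `origin_subst_one(...)` call in `origin_subst`, the last argument `i != 0` expresses an ownership rule only through the loop index, with nothing at the call site saying why the first iteration is special. On that iteration `res` is still `__DECONST(char *, real)`, the caller's string, while on later iterations it is whatever the previous call returned. The commit message attributes both the wild free and the leaks to this one expression having been inverted, so a short comment on the call, or a named local for the flag, stating that the initial `res` aliases `real` and must not be freed would make the invariant harder to break in a later refactor. The diffstat shows only rtld.c changing; a regression test that loads an object whose path contains `$ORIGIN`, run under an allocator checker, would catch a repeat.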