This is the mail archive of the
glibc-bugs@sourceware.org
mailing list for the glibc project.
[Bug libc/13579] New: do_lookup_x may access dangling memory
- From: "ppluzhnikov at google dot com" <sourceware-bugzilla at sourceware dot org>
- To: glibc-bugs at sources dot redhat dot com
- Date: Tue, 10 Jan 2012 07:41:43 +0000
- Subject: [Bug libc/13579] New: do_lookup_x may access dangling memory
- Auto-submitted: auto-generated
http://sourceware.org/bugzilla/show_bug.cgi?id=13579
Bug #: 13579
Summary: do_lookup_x may access dangling memory
Product: glibc
Version: 2.15
Status: NEW
Severity: normal
Priority: P2
Component: libc
AssignedTo: drepper.fsp@gmail.com
ReportedBy: ppluzhnikov@google.com
Classification: Unclassified
This shows up as a crash in gnucash with glibc-2.15 on Precise Pangolin.
https://bugs.launchpad.net/ubuntu/+source/eglibc/+bug/893605
Confirmed present in current glibc git trunk.
Test:
/// --- cut --- foo.c ---
int foo () { return bar (); }
/// --- cut --- bar.c ---
int bar () { return 42; }
/// --- cut --- t.c ---
#include <stdio.h>
#include <dlfcn.h>
int main ()
{
void *h = dlopen ("./foo.so", RTLD_LAZY|RTLD_GLOBAL);
void *p = dlsym (h, "bar");
printf ("h = %p, p = %p\n", h, p);
dlclose (h);
h = dlopen ("./foo.so", RTLD_LAZY|RTLD_GLOBAL);
p = dlsym (h, "bar");
printf ("h = %p, p = %p\n", h, p);
return 0;
}
gcc -fPIC -shared -o bar.so bar.c &&
gcc -fPIC -shared -o foo.so foo.c ./bar.so &&
gcc t.c ./foo.so ./bar.so -ldl
valgrind ./a.out # no errors with glibc-2.11
==16605== Copyright (C) 2002-2011, and GNU GPL'd, by Julian Seward et al.
==16605== Using Valgrind-3.8.0.SVN and LibVEX; rerun with -h for copyright info
==16605== Command: ./a.out
==16605==
h = 0x4023b78, p = 0x503759c
==16605== Invalid read of size 8
==16605== at 0x40093F6: do_lookup_x (/tmp/glibc-git/elf/dl-lookup.c:98)
==16605== by 0x4009E4A: _dl_lookup_symbol_x
(/tmp/glibc-git/elf/dl-lookup.c:739)
==16605== by 0x5551305: do_sym (/tmp/glibc-git/elf/dl-sym.c:178)
==16605== by 0x523A043: dlsym_doit (/tmp/glibc-git/dlfcn/dlsym.c:51)
==16605== by 0x400E685: _dl_catch_error (/tmp/glibc-git/elf/dl-error.c:178)
==16605== by 0x523A4DB: _dlerror_run (/tmp/glibc-git/dlfcn/dlerror.c:164)
==16605== by 0x523A099: dlsym (/tmp/glibc-git/dlfcn/dlsym.c:71)
==16605== by 0x400806: main (in /tmp/bug/a.out)
==16605== Address 0x57e6098 is 40 bytes inside a block of size 72 free'd
==16605== at 0x4C2C0EB: free
(/valgrind-test/coregrind/m_replacemalloc/vg_replace_malloc.c:426)
==16605== by 0x4011D21: _dl_scope_free (/tmp/glibc-git/elf/dl-scope.c:32)
==16605== by 0x4013446: _dl_close_worker (/tmp/glibc-git/elf/dl-close.c:130)
==16605== by 0x401407B: _dl_close (/tmp/glibc-git/elf/dl-close.c:779)
==16605== by 0x400E685: _dl_catch_error (/tmp/glibc-git/elf/dl-error.c:178)
==16605== by 0x523A4DB: _dlerror_run (/tmp/glibc-git/dlfcn/dlerror.c:164)
==16605== by 0x523A00E: dlclose (/tmp/glibc-git/dlfcn/dlclose.c:48)
==16605== by 0x4007DF: main (in /tmp/bug/a.out)
==16605==
h = 0x4023b78, p = 0x503759c
==16605==
==16605== HEAP SUMMARY:
==16605== in use at exit: 0 bytes in 0 blocks
==16605== total heap usage: 2 allocs, 2 frees, 200 bytes allocated
==16605==
==16605== All heap blocks were freed -- no leaks are possible
==16605==
==16605== For counts of detected and suppressed errors, rerun with: -v
==16605== ERROR SUMMARY: 2 errors from 1 contexts (suppressed: 2 from 2)
The bug may have been introduced here:
commit 4bff6e0175ed195871f4e01cc4c4c33274b8f6e3
Author: Andreas Schwab <schwab@redhat.com>
Date: Fri Feb 25 20:49:48 2011 -0500
Fix memory leak in dlopen with RTLD_NOLOAD.
--
Configure bugmail: http://sourceware.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.