From d066c93fefdd27dfc26012853d6a2ab5475bcf6b Mon Sep 17 00:00:00 2001 From: HATAYAMA Daisuke Date: Thu, 31 Dec 2020 17:20:52 +0900 Subject: [PATCH 06/13] netdump: fix illegal read from already freed buffer This issue was detected by valgrind as follows: ==1212== Invalid read of size 8 ==1212== at 0x56C400: resize_elf_header (netdump.c:585) ==1212== by 0x56C400: is_netdump (netdump.c:363) ==1212== by 0x463571: main (main.c:561) ==1212== Address 0x4e8ec10 is 32 bytes inside a block of size 304 free'd ==1212== at 0x483BCE8: realloc (vg_replace_malloc.c:834) ==1212== by 0x56C393: resize_elf_header (netdump.c:547) ==1212== by 0x56C393: is_netdump (netdump.c:363) ==1212== by 0x463571: main (main.c:561) ==1212== Block was alloc'd at ==1212== at 0x4839809: malloc (vg_replace_malloc.c:307) ==1212== by 0x56C078: is_netdump (netdump.c:136) ==1212== by 0x463571: main (main.c:561) ==1212== The issue was introduced by the commit f42db6a33f0e0652df7cce8506352745b4794287 (Support core files with "unusual" layout). In resize_elf_header(), both elf32 and elf64 refer to the same address as eheader, but when reallocating the address pointed at by eheader, elf32 and elf64 are not updated, resulting in referring to the already freed address. To fix this issue, let's update elf32 and elf64 at the realloc(). Signed-off-by: HATAYAMA Daisuke Signed-off-by: Lianbo Jiang --- netdump.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/netdump.c b/netdump.c index ca9b459fc57b..f2b336374e79 100644 --- a/netdump.c +++ b/netdump.c @@ -555,6 +555,9 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr, } else *eheader_ptr = eheader; + elf32 = (Elf32_Ehdr *)&eheader[0]; + elf64 = (Elf64_Ehdr *)&eheader[0]; + if (FLAT_FORMAT()) { if (!read_flattened_format(fd, 0, eheader, header_size)) return 0; -- 2.17.1