5a0c1d8fb7
Release crash-7.2.9-4 Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
57 lines
2.0 KiB
Diff
57 lines
2.0 KiB
Diff
From d066c93fefdd27dfc26012853d6a2ab5475bcf6b Mon Sep 17 00:00:00 2001
|
|
From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
|
|
Date: Thu, 31 Dec 2020 17:20:52 +0900
|
|
Subject: [PATCH 06/13] netdump: fix illegal read from already freed buffer
|
|
|
|
This issue was detected by valgrind as follows:
|
|
|
|
==1212== Invalid read of size 8
|
|
==1212== at 0x56C400: resize_elf_header (netdump.c:585)
|
|
==1212== by 0x56C400: is_netdump (netdump.c:363)
|
|
==1212== by 0x463571: main (main.c:561)
|
|
==1212== Address 0x4e8ec10 is 32 bytes inside a block of size 304 free'd
|
|
==1212== at 0x483BCE8: realloc (vg_replace_malloc.c:834)
|
|
==1212== by 0x56C393: resize_elf_header (netdump.c:547)
|
|
==1212== by 0x56C393: is_netdump (netdump.c:363)
|
|
==1212== by 0x463571: main (main.c:561)
|
|
==1212== Block was alloc'd at
|
|
==1212== at 0x4839809: malloc (vg_replace_malloc.c:307)
|
|
==1212== by 0x56C078: is_netdump (netdump.c:136)
|
|
==1212== by 0x463571: main (main.c:561)
|
|
==1212==
|
|
|
|
The issue was introduced by the commit
|
|
f42db6a33f0e0652df7cce8506352745b4794287 (Support core files with
|
|
"unusual" layout).
|
|
|
|
In resize_elf_header(), both elf32 and elf64 refer to the same address
|
|
as eheader, but when reallocating the address pointed at by eheader,
|
|
elf32 and elf64 are not updated, resulting in referring to the already
|
|
freed address.
|
|
|
|
To fix this issue, let's update elf32 and elf64 at the realloc().
|
|
|
|
Signed-off-by: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
|
|
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
|
|
---
|
|
netdump.c | 3 +++
|
|
1 file changed, 3 insertions(+)
|
|
|
|
diff --git a/netdump.c b/netdump.c
|
|
index ca9b459fc57b..f2b336374e79 100644
|
|
--- a/netdump.c
|
|
+++ b/netdump.c
|
|
@@ -555,6 +555,9 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
|
|
} else
|
|
*eheader_ptr = eheader;
|
|
|
|
+ elf32 = (Elf32_Ehdr *)&eheader[0];
|
|
+ elf64 = (Elf64_Ehdr *)&eheader[0];
|
|
+
|
|
if (FLAT_FORMAT()) {
|
|
if (!read_flattened_format(fd, 0, eheader, header_size))
|
|
return 0;
|
|
--
|
|
2.17.1
|
|
|