crash/0006-netdump-fix-illegal-read-from-already-freed-buffer.patch
Lianbo Jiang 5a0c1d8fb7 Update to the latest upstream: commit <fdb41f0b6fa4>
Release crash-7.2.9-4

Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
2021-02-05 14:16:10 +08:00

57 lines
2.0 KiB
Diff

From d066c93fefdd27dfc26012853d6a2ab5475bcf6b Mon Sep 17 00:00:00 2001
From: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
Date: Thu, 31 Dec 2020 17:20:52 +0900
Subject: [PATCH 06/13] netdump: fix illegal read from already freed buffer
This issue was detected by valgrind as follows:
==1212== Invalid read of size 8
==1212== at 0x56C400: resize_elf_header (netdump.c:585)
==1212== by 0x56C400: is_netdump (netdump.c:363)
==1212== by 0x463571: main (main.c:561)
==1212== Address 0x4e8ec10 is 32 bytes inside a block of size 304 free'd
==1212== at 0x483BCE8: realloc (vg_replace_malloc.c:834)
==1212== by 0x56C393: resize_elf_header (netdump.c:547)
==1212== by 0x56C393: is_netdump (netdump.c:363)
==1212== by 0x463571: main (main.c:561)
==1212== Block was alloc'd at
==1212== at 0x4839809: malloc (vg_replace_malloc.c:307)
==1212== by 0x56C078: is_netdump (netdump.c:136)
==1212== by 0x463571: main (main.c:561)
==1212==
The issue was introduced by the commit
f42db6a33f0e0652df7cce8506352745b4794287 (Support core files with
"unusual" layout).
In resize_elf_header(), both elf32 and elf64 refer to the same address
as eheader, but when reallocating the address pointed at by eheader,
elf32 and elf64 are not updated, resulting in referring to the already
freed address.
To fix this issue, let's update elf32 and elf64 at the realloc().
Signed-off-by: HATAYAMA Daisuke <d.hatayama@fujitsu.com>
Signed-off-by: Lianbo Jiang <lijiang@redhat.com>
---
netdump.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/netdump.c b/netdump.c
index ca9b459fc57b..f2b336374e79 100644
--- a/netdump.c
+++ b/netdump.c
@@ -555,6 +555,9 @@ resize_elf_header(int fd, char *file, char **eheader_ptr, char **sect0_ptr,
} else
*eheader_ptr = eheader;
+ elf32 = (Elf32_Ehdr *)&eheader[0];
+ elf64 = (Elf64_Ehdr *)&eheader[0];
+
if (FLAT_FORMAT()) {
if (!read_flattened_format(fd, 0, eheader, header_size))
return 0;
--
2.17.1