From c7a37d3e87132864ebc44710baf1d50a69682b5c Mon Sep 17 00:00:00 2001 From: Jiri Sasek Date: Fri, 13 Mar 2020 19:02:58 +0100 Subject: [PATCH] Add finalization safety check to com_err If the linker erroneously runs the libkrb5 finalizer after the libcom_err finalizer, the consequent remove_error_table() calls could crash due to accessing a destroyed mutex or an invalid et_list pointer. Add an unsynchronized check on finalized in remove_error_table(), and set et_list to null in com_err_terminate() after destroying the list. [ghudson@mit.edu: minimized code hanges; rewrote comment and commit message] ticket: 8890 (new) (cherry picked from commit 9d654aa05e26bbf22f140abde3436afeff2fdf8d) --- src/util/et/error_message.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c index d7069a9df..7dc02a34e 100644 --- a/src/util/et/error_message.c +++ b/src/util/et/error_message.c @@ -26,7 +26,7 @@ static struct et_list *et_list; static k5_mutex_t et_list_lock = K5_MUTEX_PARTIAL_INITIALIZER; -static int terminated = 0; /* for debugging shlib fini sequence errors */ +static int terminated = 0; /* for safety and finalization debugging */ MAKE_INIT_FUNCTION(com_err_initialize); MAKE_FINI_FUNCTION(com_err_terminate); @@ -69,6 +69,7 @@ void com_err_terminate(void) enext = e->next; free(e); } + et_list = NULL; k5_mutex_unlock(&et_list_lock); k5_mutex_destroy(&et_list_lock); terminated = 1; @@ -280,6 +281,10 @@ remove_error_table(const struct error_table *et) { struct et_list **ep, *e; + /* Safety check in case libraries are finalized in the wrong order. */ + if (terminated) + return ENOENT; + if (CALL_INIT_FUNCTION(com_err_initialize)) return 0; k5_mutex_lock(&et_list_lock);