fix invalid-/double-/use-after-free in new dlopen ctor execution
author Rich Felker <dalias@aerifal.cx>
Sun, 10 Mar 2019 17:16:59 +0000 (13:16 -0400)
committer Rich Felker <dalias@aerifal.cx>
Sun, 10 Mar 2019 17:16:59 +0000 (13:16 -0400)
this affected the error path where dlopen successfully found and
loaded the requested dso and all its dependencies, but failed to
resolve one or more relocations, causing the operation to fail after
storage for the ctor queue was allocated.

commit 188759bbee057aa94db2bbb7cf7f5855f3b9ab53 wrongly put the free
for the ctor_queue array in the error path inside a loop over each
loaded dso that needed to be backed-out, rather than just doing it
once. in addition, the exit path also observed the ctor_queue pointer
still being nonzero, and would attempt to call ctors on the backed-out
dsos unless the double-free crashed the process first.

ldso/dynlink.c

index 35cacd76fbd1dc9ee84ceb650cc9af00ca78e829..46c5b5ff09aa2d762e6f97236d935db1bc4da6f2 100644 (file)
@@ -2000,8 +2000,9 @@ void *dlopen(const char *file, int mode)
                        free(p->deps);
                        unmap_library(p);
                        free(p);
-                       free(ctor_queue);
                }
+               free(ctor_queue);
+               ctor_queue = 0;
                if (!orig_tls_tail) libc.tls_head = 0;
                tls_tail = orig_tls_tail;
                if (tls_tail) tls_tail->next = 0;