bug-glibc

Bug in elf/dl-close.c function _dl_close(void *) libc Version 2.2.2


From: Guenter Jung
Subject: Bug in elf/dl-close.c function _dl_close(void *) libc Version 2.2.2
Date: Tue, 20 Nov 2001 17:38:50 +0100

Hi,

In version 2.2.2 of glibc there's a bug in elf/dl-close.c which leads
to a potential segfault when a library loaded via dlopen uses dlopen
to load another one and closes that library later.

The bug is in function _dl_close near line 308:

           if (__builtin_expect (imap->l_reldeps != NULL, 0))
            {
              struct reldep_list *newrel;

              newrel = (struct reldep_list *) alloca (sizeof (*reldeps));
!!!!          newrel->rellist = map->l_reldeps;
!!!!                            ^^^ this should be imap
!!!!          newrel->nrellist = map->l_reldepsact;
!!!!                             ^^^ this should be imap
              newrel->next = reldeps;

              reldeps = newrel;
            }

This leads to potentially calling _dl_close multiple times on the same lib
when later in this function the following code is executed:

  while (__builtin_expect (reldeps != NULL, 0))
    {
      while (reldeps->nrellist-- > 0)
        _dl_close (reldeps->rellist[reldeps->nrellist]);

      free (reldeps->rellist);

      reldeps = reldeps->next;
    }


cheers,
Guenter

-- 
===================================================================
 Guenter Jung                                       imbus AG
 phone:    +49 9131 7518 68                         +49 9131 7518 0
 email:    mailto:address@hidden
 priv.:    mailto:address@hidden

 @ Lucent: +49 911 526 4703 (Nuernberg)
 email:    mailto:address@hidden
===================================================================
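The following is an added example, not part of the report above and not glibc code. It models only the link_map fields the two quoted loops touch (l_searchlist, l_reldeps, l_reldepsact, l_opencount) and replays the collect-then-close walk once with the original `map->l_reldeps` read and once with `imap->l_reldeps`, on a constructed four-object graph: handle A depends on D, A's relocation pulled in B and D's pulled in C. The struct layout, the scenario and the counters are assumptions made for the model; the real loader has many more fields and also adjusts the open counts of the objects in the search list, which the model omits.

```c
#include <stdio.h>
#include <string.h>

#define MAX_LINKS 8

/* Constructed model of the link_map fields _dl_close reads or writes in the
 * quoted code. Not the real glibc struct. */
struct link_map {
    const char *l_name;
    struct link_map *l_searchlist[MAX_LINKS]; /* map itself plus objects unloaded with it */
    unsigned int l_nsearchlist;
    struct link_map *l_reldeps[MAX_LINKS];    /* relocation deps, closed after unmapping */
    unsigned int l_reldepsact;
    unsigned int l_opencount;
    /* instrumentation, not in glibc */
    unsigned int close_calls;
    unsigned int reldeps_freed;
};

struct reldep_list {
    struct link_map **rellist;
    unsigned int nrellist;
    struct link_map *owner;      /* model only: whose l_reldeps rellist points at */
    struct reldep_list *next;
};

static unsigned int g_double_close, g_double_free;

/* reproduce_bug == 1 copies map->l_reldeps into every node (glibc 2.2.2);
 * reproduce_bug == 0 copies imap->l_reldeps (the fix the report asks for). */
static void model_dl_close(struct link_map *map, int reproduce_bug)
{
    struct reldep_list nodes[MAX_LINKS];
    struct reldep_list *reldeps = NULL;
    unsigned int used = 0, i;

    map->close_calls++;
    if (map->l_opencount == 0) {
        /* closing an object that was already unloaded: in the real loader
           this is a use of freed memory */
        g_double_close++;
        return;
    }
    if (--map->l_opencount > 0)
        return;

    /* first quoted loop: collect relocation deps of every object being unloaded */
    for (i = 0; i < map->l_nsearchlist; i++) {
        struct link_map *imap = map->l_searchlist[i];
        struct reldep_list *newrel;
        struct link_map *src;

        if (imap->l_reldepsact == 0)
            continue;
        newrel = &nodes[used++];
        src = reproduce_bug ? map : imap;
        newrel->rellist = src->l_reldeps;
        newrel->nrellist = src->l_reldepsact;
        newrel->owner = src;
        newrel->next = reldeps;
        reldeps = newrel;
    }

    /* second quoted loop: close the collected deps, then free each list */
    while (reldeps != NULL) {
        while (reldeps->nrellist-- > 0)
            model_dl_close(reldeps->rellist[reldeps->nrellist], reproduce_bug);

        if (reldeps->owner->reldeps_freed++)   /* stands in for free (rellist) */
            g_double_free++;

        reldeps = reldeps->next;
    }
}

struct outcome { unsigned int closes_b, closes_c, double_close, double_free; };

/* Constructed scenario: A (the handle being closed) depends on D; A's
 * relocation pulled in B, D's relocation pulled in C. */
struct outcome run_scenario(int reproduce_bug)
{
    struct link_map a, b, c, d;
    struct outcome out;

    memset(&a, 0, sizeof a); memset(&b, 0, sizeof b);
    memset(&c, 0, sizeof c); memset(&d, 0, sizeof d);
    a.l_name = "A"; b.l_name = "B"; c.l_name = "C"; d.l_name = "D";
    a.l_opencount = b.l_opencount = c.l_opencount = d.l_opencount = 1;
    b.l_searchlist[0] = &b; b.l_nsearchlist = 1;
    c.l_searchlist[0] = &c; c.l_nsearchlist = 1;
    d.l_searchlist[0] = &d; d.l_nsearchlist = 1;
    a.l_searchlist[0] = &a; a.l_searchlist[1] = &d; a.l_nsearchlist = 2;
    a.l_reldeps[0] = &b; a.l_reldepsact = 1;
    d.l_reldeps[0] = &c; d.l_reldepsact = 1;

    g_double_close = g_double_free = 0;
    model_dl_close(&a, reproduce_bug);

    out.closes_b = b.close_calls;
    out.closes_c = c.close_calls;
    out.double_close = g_double_close;
    out.double_free = g_double_free;
    return out;
}

int main(void)
{
    int bug;
    for (bug = 0; bug <= 1; bug++) {
        struct outcome o = run_scenario(bug);
        printf("%s: B closed %u times, C closed %u times, double closes %u, double frees %u\n",
               bug ? "map->l_reldeps (2.2.2)" : "imap->l_reldeps (fixed)",
               o.closes_b, o.closes_c, o.double_close, o.double_free);
    }
    return 0;
}
```

With `map->l_reldeps`, both nodes carry A's list: B is closed twice (the second time after it was already unloaded), C is never closed, and A's list is freed twice. With `imap->l_reldeps`, B and C are each closed once and each list is freed once.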


