From: Yichun Zhang (agentzh)
Subject: [Tinycc-devel] [PATCH] Fix a use-after-free bug in build_got_entries() when realloc() happens.
Date: Wed, 5 Dec 2018 21:41:04 -0800

When running the test program 25_quicksort.c with valgrind, like this,

    valgrind -s ./tcc -run tests/tests2/25_quicksort.c

on the current master branch (commit d348a9a51d3), we will get
use-after-free errors reported like below:

    ==73876== Invalid read of size 1
    ==73876==    at 0x4E5F36A: build_got_entries (tccelf.c:1101)
    ==73876==    by 0x4E66016: tcc_relocate_ex (tccrun.c:192)
    ==73876==    by 0x4E66016: tcc_relocate (tccrun.c:67)
    ==73876==    by 0x4E6629F: tcc_run (tccrun.c:123)
    ==73876==    by 0x401699: main (tcc.c:349)
    ==73876==  Address 0x5bc52d4 is 100 bytes inside a block of size 512 free'd
    ==73876==    at 0x4C2EC15: realloc (vg_replace_malloc.c:785)
    ==73876==    by 0x4E416E8: tcc_realloc (libtcc.c:224)
    ==73876==    by 0x4E5DA93: section_realloc (tccelf.c:267)
    ==73876==    by 0x4E5DB0F: section_add (tccelf.c:282)
    ==73876==    by 0x4E5DB2D: section_ptr_add (tccelf.c:293)
    ==73876==    by 0x4E5DDBA: put_elf_sym (tccelf.c:396)
    ==73876==    by 0x4E5F6E5: build_got (tccelf.c:916)
    ==73876==    by 0x4E5F6E5: build_got_entries (tccelf.c:1096)
    ==73876==    by 0x4E66016: tcc_relocate_ex (tccrun.c:192)
    ==73876==    by 0x4E66016: tcc_relocate (tccrun.c:67)
    ==73876==    by 0x4E6629F: tcc_run (tccrun.c:123)
    ==73876==    by 0x401699: main (tcc.c:349)
    ==73876==  Block was alloc'd at
    ==73876==    at 0x4C2EC15: realloc (vg_replace_malloc.c:785)
    ==73876==    by 0x4E416E8: tcc_realloc (libtcc.c:224)
    ==73876==    by 0x4E5DA93: section_realloc (tccelf.c:267)
    ==73876==    by 0x4E5DB0F: section_add (tccelf.c:282)
    ==73876==    by 0x4E5DB2D: section_ptr_add (tccelf.c:293)
    ==73876==    by 0x4E5DDBA: put_elf_sym (tccelf.c:396)
    ==73876==    by 0x4E4E62D: put_extern_sym2 (tccgen.c:411)
    ==73876==    by 0x4E4EE16: get_sym_ref (tccgen.c:818)
    ==73876==    by 0x4E5B1EA: decl_initializer_alloc (tccgen.c:6985)
    ==73876==    by 0x4E56DA7: unary (tccgen.c:4690)
    ==73876==    by 0x4E58018: expr_prod (tccgen.c:5290)
    ==73876==    by 0x4E5806A: expr_sum (tccgen.c:5303)

This is because the build_got() call might invalidate the "sym"
variable's pointer value stored on the C stack.

This bug affects the tcc_relocate() operation.
---
 tccelf.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/tccelf.c b/tccelf.c
index 70d47e1..160150f 100644
--- a/tccelf.c
+++ b/tccelf.c
@@ -1092,8 +1092,10 @@ ST_FUNC void build_got_entries(TCCState *s1)
             } else
                 reloc_type = R_GLOB_DAT;
 
-            if (!s1->got)
+            if (!s1->got) {
                 build_got(s1);
+                sym = &((ElfW(Sym) *)symtab_section->data)[sym_index];
+            }
 
             if (gotplt_entry == BUILD_GOT_ONLY)
                 continue;
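Review bot: the refresh `sym = &((ElfW(Sym) *)symtab_section->data)[sym_index];` is only correct if `sym_index` is the same index `sym` was originally derived from and is unchanged by build_got(); that derivation is outside the hunk, so please confirm it in the surrounding loop. Also worth adding a one-line comment at the refresh, e.g. `/* build_got() may realloc symtab_section->data */`, so a later cleanup does not fold the "redundant" assignment away and reintroduce the use-after-free the valgrind trace shows. Any other pointer into a section's data that is held across the build_got() call would need the same re-derivation, not just `sym`.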
-- 
2.11.0.295.gd7dffce
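The bug class behind this patch, as an added stand-alone model that is not tcc code: a growable symbol table backed by realloc(), a pointer taken into it before an append (the pre-patch pattern), and the fixed pattern that re-derives the pointer from the index afterwards. The names `Sym`, `Section`, `put_sym`, `read_sym_buggy`, `read_sym_fixed` and `full_section` are hypothetical stand-ins for ElfW(Sym), symtab_section, put_elf_sym() and build_got_entries().

```c
#include <stdio.h>
#include <stdlib.h>

typedef struct { int st_value; } Sym;                  /* stand-in for ElfW(Sym) */
typedef struct { Sym *data; size_t n, cap; } Section;  /* stand-in for symtab_section */

/* Like put_elf_sym() via section_ptr_add(): appends a symbol and may call
 * realloc(), which invalidates every pointer previously derived from data. */
size_t put_sym(Section *sec, int value) {
    if (sec->n == sec->cap) {
        size_t ncap = sec->cap ? sec->cap * 2 : 1;
        Sym *p = realloc(sec->data, ncap * sizeof *p);
        if (!p) abort();
        sec->data = p;
        sec->cap = ncap;
    }
    sec->data[sec->n].st_value = value;
    return sec->n++;                /* an index stays valid across reallocs */
}

/* Before the patch: `sym` is held across a call that can grow the table. */
int read_sym_buggy(Section *sec, size_t sym_index) {
    Sym *sym = &sec->data[sym_index];
    put_sym(sec, 0);                /* models build_got(): may realloc data */
    return sym->st_value;           /* stale pointer: the use-after-free */
}

/* After the patch: re-derive the pointer from the index after the call. */
int read_sym_fixed(Section *sec, size_t sym_index) {
    put_sym(sec, 0);
    Sym *sym = &sec->data[sym_index];
    return sym->st_value;
}

/* Constructed input: a table whose next append must realloc (n == cap). */
Section full_section(int first_value) {
    Section sec = { NULL, 0, 0 };
    put_sym(&sec, first_value);     /* cap becomes 1, n becomes 1 */
    return sec;
}

int main(void) {
    Section sec = full_section(42);
    printf("fixed read: %d\n", read_sym_fixed(&sec, 0));   /* 42 */
    /* read_sym_buggy(&sec, 0) is the pattern valgrind flagged in the trace */
    free(sec.data);
    return 0;
}
```

Running the buggy variant under valgrind or AddressSanitizer reproduces the "Invalid read ... inside a block ... free'd" report; the fixed variant is clean.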



