diff options
author | Andreas Schwab <schwab@suse.de> | 2013-01-15 16:39:07 +0100 |
---|---|---|
committer | Andreas Schwab <schwab@suse.de> | 2013-04-11 09:22:05 +0200 |
commit | 273cdee86d86e107c0eecef5614f57e37567b54e (patch) | |
tree | edd1f8a09dbacf3ca7cd4440837cad08b9587ab7 | |
parent | 01dc6df938832fe923ac394812553c0fc8a0f113 (diff) | |
download | glibc-273cdee86d86e107c0eecef5614f57e37567b54e.tar.gz |
Fix invalid free of memory allocated during rtld init
-rw-r--r-- | ChangeLog | 6 | ||||
-rw-r--r-- | NEWS | 10 | ||||
-rw-r--r-- | elf/dl-load.c | 6 |
3 files changed, 17 insertions, 5 deletions
@@ -1,3 +1,9 @@ +2013-04-11 Andreas Schwab <schwab@suse.de> + + [BZ #14293] + * elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as + non-freeable. + 2013-04-11 Siddhesh Poyarekar <siddhesh@redhat.com> * Makeconfig (rtld-prefix): Define built linker prefix. @@ -10,11 +10,11 @@ Version 2.18 * The following bugs are resolved with this release: 10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142, - 14176, 14200, 14317, 14327, 14478, 14496, 14686, 14812, 14920, 14964, - 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023, 15036, - 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283, 15285, - 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336, 15337, - 15342, 15346. + 14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920, + 14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023, + 15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283, + 15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336, + 15337, 15342, 15346. * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla #15078). diff --git a/elf/dl-load.c b/elf/dl-load.c index 6e65980c3c..dd182c9155 100644 --- a/elf/dl-load.c +++ b/elf/dl-load.c @@ -797,6 +797,9 @@ _dl_init_paths (const char *llp) (const void *) (D_PTR (l, l_info[DT_STRTAB]) + l->l_info[DT_RUNPATH]->d_un.d_val), l, "RUNPATH"); + /* During rtld init the memory is allocated by the stub malloc, + prevent any attempt to free it by the normal malloc. */ + l->l_runpath_dirs.malloced = 0; /* The RPATH is ignored. */ l->l_rpath_dirs.dirs = (void *) -1; @@ -813,6 +816,9 @@ _dl_init_paths (const char *llp) (const void *) (D_PTR (l, l_info[DT_STRTAB]) + l->l_info[DT_RPATH]->d_un.d_val), l, "RPATH"); + /* During rtld init the memory is allocated by the stub + malloc, prevent any attempt to free it by the normal + malloc. */ l->l_rpath_dirs.malloced = 0; } else |