Source-Changes-HG archive
[src/trunk]: src/usr.bin/xlint/lint1 lint: fix use-after-free in memory debug...
details: https://anonhg.NetBSD.org/src/rev/e37f5a14edc1
branches: trunk
changeset: 378284:e37f5a14edc1
user: rillig <rillig%NetBSD.org@localhost>
date: Sat Jul 29 10:22:50 2023 +0000
description:
lint: fix use-after-free in memory debug mode
A node may be allocated before its type. Since the objects are freed in
reverse allocation order, the type cannot be accessed anymore when the
node is freed.
diffstat:
usr.bin/xlint/lint1/mem1.c | 11 ++++++-----
1 files changed, 6 insertions(+), 5 deletions(-)
diffs (35 lines):
diff -r b49be486f791 -r e37f5a14edc1 usr.bin/xlint/lint1/mem1.c
--- a/usr.bin/xlint/lint1/mem1.c Sat Jul 29 10:01:24 2023 +0000
+++ b/usr.bin/xlint/lint1/mem1.c Sat Jul 29 10:22:50 2023 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: mem1.c,v 1.71 2023/07/15 15:56:17 rillig Exp $ */
+/* $NetBSD: mem1.c,v 1.72 2023/07/29 10:22:50 rillig Exp $ */
/*
* Copyright (c) 1994, 1995 Jochen Pohl
@@ -37,7 +37,7 @@
#include <sys/cdefs.h>
#if defined(__RCSID)
-__RCSID("$NetBSD: mem1.c,v 1.71 2023/07/15 15:56:17 rillig Exp $");
+__RCSID("$NetBSD: mem1.c,v 1.72 2023/07/29 10:22:50 rillig Exp $");
#endif
#include <sys/param.h>
@@ -199,12 +199,13 @@ mpool_free(memory_pool *pool)
debug_step("%s: freeing type '%s'",
__func__, type_name(p));
else if (strcmp(item->descr, "tnode") == 0)
- debug_step("%s: freeing node '%s' with type '%s'",
- __func__, op_name(((const tnode_t *)p)->tn_op),
- type_name(((const tnode_t *)p)->tn_type));
+ debug_step("%s: freeing node '%s'",
+ __func__, op_name(((const tnode_t *)p)->tn_op));
else
debug_step("%s: freeing '%s' with %zu bytes",
__func__, item->descr, item->size);
+ static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
+ memset_ptr(p, 'Z', item->size);
#endif
free(p);
}
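Review bot: The two lines added at the end of the debug block, "static void *(*volatile memset_ptr)(void *, int, size_t) = memset;" and "memset_ptr(p, 'Z', item->size);", carry no comment and are not mentioned in the commit description, so a reader cannot tell why memset is called through a volatile function pointer or what the 'Z' fill is for. A short comment would help, for example stating that the indirect call is there so the compiler does not drop the store to memory that is passed to free(p) on the next line, and that the fill makes any later read of a freed pool object show up as 'Z' bytes instead of stale but plausible data. The static declaration also sits after statements in the middle of the block; moving it to the top of mpool_free or to file scope would keep declarations together. In the tnode branch, dropping the type_name(...->tn_type) argument matches the description. The type branch just above still passes p to type_name, so it is worth confirming that type_name does not follow pointers into other pool objects that, given the reverse-order freeing the description mentions, may already have been freed and overwritten by this new fill.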