Subject: bin/7246: Bogus free() in ELF ldd
To: None <gnats-bugs@gnats.netbsd.org>
From: None <mbrinico@nc.com>
List: netbsd-bugs
Date: 03/25/1999 23:14:56
>Number: 7246
>Category: bin
>Synopsis: Bogus free() in ELF ldd
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: bin-bug-people (Utility Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Mar 25 23:20:00 1999
>Last-Modified:
>Originator: Mark Brinicombe
>Organization:
Network Computer Inc
>Release: NetBSD-current 1999/03/25
>Environment:
System: NetBSD p2.devlab.nc.com 1.3I-NCOS NetBSD 1.3I-NCOS (P2) #1: Wed Mar 17 16:37:17 PST 1999 mark@p2.devlab.nc.com:/usr/export/mark/NCOS/os-src/sys/arch/i386/compile/P2 i386
>Description:
The ELF ldd binary performs a free() call on pointer that it did not
obtain via malloc().
The path in _rtld_objmain is set to argv[0] and _rtld_objmain is
added to the _rtld_objtail list. However all paths in the Obj_Entry
structures are freed via free() resulting in a free() call with
the argv[0] pointer.
>How-To-Repeat:
Account the free() verse malloc() calls in ldd.
>Fix:
1. Make a copy of *argv with strup()
2. Modify the code so that it will not try and free the path for
_rtld_objmain
The solution for (1) is given.
*** ldd/ldd_elf/ldd.c.orig Thu Mar 25 23:04:51 1999
--- ldd/ldd_elf/ldd.c Thu Mar 25 23:10:26 1999
***************
*** 107,113 ****
continue;
}
! _rtld_objmain->path = *argv;
_rtld_objmain->mainprog = true;
_rtld_digest_dynamic(_rtld_objmain);
--- 107,113 ----
continue;
}
! _rtld_objmain->path = strdup(*argv);
_rtld_objmain->mainprog = true;
_rtld_digest_dynamic(_rtld_objmain);
>Audit-Trail:
>Unformatted: