[Bug binutils/21787] Heap-use-after-free in bfd_cache_close
From: nickc at redhat dot com
Subject: [Bug binutils/21787] Heap-use-after-free in bfd_cache_close
Date: Wed, 19 Jul 2017 13:59:55 +0000
https://sourceware.org/bugzilla/show_bug.cgi?id=21787
Nick Clifton <nickc at redhat dot com> changed:
           What    |Removed     |Added
----------------------------------------------------------------------------
             Status|UNCONFIRMED |RESOLVED
                 CC|            |nickc at redhat dot com
         Resolution|---         |FIXED
--- Comment #3 from Nick Clifton <nickc at redhat dot com> ---
Hi Ned,
Thanks for reporting this bug.
The problem is an interesting one because the code is actually set up to
prevent the use-after-free from happening. In the normal course of events
when an element of an archive is no longer needed and the memory is freed,
all pointers to it will be tidied away. But in this case, because the
archive is corrupt, the wrong set of memory releasing functions are being
used and the pointers are not tidied away. Later on, when another element
is freed, the stale pointer is encountered and the bug triggered.
I have checked in a patch to fix the problem. It makes the test for a
genuine archive more aggressive when it signals that an archive is
corrupt, forcing the format matching mechanism to declare it unrecognised
long before it can cause any memory corruption.
Cheers
Nick
--
You are receiving this mail because:
You are on the CC list for the bug.
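The mechanism Nick describes (an element freed through the wrong release path leaves a dangling pointer in the open-element cache, and a later cache close walks into it) and the shape of the fix (reject a corrupt archive before any element is cached) can be modelled in a few dozen lines. The block below is an added illustration, not BFD code: `elem_cache`, `open_element`, `close_element`, `release_element_raw`, `cache_close_all`, `archive_is_genuine` and `load_archive` are hypothetical names, the two sample archives are constructed for the example, and the member-size rule in `archive_is_genuine` is this example's own choice of "more aggressive" check, not the rule the actual patch implements. Freed pointers are tracked in a quarantine so the demo can count stale cache entries without dereferencing freed memory.

```c
/* Model of the stale-cache-pointer bug and of a "reject early" fix.
   Added example; not binutils/BFD code. All names are hypothetical. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ELEMS 8
#define ARMAG "!<arch>\n"          /* ar archive magic, as in <ar.h> */

struct elem { char name[16]; };

/* Cache of open elements. A proper close removes its entry; the raw
   release below does not, which leaves the dangling pointer behind. */
static struct elem *elem_cache[MAX_ELEMS];
static int ncached;

/* Quarantine bookkeeping so a freed pointer can be recognised without
   being dereferenced (a stand-in for what ASan would report). */
static struct elem *allocated[MAX_ELEMS];
static int nalloc;
static const void *freed[MAX_ELEMS];
static int nfreed;

static bool is_freed(const void *p)
{
    for (int i = 0; i < nfreed; i++)
        if (freed[i] == p) return true;
    return false;
}

static void reset_state(void)
{
    for (int i = 0; i < nalloc; i++)
        if (!is_freed(allocated[i])) free(allocated[i]);
    ncached = nalloc = nfreed = 0;
}

static struct elem *open_element(const char *name)
{
    struct elem *e = calloc(1, sizeof *e);
    if (!e) abort();
    snprintf(e->name, sizeof e->name, "%s", name);
    elem_cache[ncached++] = e;          /* every open element is cached */
    allocated[nalloc++] = e;
    return e;
}

/* Correct release path: unlink from the cache, then free. */
static void close_element(struct elem *e)
{
    for (int i = 0; i < ncached; i++)
        if (elem_cache[i] == e) { elem_cache[i] = elem_cache[--ncached]; break; }
    freed[nfreed++] = e;
    free(e);
}

/* The "wrong" release path: frees the element, leaves the cache alone. */
static void release_element_raw(struct elem *e)
{
    freed[nfreed++] = e;
    free(e);
}

/* Global cache close. Returns how many cache entries already point at
   freed memory; each one is a use-after-free the real walk would perform. */
int cache_close_all(void)
{
    int stale = 0;
    while (ncached > 0) {
        struct elem *e = elem_cache[ncached - 1];
        if (is_freed(e)) { stale++; ncached--; continue; }  /* never read *e */
        close_element(e);
    }
    return stale;
}

/* Well-formed archive: the element is released through the proper path. */
int scenario_well_formed(void)
{
    reset_state();
    struct elem *a = open_element("a.o");
    open_element("b.o");
    close_element(a);
    return cache_close_all();           /* 0: nothing stale */
}

/* Corrupt archive on the unfixed path: raw release, dangling cache entry. */
int scenario_corrupt_unfixed(void)
{
    reset_state();
    struct elem *a = open_element("a.o");
    open_element("b.o");
    release_element_raw(a);
    return cache_close_all();           /* 1: the later close hits a's stale pointer */
}

/* Stricter genuine-archive test (this example's own rule): the magic must
   match, the first member header must be well formed, and the member's
   declared size must fit inside the file. Anything else is "not an archive". */
bool archive_is_genuine(const unsigned char *buf, size_t len)
{
    if (len < 8 + 60 || memcmp(buf, ARMAG, 8) != 0) return false;
    /* ar member header: name 16, mtime 12, uid 6, gid 6, mode 8, size 10, fmag 2 */
    char size_field[11];
    memcpy(size_field, buf + 8 + 48, 10);
    size_field[10] = '\0';
    char *end;
    unsigned long long size = strtoull(size_field, &end, 10);
    if (end == size_field) return false;
    for (; *end; end++) if (*end != ' ') return false;
    if (buf[8 + 58] != '`' || buf[8 + 59] != '\n') return false;
    return size <= len - (8 + 60);
}

/* Open path with the check in front: -1 means "unrecognised", so no element
   is ever cached; otherwise the stale count from a full open/close cycle. */
int load_archive(const unsigned char *buf, size_t len)
{
    if (!archive_is_genuine(buf, len)) return -1;
    reset_state();
    char name[17];
    memcpy(name, buf + 8, 16);
    name[16] = '\0';
    open_element(name);
    return cache_close_all();
}

/* Constructed samples: one valid 4-byte member, and the same header with
   a member size far larger than the file (corrupt). */
static const char good_ar[] = "!<arch>\n" "a.o/            " "0           "
    "0     " "0     " "644     " "4         " "`\n" "abcd";
static const char bad_ar[]  = "!<arch>\n" "a.o/            " "0           "
    "0     " "0     " "644     " "9999      " "`\n" "abcd";

int main(void)
{
    printf("well-formed, proper close: %d stale\n", scenario_well_formed());
    printf("corrupt, raw release:      %d stale\n", scenario_corrupt_unfixed());
    printf("good archive load:         %d\n", load_archive((const unsigned char *)good_ar, sizeof good_ar - 1));
    printf("bad archive load:          %d\n", load_archive((const unsigned char *)bad_ar, sizeof bad_ar - 1));
    return 0;
}
```

The point of the two halves is the ordering: in the unfixed flow the corrupt archive is admitted far enough to populate the cache before the wrong release runs, so the dangling entry is found only at the final global close; with the genuine-archive check in front, `load_archive` returns "unrecognised" before a single `open_element` call, and there is no entry for a later close to trip over. Build with `-fsanitize=address` and replace `release_element_raw` plus the quarantine with a real walk to see the original crash signature.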