From patchwork Fri Mar 3 13:26:31 2023
X-Patchwork-Submitter: Mark Wielaard
X-Patchwork-Id: 65970
From: Mark Wielaard
To: elfutils-devel@sourceware.org
Cc: Mark Wielaard
Subject: [COMMITTED] readelf: Fix use-after-free ebl pointer issue
Date: Fri, 3 Mar 2023 14:26:31 +0100
Message-Id: <20230303132631.219940-1-mark@klomp.org>

With -flto gcc 13 sees that we use the ebl pointer after closing and freeing it. In function ‘process_elf_file’, inlined from ‘process_dwflmod’ at readelf.c:818:3: readelf.c:1070:6: error: pointer ‘ebl_18’ used after ‘free’ [-Werror=use-after-free] 1070 | if (pure_ebl != ebl) | ^ In function ‘ebl_closebackend’, inlined from ‘process_elf_file’ at readelf.c:1068:3, inlined from ‘process_dwflmod’ at readelf.c:818:3: ../libebl/eblclosebackend.c:47:7: note: call to ‘free’ here 47 | free (ebl); | ^ Fix by only calling ebl_closebackend after using it in the comparison. Signed-off-by: Mark Wielaard --- src/ChangeLog | 5 +++++ src/readelf.c | 5 +++-- 2 files changed, 8 insertions(+), 2 deletions(-) diff --git a/src/ChangeLog b/src/ChangeLog index 699d98ee..c26dafdd 100644 --- a/src/ChangeLog +++ b/src/ChangeLog @@ -1,3 +1,8 @@ +2023-03-03 Mark Wielaard + + * readelf (process_elf_file): ebl_closebackend only after + comparing ebl pointer. + 2023-02-12 Mark Wielaard * readelf.c (print_attributes): Add comment about check. diff --git a/src/readelf.c b/src/readelf.c index 0f13874f..6950204e 100644 --- a/src/readelf.c
+++ b/src/readelf.c @@ -1065,13 +1065,14 @@ process_elf_file (Dwfl_Module *dwflmod, int fd) if (print_string_sections) print_strings (ebl); - ebl_closebackend (ebl); - if (pure_ebl != ebl) { + ebl_closebackend (ebl); ebl_closebackend (pure_ebl); elf_end (pure_elf); } + else + ebl_closebackend (ebl); }
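Review bot: in the ChangeLog hunk the new entry names the file as `readelf` without its extension, while the entry directly below it uses `readelf.c (print_attributes)`; for consistency with the rest of the file the added line should read `* readelf.c (process_elf_file): ebl_closebackend only after`.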
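Review bot: in the readelf.c hunk the ordering fix is right (the `pure_ebl != ebl` comparison now runs before `ebl` is freed, which is exactly what the -Werror=use-after-free diagnostic complained about), but `ebl_closebackend (ebl)` is now duplicated in both the `if` body and the new `else` branch. Since `ebl` must be closed on either path, the same result with a single call is to keep the `if` only for the pure_ebl cleanup and close `ebl` unconditionally after it: `if (pure_ebl != ebl) { ebl_closebackend (pure_ebl); elf_end (pure_elf); }` followed by `ebl_closebackend (ebl);`. The comparison still happens on a live pointer, so the use-after-free stays fixed, and a future change cannot forget to update one of the two close calls.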