[squash] livepatch/klp-convert: fix use-after-frees
Note: squash with ("livepatch: Add klp-convert tool")

As discovered by running:

% valgrind --leak-check=full --track-origins=yes \
	scripts/livepatch/klp-convert \
	./Symbols.list \
	samples/livepatch/livepatch-annotated-sample.klp.o \
	samples/livepatch/livepatch-annotated-sample.ko

Invalid read of size 8
   at 0x404536: must_convert (klp-convert.c:521)
   by 0x404714: main (klp-convert.c:563)
 Address 0x56818a8 is 40 bytes inside a block of size 80 free'd
   at 0x4C3208C: free (vg_replace_malloc.c:540)
   by 0x40374F: clear_sympos_symbols (klp-convert.c:164)
   by 0x4037EA: clear_sympos_annontations (klp-convert.c:176)
   by 0x403C2C: load_usr_symbols (klp-convert.c:259)
   by 0x404666: main (klp-convert.c:553)
 Block was alloc'd at
   at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
   by 0x401862: read_symbols (elf.c:169)
   by 0x402F09: elf_open (elf.c:660)
   by 0x40460B: main (klp-convert.c:544)

From a gdb session, these correspond to:

  (gdb) printf "sec %p %s, sym %p %s\n", sec, sec->name, sym, sym->name
  sec 0x60aec0 .klp.module_relocs.vmlinux, sym 0x634e30 .klp.module_relocs.vmlinux
  ...
  (gdb) printf "sec %p %s, sym %p %s\n", sec, sec->name, sym, sym->name
  sec 0x60aec0 .klp.module_relocs.vmlinux, sym 0x635c10 vmlinux_relocs

Invalid read of size 4
   at 0x4027AB: update_relas (elf.c:497)
   by 0x402DB6: elf_write_file (elf.c:617)
   by 0x40482E: main (klp-convert.c:578)
 Address 0x56818b8 is 56 bytes inside a block of size 80 free'd
   at 0x4C3208C: free (vg_replace_malloc.c:540)
   by 0x40374F: clear_sympos_symbols (klp-convert.c:164)
   by 0x4037EA: clear_sympos_annontations (klp-convert.c:176)
   by 0x403C2C: load_usr_symbols (klp-convert.c:259)
   by 0x404666: main (klp-convert.c:553)
 Block was alloc'd at
   at 0x4C30E8B: malloc (vg_replace_malloc.c:309)
   by 0x401862: read_symbols (elf.c:169)
   by 0x402F09: elf_open (elf.c:660)
   by 0x40460B: main (klp-convert.c:544)

Again from gdb:

  (gdb) printf "sec %p %s, rela %p sym %p\n", sec, sec->name, rela, rela->sym
  sec 0x621d90 .rela.debug_info, rela 0x680720 sym 0x635c10

[joe: fix symbol use-after-frees]

Signed-off-by: Joe Lawrence <joe.lawrence@redhat.com>
joe-lawrence committed Mar 18, 2019
1 parent 1ed8e5b commit 4e5f39e
Showing 1 changed file with 13 additions and 0 deletions.
13 changes: 13 additions & 0 deletions scripts/livepatch/klp-convert.c
@@ -160,6 +160,19 @@ static void clear_sympos_symbols(struct section *sec, struct elf *klp_elf)

list_for_each_entry_safe(sym, aux, &klp_elf->symbols, list) {
if (sym->sec == sec) {

struct section *sec;
struct rela *rela, *tmprela;

list_for_each_entry(sec, &klp_elf->sections, list) {
list_for_each_entry_safe(rela, tmprela, &sec->relas, list) {
if (rela->sym == sym) {
list_del(&rela->list);
free(rela);
}
}
}

list_del(&sym->list);
free(sym);
}
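Review bot: the `struct section *sec;` declared inside the `if (sym->sec == sec)` body shadows the function parameter `sec` that the enclosing condition just compared against, so the inner `list_for_each_entry(sec, &klp_elf->sections, list)` hides the outer name for the rest of the block and trips `-Wshadow`; rename the inner variable (for example `struct section *relasec;` with `list_for_each_entry_safe(rela, tmprela, &relasec->relas, list)`) so the two sections cannot be confused. A short comment above the inner loop would also help: deleting every rela that still references the symbol (including the `.rela.debug_info` entry shown in the valgrind trace) changes the emitted object rather than only curing the dangling `rela->sym`, so the next reader should be told why those relocations are safe to drop once the annotation symbol is removed. Note as well that this walk runs over all sections and all relas for every symbol being cleared, so it is quadratic in the number of relas; acceptable for sample modules, but worth a remark if the tool is expected to handle large objects.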

0 comments on commit 4e5f39e