diff options
author | Simon Kissane <skissane@gmail.com> | 2023-02-11 08:58:02 +1100 |
---|---|---|
committer | DJ Delorie <dj@redhat.com> | 2023-02-22 21:03:30 -0500 |
commit | bde121872001d8f3224eeafa5b7effb871c3fbca (patch) | |
tree | 7b3051e54e9d17873a2cf02a5161a3a21b00f351 /elf/unload4mod3.c | |
parent | 31be941e4367c001b2009308839db5c67bf9dcbc (diff) | |
download | glibc-bde121872001d8f3224eeafa5b7effb871c3fbca.zip glibc-bde121872001d8f3224eeafa5b7effb871c3fbca.tar.gz glibc-bde121872001d8f3224eeafa5b7effb871c3fbca.tar.bz2 |
gmon: fix memory corruption issues [BZ# 30101]
V2 of this patch fixes an issue in V1, where the state was changed to ON not
OFF at end of _mcleanup. I hadn't noticed that (counterintuitively) ON=0 and
OFF=3, hence zeroing the buffer turned it back on. So set the state to OFF
after the memset.
1. Prevent double free, and reads from unallocated memory, when
_mcleanup is (incorrectly) called two or more times in a row,
without an intervening call to __monstartup; with this patch, the
second and subsequent calls effectively become no-ops instead.
While setting tos=NULL is minimal fix, safest action is to zero the
whole gmonparam buffer.
2. Prevent memory leak when __monstartup is (incorrectly) called two
or more times in a row, without an intervening call to _mcleanup;
with this patch, the second and subsequent calls effectively become
no-ops instead.
3. After _mcleanup, treat __moncontrol(1) as __moncontrol(0) instead.
With zeroing of gmonparam buffer in _mcleanup, this stops the
state incorrectly being changed to GMON_PROF_ON despite profiling
actually being off. If we'd just done the minimal fix to _mcleanup
of setting tos=NULL, there is risk of far worse memory corruption:
kcount would point to deallocated memory, and the __profil syscall
would make the kernel write profiling data into that memory,
which could have since been reallocated to something unrelated.
4. Ensure __moncontrol(0) still turns off profiling even in error
state. Otherwise, if mcount overflows and sets state to
GMON_PROF_ERROR, when _mcleanup calls __moncontrol(0), the __profil
syscall to disable profiling will not be invoked. _mcleanup will
free the buffer, but the kernel will still be writing profiling
data into it, potentially corrupted arbitrary memory.
Also adds a test case for (1). Issues (2)-(4) are not feasible to test.
Signed-off-by: Simon Kissane <skissane@gmail.com>
Reviewed-by: DJ Delorie <dj@redhat.com>
Diffstat (limited to 'elf/unload4mod3.c')
0 files changed, 0 insertions, 0 deletions