summaryrefslogtreecommitdiff
path: root/ldso
diff options
context:
space:
mode:
authorRich Felker <dalias@aerifal.cx>2019-03-10 13:16:59 -0400
committerRich Felker <dalias@aerifal.cx>2019-03-10 13:16:59 -0400
commit50cd02386b152bb39a1a9d1edba3fdcda7771a4c (patch)
tree2467f39c7a510226f5ee64422e33d84a8886fc0d /ldso
parent4918b7fb0d9f3d3fd4b46be3313901fbd772064b (diff)
downloadmusl-50cd02386b152bb39a1a9d1edba3fdcda7771a4c.tar.gz
musl-50cd02386b152bb39a1a9d1edba3fdcda7771a4c.tar.bz2
musl-50cd02386b152bb39a1a9d1edba3fdcda7771a4c.tar.xz
musl-50cd02386b152bb39a1a9d1edba3fdcda7771a4c.zip
fix invalid-/double-/use-after-free in new dlopen ctor execution
this affected the error path where dlopen successfully found and loaded the requested dso and all its dependencies, but failed to resolve one or more relocations, causing the operation to fail after storage for the ctor queue was allocated. commit 188759bbee057aa94db2bbb7cf7f5855f3b9ab53 wrongly put the free for the ctor_queue array in the error path inside a loop over each loaded dso that needed to be backed-out, rather than just doing it once. in addition, the exit path also observed the ctor_queue pointer still being nonzero, and would attempt to call ctors on the backed-out dsos unless the double-free crashed the process first.
Diffstat (limited to 'ldso')
-rw-r--r--ldso/dynlink.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/ldso/dynlink.c b/ldso/dynlink.c
index 35cacd76..46c5b5ff 100644
--- a/ldso/dynlink.c
+++ b/ldso/dynlink.c
@@ -2000,8 +2000,9 @@ void *dlopen(const char *file, int mode)
free(p->deps);
unmap_library(p);
free(p);
- free(ctor_queue);
}
+ free(ctor_queue);
+ ctor_queue = 0;
if (!orig_tls_tail) libc.tls_head = 0;
tls_tail = orig_tls_tail;
if (tls_tail) tls_tail->next = 0;