[PATCH v2] Fix invalid free in trace_close_memstream
Dmitry V. Levin
ldv at altlinux.org
Mon Aug 5 16:59:33 UTC 2019
On Sun, Aug 04, 2019 at 04:39:29PM +0100, Pierre Marsais wrote:
> In maybe_switch_tcbs we exchange the pointers to the memstream's
> buffers between two tcbs, however the libc doesn't know and keeps updating
> the tcb->memfptr as if the exchange didn't happen. This leads to
> unsynchronized tcb->memfptr and tcb->outf and invalid frees. Adding a
> new indirection fixes the problem.
>
> * stage_output.c (struct staged_output_data): New struct.
> (strace_open_memstream, strace_close_memstream): Use it.
> * defs.h (struct tcb): Change memfptr and memfloc to a pointer to struct
> staged_output_data.
> * strace.c (maybe_switch_tcbs): Use it.
> * syscall.c (print_syscall_resume): Ditto.
>
> Signed-off-by: Pierre Marsais <pierre.marsais at lse.epita.fr>
> ---
> Hi,
>
> Here is a second version fixing some small oversights.
>
> Changes in v2:
> - use xmalloc instead of malloc
> - move real_outf inside struct staged_output_data
> - make struct staged_output_data opaque
> - If for some reason tcp->staged_output_data->memfptr == NULL in
> strace_close_memstream, we wouldn't free(tcp->staged_output_data)
> (can it happen?). Fix this behaviour.
>
>  defs.h         |  4 +---
>  stage_output.c | 32 +++++++++++++++++++++-----------
>  strace.c       | 21 +++++++--------------
>  syscall.c      |  2 +-
>  4 files changed, 30 insertions(+), 29 deletions(-)
Applied, thanks!
--
ldv
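The bug and fix described in the quoted message, reduced to a runnable model (example code added here, not strace's own source): `inline_layout_desyncs` shows why copying the memstream fields between two tcbs leaves the new owner with stale `memfptr`/`memfloc` values, and the heap-allocated `staged_output_data` indirection shows why swapping only the pointer keeps libc's recorded addresses valid. The struct and function names (`tcb_inline`, `open_staged`, `switch_tcbs`, `close_staged`) are simplified stand-ins assumed for this example, not strace's real identifiers.

```c
#define _GNU_SOURCE                      /* open_memstream(3), POSIX.1-2008 */
#include <stdio.h>
#include <stdlib.h>

/* Pre-fix layout (a model, not strace's code): libc records &memfptr and
 * &memfloc at open_memstream() time, so copying the fields into another tcb
 * leaves libc updating the old owner while the new owner holds stale values. */
struct tcb_inline { FILE *outf; char *memfptr; size_t memfloc; };

/* Fixed layout: libc-written fields live in one heap object; only the pointer
 * to that object is exchanged, so the addresses libc recorded stay valid. */
struct staged_output_data { char *memfptr; size_t memfloc; FILE *real_outf; };
struct tcb { FILE *outf; struct staged_output_data *staged_output_data; };

/* Returns 1 when the swapped-in copy disagrees with what libc finalized. */
static int inline_layout_desyncs(void) {
    struct tcb_inline a = { 0 }, b = { 0 }, tmp;
    a.outf = open_memstream(&a.memfptr, &a.memfloc);
    tmp = a; a = b; b = tmp;             /* old maybe_switch_tcbs: copy fields */
    fputs("staged line\n", b.outf);
    fclose(b.outf);                      /* libc finalizes a.memfptr/a.memfloc */
    int desync = b.memfloc != a.memfloc || b.memfptr != a.memfptr;
    free(a.memfptr);                     /* only libc's pointer is safe to free */
    return desync;
}

static void open_staged(struct tcb *tcp) {
    struct staged_output_data *p = calloc(1, sizeof *p);
    if (!p) abort();
    p->real_outf = tcp->outf;
    tcp->outf = open_memstream(&p->memfptr, &p->memfloc);
    tcp->staged_output_data = p;
}

static void switch_tcbs(struct tcb *a, struct tcb *b) { /* fixed: swap pointers */
    struct staged_output_data *p = a->staged_output_data;
    a->staged_output_data = b->staged_output_data; b->staged_output_data = p;
    FILE *f = a->outf; a->outf = b->outf; b->outf = f;
}

/* Flush staged bytes to the real stream; returns how many were staged. */
static size_t close_staged(struct tcb *tcp) {
    struct staged_output_data *p = tcp->staged_output_data;
    fclose(tcp->outf);                   /* finalizes p->memfptr and p->memfloc */
    tcp->outf = p->real_outf;
    size_t n = p->memfloc;
    if (p->memfptr) { fwrite(p->memfptr, 1, n, tcp->outf); free(p->memfptr); }
    free(p);                             /* freed even when memfptr is NULL (v2) */
    return n;
}

static size_t fixed_layout_roundtrip(void) {
    struct tcb a = { stdout, NULL }, b = { stdout, NULL };
    open_staged(&a);
    switch_tcbs(&a, &b);                 /* b now owns a's staged stream */
    fputs("staged line\n", b.outf);
    return close_staged(&b);             /* 12 bytes, no invalid free */
}
```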