NetBSD Problem Report #46456

From www@NetBSD.org  Wed May 16 06:21:38 2012
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [149.20.53.66])
	by www.NetBSD.org (Postfix) with ESMTP id DE67463D3F2
	for <gnats-bugs@gnats.NetBSD.org>; Wed, 16 May 2012 06:21:37 +0000 (UTC)
Message-Id: <20120516062137.2CD3363C785@www.NetBSD.org>
Date: Wed, 16 May 2012 06:21:37 +0000 (UTC)
From: amolpise15@gmail.com
Reply-To: amolpise15@gmail.com
To: gnats-bugs@NetBSD.org
Subject: xmalloc.c issue (after xfree(cp), cp is used in irealloc())
X-Send-Pr-Version: www-1.0

>Number:         46456
>Category:       lib
>Synopsis:       xmalloc.c issue (after xfree(cp), cp is used in irealloc())
>Confidential:   no
>Severity:       non-critical
>Priority:       high
>Responsible:    lib-bug-people
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Wed May 16 06:25:00 +0000 2012
>Closed-Date:    Thu Aug 24 08:43:10 +0000 2017
>Last-Modified:  Thu Aug 24 08:43:10 +0000 2017
>Originator:     Amol Pise
>Release:        NetBSD 5.0
>Organization:
Tata Elxsi
>Environment:
Not applicable
>Description:
I used NetBSD-5 for my system, and during code observation I have seen in xmalloc.c that the pointer "cp" is used after xfree(cp).
How is it possible? Please see the code below.

# cat src/libexec/ld.elf_so/xmalloc.c
{{{
332 static void *
333 irealloc(void *cp, size_t nbytes)
334 {
335         register u_int onb;
336         register int i;
337         union overhead *op;
338         char *res;
:
:
<snip>
358         /* avoid the copy if same size block */
359         if (i) {
360                 i = 1 << (i + 2);
361                 if (i < pagesz)
362                         i -= sizeof (*op) + RSLOP;
363                 else
364                         i += pagesz - sizeof (*op) - RSLOP;
365         }
366         if (nbytes <= onb && nbytes > i) {
367 #ifdef RCHECK
368                 op->ov_size = (nbytes + RSLOP - 1) & ~(RSLOP - 1);
369                 *(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC;
370 #endif
371                 return(cp);
372         } else
373                 xfree(cp);
374         if ((res = imalloc(nbytes)) == NULL)
375                 return (NULL);
376         if (cp != res)          /* common optimization if "compacting" */
377                 memcpy(res, cp, (nbytes < onb) ? nbytes : onb);
378         return (res);
379 }
}}}

In the above code, at line 373 xfree(cp) is done and at line 377 cp is used to copy to the result. The code is clearly wrong; this needs to be fixed.
>How-To-Repeat:
Based on code inspection 
>Fix:
Christos suggested the fix below:

Index: xmalloc.c
===================================================================
RCS file: /cvsroot/src/libexec/ld.elf_so/xmalloc.c,v
retrieving revision 1.11
diff -u -u -r1.11 xmalloc.c
--- xmalloc.c   25 May 2011 14:41:46 -0000      1.11
+++ xmalloc.c   14 May 2012 16:03:13 -0000
@@ -369,12 +369,13 @@
               *(u_short *)((caddr_t)(op + 1) + op->ov_size) = RMAGIC;
 #endif
               return(cp);
-       } else
-               xfree(cp);
+       }
       if ((res = imalloc(nbytes)) == NULL)
               return (NULL);
-       if (cp != res)        /* common optimization if "compacting" */
+       if (cp != res) {      /* common optimization if "compacting" */
               memcpy(res, cp, (nbytes < onb) ? nbytes : onb);
+               xfree(cp);
+       }
       return (res);
 }
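Review bot: with xfree(cp) moved after the copy, cp can no longer be the block that imalloc() just handed back, so the `if (cp != res)` guard is now always true and its "common optimization if compacting" comment describes exactly the free-then-allocate reuse that caused the bug; consider making the memcpy()/xfree() pair unconditional and dropping the comment. Allocating before freeing also means the `imalloc(nbytes) == NULL` path now returns with cp still allocated and readable, which matches realloc(3) semantics, whereas the old order freed cp and then returned NULL, losing the caller's data on allocation failure.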

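An added example, not code from the PR or from ld.elf_so, that reproduces the ordering defect described in the report next to the ordering of the suggested fix. It assumes a constructed two-slot pool in place of the real imalloc()/xfree(), poisons freed memory so a stale read is visible, and passes the old block size onb as a parameter where the real irealloc() reads it from the block header.

```c
#include <string.h>

/* Constructed stand-ins for imalloc()/xfree(): a two-slot pool, handed out
 * round-robin, that fills a freed slot with 0xDD so stale reads show up. */
enum { SLOTS = 2, SLOT_SIZE = 64 };
static unsigned char pool[SLOTS][SLOT_SIZE];
static int in_use[SLOTS], next_slot;
typedef void *(*realloc_fn)(void *cp, size_t onb, size_t nbytes);
static void *imalloc(size_t n) {
    for (int t = 0; n <= SLOT_SIZE && t < SLOTS; t++) {
        int i = next_slot++ % SLOTS;
        if (!in_use[i]) { in_use[i] = 1; return pool[i]; }
    }
    return NULL;                 /* request too big or pool exhausted */
}
static void xfree(void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (pool[i] == p) { in_use[i] = 0; memset(p, 0xDD, SLOT_SIZE); }
}

/* Order used by the original irealloc(): free, allocate, copy. onb is the old
 * block size, passed in here; the real code reads it from the block header. */
static void *irealloc_buggy(void *cp, size_t onb, size_t nbytes) {
    xfree(cp);
    char *res = imalloc(nbytes);
    if (res == NULL) return NULL;                       /* cp already gone */
    if (cp != res) memcpy(res, cp, nbytes < onb ? nbytes : onb); /* reads freed cp */
    return res;
}
/* Order from the proposed fix: allocate, copy, then free the old block. */
static void *irealloc_fixed(void *cp, size_t onb, size_t nbytes) {
    char *res = imalloc(nbytes);
    if (res == NULL) return NULL;                       /* cp left intact */
    memcpy(res, cp, nbytes < onb ? nbytes : onb);
    xfree(cp);
    return res;
}
static char *fresh_block(void) {   /* reset the pool, allocate, fill a payload */
    memset(in_use, 0, sizeof in_use); next_slot = 0;
    char *p = imalloc(16); memcpy(p, "ld.elf_so", 10); return p;
}
static int payload_survives(realloc_fn fn) {   /* 1 if the data made it over */
    char *p = fresh_block(), *q = fn(p, 16, 32);
    return q != NULL && memcmp(q, "ld.elf_so", 10) == 0;
}
static int old_block_intact_on_failure(realloc_fn fn) {  /* 1 if cp untouched */
    char *p = fresh_block();
    return fn(p, 16, SLOT_SIZE + 1) == NULL && memcmp(p, "ld.elf_so", 10) == 0;
}
```

With the buggy order the new block receives the 0xDD poison instead of the payload, and an allocation failure leaves the caller holding a freed block; with the fixed order both checks pass.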

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->closed
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Thu, 24 Aug 2017 08:43:10 +0000
State-Changed-Why:
Fixed in 2013, thanks for the report.


>Unformatted:
