1 Star 0 Fork 18

邹鹏/ltrace

forked from src-openEuler/ltrace 
加入 Gitee
与超过 1200万 开发者一起发现、参与优秀开源项目,私有仓库也完全免费 :)
免费加入
文件
该仓库未声明开源许可证文件(LICENSE),使用请关注具体项目描述及其代码上游依赖。
克隆/下载
bugfix-for-use-after-free-about-soname.patch 7.65 KB
一键复制 编辑 原始数据 按行查看 历史
sigui 提交于 2020-02-21 02:22 . Package init
From 8eccd30f5d3ae0be17f2a75116600f5fca9c76db Mon Sep 17 00:00:00 2001
From: root <root@localhost.localdomain>
Date: Sat, 4 May 2019 16:51:52 +0800
Subject: [PATCH] bugfix for use after free about soname
==18904==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa0d00313 at pc 0xffffa3d1bc70 bp 0xffffe9c118d0 sp 0xffffe9c11948
READ of size 5 at 0xffffa0d00313 thread T0
#0 0xffffa3d1bc6f (/usr/lib64/libasan.so.4+0x50c6f)
#1 0xaaaae94e1d67 in library_get_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:198
#2 0xaaaae94e2f8f in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:243
#3 0xaaaae94e383b in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:703
#4 0xaaaae94e383b in output_right /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:644
#5 0xaaaae94e08d3 in output_right_tos /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:665
#6 0xaaaae94e1a4f in handle_breakpoint /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:703
#7 0xaaaae94e1a4f in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:200
#8 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
#9 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
#10 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#11 0xaaaae94cdd5f (/ltrace+0x9d5f)
0xffffa0d00313 is located 3 bytes inside of 8-byte region [0xffffa0d00310,0xffffa0d00318)
freed by thread T0 here:
#0 0xffffa3d9b6c3 in free (/usr/lib64/libasan.so.4+0xd06c3)
#1 0xaaaae94d101f in private_process_destroy /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:273
#2 0xaaaae94d10ab in remove_process /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:753
#3 0xaaaae94e0d73 in handle_exit_signal /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:521
#4 0xaaaae94e0d73 in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:142
#5 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
#6 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
#7 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#8 0xaaaae94cdd5f (/ltrace+0x9d5f)
previously allocated by thread T0 here:
#0 0xffffa3d3e34f in strdup (/usr/lib64/libasan.so.4+0x7334f)
#1 0xaaaae94cfb2b in process_bare_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:128
#2 0xaaaae94cfcbf in process_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:214
#3 0xaaaae94cfe17 in open_program /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:330
#4 0xaaaae94ce09f in ltrace_init /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:125
#5 0xaaaae94cdd1b in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:47
#6 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#7 0xaaaae94cdd5f (/ltrace+0x9d5f)
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.4+0x50c6f)
Shadow bytes around the buggy address:
0x200ff41a0010: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 00 00
0x200ff41a0020: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x200ff41a0030: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x200ff41a0040: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 00 00
0x200ff41a0050: fa fa 00 00 fa fa fd fa fa fa fd fa fa fa fd fd
=>0x200ff41a0060: fa fa[fd]fa fa fa 00 07 fa fa 06 fa fa fa 05 fa
0x200ff41a0070: fa fa 00 00 fa fa 05 fa fa fa 00 00 fa fa 00 00
0x200ff41a0080: fa fa 00 00 fa fa 00 00 fa fa 00 00 fa fa 01 fa
0x200ff41a0090: fa fa 00 00 fa fa 00 00 fa fa 01 fa fa fa 00 00
0x200ff41a00a0: fa fa 04 fa fa fa 04 fa fa fa 00 fa fa fa fd fd
0x200ff41a00b0: fa fa 04 fa fa fa 04 fa fa fa 00 fa fa fa 04 fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
=================================================================
==18904==ERROR: AddressSanitizer: heap-use-after-free on address 0xffffa0d00313 at pc 0xffffa3d3fbe4 bp 0xffffe9c118c0 sp 0xffffe9c11938
READ of size 5 at 0xffffa0d00313 thread T0
#0 0xffffa3d3fbe3 (/usr/lib64/libasan.so.4+0x74be3)
#1 0xaaaae94e1db3 in memcpy /usr/include/bits/string_fortified.h:34
#2 0xaaaae94e1db3 in library_get_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:200
#3 0xaaaae94e2f8f in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:243
#4 0xaaaae94e383b in lookup_symbol_prototype /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:703
#5 0xaaaae94e383b in output_right /root/rpmbuild/BUILD/ltrace-0.7.91/output.c:644
#6 0xaaaae94e08d3 in output_right_tos /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:665
#7 0xaaaae94e1a4f in handle_breakpoint /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:703
#8 0xaaaae94e1a4f in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:200
#9 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
#10 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
#11 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#12 0xaaaae94cdd5f (/ltrace+0x9d5f)
0xffffa0d00313 is located 3 bytes inside of 8-byte region [0xffffa0d00310,0xffffa0d00318)
freed by thread T0 here:
#0 0xffffa3d9b6c3 in free (/usr/lib64/libasan.so.4+0xd06c3)
#1 0xaaaae94d101f in private_process_destroy /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:273
#2 0xaaaae94d10ab in remove_process /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:753
#3 0xaaaae94e0d73 in handle_exit_signal /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:521
#4 0xaaaae94e0d73 in handle_event /root/rpmbuild/BUILD/ltrace-0.7.91/handle_event.c:142
#5 0xaaaae94ce237 in ltrace_main /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:174
#6 0xaaaae94cdd1f in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:55
#7 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#8 0xaaaae94cdd5f (/ltrace+0x9d5f)
previously allocated by thread T0 here:
#0 0xffffa3d3e34f in strdup (/usr/lib64/libasan.so.4+0x7334f)
#1 0xaaaae94cfb2b in process_bare_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:128
#2 0xaaaae94cfcbf in process_init /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:214
#3 0xaaaae94cfe17 in open_program /root/rpmbuild/BUILD/ltrace-0.7.91/proc.c:330
#4 0xaaaae94ce09f in ltrace_init /root/rpmbuild/BUILD/ltrace-0.7.91/libltrace.c:125
#5 0xaaaae94cdd1b in main /root/rpmbuild/BUILD/ltrace-0.7.91/main.c:47
#6 0xffffa38ecadf in __libc_start_main (/lib64/libc.so.6+0x20adf)
#7 0xaaaae94cdd5f (/ltrace+0x9d5f)
SUMMARY: AddressSanitizer: heap-use-after-free (/usr/lib64/libasan.so.4+0x74be3)
---
ltrace-elf.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/ltrace-elf.c b/ltrace-elf.c
index f638342..286790a 100644
--- a/ltrace-elf.c
+++ b/ltrace-elf.c
@@ -1214,12 +1214,14 @@ read_module(struct library *lib, struct process *proc,
goto fail;
library_set_soname(lib, soname, 1);
} else {
+ char *soname_str = NULL;
const char *soname = rindex(lib->pathname, '/');
if (soname != NULL)
soname += 1;
else
soname = lib->pathname;
- library_set_soname(lib, soname, 0);
+ soname_str = strdup(soname);
+ library_set_soname(lib, soname_str, 1);
}
/* XXX The double cast should be removed when
--
2.19.1
Loading...
马建仓 AI 助手
尝试更多
代码解读
代码找茬
代码优化
1
https://gitee.com/peng_zou/ltrace.git
git@gitee.com:peng_zou/ltrace.git
peng_zou
ltrace
ltrace
master

搜索帮助