[Bug 891349] New: Address zero referenced in libc.so.6, routine free, for arguments that have bits 26-63 unset
https://bugzilla.novell.com/show_bug.cgi?id=891349
https://bugzilla.novell.com/show_bug.cgi?id=891349#c0
Summary: Address zero referenced in libc.so.6, routine free, for arguments that have bits 26-63 unset
Classification: openSUSE
Product: openSUSE 12.3
Version: Final
Platform: x86-64
OS/Version: openSUSE 12.3
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Development
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: shamsundar@uh.edu
QAContact: qa-bugs@suse.de
Found By: ---
Blocker: ---
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/33.0.1750.117 Safari/537.36
Problem: If argument to free() has bits 30-63 equal to zero,
at offset 7ea24 (see disassembly below) contents of address 0 are
referenced, and then a crash is likely.
$ /lib64/libc.so.6
GNU C Library (GNU libc) stable release version 2.17 (git c758a6861537), by Roland McGrath et al.
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Configured for x86_64-suse-linux.
Compiled by GNU CC version 4.7.2 20130108 [gcc-4_7-branch revision 195012].
Compiled on a Linux 3.7.1 system.
Available extensions:
crypt add-on version 2.1 by Michael Glad and others
GNU Libidn by Simon Josefsson
Native POSIX Threads Library by Ulrich Drepper et al
BIND-8.2.3-T5B
libc ABIs: UNIQUE IFUNC
$ nm /lib64/libc.so.6 | grep -C4 -i ' free$'
00000000000fd590 T __fread_chk
0000000000074f90 T __freading
0000000000075ad0 T fread_unlocked
00000000000fd760 T __fread_unlocked_chk
000000000007e9f0 T free <=======
000000000007e9f0 t __free
00000000000d62a0 T freeaddrinfo
000000000007dd40 t free_atfork
00000000000c2ec0 t free_charset
$ objdump -d /lib64/libc.so.6 --start-address=0x7e9f0 --stop-address=0x7eb00
000000000007e9f0 <__libc_free>:
7e9f0: 48 8b 05 c1 94 32 00 mov 0x3294c1(%rip),%rax # 3a7eb8 <_DYNAMIC+0x378>
7e9f7: 48 8b 00 mov (%rax),%rax
7e9fa: 48 85 c0 test %rax,%rax
7e9fd: 75 73 jne 7ea72 <__libc_free+0x82>
7e9ff: 48 85 ff test %rdi,%rdi
7ea02: 74 6c je 7ea70 <__libc_free+0x80>
7ea04: 48 8b 47 f8 mov -0x8(%rdi),%rax
7ea08: 48 8d 77 f0 lea -0x10(%rdi),%rsi
7ea0c: a8 02 test $0x2,%al
7ea0e: 75 20 jne 7ea30 <__libc_free+0x40>
7ea10: a8 04 test $0x4,%al
7ea12: 48 8d 3d 27 9c 32 00 lea 0x329c27(%rip),%rdi # 3a8640
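Added illustration (not part of the bug report and not glibc's own code): the instructions quoted above load the 8-byte size word just below the user pointer (mov -0x8(%rdi),%rax), compute the chunk address (lea -0x10(%rdi),%rsi) and test the IS_MMAPPED (0x2) and NON_MAIN_ARENA (0x4) flag bits, and the only guard that runs before that load is the NULL test at 7e9ff. The C program below mirrors that decoding on a constructed chunk so it runs without depending on the real allocator. Function names (header_address, header_size, header_flags, header_plausible, make_fake_chunk) are mine; the alignment and minimum-chunk constants assume x86-64 glibc, and the malloc(100) probe in main() is glibc-specific.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example: decode the malloc chunk header the way the first
 * instructions of __libc_free do.
 *
 *   mov -0x8(%rdi),%rax    load the size word just below the user pointer
 *   lea -0x10(%rdi),%rsi   address of the chunk itself
 *   test $0x2,%al          IS_MMAPPED?
 *   test $0x4,%al          NON_MAIN_ARENA?
 *
 * Before that load the only check is "rdi == NULL", so any value that is not
 * a live heap pointer (a stale pointer, a small address such as 0x10) makes
 * free() read mem-8 first and validate later.
 */

/* Flag bits glibc keeps in the low bits of the size word (x86-64). */
#define PREV_INUSE      0x1u
#define IS_MMAPPED      0x2u
#define NON_MAIN_ARENA  0x4u
#define SIZE_BITS       (PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA)

/* Assumed x86-64 glibc constants: user pointers are 16-byte aligned and the
 * smallest chunk is 32 bytes. */
#define MALLOC_ALIGNMENT 16u
#define MINSIZE          32u

/* Address free() dereferences first for a given argument: mem - 8. */
static uintptr_t header_address(const void *mem)
{
    return (uintptr_t)mem - sizeof(size_t);
}

/* The only guard that runs before the header load (je 7ea70 on NULL). */
static int free_skips_header_load(const void *mem)
{
    return mem == NULL;
}

/* Raw size word.  Like free() this dereferences mem-8 unconditionally, so it
 * is only safe on a live heap pointer or on the constructed chunk below. */
static size_t header_word(const void *mem)
{
    size_t word;
    memcpy(&word, (const char *)mem - sizeof(size_t), sizeof word);
    return word;
}

/* Chunk size with the flag bits masked off. */
static size_t header_size(const void *mem)
{
    return header_word(mem) & ~(size_t)SIZE_BITS;
}

/* PREV_INUSE | IS_MMAPPED | NON_MAIN_ARENA as stored in the size word. */
static unsigned header_flags(const void *mem)
{
    return (unsigned)(header_word(mem) & SIZE_BITS);
}

/* Checks modelled on the conditions behind glibc's "free(): invalid pointer"
 * and "free(): invalid size" aborts.  Failing them proves the argument did not
 * come from malloc; passing them does not prove it did. */
static int header_plausible(const void *mem)
{
    size_t size = header_size(mem);
    if ((uintptr_t)mem % MALLOC_ALIGNMENT != 0) return 0;
    if (size % MALLOC_ALIGNMENT != 0) return 0;
    if (size < MINSIZE) return 0;
    return 1;
}

/* Constructed chunk: prev_size word, size word, then user data.  Only the
 * size word is ever decoded, so the stated size need not match the buffer. */
static _Alignas(16) size_t fake_chunk[6];

static const void *make_fake_chunk(size_t size_word)
{
    fake_chunk[0] = 0;          /* prev_size (unused while PREV_INUSE is set) */
    fake_chunk[1] = size_word;  /* size | flags, what mov -0x8(%rdi) loads */
    return &fake_chunk[2];      /* the pointer malloc would hand back */
}

int main(void)
{
    const void *fake = make_fake_chunk(0x90 | PREV_INUSE | NON_MAIN_ARENA);
    printf("fake chunk: size=%zu flags=0x%x plausible=%d\n",
           header_size(fake), header_flags(fake), header_plausible(fake));

    /* A small non-heap value: free() would load from 0x8, which lies below
     * vm.mmap_min_addr on a default Linux setup, so the load itself faults. */
    const void *bogus = (const void *)0x10;
    printf("free(%p) would first read %#lx\n",
           bogus, (unsigned long)header_address(bogus));

    /* Real allocation: reading the header is glibc-specific but legal here. */
    void *p = malloc(100);
    if (p) {
        printf("malloc(100): size=%zu flags=0x%x plausible=%d\n",
               header_size(p), header_flags(p), header_plausible(p));
        free(p);
    }
    return 0;
}
```

The point for a reader of this report: the size-word load happens before any check that could print "free(): invalid pointer", so an argument that is not a live heap pointer can fault immediately, and the fault address is simply the argument minus 8. Running the offending program under valgrind or with -fsanitize=address shows where such a pointer originated.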
--- Comment #1 from Dr. Shamsundar
https://bugzilla.novell.com/show_bug.cgi?id=891349#c1

--- Comment #2 from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=891349#c2

--- Comment #3 from Dr. Shamsundar
https://bugzilla.novell.com/show_bug.cgi?id=891349#c3

--- Comment from Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=891349#c

--- Comment from Richard Biener
https://bugzilla.novell.com/show_bug.cgi?id=891349#c

--- Comment #4 from Andreas Schwab
https://bugzilla.novell.com/show_bug.cgi?id=891349#c4
You can only pass valid heap pointers to free.

--- Comment #5 from Dr. Shamsundar
https://bugzilla.novell.com/show_bug.cgi?id=891349#c5
Of course, and you can see from the Fortran source that I do not manipulate any