Fix invalid free of memory allocated during rtld init

diff --git a/ChangeLog b/ChangeLog
index 6aaff9a..6313627 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,9 @@
+2013-04-11  Andreas Schwab  <schwab@suse.de>
+
+       [BZ #14293]
+       * elf/dl-load.c (_dl_init_paths): Mark decomposed RUNPATH as
+       non-freeable.
+
 2013-04-11  Siddhesh Poyarekar  <siddhesh@redhat.com>
 
        * Makeconfig (rtld-prefix): Define built linker prefix.

diff --git a/NEWS b/NEWS
index 17a997a..639b1f0 100644 (file)
--- a/NEWS
+++ b/NEWS
@@ -10,11 +10,11 @@ Version 2.18
 * The following bugs are resolved with this release:
 
   10060, 10062, 10357, 11120, 11561, 12723, 13550, 13889, 13951, 14142,
-  14176, 14200, 14317, 14327, 14478, 14496, 14686, 14812, 14920, 14964,
-  14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023, 15036,
-  15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283, 15285,
-  15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336, 15337,
-  15342, 15346.
+  14176, 14200, 14293, 14317, 14327, 14478, 14496, 14686, 14812, 14920,
+  14964, 14981, 14982, 14985, 14994, 14996, 15003, 15006, 15020, 15023,
+  15036, 15054, 15055, 15062, 15078, 15160, 15214, 15232, 15234, 15283,
+  15285, 15287, 15304, 15305, 15307, 15309, 15327, 15330, 15335, 15336,
+  15337, 15342, 15346.
 
 * CVE-2013-0242 Buffer overrun in regexp matcher has been fixed (Bugzilla
   #15078).

diff --git a/elf/dl-load.c b/elf/dl-load.c
index 6e65980..dd182c9 100644 (file)
--- a/elf/dl-load.c
+++ b/elf/dl-load.c
@@ -797,6 +797,9 @@ _dl_init_paths (const char *llp)
                           (const void *) (D_PTR (l, l_info[DT_STRTAB])
                                           + l->l_info[DT_RUNPATH]->d_un.d_val),
                           l, "RUNPATH");
+         /* During rtld init the memory is allocated by the stub malloc,
+            prevent any attempt to free it by the normal malloc.  */
+         l->l_runpath_dirs.malloced = 0;
 
          /* The RPATH is ignored.  */
          l->l_rpath_dirs.dirs = (void *) -1;
@@ -813,6 +816,9 @@ _dl_init_paths (const char *llp)
                               (const void *) (D_PTR (l, l_info[DT_STRTAB])
                                               + l->l_info[DT_RPATH]->d_un.d_val),
                               l, "RPATH");
+             /* During rtld init the memory is allocated by the stub
+                malloc, prevent any attempt to free it by the normal
+                malloc.  */
              l->l_rpath_dirs.malloced = 0;
            }
          else