Closed Bug 1082524 Opened 5 years ago Closed 5 years ago

Use of uninitialized memory when failing to load a library

Categories

(Core :: mozglue, defect)

All
Android
defect
Not set

Tracking

RESOLVED FIXED
mozilla36

People

(Reporter: glandium, Assigned: glandium)

References

(Blocks 1 open bug)

Details

Attachments

(2 files, 1 obsolete file)

No description provided.
Attached patch Initialize link_map (obsolete) — Splinter Review
When a library fails to load with CustomElf before it's registered, the
unregistration that does happen in CustomElf's destructor uses link_map,
so it needs to be initialized.
Attachment #8504669 - Flags: review?(nfroyd)
When a library fails to load with CustomElf before it's registered, the
unregistration that does happen in CustomElf's destructor uses link_map,
so it needs to be initialized.
Attachment #8504702 - Flags: review?(nfroyd)
Attachment #8504669 - Attachment is obsolete: true
Attachment #8504669 - Flags: review?(nfroyd)
Attachment #8504702 - Flags: review?(nfroyd) → review+
https://hg.mozilla.org/mozilla-central/rev/efe4e96122a3
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla36
This was actually not enough: the memory is now initialized, but it still crashes because of a NULL deref.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
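The failure path described in the two comments above, as an added example that is not mozglue code and not taken from the attached patches: a simplified model of a CustomElf-style loader whose destructor unlinks its link_map node, which is why the node's pointers must be initialised before any early-failure destructor can run (the first patch) and why every neighbour pointer must be null-checked during unlink (the second patch). The link_map layout, the Register/Unregister helpers, the Load function and the scenario are all constructed for illustration.

```cpp
// Added example (hypothetical, not mozglue code): why an RAII loader's
// destructor must cope with an object that never got registered.
#include <cassert>
#include <cstdio>
#include <string>
#include <vector>

// Stand-in for the linker's link_map node. The default member initialisers
// are the point of the first patch: without them, a CustomElf whose load
// fails before Register() runs has garbage here when its destructor unlinks it.
struct link_map {
    const char* l_name = nullptr;
    link_map* l_prev = nullptr;
    link_map* l_next = nullptr;
};

// Constructed list head for registered libraries (the real linker keeps
// this chained into data owned by the system linker; modelled away here).
static link_map* g_head = nullptr;

// Prepend a node to the registered list.
static void Register(link_map* map) {
    map->l_prev = nullptr;
    map->l_next = g_head;
    if (g_head) g_head->l_prev = map;
    g_head = map;
}

// Unlink a node. Every neighbour is checked before it is dereferenced,
// mirroring the second patch: an unregistered node (both pointers null,
// not the head) is a no-op rather than a NULL deref.
static void Unregister(link_map* map) {
    if (map->l_prev) {
        map->l_prev->l_next = map->l_next;
    } else if (g_head == map) {
        g_head = map->l_next;
    }
    if (map->l_next) {
        map->l_next->l_prev = map->l_prev;
    }
    map->l_prev = map->l_next = nullptr;
}

class CustomElf {
 public:
    // Load may fail after the object exists but before it is registered;
    // the destructor still runs on that path (the bug's trigger).
    static CustomElf* Load(const char* name, bool headerValid) {
        CustomElf* elf = new CustomElf(name);
        if (!headerValid) {
            delete elf;  // destructor unlinks a never-registered node
            return nullptr;
        }
        Register(&elf->map_);
        return elf;
    }
    // Unregistration lives in the destructor, as the bug comment describes.
    ~CustomElf() { Unregister(&map_); }

 private:
    explicit CustomElf(const char* name) { map_.l_name = name; }
    link_map map_;
};

// Names of currently registered libraries, head first.
static std::vector<std::string> ListNames() {
    std::vector<std::string> names;
    for (link_map* m = g_head; m; m = m->l_next) names.push_back(m->l_name);
    return names;
}

// Scenario: one good load, one failed load, one good load, then unload the
// first library (whose l_next is null, the other null-check path).
static std::vector<std::string> RunScenario() {
    g_head = nullptr;
    CustomElf* a = CustomElf::Load("liba.so", true);
    CustomElf* b = CustomElf::Load("libb.so", false);  // fails pre-registration
    CustomElf* c = CustomElf::Load("libc.so", true);
    assert(b == nullptr);
    delete a;  // tail node: l_prev is c, l_next is null
    std::vector<std::string> names = ListNames();  // {"libc.so"}
    delete c;  // head node: l_prev is null, g_head advances to null
    return names;
}

int main() {
    for (const std::string& n : RunScenario()) std::printf("registered: %s\n", n.c_str());
    std::printf("remaining after cleanup: %zu\n", ListNames().size());
    return 0;
}
```

Dropping the default initialisers in `link_map` reproduces the first crash (garbage `l_prev` dereferenced in `Unregister` for the failed `libb.so`); dropping the null checks in `Unregister` reproduces the second, even with initialised memory.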
Comment on attachment 8506703 [details] [diff] [review]
Do not deref null pointers in link_map

Review of attachment 8506703 [details] [diff] [review]:
-----------------------------------------------------------------

::: mozglue/linker/ElfLoader.cpp
@@ +892,5 @@
>      /* When removing the first added library, its l_next is going to be
>       * data handled by the system linker, and that data may be read-only */
>      EnsureWritable w(&map->l_next->l_prev);
>      map->l_next->l_prev = map->l_prev;
> +  } else if (map->l_next)
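Review bot: the added `} else if (map->l_next)` carries no braces on the visible line, so the brace suggestion applies to this new branch as well; separately, the first branch's `EnsureWritable w(&map->l_next->l_prev);` and `map->l_next->l_prev = map->l_prev;` still dereference `map->l_next` with no null check in the visible context, so the enclosing condition (not shown in the hunk) must guarantee a non-null `l_next` on that path, otherwise the same guard is needed there.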

Might as well add some braces around here while you're poking around.
Attachment #8506703 - Flags: review?(nfroyd) → review+
https://hg.mozilla.org/mozilla-central/rev/4701a7ff7279
Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED