https://sourceware.org/bugzilla/show_bug.cgi?id=32903
Bug ID: 32903
Summary: Error pointer overwritten on successful dict open in ctf_dict_open
Product: binutils
Version: 2.45 (HEAD)
Status: UNCONFIRMED
Severity: normal
Priority: P2
Component: libctf
Assignee: unassigned at sourceware dot org
Reporter: bruce.mcculloch at oracle dot com
Target Milestone: ---
Created attachment 16048
--> https://sourceware.org/bugzilla/attachment.cgi?id=16048&action=edit
binutils libctf patch
When calling ctf_dict_open (const ctf_archive_t *arc, const char *name, int
*errp), the provided error pointer gets overwritten with junk memory on
success. This issue was initially discovered when opening a vmlinux.ctfa.
The error was indirectly introduced by the commit
61914bb6990c943c65fa8e10b1577c0808016149, which intended to return appropriate
error codes when an archive opening function fails.
I have included a patch that fixes the issue and still maintains the code added
in the above commit. Simply, in ctf_arc_import_parent, give the error variable
an initial value, and write to the provided error pointer arg IFF the local
error variable is set by the ctf_dict_open_cached call.
If you would like to test this, I have also included a reproducer written by
Stephen Brennan ([email protected]). Just build this, link with your
new libctf.so, and provide the path to your vmlinux.ctfa:
#include <stdio.h>
#include <ctf-api.h>

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s ARCHIVE\n", argv[0]);
        return 1;
    }

    /* errnum is zeroed before each call: libctf only writes to it on
       failure, so any non-zero value after a successful call is the bug. */
    int errnum = 0;
    ctf_archive_t *arc = ctf_open(argv[1], NULL, &errnum);
    if (!arc) {
        fprintf(stderr, "ctf_open returned null, errnum = %d (%s)\n",
                errnum, ctf_errmsg(errnum));
        return 1;
    }
    if (errnum)
        fprintf(stderr, "ctf_open returned non-null, errnum = %d\n",
                errnum);

    errnum = 0;
    ctf_dict_t *dict = ctf_dict_open(arc, "vmlinux", &errnum);
    if (!dict) {
        fprintf(stderr, "ctf_dict_open returned null, errnum = %d (%s)\n",
                errnum, ctf_errmsg(errnum));
        ctf_close(arc);
        return 1;
    }
    if (errnum)
        fprintf(stderr, "ctf_dict_open returned non-null, errnum = %d\n",
                errnum);

    /* ctf_id_t is an unsigned long, so print it with %lx rather than %x. */
    ctf_id_t id = ctf_lookup_by_name(dict, "struct module");
    printf("struct module = 0x%lx, kind %d\n", id, ctf_type_kind(dict, id));

    ctf_dict_close(dict);
    ctf_close(arc);
    return 0;
}
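The error-out-pointer pattern described in the report, shown as an added example that is not libctf's code and not part of the bug report: a hypothetical stand-in for ctf_dict_open_cached that, like libctf, only assigns *errp on failure, a buggy wrapper that copies an uninitialised local error variable to the caller's pointer unconditionally, and the fixed shape the report proposes (initialise the local, write *errp only if the callee set it). The "junk" stack value and the error code are constructed constants so the buggy behaviour is reproducible without relying on undefined behaviour.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values for the demonstration.  DEMO_STACK_JUNK stands in for
   whatever happened to be on the stack; DEMO_ENOENT is a made-up error code. */
#define DEMO_STACK_JUNK 0x5EED
#define DEMO_ENOENT 2

/* Hypothetical stand-in for ctf_dict_open_cached: returns 1 on success and
   leaves *errp untouched; returns 0 on failure and stores the error in *errp. */
static int open_cached_stub(const char *name, int *errp)
{
    if (strcmp(name, "vmlinux") == 0)
        return 1;
    if (errp)
        *errp = DEMO_ENOENT;
    return 0;
}

/* Buggy shape: the local err is effectively uninitialised and is copied to the
   caller's *errp unconditionally, so a successful open reports junk.  The junk
   is simulated with a constant instead of reading an uninitialised variable. */
static int import_parent_buggy(const char *name, int *errp)
{
    int err = DEMO_STACK_JUNK;          /* simulates an uninitialised local */
    int ok = open_cached_stub(name, &err);
    if (errp)
        *errp = err;                    /* clobbers *errp even on success */
    return ok;
}

/* Fixed shape, as the report suggests: give err an initial value and write
   to *errp only when the callee actually set it. */
static int import_parent_fixed(const char *name, int *errp)
{
    int err = 0;
    int ok = open_cached_stub(name, &err);
    if (err != 0 && errp)
        *errp = err;
    return ok;
}

/* Runs one variant the way the reproducer does (errnum zeroed beforehand)
   and returns what the caller's errnum holds afterwards. */
static int errnum_after(int (*fn)(const char *, int *), const char *name)
{
    int errnum = 0;
    fn(name, &errnum);
    return errnum;
}

int main(void)
{
    printf("buggy, success: errnum = 0x%x\n",
           errnum_after(import_parent_buggy, "vmlinux"));
    printf("fixed, success: errnum = %d\n",
           errnum_after(import_parent_fixed, "vmlinux"));
    printf("buggy, failure: errnum = %d\n",
           errnum_after(import_parent_buggy, "missing"));
    printf("fixed, failure: errnum = %d\n",
           errnum_after(import_parent_fixed, "missing"));
    return 0;
}
```

The caller-side check from the reproducer (zero errnum, call, then treat a non-zero errnum after a non-null return as a defect) is what exposes the buggy variant; the fixed variant leaves the caller's zero intact on success and still reports the callee's code on failure.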