rtld-elf: Fix leaks and wild frees in origin_subst

55abf23dd3 inverted the value passed to origin_subst_one when rolling
up the existing code into a loop. If the first token is found ($ORIGIN),
this results in a wild free of part of strtab. Processing the second
token works fine and will act how the first should have regardless of
whether found, allocating memory for the string without freeing.
Processing subsequent tokens, however, will then leak, regardless of
whether found, as they will also believe they need to allocate memory
and can't free the string.

Found by:	CHERI
Reviewed by:	kib, markj
Fixes:		55abf23dd3 ("rtld: make token substitution table-driven")
MFC after:	3 days
Differential Revision:	https://reviews.freebsd.org/D35792
Jessica Clarke 2022-07-12 17:47:47 +01:00
parent 70b2996120
commit becd9908be


@ -1222,7 +1222,7 @@ origin_subst(Obj_Entry *obj, const char *real)
res = __DECONST(char *, real);
for (i = 0; i < (int)nitems(tokens); i++) {
res = origin_subst_one(tokens[i].pass_obj ? obj : NULL,
res, tokens[i].kw, tokens[i].subst, i == 0);
res, tokens[i].kw, tokens[i].subst, i != 0);
}
return (res);
}
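Review bot: the flipped last argument to origin_subst_one (`i == 0` becoming `i != 0`) is the right fix, but its meaning is invisible at the call site, which is how it got inverted in the first place; consider a named local with a comment, e.g. `may_free = (i != 0); /* res points into strtab only on the first pass */`, so the next reader does not re-invert it. The flag has to be false only on the first iteration, where `res` is still `__DECONST(char *, real)` and freeing it would be the wild free of part of strtab the message describes, and true on every later iteration, since the message states origin_subst_one allocates a new string whether or not the token was found, so the intermediate `res` is always heap memory that must be released.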