From becd9908beb8f1b47ddc6628cb005185a26ec85c Mon Sep 17 00:00:00 2001 From: Jessica Clarke Date: Tue, 12 Jul 2022 17:47:47 +0100 Subject: [PATCH] rtld-elf: Fix leaks and wild frees in origin_subst 55abf23dd36b inverted the value passed to origin_subst_one when rolling up the existing code into a loop. If the first token is found ($ORIGIN), this results in a wild free of part of strtab. Processing the second token works fine and will act how the first should have regardless of whether found, allocating memory for the string without freeing. Processing subsequent tokens however will then leak, regardless of whether found, as they will also believe they need to allocate memory and can't free the string. Found by: CHERI Reviewed by: kib, markj Fixes: 55abf23dd36b ("rtld: make token substitution table-driven") MFC after: 3 days Differential Revision: https://reviews.freebsd.org/D35792 --- libexec/rtld-elf/rtld.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libexec/rtld-elf/rtld.c b/libexec/rtld-elf/rtld.c index aa5400d29fc2..7828bf413a7a 100644 --- a/libexec/rtld-elf/rtld.c +++ b/libexec/rtld-elf/rtld.c @@ -1222,7 +1222,7 @@ origin_subst(Obj_Entry *obj, const char *real) res = __DECONST(char *, real); for (i = 0; i < (int)nitems(tokens); i++) { res = origin_subst_one(tokens[i].pass_obj ? obj : NULL, - res, tokens[i].kw, tokens[i].subst, i == 0); + res, tokens[i].kw, tokens[i].subst, i != 0); } return (res); }