[Bug 1435] New: dlopen/dlclose with ctors/dtors and on_exit handler -> using uninitialized memory

bugzilla at busybox.net bugzilla at busybox.net
Sat Mar 27 21:55:59 UTC 2010


https://bugs.busybox.net/show_bug.cgi?id=1435

           Summary: dlopen/dlclose with ctors/dtors and on_exit handler ->
                    using uninitialized memory
           Product: uClibc
           Version: <= 0.9.29.x
          Platform: PC
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Shared Library Support
        AssignedTo: unassigned at uclibc.org
        ReportedBy: rwahl at gmx.de
                CC: uclibc-cvs at uclibc.org
   Estimated Hours: 0.0


The appended test program registers an exit_handler with on_exit() and calls
dlopen and dlclose on a plugin (can be compiled using an empty source file). It
only needs to be compiled with a toolchain supporting ctors/dtors using
__cxa_exit. Valgrind will report:

==1264== Conditional jump or move depends on uninitialised value(s)
==1264==    at 0x405675F: __cxa_finalize (_atexit.c:203)
==1264==    by 0x4463354: (within /lib/test_plugin.so)
==1264==    by 0x446344B: (within /lib/test_plugin.so)
==1264==    by 0x40149F4: do_dlclose (libdl.c:545)
==1264==    by 0x8048522: main (dlclose_atexit_test_main.c:17)

This is because on_exit does not initialize the dso_handle to NULL in
on_exit(). The memory of the structure containing dso_handle is allocated with
realloc() and is uninitialized. Maybe this can crash the program on dlclose()
or even be used to call arbitrary code. Current uClibc seems to be affected as
well - at least the code looks the same. This patch fixes this:

Index: libc/stdlib/_atexit.c
===================================================================
--- libc/stdlib/_atexit.c       (revision 198509)
+++ libc/stdlib/_atexit.c       (revision 198510)
@@ -145,6 +145,7 @@

     efp->funcs.on_exit.func = func;
     efp->funcs.on_exit.arg = arg;
+    efp->funcs.cxa_atexit.dso_handle = NULL;
     /* assign last for thread safety, since we're now unlocked */
     efp->type = ef_on_exit;
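Review bot: the added line writes through the cxa_atexit member of the union while this entry is being set up as an on_exit entry, so it needs a comment saying why: per the valgrind trace in the report, __cxa_finalize reads dso_handle from every entry when a DSO is closed, so an on_exit slot must carry a defined handle or the comparison depends on whatever realloc() left in the slot. Without that comment the line looks like dead code and is likely to be removed. A reviewer would also ask whether __cxa_finalize should test efp->type before comparing dso_handle, which would remove the dependency on this initialisation for every other entry type as well.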


--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

/* Reproducer: register an on_exit handler, then dlopen/dlclose a plugin
 * whose constructors register destructors via __cxa_atexit.
 * Build: cc -o dlclose_atexit_test_main dlclose_atexit_test_main.c -ldl
 * The plugin can be built from an empty source file:
 *   cc -shared -fPIC -o test_plugin.so empty.c
 * Run under valgrind to observe the uninitialised read in __cxa_finalize. */
#define _GNU_SOURCE
#include <assert.h>
#include <dlfcn.h>
#include <stdio.h>
#include <stdlib.h>

/* on_exit() handler; it does nothing, its mere presence in the exit
 * function table is what triggers the report. */
static void exit_handler(int i, void* arg)
{
    (void)i;
    (void)arg;
}

int main(void)
{
    on_exit(exit_handler, NULL);
    /* dlopen runs the plugin's ctors, dlclose its dtors via __cxa_finalize */
    void* dl_handle = dlopen("test_plugin.so", RTLD_LAZY);
    assert(dl_handle);
    dlclose(dl_handle);
    return 0;
}

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
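The following toy model makes the mechanism in the report concrete without needing uClibc, valgrind or a plugin. It is an added example, not uClibc's _atexit.c: the field names follow the patch hunk, but the table, the shadow "defined" bit that stands in for valgrind's tracking, and the assumed order in which the finaliser compares dso_handle and type are all constructions for the demonstration. It replays the reporter's scenario (on_exit() first, then a plugin destructor registered with the same table, then the dlclose-time finalisation) once with the original on_exit() and once with the patch's extra line, and counts how many times finalisation reads a dso_handle that was never written.

```c
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Model of an exit-function table whose entries share one union. Added
 * example, not uClibc's code; only the field names come from the hunk. */
enum ef_type { ef_free = 0, ef_on_exit, ef_cxa_atexit };

struct exit_function {
    enum ef_type type;
    union {
        struct { void (*func)(int, void *); void *arg; } on_exit;
        struct { void (*func)(void *); void *arg; void *dso_handle; } cxa_atexit;
    } funcs;
};

static struct exit_function *table;
static size_t table_len;
/* Shadow bit per slot: has dso_handle ever been written? This plays the role
 * of valgrind's definedness tracking so undefined reads can be counted
 * deterministically instead of depending on what realloc() left behind. */
static unsigned char *handle_defined;

static struct exit_function *new_slot(void)
{
    struct exit_function *p = realloc(table, (table_len + 1) * sizeof *p);
    unsigned char *d = realloc(handle_defined, table_len + 1);
    if (!p || !d) abort();
    table = p;
    handle_defined = d;
    /* Like realloc(), leave the new slot unspecified: poison it so the demo
     * never accidentally sees a clean NULL. */
    memset(&table[table_len], 0xAB, sizeof *p);
    handle_defined[table_len] = 0;
    return &table[table_len++];
}

/* on_exit() registration as in the hunk; `fixed` toggles the patch's line. */
static void model_on_exit(void (*func)(int, void *), void *arg, int fixed)
{
    struct exit_function *efp = new_slot();
    efp->funcs.on_exit.func = func;
    efp->funcs.on_exit.arg = arg;
    if (fixed) {
        efp->funcs.cxa_atexit.dso_handle = NULL;   /* the one-line patch */
        handle_defined[efp - table] = 1;
    }
    efp->type = ef_on_exit;   /* assigned last, as the hunk's comment says */
}

static void model_cxa_atexit(void (*func)(void *), void *arg, void *dso_handle)
{
    struct exit_function *efp = new_slot();
    efp->funcs.cxa_atexit.func = func;
    efp->funcs.cxa_atexit.arg = arg;
    efp->funcs.cxa_atexit.dso_handle = dso_handle;
    handle_defined[efp - table] = 1;
    efp->type = ef_cxa_atexit;
}

/* Model of the dlclose-time pass. It reads dso_handle of every live entry,
 * on_exit ones included, before looking at the type (assumed ordering chosen
 * to show why an unset handle is reached at all). Runs matching destructors
 * and returns how many reads hit a handle that was never written. */
static int model_cxa_finalize(void *dso_handle)
{
    int undefined_reads = 0;
    for (size_t i = table_len; i-- > 0; ) {
        struct exit_function *efp = &table[i];
        if (efp->type == ef_free) continue;
        void *h = efp->funcs.cxa_atexit.dso_handle;   /* read for every entry */
        if (!handle_defined[i]) undefined_reads++;
        if (h == dso_handle && efp->type == ef_cxa_atexit) {
            efp->funcs.cxa_atexit.func(efp->funcs.cxa_atexit.arg);
            efp->type = ef_free;
        }
    }
    return undefined_reads;
}

static void reset_table(void)
{
    free(table); free(handle_defined);
    table = NULL; handle_defined = NULL; table_len = 0;
}

static int dtor_calls;
static void plugin_dtor(void *arg) { (void)arg; dtor_calls++; }
static void exit_handler(int status, void *arg) { (void)status; (void)arg; }

/* Replays the report: on_exit(), plugin ctor registers a dtor, dlclose().
 * Returns the number of uninitialised dso_handle reads during finalisation. */
int undefined_reads_on_dlclose(int fixed)
{
    static int fake_plugin;   /* stands in for the plugin's DSO handle */
    reset_table();
    dtor_calls = 0;
    model_on_exit(exit_handler, NULL, fixed);
    model_cxa_atexit(plugin_dtor, NULL, &fake_plugin);
    int n = model_cxa_finalize(&fake_plugin);
    reset_table();
    return n;
}

int destructor_calls_last_run(void) { return dtor_calls; }

int main(void)
{
    printf("original on_exit: %d uninitialised read(s)\n", undefined_reads_on_dlclose(0));
    printf("patched  on_exit: %d uninitialised read(s)\n", undefined_reads_on_dlclose(1));
    return 0;
}
```

The point the model makes is the one the patch relies on: once entries of different kinds share a union and a consumer inspects a member of that union for every entry, each producer has to define that member, even when it is meaningless for its own entry kind. The alternative fix, checking `type` before touching `dso_handle` in the finaliser, removes that obligation at the single consumer instead of at every producer; the model's finaliser is written the other way round deliberately so the undefined read is visible.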

