zdump: fix invalid memory access on memory chunk's data
If a memory chunk is added to mem_phys as well as mem_virt
in dfi_mem_chunk_add_vol() then an illegal memory access might occur
when accessing mem_chunk->data e.g. in dfi_elf_mem_chunk_read_fn()
because the data block pointed to by the data field is now being referenced
by two memory chunks, one in mem_phys and one in mem_virt. If it happens
that the memory chunk from mem_virt is freed in mem_unmap() then
the memory chunk in mem_phys still points to the common data block
which has already been freed. This leads to all sorts of bad behavior
in dfi_elf_mem_chunk_read_fn() and other places where mem_chunk->data
might be accessed.

Fixes the following bug:
zgetdump: Unexpected end of file for "dump.all.elf"

And this was found by AddressSanitizer:

=================================================================
==81170==ERROR: AddressSanitizer: heap-use-after-free on address 0x602000000570 at pc 0x00000101ac10 bp 0x03ffd897e250 sp 0x03ffd897e248
READ of size 8 at 0x602000000570 thread T0
    #0 0x101ac0f in dfi_elf_mem_chunk_read_fn s390-tools/zdump/dfi_elf.c:27
    #1 0x100d8a5 in mem_read s390-tools/zdump/dfi.c:339
    #2 0x100d8a5 in dfi_mem_phys_read s390-tools/zdump/dfi.c:616
    #3 0x100d8a5 in mem_chunk_map_read_fn s390-tools/zdump/dfi.c:353
    #4 0x100fd29 in mem_read s390-tools/zdump/dfi.c:339
    #5 0x100fd29 in dfi_mem_read s390-tools/zdump/dfi.c:608
    #6 0x1018e89 in os_info_get s390-tools/zdump/dfi_vmcoreinfo.c:65
    #7 0x1018e89 in dfi_vmcoreinfo_init s390-tools/zdump/dfi_vmcoreinfo.c:86
    #8 0x10175b3 in dfi_init s390-tools/zdump/dfi.c:1215
    #9 0x1006e71 in do_stdout s390-tools/zdump/zgetdump.c:161
    #10 0x1006e71 in main s390-tools/zdump/zgetdump.c:180
    #11 0x3ffb07abb89 in __libc_start_main (/lib64/libc.so.6+0x2bb89)
    #12 0x1007e8d  (s390-tools/zdump/zgetdump+0x1007e8d)

0x602000000570 is located 0 bytes inside of 8-byte region [0x602000000570,0x602000000578)
freed by thread T0 here:
    #0 0x3ffb0bc961b in free (/lib64/libasan.so.6+0xc961b)
    #1 0x100d2d9 in mem_unmap s390-tools/zdump/dfi.c:1050

previously allocated by thread T0 here:
    #0 0x3ffb0bc9aa9 in calloc (/lib64/libasan.so.6+0xc9aa9)
    #1 0x100a271 in zg_alloc s390-tools/zdump/zg.c:93

SUMMARY: AddressSanitizer: heap-use-after-free s390-tools/zdump/dfi_elf.c:27 in dfi_elf_mem_chunk_read_fn
Shadow bytes around the buggy address:
  0x100c0400000050: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x100c0400000060: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x100c0400000070: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x100c0400000080: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x100c0400000090: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
=>0x100c04000000a0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa[fd]fa
  0x100c04000000b0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa fd fa
  0x100c04000000c0: fa fa fd fa fa fa fd fa fa fa fd fa fa fa 04 fa
  0x100c04000000d0: fa fa 00 fa fa fa 00 fa fa fa 00 fa fa fa 00 fa
  0x100c04000000e0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x100c04000000f0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Container overflow:      fc
  Array cookie:            ac
  Intra object redzone:    bb
  ASan internal:           fe
  Left alloca redzone:     ca
  Right alloca redzone:    cb
  Shadow gap:              cc
==81170==ABORTING

Signed-off-by: Alexander Egorenkov <[email protected]>
Reviewed-by: Philipp Rudo <[email protected]>
Signed-off-by: Jan Höppner <[email protected]>
eaibmz authored and hoeppnerj committed Jan 25, 2021
1 parent 11e78ca commit 1e18429
Showing 1 changed file with 1 addition and 1 deletion.
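The aliasing the commit message describes, as an added example in C that is not s390-tools code: two chunk lists share one data block, and each chunk carries its own free_fn. All names here (`struct chunk`, `struct chunk_list`, `chunk_add`, `chunk_read`, `mem_unmap`, `run_scenario`) are hypothetical stand-ins for the zdump structures, and the 4 KiB block filled with 0x5a is constructed input. A tracking allocator marks a block freed instead of releasing it, so the dangling read is reported as a return code rather than being undefined behaviour; `single_owner == 0` models the pre-fix code where both chunks free the block, `single_owner == 1` models the fix where only the mem_phys chunk owns it and the mem_virt chunk gets a NULL free_fn.

```c
/* Added example, not s390-tools code. Models two chunk lists aliasing one
 * data block and the single-owner fix. All names are hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Tracking allocator: blocks are only marked freed, never released, so a
 * read through a dangling chunk is detected instead of being UB. */
struct block { unsigned char *mem; size_t size; int freed; int free_count; };

static struct block *block_alloc(size_t size)
{
    struct block *b = calloc(1, sizeof(*b));
    b->mem = calloc(1, size);
    b->size = size;
    return b;
}

static void block_free(void *data)
{
    struct block *b = data;
    b->freed = 1;
    b->free_count++;   /* >1 means the block was freed twice */
}

struct chunk {
    uint64_t start, size;
    void *data;                 /* block shared between the two lists */
    void (*free_fn)(void *);    /* NULL: this chunk does not own data */
    struct chunk *next;
};

struct chunk_list { struct chunk *head; };

static void chunk_add(struct chunk_list *l, uint64_t start, uint64_t size,
                      void *data, void (*free_fn)(void *))
{
    struct chunk *c = calloc(1, sizeof(*c));
    c->start = start; c->size = size; c->data = data; c->free_fn = free_fn;
    c->next = l->head; l->head = c;
}

/* Copy len bytes at addr out of the list. 0 ok, -1 backing block already
 * freed (the use-after-free), -2 address not covered by any chunk. */
static int chunk_read(struct chunk_list *l, uint64_t addr, void *buf, size_t len)
{
    for (struct chunk *c = l->head; c; c = c->next) {
        if (addr < c->start || addr + len > c->start + c->size)
            continue;
        struct block *b = c->data;
        if (b->freed)
            return -1;
        memcpy(buf, b->mem + (addr - c->start), len);
        return 0;
    }
    return -2;
}

/* Tear down a list; each chunk frees its data only if it owns it. */
static void mem_unmap(struct chunk_list *l)
{
    struct chunk *c = l->head;
    while (c) {
        struct chunk *n = c->next;
        if (c->free_fn)
            c->free_fn(c->data);
        free(c);
        c = n;
    }
    l->head = NULL;
}

/* Add one block to mem_phys and mem_virt, unmap mem_virt first, then read
 * through mem_phys. Returns that read's rc; *frees receives how often the
 * block's free_fn ran after both lists were torn down. */
static int run_scenario(int single_owner, int *frees)
{
    struct chunk_list mem_phys = {0}, mem_virt = {0};
    struct block *b = block_alloc(4096);          /* constructed sample block */
    memset(b->mem, 0x5a, b->size);
    unsigned char buf[8];

    chunk_add(&mem_phys, 0x10000, 4096, b, block_free);
    chunk_add(&mem_virt, 0x10000, 4096, b, single_owner ? NULL : block_free);

    mem_unmap(&mem_virt);
    int rc = chunk_read(&mem_phys, 0x10010, buf, sizeof buf);
    if (rc == 0 && buf[0] != 0x5a)
        rc = -3;                                   /* wrong bytes: should not happen */
    mem_unmap(&mem_phys);
    *frees = b->free_count;
    free(b->mem); free(b);
    return rc;
}

int read_rc_after_virt_unmap(int single_owner)
{
    int frees;
    return run_scenario(single_owner, &frees);
}

int free_calls_over_teardown(int single_owner)
{
    int frees;
    run_scenario(single_owner, &frees);
    return frees;
}

int main(void)
{
    printf("both own data : read rc %d, free calls %d\n",
           read_rc_after_virt_unmap(0), free_calls_over_teardown(0));
    printf("mem_phys owns : read rc %d, free calls %d\n",
           read_rc_after_virt_unmap(1), free_calls_over_teardown(1));
    return 0;
}
```

With both chunks owning the block, the read through mem_phys fails after mem_virt is unmapped and the block's free_fn runs twice over a full teardown; with the mem_virt chunk's free_fn set to NULL the read succeeds and the block is freed exactly once. The model also shows what the fix does not cover: it only holds while the owning mem_phys chunk outlives every reader of the mem_virt chunk.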
2 changes: 1 addition & 1 deletion zdump/dfi.c
Expand Up @@ -407,7 +407,7 @@ void dfi_mem_chunk_add_vol(u64 start, u64 size, void *data,
if (size == 0)
return;
mem_chunk_create(&l.mem_phys, start, size, data, read_fn, free_fn);
mem_chunk_create(&l.mem_virt, start, size, data, read_fn, free_fn);
mem_chunk_create(&l.mem_virt, start, size, data, read_fn, NULL);
l.mem_virt.chunk_cache->volnr = volnr;

}
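Review bot: Passing NULL as free_fn on the second mem_chunk_create makes the mem_phys chunk the sole owner of `data`, but nothing at the call site records that convention, and it only holds while the mem_phys chunk outlives every reader of the mem_virt chunk; if mem_phys were ever unmapped first, the mem_virt chunk would dangle exactly as the commit message describes for the opposite order. Suggest a one-line comment above `mem_chunk_create(&l.mem_virt, start, size, data, read_fn, NULL);` stating that the mem_virt chunk only aliases the block owned by the mem_phys chunk created on the line above, and a note in the function's documentation that callers must not rely on mem_virt freeing `data`.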
