From: Alexander Cherepanov
Newsgroups: gmane.linux.lib.musl.general
Subject: [PATCH] fix use of pointer after free in unsetenv
Date: Mon, 4 Jan 2016 02:09:44 +0300
Message-ID: <5689AA38.60108@openwall.com>
Reply-To: musl@lists.openwall.com
To: musl@lists.openwall.com

Hi!

The code in [1] uses a pointer which was freed and hence has an indeterminate value. Patch attached.

[1] http://git.musl-libc.org/cgit/musl/tree/src/env/unsetenv.c#n23

-- 
Alexander Cherepanov

Content-Type: text/x-patch; name="0001-fix-use-of-pointer-after-free-in-unsetenv.patch"
Content-Disposition: attachment; filename="0001-fix-use-of-pointer-after-free-in-unsetenv.patch"
>From f446b5811a8abc08bcc8202aa241dce82d4c917d Mon Sep 17 00:00:00 2001 From: Alexander Cherepanov Date: Mon, 4 Jan 2016 01:40:03 +0300 Subject: [PATCH] fix use of pointer after free in unsetenv the value of a pointer becomes indeterminate after free() so delay free() until the pointer is not needed anymore. --- src/env/unsetenv.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/env/unsetenv.c b/src/env/unsetenv.c index 3569335..b5d8b19 100644 --- a/src/env/unsetenv.c +++ b/src/env/unsetenv.c @@ -19,9 +19,10 @@ again: if (__environ[i]) { if (__env_map) { for (j=0; __env_map[j] && __env_map[j] != __environ[i]; j++); - free (__env_map[j]); + char *t =__env_map[j]; for (; __env_map[j]; j++) __env_map[j] = __env_map[j+1]; + free (t); } for (; __environ[i]; i++) __environ[i] = __environ[i+1]; -- 1.7.10.4 --------------090907090802090100010802--
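Review bot: the hunk moves the indeterminate-value read rather than removing it, because the `__environ` shift loop that follows still evaluates the freed pointer. The search loop `for (j=0; __env_map[j] && __env_map[j] != __environ[i]; j++);` only stops at a non-null `__env_map[j]` when it equals `__environ[i]`, so `t` and `__environ[i]` are the same pointer, and after `free (t);` the condition of `for (; __environ[i]; i++)` reads that freed value on its first iteration, which is exactly the read the commit message is trying to eliminate. Declaring `t` (initialised to a null pointer) before the `if (__env_map)` block, assigning it inside as the hunk does, and moving `free (t);` to after `__environ[i] = __environ[i+1];` would cover both loops; `free` of a null pointer when the map lookup finds nothing keeps the existing behaviour. Minor style point: `char *t =__env_map[j];` is missing the space after `=`.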