[Bug 1435] dlopen/dlclose with ctors/dtors and on_exit handler -> using uninitialized memory
bugzilla at busybox.net
Wed Mar 31 20:32:53 UTC 2010
https://bugs.busybox.net/show_bug.cgi?id=1435
--- Comment #3 from Ronald Wahl <rwahl at gmx.de> 2010-03-31 20:32:53 UTC ---
Well unfortunately I cannot test this quickly. But probably you'll at least see
the logical bug (or show me that I'm wrong):
In the following I talk about libc/stdlib/_atexit.c
(1) When registering an exit handler with on_exit or __cxa_atexit a new exit
slot is acquired in __new_exitfn - in the end it is allocated with realloc
there and this memory is actually not initialized.
(2) When a handler is registered with __cxa_atexit we initialize
efp->funcs.cxa_atexit.dso_handle (note efp->funcs is actually a union!)
(3) When a handler is registered with on_exit the
efp->funcs.cxa_atexit.dso_handle field is not initialized because it is in
the wrong part of the union which is perfectly ok.
(4) Now look at the __cxa_finalize function: We iterate over the exit handlers
and happily assume that efp->funcs.cxa_atexit.dso_handle is initialized.
But this is only true for slots of type ef_cxa_atexit. If one registered an
on_exit handler it will access uninitialized memory.
I'm not sure why you can't reproduce this. Either the uClibc has this
__cxa_atexit stuff disabled, the toolchain does not support it, valgrind
suppresses the output or whatever.
So can you tell me if I missed something or is this really a bug?
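As an added illustration, not code from the report or from uClibc, here is a constructed model of the slot union described in points (1) to (4), with the `dso_handle` comparison done both as the report describes it (no type check) and with the type tag consulted first. The names `table`, `new_exitfn`, `setup`, `dso_marker` and `count_matching` are assumptions for this model, and the reused-slot scenario is constructed to make the stale bytes deterministic.

```c
#include <stddef.h>
/* Constructed model of the slot layout the report describes (same shape,
   not uClibc's own _atexit.c definitions). */
enum ef_type { ef_free, ef_on_exit, ef_cxa_atexit };
struct exit_function {
    enum ef_type type;
    union {   /* dso_handle exists only in the ef_cxa_atexit member */
        struct { void (*func)(int, void *); void *arg; } on_exit;
        struct { void (*func)(void *); void *arg; void *dso_handle; } cxa_atexit;
    } funcs;
};
static struct exit_function table[4];
static int nslots;
static int dso_marker;   /* its address stands in for a DSO handle */
/* Like __new_exitfn after realloc: the slot is handed out uncleared. */
static struct exit_function *new_exitfn(void) { return &table[nslots++]; }
static void register_on_exit(void (*f)(int, void *), void *arg) {
    struct exit_function *efp = new_exitfn();
    efp->type = ef_on_exit;
    efp->funcs.on_exit.func = f;   /* dso_handle is, correctly, never written */
    efp->funcs.on_exit.arg = arg;
}
static void register_cxa_atexit(void (*f)(void *), void *arg, void *dso) {
    struct exit_function *efp = new_exitfn();
    efp->type = ef_cxa_atexit;
    efp->funcs.cxa_atexit.func = f;
    efp->funcs.cxa_atexit.arg = arg;
    efp->funcs.cxa_atexit.dso_handle = dso;
}
static void on_exit_fn(int s, void *a) { (void)s; (void)a; }
static void cxa_fn(void *a) { (void)a; }
/* Scenario: a cxa_atexit slot for the DSO is used up, its storage is reused
   uncleared by an on_exit registration, then dlclose finalizes that DSO. */
static void setup(void) {
    nslots = 0;
    register_cxa_atexit(cxa_fn, NULL, &dso_marker);
    nslots = 0;   /* slot released; its bytes are left exactly as they were */
    register_on_exit(on_exit_fn, NULL);
}
/* __cxa_finalize's matching loop.  check_type == 0 reads dso_handle from every
   slot, as the report describes; check_type == 1 consults the type tag first. */
int count_matching(int check_type) {
    setup();
    int n = 0;
    for (int i = 0; i < nslots; i++)
        if ((!check_type || table[i].type == ef_cxa_atexit) &&
            table[i].funcs.cxa_atexit.dso_handle == &dso_marker)
            n++;
    return n;   /* 1 without the type check (stale handle looks live), 0 with it */
}
```

Without the type check the on_exit slot is treated as belonging to the DSO being unloaded, which is the uninitialized-read the report points at; with real realloc the stale bytes are whatever the allocator left, so the outcome varies from run to run, which matches the report's difficulty reproducing it.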