Hi Frank,

On Thu, Feb 20, 2025 at 02:18:04PM -0500, Frank Ch. Eigler wrote:
> > [...]
> > This does sound like a bug in glibc sscanf. I cannot find a
> > description of what exactly happens with 'm' modifier allocated
> > buffers on error. So I can imagine a double free if sscanf frees the
> > buffer on error. But returning a bogus pointer? That seems a bug. If
> > we aren't guaranteed a valid pointer (or NULL) then this could easily
> > lead to memory leaks.
>
> Spent way too long trying to reproduce this. It was a PEBCAK on my
> part, comparing a version of elfutils with the distro, and a
> locally-built one that included this commit. I think I must have
> mixed up some LD_LIBRARY_PATH and run a franken-binary, then misplaced
> the blame for the crash. I'll revert my unnecessary fix.

At least you confirmed this can happen in practice. I must admit I had
assumed this was just a theoretical fix, but that the compiler wouldn't
actually produce code where the variable wasn't initialized.

> (It might be nice if the fedora build got this fix sometime.)
>
> > commit 1be0787d6654ed71bf659e8bfd34895fea7589eb
> > Author: Aaron Merey <ame...@redhat.com>
> > Date: Fri Jan 24 19:43:19 2025 -0500
> >
> > debuginfod-client.c: Avoid freeing uninitialized value

Added it to the fedora elfutils package.

In general it might be good to make a new elfutils release. We have been
accumulating various fixes since 0.192. Fedora is carrying 8 backports
(plus an odd s390x endian fixup, that is probably not necessary anymore).

https://src.fedoraproject.org/rpms/elfutils/tree/rawhide

Cheers,

Mark
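The pattern behind the quoted commit, as an added example in C that is not elfutils' code: sscanf writes its %ms target only when that conversion succeeds, so a failure path that frees the pointer unconditionally frees whatever the uninitialized variable held, and NULL-initializing it plus checking the assignment count makes the free safe. The key=value line format and function names are constructed for illustration, and a single conversion is used so the multi-conversion error case asked about above does not arise.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed "key=value" line format, used only for this example. */

/* Shows the failure mode the fix addresses: after a matching failure
 * sscanf has not touched the %ms target, so the pointer still holds
 * whatever was there before. With an uninitialized variable that is
 * garbage and free()ing it is undefined behaviour; a sentinel address
 * stands in for the garbage here. */
static int target_untouched_on_failure(void)
{
    char sentinel;
    char *val = &sentinel;             /* known non-NULL stand-in for garbage */
    int n = sscanf("nomatch", "key=%ms", &val);
    return n == 0 && val == &sentinel; /* nothing assigned, pointer unchanged */
}

/* Hardened parser: NULL-initialize the %ms target and check the
 * assignment count. With one conversion, val is either the allocated
 * string (count 1) or still NULL, so the caller never sees garbage.
 * Returns 0 and hands ownership of *out to the caller, or -1. */
static int parse_key_value(const char *line, char **out)
{
    char *val = NULL;
    if (sscanf(line, "key=%ms", &val) != 1)
        return -1;                     /* val is still NULL: nothing to free */
    *out = val;
    return 0;
}

/* Returns 1 if a well-formed line yields the expected value. */
static int demo_success(void)
{
    char *v = NULL;
    int ok = parse_key_value("key=hello", &v) == 0 && v != NULL
             && strcmp(v, "hello") == 0;
    free(v);                           /* free(NULL) is a no-op on failure */
    return ok;
}

/* Returns 1 if a malformed line leaves the caller's pointer NULL. */
static int demo_failure_keeps_null(void)
{
    char *v = NULL;
    return parse_key_value("other=thing", &v) == -1 && v == NULL;
}

int main(void)
{
    printf("untouched=%d success=%d failure=%d\n",
           target_untouched_on_failure(), demo_success(),
           demo_failure_keeps_null());
    return 0;
}
```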