Module Name: src Committed By: rillig Date: Sat Jul 29 10:22:50 UTC 2023
Modified Files: src/usr.bin/xlint/lint1: mem1.c Log Message: lint: fix use-after-free in memory debug mode A node may be allocated before its type. Since the objects are freed in reverse allocation order, the type cannot be accessed anymore when the node is freed. To generate a diff of this commit: cvs rdiff -u -r1.71 -r1.72 src/usr.bin/xlint/lint1/mem1.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files:
Index: src/usr.bin/xlint/lint1/mem1.c
diff -u src/usr.bin/xlint/lint1/mem1.c:1.71 src/usr.bin/xlint/lint1/mem1.c:1.72
--- src/usr.bin/xlint/lint1/mem1.c:1.71 Sat Jul 15 15:56:17 2023
+++ src/usr.bin/xlint/lint1/mem1.c Sat Jul 29 10:22:50 2023
@@ -1,4 +1,4 @@
-/* $NetBSD: mem1.c,v 1.71 2023/07/15 15:56:17 rillig Exp $ */
+/* $NetBSD: mem1.c,v 1.72 2023/07/29 10:22:50 rillig Exp $ */
 /*
  * Copyright (c) 1994, 1995 Jochen Pohl
@@ -37,7 +37,7 @@
 #include <sys/cdefs.h>
 #if defined(__RCSID)
-__RCSID("$NetBSD: mem1.c,v 1.71 2023/07/15 15:56:17 rillig Exp $");
+__RCSID("$NetBSD: mem1.c,v 1.72 2023/07/29 10:22:50 rillig Exp $");
 #endif
 #include <sys/param.h>
@@ -199,12 +199,13 @@ mpool_free(memory_pool *pool)
 debug_step("%s: freeing type '%s'", __func__, type_name(p));
 else if (strcmp(item->descr, "tnode") == 0)
- debug_step("%s: freeing node '%s' with type '%s'",
- __func__, op_name(((const tnode_t *)p)->tn_op),
- type_name(((const tnode_t *)p)->tn_type));
+ debug_step("%s: freeing node '%s'",
+ __func__, op_name(((const tnode_t *)p)->tn_op));
 else
 debug_step("%s: freeing '%s' with %zu bytes", __func__, item->descr, item->size);
+ static void *(*volatile memset_ptr)(void *, int, size_t) = memset;
+ memset_ptr(p, 'Z', item->size);
 #endif
 free(p);
 }
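Review bot: The poison store `memset_ptr(p, 'Z', item->size);` in the third hunk goes through a volatile function pointer for a reason the hunk does not state, and a reader later tidying it into a plain `memset(p, 'Z', item->size);` would let the compiler delete it as a dead store immediately before `free(p)`, silently losing the stale-pointer detection this commit adds. A short comment above the declaration would protect that intent, e.g. `/* Poison freed memory so that stale pointers are noticed; the volatile function pointer keeps the compiler from eliding the store before free(). */`. The `static` declaration of `memset_ptr` also sits inside the loop body after other statements; hoisting it to file scope, or at least ahead of the loop, would leave the per-item block to the debug output and the two calls, though the enclosing scope is outside the hunk so I cannot tell which placement the file prefers. The whole block is conditionally compiled (the closing `#endif` is visible, the opening directive is not), so mpool_free's body begins outside the hunk and the poisoning presumably applies only to the memory-debug build named in the log message.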