From 2ea85d8228663c9592705a13edecbd4d3c70aac1 Mon Sep 17 00:00:00 2001

From: Jiri Sasek <Jiri.Sasek@Oracle.COM>

Date: Fri, 13 Mar 2020 19:02:58 +0100

Subject: [PATCH] Add finalization safety check to com_err

If the linker erroneously runs the libkrb5 finalizer after the

libcom_err finalizer, the consequent remove_error_table() calls could

crash due to accessing a destroyed mutex or an invalid et_list

pointer.  Add an unsynchronized check on finalized in

remove_error_table(), and set et_list to null in com_err_terminate()

after destroying the list.

[ghudson@mit.edu: minimized code hanges; rewrote comment and commit

message]

ticket: 8890 (new)

(cherry picked from commit 9d654aa05e26bbf22f140abde3436afeff2fdf8d)

(cherry picked from commit c7a37d3e87132864ebc44710baf1d50a69682b5c)

---

 src/util/et/error_message.c | 7 ++++++-

 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/util/et/error_message.c b/src/util/et/error_message.c

index d7069a9df..7dc02a34e 100644

--- a/src/util/et/error_message.c

+++ b/src/util/et/error_message.c

@@ -26,7 +26,7 @@

 static struct et_list *et_list;

 static k5_mutex_t et_list_lock = K5_MUTEX_PARTIAL_INITIALIZER;

-static int terminated = 0;      /* for debugging shlib fini sequence errors */

+static int terminated = 0;      /* for safety and finalization debugging */

 MAKE_INIT_FUNCTION(com_err_initialize);

 MAKE_FINI_FUNCTION(com_err_terminate);

@@ -69,6 +69,7 @@ void com_err_terminate(void)

         enext = e->next;

         free(e);

     }

+    et_list = NULL;

     k5_mutex_unlock(&et_list_lock);

     k5_mutex_destroy(&et_list_lock);

     terminated = 1;

@@ -280,6 +281,10 @@ remove_error_table(const struct error_table *et)

 {

     struct et_list **ep, *e;

+    /* Safety check in case libraries are finalized in the wrong order. */

+    if (terminated)

+        return ENOENT;

+

     if (CALL_INIT_FUNCTION(com_err_initialize))

         return 0;

     k5_mutex_lock(&et_list_lock);