From c5168f7f348d6585a46e7511483aaccae706faeb Mon Sep 17 00:00:00 2001 From: Michal Domonkos Date: Jul 01 2021 13:51:34 +0000 Subject: Fix use-after-free error in hashtab.c This file has been completely removed upstream in the meantime (as part of the debuginfo tooling split off in commit 04b0805) so this patch will only be carried downstream. The issue here was that htab->entries would be freed at the end of htab_expand() if the htab->return_allocation_failure toggle was 0, and later accessed in the calling function(s). In reality, though, the toggle is initialized to 1 and never turned off in the current implementation, but let's future-proof ourselves in case we inadvertently turn it off in a future patch. Found by Coverity. Related: #1938861 --- diff --git a/rpm-4.16.1.3-hashtab-use-after-free-fix.patch b/rpm-4.16.1.3-hashtab-use-after-free-fix.patch new file mode 100644 index 0000000..eee3cc3 --- /dev/null +++ b/rpm-4.16.1.3-hashtab-use-after-free-fix.patch @@ -0,0 +1,13 @@ +diff -up rpm-4.16.1.3/tools/hashtab.c.orig rpm-4.16.1.3/tools/hashtab.c +--- rpm-4.16.1.3/tools/hashtab.c.orig 2021-07-01 14:51:24.576237269 +0200 ++++ rpm-4.16.1.3/tools/hashtab.c 2021-07-01 15:02:42.005754968 +0200 +@@ -292,7 +292,8 @@ htab_expand (htab) + } + while (p < olimit); + +- free (oentries); ++ if (oentries != htab->entries) ++ free(oentries); + return 1; + } + diff --git a/rpm.spec b/rpm.spec index 5fd1b33..89a837e 100644 --- a/rpm.spec +++ b/rpm.spec @@ -84,6 +84,9 @@ Patch914: 0004-NFC-debugedit-Move-code-to-separate-functions.patch Patch915: 0005-debugedit-Implement-DWARF-5-unit-header-and-new-form.patch Patch916: 0006-debugedit-Handle-DWARF-5-debug_line-and-debug_line_s.patch +# Downstream-only patches +Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch + # Partially GPL/LGPL dual-licensed and some bits with BSD # SourceLicense: (GPLv2+ and LGPLv2+ with exceptions) and BSD License: GPLv2+
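Review bot: the new guard `if (oentries != htab->entries)` in the hashtab.c hunk relies on a non-obvious invariant, namely that the only way the old table can still be live at the end of htab_expand() is the allocation-failure path described in the commit message, where htab->entries is left pointing at oentries; nothing in the visible lines of the function says so, so add a one-line comment above the `if` stating why the two pointers can be equal, otherwise the next reader will see a pointer comparison before a free() and wonder what it protects against. Two smaller points on the same hunk: the replacement `free(oentries);` drops the space the file uses elsewhere (`free (oentries);`, `htab_expand (htab)`), so keep `free (oentries);` for consistency with the surrounding GNU style; and note that when the guard does fire the function still reaches `return 1;`, so callers are told the expansion succeeded even though the table was not resized, which is the existing upstream behaviour but worth calling out in the comment so nobody later "fixes" the return value without also revisiting the toggle.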
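Review bot: the rpm.spec hunk only declares `Patch1000: rpm-4.16.1.3-hashtab-use-after-free-fix.patch` under a new `# Downstream-only patches` comment; the %prep application of that patch is not in the diff, so confirm that the spec applies patches automatically (for example via %autosetup or %autopatch) rather than via explicit per-number %patch lines, otherwise this declaration is dead and the fix never lands in the built package. If explicit application is used, this commit needs a matching `%patch1000 -p1` hunk, and in either case a quick `rpmbuild -bp` against the updated spec would verify that tools/hashtab.c actually carries the guarded free().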