Re: Stale expression reference causing use-after-free

Hi Arnaud,

On Sun, 2010-09-19 at 22:54 -0400, Arnaud Lacombe wrote:
> It would seem that this issue is responsible for the crash I've seen
> randomly happening with gconf (2.6.36-rc6, before my generalization's
> branch). So far, I've traced it to the following line in
> menu_finalize():
> 
> sym->dir_dep.expr = expr_transform(expr_copy(parent->dir_dep));
> 
> The crash happens in expr_copy(). expr_transform() is never being
> called. The trace is the following:
> 
> Program received signal SIGSEGV, Segmentation fault.
[...]
> so we're dying from stack exhaustion, because expr_copy() is given a
> really nasty symbol:
[...]
> Reverting 246cf9c26bf11f2bffbecea6e5bd222eee7b1df8 fixes the crash.

Thanks for investigating this. expr_copy() is a recursive function
and it could indeed run out of stack.

I wonder if we really need the expr_copy() here. It looks to me like
expr_transform() already does some memory allocations:


kbuild: Avoid additional copy of the 'depends' expression

From: Catalin Marinas <catalin.marinas@xxxxxxx>

Commit 246cf9c26b introduced the tracking of direct dependencies to
provide additional warnings when they are not met. With some complex
dependencies, the expr_copy() function called on such expressions may
cause stack exhaustion. The patch removes the superfluous expr_copy()
call since expr_transform handles symbol duplication already.

Signed-off-by: Catalin Marinas <catalin.marinas@xxxxxxx>
Reported-by: Arnaud Lacombe <lacombar@xxxxxxxxx>
---
 scripts/kconfig/menu.c |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
index 4fb5902..7298806 100644
--- a/scripts/kconfig/menu.c
+++ b/scripts/kconfig/menu.c
@@ -292,7 +292,7 @@ void menu_finalize(struct menu *parent)
 			menu_finalize(menu);
 	} else if (sym) {
 		/* ignore inherited dependencies for dir_dep */
-		sym->dir_dep.expr = expr_transform(expr_copy(parent->dir_dep));
+		sym->dir_dep.expr = expr_transform(parent->dir_dep);
 		sym->dir_dep.expr = expr_eliminate_dups(sym->dir_dep.expr);
 
 		basedep = parent->prompt ? parent->prompt->visible.expr : NULL;
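
Review bot: With expr_copy() dropped on the `+` line, sym->dir_dep.expr is now built directly from parent->dir_dep, so the two can end up sharing nodes unless expr_transform() always returns a freshly allocated tree and leaves its argument untouched. The commit message only says expr_transform "handles symbol duplication", which is a narrower guarantee than that. Because the very next line passes the result to expr_eliminate_dups(), and this thread is about a stale expression reference, please state in the commit message that expr_transform() neither modifies nor returns its input here, or keep a private copy and deal with the recursion depth of expr_copy() separately.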


-- 
Catalin
