From: Michael Pyne
Subject: Re: [bug-gettext] [bug #47847] Undefined behavior [use-after-free] possible in libgettext
Date: Tue, 10 May 2016 20:08:47 -0400
User-agent: KMail/4.14.10 (Linux/4.6.0-rc4-00007-g95d0c42; KDE/4.14.17; x86_64; git-9fa4e2a; 2016-02-25)
On Tue, May 10, 2016 11:22:58 Daiki Ueno wrote:
> Michael Pyne <address@hidden> writes:
> > On Mon, May 9, 2016 08:51:56 Daiki Ueno wrote:
> >> Follow-up Comment #3, bug #47847 (project gettext):
> >>
> >> Thanks for the comment, Bruno.
> >>
> >> The reasoning sounds convincing, but I'm a bit confused that there is no
> >> such path in the original code. ISO C 6.2.4 also says: "The result of
> >> attempting to indirectly access an object with automatic storage duration
> >> from a thread other than the one with which the object is associated is
> >> implementation-defined", but I neither see a possibility of this.
> >>
> >> So far, the more I think of this, the more it seems like a false positive
> >> (and if so, perhaps we could add an annotation instead to suppress the
> >> warning).
> >
> > It is absolutely not a false positive. It is warning because the pointer
> > is referred to after it has been free()'d. This is a class of behavior which
> > is explicitly described as undefined behavior in the C standard (Annex
> > J.2 lists the conditions if you have the reference handy, as does the
> > CERT link I provided in the bug link).
>
> Could you point me to the actual sentence which you think is the case?
>
> - The value of a pointer to an object whose lifetime has ended is used
> (6.2.4).
This sentence, or alternately,
> - The value of a pointer that refers to space deallocated by a call to
> the free or realloc function is used (7.22.3).
The section is really 7.20.3 (at least in the standard I have available) but
either way this text is talking about object lifetime, not passing a pointer
back to free (7.20.3.2) or realloc (7.20.3.4).
This is important because 6.2.4 specifies that the value of a pointer is only
valid as long as the lifetime of the pointed-to object. 6.2.4 further says
that "The value of a pointer becomes indeterminate when the object it points
to reaches the end of its lifetime." (i.e. after free() is called).
*This* is important since use of an "indeterminate" value is what is undefined
here. Not "use in free()" or "use in realloc()" but *any use* at all. For
example if you keep reading in 6.2.4 it says that "The initial value of the
object [of automatic storage duration] is indeterminate".
In other words the same verbiage that makes using an uninitialized value on
the stack undefined behavior (at least, I hope we all agree this is UB...), is
also used to reference use (any use) of a free()'d pointer.
> So, if I read it correctly, the behavior is undefined only if the
> pointer value is used as an argument of free or realloc, not in a
> general expression.
That much is true for the C standard library memory management functions, but
not for pointers in general (per 6.2.4). The value of a pointer cannot be used
after it has been deallocated, either by free() or realloc().
Regards,
- Michael Pyne
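The point argued above (that after free() or a moving realloc() the old pointer value is indeterminate per 6.2.4, so even comparing or copying it is undefined behavior, not only passing it back to free()) leads to one defensive pattern: never keep a stale copy around. The following C is an added illustration written for this archive page; it is not code from the gettext sources or from anyone in the thread, and the function names (free_and_clear, grow_buffer, demo) are invented for the example. Note that AddressSanitizer and Valgrind report dereferences of freed memory, but a bare comparison of a stale pointer value is not a memory access and goes unreported, which is why the pattern is worth enforcing in code review rather than relying on tooling.

```c
#include <stdlib.h>
#include <string.h>

/* Added example, not from the gettext thread or sources.
   Per C 6.2.4 the value of a pointer becomes indeterminate once the object it
   points to reaches the end of its lifetime, so after free() even reading the
   stale pointer value (comparing it, logging it) is undefined behaviour, not
   only passing it to free() or realloc() again.  The pattern below overwrites
   the only copy of the pointer in the same step that frees it, so later code
   tests NULL, which is a defined value, instead of the old address. */

/* Free *pp and clear the caller's copy so no indeterminate value survives.
   Assigning a new value to the variable is fine; reading the old one is not. */
static void free_and_clear(char **pp)
{
    free(*pp);
    *pp = NULL;
}

/* Grow a buffer with realloc() without ever using the old pointer value
   afterwards.  Returns 1 on success, 0 if realloc() failed, in which case
   the old block is still live and *pp is untouched. */
static int grow_buffer(char **pp, size_t new_size)
{
    char *p = realloc(*pp, new_size);
    if (p == NULL)
        return 0;
    /* The undefined variant would be:  if (p != *pp) { ... }
       That reads *pp after realloc() may have freed the block it names,
       which is exactly the "value of a pointer ... whose lifetime has ended
       is used" case from 6.2.4.  We simply overwrite it instead. */
    *pp = p;
    return 1;
}

/* Check that free_and_clear() leaves the caller with NULL: returns 1 if so. */
int free_and_clear_sets_null(void)
{
    char *p = malloc(4);
    if (p == NULL)
        return 0;
    free_and_clear(&p);
    return p == NULL;
}

/* Walk a buffer through malloc -> realloc -> free using only live pointer
   values.  Returns the length of the final string ("hello, world" -> 12),
   -1 on allocation failure, or -2 if the pointer was not cleared. */
int demo(void)
{
    char *buf = malloc(8);
    if (buf == NULL)
        return -1;
    strcpy(buf, "hello");
    if (!grow_buffer(&buf, 64)) {
        free(buf);              /* buf is still the live old block here */
        return -1;
    }
    strcat(buf, ", world");
    int len = (int)strlen(buf);
    free_and_clear(&buf);
    /* buf == NULL is a defined comparison; comparing against the address
       buf held before free_and_clear() would not be. */
    return buf == NULL ? len : -2;
}

int main(void)
{
    return demo() == 12 && free_and_clear_sets_null() ? 0 : 1;
}
```

The take-away matches the thread: the standard does not carve out "harmless" uses of a freed pointer, so the safe discipline is to make the stale value unreachable the moment the object dies.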