Subject: Re: Synthetic symbol leak in elf_x86_64_get_synthetic_symtab and elf_read_minimal_symbols
To: Yao Qi
Cc: gdb-patches@sourceware.org
From: Alex Lindsay
Date: Fri, 11 Aug 2017 15:07:00 -0000
In-Reply-To: <20170811092709.GH8039@1170ee0b50d5>

Thanks for looking into it!

On 08/11/2017 04:27 AM, Yao Qi wrote:
> On 17-08-07 10:19:15, Alex Lindsay wrote:
>> We perform a couple of dynamic allocations in
>> elf_x86_64_get_synthetic_symtab (elf64-x86-64.c):
>>
>>   s = *ret = (asymbol *) bfd_zmalloc (size);
>>
>>   names = (char *) bfd_malloc (size);
>>
>> that appear to never get freed. My patch for this:
> Good catch! It is more complicated in that other bfd targets allocate
> memory for asymbol in a different way, as if asymbol.name were defined
> as a zero-length array, so memory is allocated for both asymbol and .name
> in one bfd_malloc call, like,
>
>       sym = *r->sym_ptr_ptr;
>       if (!sym_exists_at (syms, opdsymend, symcount,
>                           sym->section->id, sym->value + r->addend))
>         {
>           ++count;
>           size += sizeof (asymbol);
>           size += strlen (syms[i]->name) + 2;
>         }
>     }
>
>   if (size == 0)
>     goto done;
>   s = *ret = bfd_malloc (size);
>
> or
>
>   size = count * sizeof (asymbol);
>   p = relplt->relocation;
>   for (i = 0; i < count; i++, p += elf32_arm_size_info.int_rels_per_ext_rel)
>     {
>       size += strlen ((*p->sym_ptr_ptr)->name) + sizeof ("@plt");
>       if (p->addend != 0)
>         size += sizeof ("+0x") - 1 + 8;
>     }
>
>   s = *ret = (asymbol *) bfd_malloc (size);
>
>> diff --git a/gdb/elfread.c b/gdb/elfread.c
>> index ece704ca7c..5ed8a6f957 100644
>> --- a/gdb/elfread.c
>> +++ b/gdb/elfread.c
>> @@ -1144,6 +1144,9 @@ elf_read_minimal_symbols (struct objfile *objfile, int
>> symfile_flags,
>>
>> if (symtab_create_debug)
>> fprintf_unfiltered (gdb_stdlog, "Done reading minimal symbols.\n");
>> + if (synthcount > 0)
>> + xfree ((char *) synthsyms->name);
> We can't do this for some bfd targets.
>
>> + xfree (synthsyms);
> We can only safely do this, but .name is leaked for x86_64. Other
> tools using bfd, like objdump, nm, and gprof may have this issue too.
> I'll ask binutils people on asymbol allocation and de-allocation.
>
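Review bot: the `xfree ((char *) synthsyms->name)` line assumes that all synthetic symbol names sit in one buffer that was allocated separately from the `asymbol` array and that starts at the first symbol's name. That matches the two `bfd_zmalloc`/`bfd_malloc` calls quoted from elf64-x86-64.c, but not the targets quoted above that size a single `bfd_malloc` for the `asymbol` array and the strings together; there `synthsyms->name` points into the middle of the block and passing it to `xfree` is undefined behaviour, not a leak fix. Since elf_read_minimal_symbols cannot tell the two layouts apart from the array alone, drop the name free here and leave name ownership to a bfd-side release routine agreed with the binutils maintainers; the remaining `xfree (synthsyms)` should also sit under the same `synthcount > 0` guard as the line above it, unless it is confirmed that `synthsyms` is always initialized on the path where no synthetic symbols were produced, which these lines do not show.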
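As an added illustration of the two allocation layouts discussed in this thread (this is not gdb or bfd code): `synth_sym` is a hypothetical stand-in for `asymbol`, `alloc_two_blocks` models the elf64-x86-64.c pair of allocations, and `alloc_one_block` models the single `bfd_malloc` sized for the array plus its names, as in the ppc64/arm snippets quoted above. The last function shows why a consumer holding only the `asymbol` array cannot safely decide whether `->name` may be freed.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for bfd's asymbol; only the name field matters here. */
struct synth_sym { const char *name; };

/* Layout A (elf64-x86-64.c): array and name buffer are two separate allocations. */
struct synth_sym *alloc_two_blocks (const char *const *src, size_t n, char **names_out)
{
  size_t size = 1;
  for (size_t i = 0; i < n; i++)
    size += strlen (src[i]) + 1;
  struct synth_sym *s = calloc (n + 1, sizeof *s);
  char *names = malloc (size);
  if (s == NULL || names == NULL) { free (s); free (names); return NULL; }
  char *p = names;
  for (size_t i = 0; i < n; i++) {
    s[i].name = p;
    strcpy (p, src[i]);
    p += strlen (src[i]) + 1;
  }
  *names_out = names;   /* caller must free this block separately */
  return s;
}

/* Layout B (the ppc64/arm code quoted above): one block sized for the array plus
   every name, with the strings packed after the last element. */
struct synth_sym *alloc_one_block (const char *const *src, size_t n)
{
  size_t size = n * sizeof (struct synth_sym) + 1;
  for (size_t i = 0; i < n; i++)
    size += strlen (src[i]) + 1;
  struct synth_sym *s = malloc (size);
  if (s == NULL) return NULL;
  char *p = (char *) (s + n);
  for (size_t i = 0; i < n; i++) {
    s[i].name = p;
    strcpy (p, src[i]);
    p += strlen (src[i]) + 1;
  }
  return s;
}

/* 1 when the names live inside the symbol block (layout B), where free (s[0].name)
   would hand free an interior pointer; in layout A skipping that free leaks the
   buffer.  A consumer seeing only the array cannot tell the cases apart. */
int names_inside_block (const struct synth_sym *s, size_t n)
{
  return n > 0 && s[0].name == (const char *) (s + n);
}
```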