From: Catalin Marinas <catalin.marinas@arm.com>
To: Arnaud Lacombe <lacombar@gmail.com>
Cc: Michal Marek <mmarek@suse.cz>,
	"linux-kbuild@vger.kernel.org" <linux-kbuild@vger.kernel.org>
Subject: Re: Stale expression reference causing use-after-free
Date: Tue, 21 Sep 2010 17:22:50 +0100
Message-ID: <tnxtyljhxr9.fsf@e102109-lin.cambridge.arm.com>
In-Reply-To: <AANLkTi=fudCXbVEwcAjz+a3ZvM-r8i5A1yH-=n63o2o8@mail.gmail.com> (Arnaud Lacombe's message of "Tue, 21 Sep 2010 10:36:43 -0400")

Arnaud Lacombe <lacombar@gmail.com> wrote:
> On Tue, Sep 21, 2010 at 8:32 AM, Catalin Marinas
> <catalin.marinas@arm.com> wrote:
>> From: Catalin Marinas <catalin.marinas@arm.com>
>>
>> Commit 246cf9c26b introduced the tracking of direct dependency to
>> provide additional warning when they are not met. With some complex
>> dependencies, the expr_copy() function called on such expressions may
>> cause stack exhaustion. The patch removes the superfluous expr_copy()
>> call since expr_transform handles symbol duplication already.
>
> I'm afraid this is just moving the problem from expr_copy() to
> expr_transform() as the first thing the latter does is recurse on
> the sub-expressions. I'm not sure that the expression causing the
> stack exhaustion is even correct, or that its reference is still valid.

It may actually be just accessing freed symbols, and the data being
corrupted ends up in a loop. Your Kconfig example doesn't seem to have
any dependency loops that would cause such problems.

Does the patch below make it any better (together with the previous
one)?


diff --git a/scripts/kconfig/menu.c b/scripts/kconfig/menu.c
index 7298806..e707aa2 100644
--- a/scripts/kconfig/menu.c
+++ b/scripts/kconfig/menu.c
@@ -107,7 +107,9 @@ static struct expr *menu_check_dep(struct expr *e)
 void menu_add_dep(struct expr *dep)
 {
 	current_entry->dep = expr_alloc_and(current_entry->dep, menu_check_dep(dep));
-	current_entry->dir_dep = current_entry->dep;
+	if (current_entry->dir_dep)
+		expr_free(current_entry->dir_dep);
+	current_entry->dir_dep = expr_copy(current_entry->dep);
 }
 
 void menu_set_type(int type)
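Review bot: the expr_copy() on the new last line is what makes the expr_free(current_entry->dir_dep) above it safe, since before this hunk dir_dep was a plain alias of current_entry->dep and freeing it would have released nodes still reachable through dep; that reasoning is not visible from the three lines themselves, so a one-line comment above the expr_free() stating that dir_dep now owns an independent copy would help the next reader. Also worth checking: each call accumulates into current_entry->dep via expr_alloc_and() and then copies the whole accumulated expression, so the copy grows with every call on the same entry; since the previous patch (quoted above) removed an expr_copy() call precisely because it exhausted the stack on complex dependencies, it would be good to confirm that this copy stays small or that expr_copy() was not the recursion that overflowed.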


Thanks.

-- 
Catalin
