From b5ec02b92c19dd3ab63aa7017682f60dec8f3ccc Mon Sep 17 00:00:00 2001 From: Christophe Lyon Date: Wed, 4 Jul 2018 17:55:41 +0200 Subject: Fix htab_delete loop counter MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit dlclose can crash or stuck the system: When calling dlclose() then system can crash or freeze, because htab_delete() in ldso/ldso/fdpic/dl-inlines.h uses size_t for i which is a typedef to unsigned int. We exit the loop on negative value of i which can never occur since i is an unsigned int. This leads to random free of various pointers that kill the system. * ldso/include/inline-hashtab.h (htab_delete): Change type of 'i' to int. Signed-off-by: Mickaël Guêné Signed-off-by: Christophe Lyon --- ldso/include/inline-hashtab.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ldso/include/inline-hashtab.h b/ldso/include/inline-hashtab.h index 4a4812027..c6c584b08 100644 --- a/ldso/include/inline-hashtab.h +++ b/ldso/include/inline-hashtab.h @@ -107,7 +107,7 @@ htab_create(void) static __always_inline void htab_delete(struct funcdesc_ht *htab) { - size_t i; + int i; for (i = htab->size - 1; i >= 0; i--) if (htab->entries[i]) -- cgit v1.2.3
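Review bot: in htab_delete, declaring `i` as `int` makes the `i >= 0` exit test reachable, but the initialiser `i = htab->size - 1` now converts the table size to a signed int. The declared type of `htab->size` is not shown in this hunk; if it is unsigned or wider than int, the loop mixes signedness and would misbehave for sizes above INT_MAX. A form that keeps `size_t i` and still terminates is `for (i = htab->size; i-- > 0; )`, which also handles a size of 0 without relying on a negative index. Separately, the commit message says htab_delete() lives in ldso/ldso/fdpic/dl-inlines.h while the diff and the changelog line touch ldso/include/inline-hashtab.h; the description should name the file actually changed.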