From b5ec02b92c19dd3ab63aa7017682f60dec8f3ccc Mon Sep 17 00:00:00 2001
From: Christophe Lyon <christophe.lyon@st.com>
Date: Wed, 4 Jul 2018 17:55:41 +0200
Subject: Fix htab_delete loop counter
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

dlclose can crash or stuck the system:

When calling dlclose() then system can crash or freeze, because
htab_delete() in ldso/ldso/fdpic/dl-inlines.h uses size_t for i which
is a typedef to unsigned int.  We exit the loop on negative value of i
which can never occur since i is an unsigned int. This leads to random
free of various pointers that kill the system.

	* ldso/include/inline-hashtab.h (htab_delete): Change type of 'i' to int.

Signed-off-by: Mickaël Guêné <mickael.guene@st.com>
Signed-off-by: Christophe Lyon <christophe.lyon@st.com>
---
 ldso/include/inline-hashtab.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

(limited to 'ldso')

diff --git a/ldso/include/inline-hashtab.h b/ldso/include/inline-hashtab.h
index 4a4812027..c6c584b08 100644
--- a/ldso/include/inline-hashtab.h
+++ b/ldso/include/inline-hashtab.h
@@ -107,7 +107,7 @@ htab_create(void)
 static __always_inline void
 htab_delete(struct funcdesc_ht *htab)
 {
-	size_t i;
+	int i;
 
 	for (i = htab->size - 1; i >= 0; i--)
 		if (htab->entries[i])
-- 
cgit v1.2.3