
[OpenWrt-Devel,procd,2/2] instance: fix pidfile attribute double free crash

Message ID 20200115103057.7665-2-ynezz@true.cz
State Superseded
Delegated to: Petr Štetiar
Series [OpenWrt-Devel,procd,1/2] instance: fix typo in error message

Commit Message

Petr Štetiar Jan. 15, 2020, 10:30 a.m. UTC
Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of one `pidfile` attribute case in
instance_config_move() where the new value of `pidfile` is being
copied/assigned. The source of this value is then free()d in the following
call to instance_free(), and then again a second time during the service
stop command handling, leading to a double free crash:

 #0  unmap_chunk at src/malloc/malloc.c:515
 #1  free at src/malloc/malloc.c:526
 #2  instance_free (in=0xd5e300) at instance.c:1100
 #3  instance_delete (in=0xd5e300) at instance.c:559
 #4  instance_stop (in=0xd5e300, halt=true) at instance.c:611

Ref: FS#2723
Cc: Daniel Golle <daniel@makrotopia.org>
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---
 service/instance.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

Comments

Daniel Golle Jan. 15, 2020, 11:03 a.m. UTC | #1
Hi Petr,

thanks for reviewing and fixing this!

On Wed, Jan 15, 2020 at 11:30:57AM +0100, Petr Štetiar wrote:
> Commit a5af33ce9a16 ("instance: strdup string attributes") has
> introduced duplication of various string attributes in order to fix
> use-after-free, but missed handling of one `pidfile` attribute case in
> instance_config_move() where the new value of `pidfile` is being
> copied/assigned. The source of this value is then free()d in the following
> call to instance_free(), and then again a second time during the service
> stop command handling, leading to a double free crash:
> 
>  #0  unmap_chunk at src/malloc/malloc.c:515
>  #1  free at src/malloc/malloc.c:526
>  #2  instance_free (in=0xd5e300) at instance.c:1100
>  #3  instance_delete (in=0xd5e300) at instance.c:559
>  #4  instance_stop (in=0xd5e300, halt=true) at instance.c:611

Right, didn't think about that. I don't have time to get into this
right now (but will have tonight or tomorrow), but doesn't the same
also apply at least for the 'seccomp' field?


Cheers


Daniel

> 
> Ref: FS#2723
> Cc: Daniel Golle <daniel@makrotopia.org>
> Fixes: a5af33ce9a16 ("instance: strdup string attributes")
> Signed-off-by: Petr Štetiar <ynezz@true.cz>
> ---
>  service/instance.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/service/instance.c b/service/instance.c
> index ce5233807dbb..245b9629d99a 100644
> --- a/service/instance.c
> +++ b/service/instance.c
> @@ -1031,7 +1031,6 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
>  	blobmsg_list_move(&in->jail.mount, &in_src->jail.mount);
>  	in->trigger = in_src->trigger;
>  	in->command = in_src->command;
> -	in->pidfile = in_src->pidfile;
>  	in->respawn = in_src->respawn;
>  	in->respawn_retry = in_src->respawn_retry;
>  	in->respawn_threshold = in_src->respawn_threshold;
> @@ -1042,6 +1041,10 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
>  	in->node.avl.key = in_src->node.avl.key;
>  	in->syslog_facility = in_src->syslog_facility;
>  
> +	free(in->pidfile);
> +	if (in_src->pidfile)
> +		in->pidfile = strdup(in_src->pidfile);
> +
>  	free(in->config);
>  	in->config = in_src->config;
>  	in_src->config = NULL;

Patch

diff --git a/service/instance.c b/service/instance.c
index ce5233807dbb..245b9629d99a 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -1031,7 +1031,6 @@  instance_config_move(struct service_instance *in, struct service_instance *in_sr
 	blobmsg_list_move(&in->jail.mount, &in_src->jail.mount);
 	in->trigger = in_src->trigger;
 	in->command = in_src->command;
-	in->pidfile = in_src->pidfile;
 	in->respawn = in_src->respawn;
 	in->respawn_retry = in_src->respawn_retry;
 	in->respawn_threshold = in_src->respawn_threshold;
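Review bot: Dropping the plain pointer assignment here is the right fix for the aliasing: after `in->pidfile = in_src->pidfile;` both instances owned the same strdup()ed buffer, so the instance_free(in_src) that follows this move released memory that `in` still referenced, and the second free came when the service was stopped (the `instance_stop -> instance_delete -> instance_free` trace in the commit message). Worth a one-line comment above the new ownership handling in the second hunk saying that `pidfile` is heap-allocated since a5af33ce9a16 and must be duplicated or moved, not aliased, so the next person adding a string attribute does not repeat the pattern.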
@@ -1042,6 +1041,10 @@  instance_config_move(struct service_instance *in, struct service_instance *in_sr
 	in->node.avl.key = in_src->node.avl.key;
 	in->syslog_facility = in_src->syslog_facility;
 
+	free(in->pidfile);
+	if (in_src->pidfile)
+		in->pidfile = strdup(in_src->pidfile);
+
 	free(in->config);
 	in->config = in_src->config;
 	in_src->config = NULL;
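Review bot: `in->pidfile` is left dangling when `in_src->pidfile` is NULL: the `free(in->pidfile);` runs unconditionally, but the assignment is guarded by `if (in_src->pidfile)`, so in that case `in->pidfile` keeps pointing at freed memory and the next instance_free(in) frees it again, which is the same class of double free this patch sets out to fix. Either reset it, `in->pidfile = in_src->pidfile ? strdup(in_src->pidfile) : NULL;`, or follow the move pattern used for `config` three lines below and transfer ownership instead of copying: `in->pidfile = in_src->pidfile; in_src->pidfile = NULL;`, which also avoids the unchecked strdup() allocation.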