diff mbox series

[OpenWrt-Devel,procd,v4] instance: fix pidfile and seccomp attributes double free

Message ID 20200117172237.2959-1-ynezz@true.cz
State Accepted
Headers show
Series [OpenWrt-Devel,procd,v4] instance: fix pidfile and seccomp attributes double free | expand

Commit Message

Petr Štetiar Jan. 17, 2020, 5:22 p.m. UTC
Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of `pidfile` and `seccomp` attribute
cases in instance_config_move() where the new value of `pidfile` or
`seccomp` is being copied/assigned. Source of this values is then
free()d in subsequent call to instance_free() and then again for 2nd
time during the service stop command handling, leading to double free
crash:

 #0  unmap_chunk at src/malloc/malloc.c:515
 #1  free at src/malloc/malloc.c:526
 #2  instance_free (in=0xd5e300) at instance.c:1100
 #3  instance_delete (in=0xd5e300) at instance.c:559
 #4  instance_stop (in=0xd5e300, halt=true) at instance.c:611

While at it, add missing handling of jail.name and jail.hostname
attributes as well.

Ref: FS#2723
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
---

changes since v3:

 * prevent double free, again
 * follow DRY and use instance_config_move_strdup
 
 service/instance.c | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)
diff mbox series

Patch

diff --git a/service/instance.c b/service/instance.c
index ce5233807dbb..ee258687c3cf 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -1018,6 +1018,21 @@  instance_config_cleanup(struct service_instance *in)
 	blobmsg_list_free(&in->jail.mount);
 }
 
+static void
+instance_config_move_strdup(char **dst, char *src)
+{
+	if (!*dst)
+		return;
+
+	free(*dst);
+	*dst = NULL;
+
+	if (!src)
+		return;
+
+	*dst = strdup(src);
+}
+
 static void
 instance_config_move(struct service_instance *in, struct service_instance *in_src)
 {
@@ -1031,17 +1046,20 @@  instance_config_move(struct service_instance *in, struct service_instance *in_sr
 	blobmsg_list_move(&in->jail.mount, &in_src->jail.mount);
 	in->trigger = in_src->trigger;
 	in->command = in_src->command;
-	in->pidfile = in_src->pidfile;
 	in->respawn = in_src->respawn;
 	in->respawn_retry = in_src->respawn_retry;
 	in->respawn_threshold = in_src->respawn_threshold;
 	in->respawn_timeout = in_src->respawn_timeout;
 	in->name = in_src->name;
 	in->trace = in_src->trace;
-	in->seccomp = in_src->seccomp;
 	in->node.avl.key = in_src->node.avl.key;
 	in->syslog_facility = in_src->syslog_facility;
 
+	instance_config_move_strdup(&in->pidfile, in_src->pidfile);
+	instance_config_move_strdup(&in->seccomp, in_src->seccomp);
+	instance_config_move_strdup(&in->jail.name, in_src->jail.name);
+	instance_config_move_strdup(&in->jail.hostname, in_src->jail.hostname);
+
 	free(in->config);
 	in->config = in_src->config;
 	in_src->config = NULL;