From patchwork Sun Nov 20 01:08:20 2022
X-Patchwork-Submitter: Jan Venekamp
X-Patchwork-Id: 1706683
X-Patchwork-Delegate: hauke@hauke-m.de
From: Jan Venekamp
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH v2 1/9] uci: fix use-after-free uci_set on update option
Date: Sun, 20 Nov 2022 02:08:20 +0100
Message-Id: <20221120010828.23765-2-jan@venekamp.net>
X-Mailer: git-send-email 2.32.0 (Apple Git-132)
In-Reply-To: <20221120010828.23765-1-jan@venekamp.net>
References: <20221120010828.23765-1-jan@venekamp.net>
List-Id: OpenWrt Development List

When uci_set is called with ptr->o set and ptr->option = NULL, then in
uci_expand_ptr ptr->option is set to ptr->o->e.name. This will result in a
use-after-free because ptr->option is used in the call to uci_add_delta after
uci_free_option(ptr->o).
Signed-off-by: Jan Venekamp --- list.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/list.c b/list.c index 24ed2ee..ac3686c 100644 --- a/list.c +++ b/list.c @@ -725,15 +725,16 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr) ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section); ptr->last = &ptr->s->e; } else if (ptr->o && ptr->option) { /* update option */ - struct uci_option *o; + struct uci_option *old = ptr->o; if ((ptr->o->type == UCI_TYPE_STRING) && !strcmp(ptr->o->v.string, ptr->value)) return 0; - o = ptr->o; ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value); - uci_free_option(o); + if (ptr->option == old->e.name) + ptr->option = ptr->o->e.name; + uci_free_option(old); ptr->last = &ptr->o->e; } else if (ptr->s && ptr->section) { /* update section */ char *s = uci_strdup(ctx, ptr->value);
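Review bot: the new check `if (ptr->option == old->e.name)` compares pointers rather than strings, and that is the correct test for this bug, because the hazard is ptr->option pointing at the very buffer that uci_free_option(old) is about to release, not merely holding the same text; a one-line comment at that point noting that uci_expand_ptr may have aliased ptr->option to the old option's name would stop a later cleanup from turning it into a strcmp (which would also match a caller-supplied string and repoint it needlessly). The repointing has to stay ahead of uci_free_option(old), as it does here, since the commit message says ptr->option is read afterwards by uci_add_delta. Worth confirming whether the adjacent "update section" branch (`else if (ptr->s && ptr->section)`) has the same aliasing between ptr->section and ptr->s->e.name once the old section is released; that is outside this hunk.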
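The following is an added example, not code from uci or from this patch: a reduced C model of the aliasing hazard the commit message describes and of the fix the hunk applies. The names (`struct option`, `struct ptr`, `expand_ptr`, `update_option`, `run_scenario`, `run_explicit`) are hypothetical stand-ins for uci_option, uci_ptr, uci_expand_ptr and the "update option" branch of uci_set; the behaviour of `expand_ptr` (setting `option` to the existing option's own name buffer when it is NULL) is assumed from the commit message. It shows why the fix uses pointer identity rather than strcmp and why the repointing has to happen before the old option is freed.

```c
#include <assert.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not uci's code): hypothetical stand-ins for uci_option
 * and uci_ptr. */
struct option {
    char *name;    /* stands in for uci_option->e.name */
    char *value;
};

struct ptr {
    struct option *o;    /* existing option object, if any */
    const char *option;  /* option name; may alias o->name after expansion */
    const char *value;   /* new value to store */
};

static char *xstrdup(const char *s) {
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (!d) abort();
    memcpy(d, s, n);
    return d;
}

static struct option *alloc_option(const char *name, const char *value) {
    struct option *o = malloc(sizeof *o);
    if (!o) abort();
    o->name = xstrdup(name);
    o->value = xstrdup(value);
    return o;
}

static void free_option(struct option *o) {
    free(o->name);
    free(o->value);
    free(o);
}

/* Assumed model of uci_expand_ptr for option == NULL: point ptr->option at
 * the existing option's own name buffer, so the two now alias. */
static void expand_ptr(struct ptr *p) {
    if (p->o && !p->option)
        p->option = p->o->name;
}

/* Model of the patched "update option" branch: allocate the replacement,
 * repoint ptr->option if it aliased the old name buffer, only then free the
 * old option. Returns 1 if the alias case was taken, 0 otherwise. */
static int update_option(struct ptr *p) {
    struct option *old = p->o;
    int aliased;

    p->o = alloc_option(p->option, p->value);
    aliased = (p->option == old->name);  /* pointer identity, not strcmp */
    if (aliased)
        p->option = p->o->name;          /* keep ptr->option valid for later use */
    free_option(old);
    return aliased;
}

/* The scenario from the commit message: ptr->o set, ptr->option NULL. */
static int run_scenario(void) {
    struct ptr p = { alloc_option("ifname", "eth0"), NULL, "eth1" };
    int aliased, ok;

    expand_ptr(&p);                       /* p.option now aliases p.o->name */
    aliased = update_option(&p);
    /* ptr->option is still readable and names the new option object */
    ok = aliased && p.option == p.o->name
         && strcmp(p.option, "ifname") == 0
         && strcmp(p.o->value, "eth1") == 0;
    free_option(p.o);
    return ok;
}

/* Caller supplied its own name string: same text, different buffer, so a
 * pointer comparison leaves ptr->option untouched. */
static int run_explicit(void) {
    const char *name = "ifname";
    struct ptr p = { alloc_option("ifname", "eth0"), name, "eth1" };
    int aliased, ok;

    expand_ptr(&p);                       /* no-op: option already set */
    aliased = update_option(&p);
    ok = !aliased && p.option == name && strcmp(p.o->value, "eth1") == 0;
    free_option(p.o);
    return ok;
}
```

Run it under AddressSanitizer (`-fsanitize=address`) and then move the `free_option(old)` call above the `if (aliased)` block to see the read of freed memory that the original code performed; with the order as written the sanitizer stays quiet.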