[OpenWrt-Devel] [PATCH v3] instance: fix pidfile attribute double free crash
Daniel Golle
daniel at makrotopia.org
Thu Jan 16 04:16:18 EST 2020
Hi (again),
So that's what happens when you use git format-patch without thought.
This message came from me, just had Petr's From: because the original
patch I picked into my git tree came from him.
Sorry for that...
Cheers
Daniel
On Thu, Jan 16, 2020 at 11:13:22AM +0200, Petr Štetiar wrote:
> Hi Petr,
> Hi Felix,
>
> seems like more things were wrong with instance_config_move(), some
> of the jail attributes were missing as well...
>
> ---
> Commit a5af33ce9a16 ("instance: strdup string attributes") has
> introduced duplication of various string attributes in order to fix
> use-after-free, but missed handling of `pidfile` and `seccomp` attribute
> cases in instance_config_move() where the new value of `pidfile` or
> `seccomp` is being copied/assigned. Source of these values is then
> free()d in subsequent call to instance_free() and then again for 2nd
> time during the service stop command handling, leading to double free
> crash:
>
> #0 unmap_chunk at src/malloc/malloc.c:515
> #1 free at src/malloc/malloc.c:526
> #2 instance_free (in=0xd5e300) at instance.c:1100
> #3 instance_delete (in=0xd5e300) at instance.c:559
> #4 instance_stop (in=0xd5e300, halt=true) at instance.c:611
>
> Ref: FS#2723
> Fixes: a5af33ce9a16 ("instance: strdup string attributes")
> Signed-off-by: Petr Štetiar <ynezz at true.cz>
> Signed-off-by: Daniel Golle <daniel at makrotopia.org>
> ---
> service/instance.c | 26 ++++++++++++++++++++++++--
> 1 file changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/service/instance.c b/service/instance.c
> index ce5b0bf..c2ebc76 100644
> --- a/service/instance.c
> +++ b/service/instance.c
> @@ -1040,17 +1040,39 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr
> blobmsg_list_move(&in->jail.mount, &in_src->jail.mount);
> in->trigger = in_src->trigger;
> in->command = in_src->command;
> - in->pidfile = in_src->pidfile;
> in->respawn = in_src->respawn;
> in->respawn_retry = in_src->respawn_retry;
> in->respawn_threshold = in_src->respawn_threshold;
> in->respawn_timeout = in_src->respawn_timeout;
> in->name = in_src->name;
> in->trace = in_src->trace;
> - in->seccomp = in_src->seccomp;
> in->node.avl.key = in_src->node.avl.key;
> in->syslog_facility = in_src->syslog_facility;
>
> + free(in->pidfile);
> + if (in_src->pidfile)
> + in->pidfile = strdup(in_src->pidfile);
> + else
> + in->pidfile = NULL;
> +
> + free(in->seccomp);
> + if (in_src->seccomp)
> + in->seccomp = strdup(in_src->seccomp);
> + else
> + in->seccomp = NULL;
> +
> + free(in->jail.name);
> + if (in_src->jail.name)
> + in->jail.name = strdup(in_src->jail.name);
> + else
> + in->jail.name = NULL;
> +
> + free(in->jail.hostname);
> + if (in_src->jail.hostname)
> + in->jail.hostname = strdup(in_src->jail.hostname);
> + else
> + in->jail.hostname = NULL;
> +
> free(in->config);
> in->config = in_src->config;
> in_src->config = NULL;
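Review bot: the strdup() results in the four added blocks (pidfile, seccomp, jail.name, jail.hostname) are never checked, so an allocation failure leaves the attribute NULL, which is indistinguishable from the attribute not being configured. Since this function already transfers ownership for config (`in->config = in_src->config; in_src->config = NULL;`), the same move pattern would work here: free the old value, take the source pointer, and set the source field to NULL. That avoids the allocation and its failure path entirely, and the later free() of the source field becomes a harmless free(NULL). If duplication is kept, the four identical free/strdup/else-NULL sequences would read better as one small static helper taking the destination pointer and the source string.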
> --
> 2.24.1
>
>
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/mailman/listinfo/openwrt-devel