The Samba-Bugzilla – Attachment 17711 Details for
Bug 15269
ctdb: use-after-free in run_proc
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
patch for 4.16 and 4.17 cherry-picked from master
0001-ctdb-Fix-a-use-after-free-in-run_proc.patch (text/plain), 3.96 KB, created by
Björn Baumbach
on 2022-12-23 15:38:48 UTC
(
hide
)
Description:
patch for 4.16 and 4.17 cherry-picked from master
Filename:
MIME Type:
Creator:
Björn Baumbach
Created:
2022-12-23 15:38:48 UTC
Size:
3.96 KB
patch
obsolete
>From 7d6b4a820f3adf9c41fcee2a1350ec0b71f079c1 Mon Sep 17 00:00:00 2001 >From: Volker Lendecke <vl@samba.org> >Date: Fri, 30 Sep 2022 17:02:41 +0200 >Subject: [PATCH] ctdb: Fix a use-after-free in run_proc > >If you happen to talloc_free(run_ctx) before all the tevent_req's >hanging off it, you run into the following: > >==495196== Invalid read of size 8 >==495196== at 0x10D757: run_proc_state_destructor (run_proc.c:413) >==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) >==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) >==495196== by 0x4890F41: _talloc_free (talloc.c:1792) >==495196== by 0x48538B1: tevent_req_received (tevent_req.c:293) >==495196== by 0x4853429: tevent_req_destructor (tevent_req.c:129) >==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) >==495196== by 0x4890AF6: _tc_free_children_internal (talloc.c:1669) >==495196== by 0x488F967: _tc_free_internal (talloc.c:1184) >==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) >==495196== by 0x4890F41: _talloc_free (talloc.c:1792) >==495196== by 0x10DE62: main (run_proc_test.c:86) >==495196== Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd >==495196== at 0x48399AB: free (vg_replace_malloc.c:538) >==495196== by 0x488FB25: _tc_free_internal (talloc.c:1222) >==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) >==495196== by 0x4890F41: _talloc_free (talloc.c:1792) >==495196== by 0x10D315: run_proc_context_destructor (run_proc.c:329) >==495196== by 0x488F736: _tc_free_internal (talloc.c:1158) >==495196== by 0x488FBDD: _talloc_free_internal (talloc.c:1248) >==495196== by 0x4890F41: _talloc_free (talloc.c:1792) >==495196== by 0x10DE62: main (run_proc_test.c:86) >==495196== Block was alloc'd at >==495196== at 0x483877F: malloc (vg_replace_malloc.c:307) >==495196== by 0x488EAD9: __talloc_with_prefix (talloc.c:783) >==495196== by 0x488EC73: __talloc (talloc.c:825) >==495196== by 0x488F0FC: _talloc_named_const (talloc.c:982) >==495196== by 0x48925B1: _talloc_zero (talloc.c:2421) >==495196== by 0x10C8F2: proc_new (run_proc.c:61) >==495196== by 0x10D4C9: run_proc_send (run_proc.c:381) >==495196== by 0x10DDF6: main (run_proc_test.c:79) > >This happens because run_proc_context_destructor() directly does a >talloc_free() on the struct proc_context's and not the enclosing >tevent_req's. run_proc_kill() makes sure that we don't follow >proc->req, but it forgets the "state->proc", which is free()'ed, but >later dereferenced in run_proc_state_destructor(). > >This is an attempt at a quick fix, I believe we should convert >run_proc_context->plist into an array of tevent_req's, so that we can >properly TALLOC_FREE() according to the "natural" hierarchy and not >just pull an arbitrary thread out of that heap. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269 > >Signed-off-by: Volker Lendecke <vl@samba.org> >Reviewed-by: Martin Schwenke <martin@meltin.net> > >Autobuild-User(master): Volker Lendecke <vl@samba.org> >Autobuild-Date(master): Thu Oct 6 15:10:20 UTC 2022 on sn-devel-184 > >(cherry picked from commit 688be0177b04d04709813a02ae6da1e983ac25dd) >--- > ctdb/common/run_proc.c | 5 +++-- > 1 file changed, 3 insertions(+), 2 deletions(-) > >diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c >index d55af6c3a1e..84bc343ba1f 100644 >--- a/ctdb/common/run_proc.c >+++ b/ctdb/common/run_proc.c >@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx, > static int run_proc_state_destructor(struct run_proc_state *state) > { > /* Do not get rid of the child process if timeout has occurred */ >- if (state->proc->req != NULL) { >+ if ((state->proc != NULL) && (state->proc->req != NULL)) { > state->proc->req = NULL; > DLIST_REMOVE(state->run_ctx->plist, state->proc); >- talloc_free(state->proc); >+ TALLOC_FREE(state->proc); > } > > return 0; >@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req) > req, struct run_proc_state); > > state->proc->req = NULL; >+ state->proc = NULL; > > state->result.sig = SIGKILL; > >-- >2.34.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
vl
:
review+
Actions:
View
Attachments on
bug 15269
: 17711