Attachment 17711 Details for Bug 15269 – patch for 4.16 and 4.17 cherry-picked from master

[patch] patch for 4.16 and 4.17 cherry-picked from master

0001-ctdb-Fix-a-use-after-free-in-run_proc.patch (text/plain), 3.96 KB, created by Björn Baumbach on 2022-12-23 15:38:48 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Björn Baumbach

Created: 2022-12-23 15:38:48 UTC

Size: 3.96 KB

patch

obsolete

>From 7d6b4a820f3adf9c41fcee2a1350ec0b71f079c1 Mon Sep 17 00:00:00 2001
>From: Volker Lendecke <vl@samba.org>
>Date: Fri, 30 Sep 2022 17:02:41 +0200
>Subject: [PATCH] ctdb: Fix a use-after-free in run_proc
>
>If you happen to talloc_free(run_ctx) before all the tevent_req's
>hanging off it, you run into the following:
>
>==495196== Invalid read of size 8
>==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
>==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
>==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
>==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
>==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
>==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
>==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
>==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
>==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
>==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
>==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
>==495196==    by 0x10DE62: main (run_proc_test.c:86)
>==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
>==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
>==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
>==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
>==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
>==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
>==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
>==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
>==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
>==495196==    by 0x10DE62: main (run_proc_test.c:86)
>==495196==  Block was alloc'd at
>==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
>==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
>==495196==    by 0x488EC73: __talloc (talloc.c:825)
>==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
>==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
>==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
>==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
>==495196==    by 0x10DDF6: main (run_proc_test.c:79)
>
>This happens because run_proc_context_destructor() directly does a
>talloc_free() on the struct proc_context's and not the enclosing
>tevent_req's. run_proc_kill() makes sure that we don't follow
>proc->req, but it forgets the "state->proc", which is free()'ed, but
>later dereferenced in run_proc_state_destructor().
>
>This is an attempt at a quick fix, I believe we should convert
>run_proc_context->plist into an array of tevent_req's, so that we can
>properly TALLOC_FREE() according to the "natural" hierarchy and not
>just pull an arbitrary thread out of that heap.
>
>BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269
>
>Signed-off-by: Volker Lendecke <vl@samba.org>
>Reviewed-by: Martin Schwenke <martin@meltin.net>
>
>Autobuild-User(master): Volker Lendecke <vl@samba.org>
>Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184
>
>(cherry picked from commit 688be0177b04d04709813a02ae6da1e983ac25dd)
>---
> ctdb/common/run_proc.c | 5 +++--
> 1 file changed, 3 insertions(+), 2 deletions(-)
>
>diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
>index d55af6c3a1e..84bc343ba1f 100644
>--- a/ctdb/common/run_proc.c
>+++ b/ctdb/common/run_proc.c
>@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
> static int run_proc_state_destructor(struct run_proc_state *state)
> {
> 	/* Do not get rid of the child process if timeout has occurred */
>-	if (state->proc->req != NULL) {
>+	if ((state->proc != NULL) && (state->proc->req != NULL)) {
> 		state->proc->req = NULL;
> 		DLIST_REMOVE(state->run_ctx->plist, state->proc);
>-		talloc_free(state->proc);
>+		TALLOC_FREE(state->proc);
> 	}
> 
> 	return 0;
>@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req)
> 		req, struct run_proc_state);
> 
> 	state->proc->req = NULL;
>+	state->proc = NULL;
> 
> 	state->result.sig = SIGKILL;
> 
>-- 
>2.34.1
>

Flags:

vl: review+

Actions: View

Attachments on bug 15269: 17711