Bug 15269 - ctdb: use-after-free in run_proc
Summary: ctdb: use-after-free in run_proc
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB (show other bugs)
Version: 4.17.4
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-12-23 15:36 UTC by Björn Baumbach
Modified: 2023-02-16 16:38 UTC (History)
1 user (show)

See Also:

Attachments
patch for 4.16 and 4.17 cherry-picked from master (3.96 KB, patch)
2022-12-23 15:38 UTC, Björn Baumbach 		vl: review+
Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Björn Baumbach 2022-12-23 15:36:22 UTC 
Description from commit 688be0177b04d04709813a02ae6da1e983ac25dd

If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().
Comment 1 Björn Baumbach 2022-12-23 15:38:48 UTC 
Created attachment 17711 [details]
patch for 4.16 and 4.17 cherry-picked from master
Comment 2 Jule Anger 2023-01-03 17:42:23 UTC 
Pushed to autobuild-v4-{17,16}-test.
Comment 3 Samba QA Contact 2023-01-03 19:20:28 UTC 
This bug was referenced in samba v4-16-test:

104fcaa89f81d1a66735c1b85830e2e85460d1e0
Comment 4 Samba QA Contact 2023-01-04 21:24:19 UTC 
This bug was referenced in samba v4-17-test:

0d89084e0443c5cabb3f9cc6633f6b9c6ede29c1
Comment 5 Jule Anger 2023-01-05 09:05:19 UTC 
Closing out bug report.

Thanks!
Comment 6 Samba QA Contact 2023-01-26 17:51:50 UTC 
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

0d89084e0443c5cabb3f9cc6633f6b9c6ede29c1
Comment 7 Samba QA Contact 2023-02-16 16:38:13 UTC 
This bug was referenced in samba v4-16-stable (Release samba-4.16.9):

104fcaa89f81d1a66735c1b85830e2e85460d1e0