Bug 15269 - ctdb: use-after-free in run_proc
Summary: ctdb: use-after-free in run_proc
Status: RESOLVED FIXED
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: CTDB
Version: 4.17.4
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2022-12-23 15:36 UTC by Björn Baumbach
Modified: 2023-02-16 16:38 UTC

Attachments
patch for 4.16 and 4.17 cherry-picked from master (3.96 KB, patch)
2022-12-23 15:38 UTC, Björn Baumbach
vl: review+

Description Björn Baumbach 2022-12-23 15:36:22 UTC
Description from commit 688be0177b04d04709813a02ae6da1e983ac25dd

If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().
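
Added example, not part of the bug report or the Samba patch: a small C model of the teardown order described above, showing why a pointer left in the request state goes stale and how clearing it avoids the read. It uses no talloc or tevent; `model_kill`, `model_state_destructor` and `teardown` are hypothetical names, a `freed` flag stands in for `talloc_free()` so the stale access is counted rather than performed, and calling the kill step from the context destructor is an assumption.

```c
#include <stdio.h>

/* Constructed model, not talloc/tevent: "freed" is a flag so the stale
 * access can be counted instead of actually touching freed memory. */
struct req_state;
struct proc { int freed; struct req_state *state; };  /* models the proc context */
struct req_state { struct proc *proc; };              /* models the request state */
static int stale_reads;

/* Models the kill step: detach the proc from its request. With
 * clear_back_pointer set, the request side forgets the proc as well. */
static void model_kill(struct proc *p, int clear_back_pointer)
{
    if (clear_back_pointer && p->state != NULL)
        p->state->proc = NULL;
    p->state = NULL;                     /* like no longer following proc->req */
}

/* Models the state destructor: it looks at state->proc if that is set. */
static void model_state_destructor(struct req_state *s)
{
    if (s->proc != NULL && s->proc->freed)
        stale_reads++;                   /* what valgrind reports as "Invalid read" */
}

/* Models freeing run_ctx: its destructor frees every proc first, then the
 * child requests are freed and their state destructors run. */
static int teardown(int clear_back_pointer)
{
    struct proc procs[2] = { {0, NULL}, {0, NULL} };
    struct req_state states[2] = { { &procs[0] }, { &procs[1] } };
    stale_reads = 0;
    for (int i = 0; i < 2; i++)
        procs[i].state = &states[i];
    for (int i = 0; i < 2; i++) {        /* context destructor */
        model_kill(&procs[i], clear_back_pointer);
        procs[i].freed = 1;              /* stands in for talloc_free(proc) */
    }
    for (int i = 0; i < 2; i++)          /* children are freed afterwards */
        model_state_destructor(&states[i]);
    return stale_reads;
}

int main(void)
{
    printf("stale reads, state->proc left set: %d\n", teardown(0));
    printf("stale reads, state->proc cleared:  %d\n", teardown(1));
    return 0;
}
```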
Comment 1 Björn Baumbach 2022-12-23 15:38:48 UTC
Created attachment 17711
patch for 4.16 and 4.17 cherry-picked from master
Comment 2 Jule Anger 2023-01-03 17:42:23 UTC
Pushed to autobuild-v4-{17,16}-test.
Comment 3 Samba QA Contact 2023-01-03 19:20:28 UTC
This bug was referenced in samba v4-16-test:

104fcaa89f81d1a66735c1b85830e2e85460d1e0
Comment 4 Samba QA Contact 2023-01-04 21:24:19 UTC
This bug was referenced in samba v4-17-test:

0d89084e0443c5cabb3f9cc6633f6b9c6ede29c1
Comment 5 Jule Anger 2023-01-05 09:05:19 UTC
Closing out bug report.

Thanks!
Comment 6 Samba QA Contact 2023-01-26 17:51:50 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.5):

0d89084e0443c5cabb3f9cc6633f6b9c6ede29c1
Comment 7 Samba QA Contact 2023-02-16 16:38:13 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.9):

104fcaa89f81d1a66735c1b85830e2e85460d1e0