This is an automated email from the git hooks/post-receive script. sthibault pushed a commit to branch master in repository hurd.
commit 579bc372b785bea05ffc1d1b2bd9f485734596a4 Author: Samuel Thibault <[email protected]> Date: Tue Dec 19 20:10:24 2017 +0000 patches/hash-weakref: New patch to fix use-after-free Closes: Bug#882507 --- debian/changelog | 6 ++++++ debian/patches/hash-weakref | 52 +++++++++++++++++++++++++++++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 59 insertions(+)
diff --git a/debian/changelog b/debian/changelog
index 3982270..3a8498b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+hurd (1:0.9.git20171119-3) unstable; urgency=medium
+
+ * patches/hash-weakref: New patch to fix use-after-free. Closes: Bug#882507.
+
+ -- Samuel Thibault <[email protected]> Tue, 19 Dec 2017 20:09:37 +0000
+
 hurd (1:0.9.git20171119-2) unstable; urgency=medium * patches/pie-core: New patch to add at_entry note for PIE core dumps.
diff --git a/debian/patches/hash-weakref b/debian/patches/hash-weakref
new file mode 100644
index 0000000..ec44966
--- /dev/null
+++ b/debian/patches/hash-weakref
@@ -0,0 +1,52 @@
+commit b37c7dd4dd0de064b7ae2c9ad5687ebb635677c8
+Author: Samuel Thibault <[email protected]>
+Date: Tue Dec 19 01:39:36 2017 +0100
+
+ libfshelp: Add weak reference for hash table reference
+
+ Fixes reference w/o send right crash.
+
+ * libfshelp/get-identity.c (fshelp_get_identity): Get weak reference for
+ the hash table reference.
+ (id_initialize): Pass id_clean as dropweak_routine instead of
+ clean_routine to ports_create_class.
+ (id_clean): Remove from hash table only if there are no hard references
+ left, i.e. we didn't reacquired a port right in between.
+
+diff --git a/libfshelp/get-identity.c b/libfshelp/get-identity.c
+index 17244dee..9f92272e 100644
+--- a/libfshelp/get-identity.c
++++ b/libfshelp/get-identity.c
+@@ -42,7 +42,12 @@ id_clean (void *cookie)
+ {
+ struct idspec *i = cookie;
+ pthread_mutex_lock (&idlock);
+- hurd_ihash_locp_remove (&idhash, i->id_hashloc);
++ if (refcounts_hard_references(&i->pi.refcounts) == 0)
++ {
++ /* Nobody got a send right in between, we can remove from the hash. */
++ hurd_ihash_locp_remove (&idhash, i->id_hashloc);
++ ports_port_deref_weak (&i->pi);
++ }
+ pthread_mutex_unlock (&idlock);
+ }
+
+@@ -50,7 +55,7 @@ static void
+ id_initialize ()
+ {
+ assert_backtrace (!idclass);
+- idclass = ports_create_class (id_clean, NULL);
++ idclass = ports_create_class (NULL, id_clean);
+ }
+
+ error_t
+@@ -75,6 +80,9 @@ fshelp_get_identity (struct port_bucket *bucket,
+ if (err)
+ goto lose_port;
+
++ /* Weak reference for the hash entry. */
++ ports_port_ref_weak(&i->pi);
++
+ *pt = ports_get_right (i);
+ ports_port_deref (i);
+ }
diff --git a/debian/patches/series b/debian/patches/series
index 0cb5a88..1cba2e7 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -30,3 +30,4 @@ libports-iterate-refcount.patch
 exec_filename_rpctrace.patch
 exec_set_exe.patch
 pie-core
+hash-weakref
-- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-hurd/hurd.git
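Review bot: The `refcounts_hard_references(&i->pi.refcounts) == 0` test added to id_clean is a point-in-time read, so it only protects against the use-after-free if every path that can take a new hard reference on an idspec reached through idhash does so with idlock held; the lookup branch of fshelp_get_identity is outside the inner hunks, so this cannot be confirmed from here. I would state that invariant next to the check, e.g. `/* idlock serializes this test with the idhash lookup in fshelp_get_identity; if a hard reference was retaken, keep the entry and its weak reference. */`. As a style point, `refcounts_hard_references(` and `ports_port_ref_weak(` drop the space before the parenthesis that the neighbouring calls use. id_clean and fshelp_get_identity both begin or end outside the inner hunks.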
