Commit a5af33ce9a16 ("instance: strdup string attributes") has introduced duplication of various string attributes in order to fix a use-after-free, but missed handling of the `pidfile` and `seccomp` attribute cases in instance_config_move(), where the new value of `pidfile` or `seccomp` is being copied/assigned. The source of these values is then free()d in the subsequent call to instance_free() and then again for the 2nd time during the service stop command handling, leading to a double free crash:
#0 unmap_chunk at src/malloc/malloc.c:515 #1 free at src/malloc/malloc.c:526 #2 instance_free (in=0xd5e300) at instance.c:1100 #3 instance_delete (in=0xd5e300) at instance.c:559 #4 instance_stop (in=0xd5e300, halt=true) at instance.c:611 Ref: FS#2723 Cc: Daniel Golle <dan...@makrotopia.org> Fixes: a5af33ce9a16 ("instance: strdup string attributes") Signed-off-by: Petr Štetiar <yn...@true.cz> --- changes since v1: * added missed fix for `seccomp` attribute (Daniel) service/instance.c | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/service/instance.c b/service/instance.c index ce5233807dbb..8fd44a80d6e5 100644 --- a/service/instance.c +++ b/service/instance.c @@ -1031,17 +1031,23 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr blobmsg_list_move(&in->jail.mount, &in_src->jail.mount); in->trigger = in_src->trigger; in->command = in_src->command; - in->pidfile = in_src->pidfile; in->respawn = in_src->respawn; in->respawn_retry = in_src->respawn_retry; in->respawn_threshold = in_src->respawn_threshold; in->respawn_timeout = in_src->respawn_timeout; in->name = in_src->name; in->trace = in_src->trace; - in->seccomp = in_src->seccomp; in->node.avl.key = in_src->node.avl.key; in->syslog_facility = in_src->syslog_facility; + free(in->pidfile); + if (in_src->pidfile) + in->pidfile = strdup(in_src->pidfile); + + free(in->seccomp); + if (in_src->seccomp) + in->seccomp = strdup(in_src->seccomp); + free(in->config); in->config = in_src->config; in_src->config = NULL; _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
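Review bot: in both new blocks at the end of the instance_config_move() hunk, the destination pointer is left dangling when the source attribute is NULL, because `free(in->pidfile);` is followed only by a conditional assignment under `if (in_src->pidfile)`. If the old instance had a pidfile (or seccomp) value and the new one does not, `in->pidfile` keeps pointing at freed memory, and the free() calls that the commit message attributes to instance_free() would then release it a second time, which is the same class of crash this patch is fixing. Assigning unconditionally avoids that, for example `in->pidfile = in_src->pidfile ? strdup(in_src->pidfile) : NULL;` and likewise for `in->seccomp`. Separately, the strdup() return value is not checked in either block, so an allocation failure silently clears the attribute; an error log or an explicit comment that this is acceptable would help.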