Package: incron Version: 0.5.12-1 Severity: grave Tags: security patch upstream
Hi, incron crashes for me frequently. As incron runs as root, but is controllable by users, this bug might be security-relevant, so I'm reporting it a severity grave and tagging it security. Please downgrade if you can rule out this concern. Further investigation shows that the problem is caused by the creation of new directories within watched paths: these trigger a reload of the inotify watch target, rendering the old watch structure invalid. Only after the reload, potential commands are executed. This may require to get path of the event, but the corresponding pointer is invalid after the reload. Attached is a patch that extracts the path before the reload, making this problem disappear for me. Note that the patch assumes that LOOPER is not defined, which seems to be the case for the Debian package. Backtrace for reference: bt full #0 0x004ba484 in IncronTabEntry::GetSafePath (rPath=<error: Cannot access memory at address 0x7475612f>) at /usr/include/c++/8/bits/basic_string.h:1046 i = 0 stream = <incomplete type> len = 1919509615 #1 0x004c43f3 in UserTable::OnEvent (this=<optimized out>, rEvt=...) at inotify-cxx.h:428 px = 40 pW = 0x1fbde40 pE = 0x1fbc920 events = "IN_CREATE,IN_ISDIR" cmd = "/home/user/autoscripts/imageresize.sh " cs = "/home/user/autoscripts/imageresize.sh $@/$# $# $%" pos = 39 oldpos = 0 len = <optimized out> pid = <optimized out> #2 0x004c4767 in EventDispatcher::ProcessEvents (this=<optimized out>) at usertable.cpp:110 pIn = 0x1fc7d24 it = {first = 1702521203, second = 0x1fc0072} i = 2 pipe = false evt = {m_uMask = 1073742080, m_uCookie = 0, m_name = "Neuer Ordner", m_pWatch = 0x1fbde40} #3 0x004b8650 in main (argc=<optimized out>, argv=<optimized out>) at icd-main.cpp:458 res = <optimized out> wm = 10184 in = {m_fd = 6, m_watches = std::map with 2 elements = {[1] = 0xbfc8ab40, [2] = 0xbfc8ab68}, m_paths = std::map with 2 elements = { ["/etc/incron.d"] = 0xbfc8ab40, ["/var/spool/incron"] = 0xbfc8ab68}, m_buf = '\000' <repeats 29450 times>..., m_events = std::deque with 0 elements} stw = {m_path = "/etc/incron.d", m_uMask = 10184, m_wd = 1, m_pInotify = 0xbfc8ab90, m_fEnabled = true} utw = {m_path = "/var/spool/incron", m_uMask = 10184, m_wd = 2, m_pInotify = 0xbfc8ab90, m_fEnabled = true} ed = {m_iPipeFd = 4, m_iMgmtFd = 6, m_pIn = 0xbfc8ab90, m_pSys = 0xbfc8ab40, m_pUser = 0xbfc8ab68, m_maps = std::map with 1 element = {[8] = 0x1fc7d20}, m_size = 3, m_pPoll = 0x1fbe080} cfg = "/etc/incron.conf" lckdir = "/var/run" lckfile = "incrond" app = {m_path = "/var/run/incrond.pid", m_fLocked = true} ret = 0 sysBase = "/etc/incron.d" userBase = "/var/spool/incron" -- System Information: Debian Release: 10.2 APT prefers stable-updates APT policy: (500, 'stable-updates'), (500, 'stable-debug'), (500, 'stable') Architecture: i386 (i686) Kernel: Linux 4.19.0-6-686-pae (SMP w/4 CPU cores) Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8), LANGUAGE=de_AT.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system) LSM: AppArmor: enabled Versions of packages incron depends on: ii adduser 3.118 ii init-system-helpers 1.56+nmu1 ii libc6 2.28-10 ii libgcc1 1:8.3.0-6 ii libstdc++6 8.3.0-6 ii lsb-base 10.2019051400 incron recommends no packages. incron suggests no packages. -- Configuration Files: /etc/incron.allow [Errno 13] Keine Berechtigung: '/etc/incron.allow' /etc/incron.deny [Errno 13] Keine Berechtigung: '/etc/incron.deny' -- no debconf information
diff --git a/usertable.cpp b/usertable.cpp index 3f1ef4a..bdc7f29 100644 --- a/usertable.cpp +++ b/usertable.cpp @@ -370,6 +370,8 @@ void UserTable::OnEvent(InotifyEvent& rEvt) { InotifyWatch* pW = rEvt.GetWatch(); IncronTabEntry* pE = FindEntry(pW); + + std::string pWPath = pW->GetPath(); // no entry found - this shouldn't occur if (pE == NULL) @@ -422,7 +424,7 @@ void UserTable::OnEvent(InotifyEvent& rEvt) else { cmd.append(cs.substr(oldpos, pos-oldpos)); if (cs[px] == '@') { // base path - cmd.append(IncronTabEntry::GetSafePath(pW->GetPath())); + cmd.append(IncronTabEntry::GetSafePath(pWPath)); oldpos = pos + 2; } else if (cs[px] == '#') { // file name