Bug#764130: libdbi1 double free in dbi_shutdown_r

2014-10-28 Thread Markus Hoenicka

At 2014-10-06 12:43 László Böszörményi was heard to say:

Hi Markus,

Sebastian is experiencing a double free in libdbi1. You can read the
details in the bug report[1], but I quote it here.
-- cut --
I'm seeing a double-free in dbi_shutdown_r which happens after a
connection attempt (using dbi_conn_connect) fails and dbi_conn_close was
called. I don't have a full reproduction case yet but I think this is
related to the fix for #745980. I *assume* that the following happens:

 - dbi_conn_open adds the new connection to an internal list (using
   _update_internal_conn_list)

 - dbi_conn_connect does not touch that list

 - when calling dbi_conn_close after connect failed (supposedly
   conn->connection == NULL), the connection is not removed since
   dbi_conn_close returns early but after freeing the connection object
   (_update_internal_conn_list would only happen when not returning
   early)

 - when calling dbi_shutdown_r, the connection is still in the internal
   list and another attempt to close the connection is done causing an
   invalid read and the double-free

I think the right fix is to not return early at all in dbi_conn_close
but instead guard each single operation by checking if the required
fields are set (similar to how it's done in most cases already).

Let me know if you need any other information -- I can then try to come
up with a small test-case which reproduces the problem.
-- cut --

Cheers,
Laszlo/GCS
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764130


Sebastian,

could you please test-drive the current libdbi sources in the git 
repository? I concur with your analysis, and I've changed dbi_main.c 
with a supposed fix for this problem, see


http://sourceforge.net/p/libdbi/libdbi/ci/cdc447994cf767ae03fa6b0ca663a6b2a89469dd/

Calling disconnect() if there is no connection should do no harm, as the 
drivers check for the connection anyway. I prefer to run this driver 
function as drivers might contain additional cleanup code right there. 
The remaining functions called in dbi_conn_close() should all be safe 
even if there is no connection.


Please let me know if this patch fixes your problem.

regards,
Markus


--
Markus Hoenicka
http://www.mhoenicka.de
AQ score 38
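A minimal C model of the lifecycle discussed above, added here as an example (it is not libdbi's code): conn_open, conn_connect, the registry helpers, the two close variants and shutdown_all are stand-ins for dbi_conn_open, dbi_conn_connect, _update_internal_conn_list, dbi_conn_close before/after the fix, and dbi_shutdown_r. The buggy close frees the object but returns early without unlinking it, so the registry keeps a dangling pointer that a later shutdown would free again; the fixed close never returns early and guards each step instead.

```c
#include <stdlib.h>
#include <string.h>
#define MAX_CONNS 8
typedef struct conn {
    void *connection;  /* stays NULL when the connect attempt failed */
    char *error_msg;   /* a field that may or may not have been set */
} conn_t;
static conn_t *registry[MAX_CONNS];  /* stands in for libdbi's internal conn list */
/* Models _update_internal_conn_list: add (add=1) or unlink (add=0) a conn. */
static void registry_update(conn_t *c, int add) {
    for (int i = 0; i < MAX_CONNS; i++) {
        if (add && registry[i] == NULL) { registry[i] = c; return; }
        if (!add && registry[i] == c)   { registry[i] = NULL; return; }
    }
}
int registry_count(void) {
    int n = 0;
    for (int i = 0; i < MAX_CONNS; i++) n += (registry[i] != NULL);
    return n;
}
void registry_reset(void) { memset(registry, 0, sizeof registry); }  /* demo-only helper */
conn_t *conn_open(void) {                 /* models dbi_conn_open */
    conn_t *c = calloc(1, sizeof *c);
    if (c) registry_update(c, 1);
    return c;
}
int conn_connect(conn_t *c) { (void)c; return -1; }  /* models a failing dbi_conn_connect */

/* Buggy shape: frees, then returns early, so the registry keeps a dangling pointer. */
void conn_close_buggy(conn_t *c) {
    if (c->connection == NULL) { free(c); return; }
    free(c->error_msg);
    registry_update(c, 0);
    free(c);
}
/* Fixed shape: no early return; guard each step and always unlink before freeing. */
void conn_close_fixed(conn_t *c) {
    if (c == NULL) return;
    /* the driver disconnect would run here; drivers tolerate a NULL connection */
    free(c->error_msg);                   /* free(NULL) is a no-op */
    registry_update(c, 0);
    free(c);
}
/* Models dbi_shutdown_r: closes everything still registered and reports how many. */
int shutdown_all(void) {
    int closed = 0;
    for (int i = 0; i < MAX_CONNS; i++)
        if (registry[i]) { conn_close_fixed(registry[i]); closed++; }
    return closed;
}
```

After conn_close_buggy the registry still holds one entry pointing at freed memory, which is exactly what dbi_shutdown_r would then try to close a second time; after conn_close_fixed the registry is empty and shutdown has nothing left to touch.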





Bug#764130: libdbi1 double free in dbi_shutdown_r

2014-10-06 Thread GCS
Hi Markus,

Sebastian is experiencing a double free in libdbi1. You can read the
details in the bug report[1], but I quote it here.
-- cut --
I'm seeing a double-free in dbi_shutdown_r which happens after a
connection attempt (using dbi_conn_connect) fails and dbi_conn_close was
called. I don't have a full reproduction case yet but I think this is
related to the fix for #745980. I *assume* that the following happens:

 - dbi_conn_open adds the new connection to an internal list (using
   _update_internal_conn_list)

 - dbi_conn_connect does not touch that list

 - when calling dbi_conn_close after connect failed (supposedly
   conn->connection == NULL), the connection is not removed since
   dbi_conn_close returns early but after freeing the connection object
   (_update_internal_conn_list would only happen when not returning
   early)

 - when calling dbi_shutdown_r, the connection is still in the internal
   list and another attempt to close the connection is done causing an
   invalid read and the double-free

I think the right fix is to not return early at all in dbi_conn_close
but instead guard each single operation by checking if the required
fields are set (similar to how it's done in most cases already).

Let me know if you need any other information -- I can then try to come
up with a small test-case which reproduces the problem.
-- cut --

Cheers,
Laszlo/GCS
[1] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=764130





Bug#764130: libdbi1: double-free in dbi_shutdown_r

2014-10-05 Thread Sebastian Harl
Package: libdbi1
Version: 0.9.0-3
Severity: serious
Tags: upstream

Hi,

I'm seeing a double-free in dbi_shutdown_r which happens after a
connection attempt (using dbi_conn_connect) fails and dbi_conn_close was
called. I don't have a full reproduction case yet but I think this is
related to the fix for #745980. I *assume* that the following happens:

 - dbi_conn_open adds the new connection to an internal list (using
   _update_internal_conn_list)

 - dbi_conn_connect does not touch that list

 - when calling dbi_conn_close after connect failed (supposedly
   conn->connection == NULL), the connection is not removed since
   dbi_conn_close returns early but after freeing the connection object
   (_update_internal_conn_list would only happen when not returning
   early)

 - when calling dbi_shutdown_r, the connection is still in the internal
   list and another attempt to close the connection is done causing an
   invalid read and the double-free

I think the right fix is to not return early at all in dbi_conn_close
but instead guard each single operation by checking if the required
fields are set (similar to how it's done in most cases already).

Let me know if you need any other information -- I can then try to come
up with a small test-case which reproduces the problem.

TIA,
Sebastian

-- 
Sebastian tokkee Harl +++ GnuPG-ID: 0x8501C7FC +++ http://tokkee.org/

Those who would give up Essential Liberty to purchase a little Temporary
Safety, deserve neither Liberty nor Safety. -- Benjamin Franklin


