[OpenWrt-Devel] [PATCH procd v2] instance: fix pidfile attribute double free crash

Wed, 15 Jan 2020 08:54:59 -0800 

Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of `pidfile` and `seccomp` attribute
cases in instance_config_move() where the new value of `pidfile` or
`seccomp` is being copied/assigned. Source of this values is then
free()d in subsequent call to instance_free() and then again for 2nd
time during the service stop command handling, leading to double free
crash:

 #0  unmap_chunk at src/malloc/malloc.c:515
 #1  free at src/malloc/malloc.c:526
 #2  instance_free (in=0xd5e300) at instance.c:1100
 #3  instance_delete (in=0xd5e300) at instance.c:559
 #4  instance_stop (in=0xd5e300, halt=true) at instance.c:611

Ref: FS#2723
Cc: Daniel Golle <dan...@makrotopia.org>
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Petr Štetiar <yn...@true.cz>
---

 changes since v1:

  * added missed fix for `seccomp` attribute (Daniel)

 service/instance.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/service/instance.c b/service/instance.c
index ce5233807dbb..8fd44a80d6e5 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -1031,17 +1031,23 @@ instance_config_move(struct service_instance *in, 
struct service_instance *in_sr
        blobmsg_list_move(&in->jail.mount, &in_src->jail.mount);
        in->trigger = in_src->trigger;
        in->command = in_src->command;
-       in->pidfile = in_src->pidfile;
        in->respawn = in_src->respawn;
        in->respawn_retry = in_src->respawn_retry;
        in->respawn_threshold = in_src->respawn_threshold;
        in->respawn_timeout = in_src->respawn_timeout;
        in->name = in_src->name;
        in->trace = in_src->trace;
-       in->seccomp = in_src->seccomp;
        in->node.avl.key = in_src->node.avl.key;
        in->syslog_facility = in_src->syslog_facility;
 
+       free(in->pidfile);
+       if (in_src->pidfile)
+               in->pidfile = strdup(in_src->pidfile);
+
+       free(in->seccomp);
+       if (in_src->seccomp)
+               in->seccomp = strdup(in_src->seccomp);
+
        free(in->config);
        in->config = in_src->config;
        in_src->config = NULL;

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to