Hi (again),

So that's what happens when you use git format-patch without thought. This message came from me; it just had Petr's From: because the original patch I picked into my git tree came from him. Sorry for that...
Cheers
Daniel

On Thu, Jan 16, 2020 at 11:13:22AM +0200, Petr Štetiar wrote:
> Hi Petr,
> Hi Felix,
>
> seems like more things were wrong with instance_config_move(), some
> of the jail attributes were missing as well...
>
> ---
> Commit a5af33ce9a16 ("instance: strdup string attributes") has
> introduced duplication of various string attributes in order to fix a
> use-after-free, but missed handling of the `pidfile` and `seccomp` attribute
> cases in instance_config_move() where the new value of `pidfile` or
> `seccomp` is being copied/assigned. The source of these values is then
> free()d in a subsequent call to instance_free() and then again for the 2nd
> time during the service stop command handling, leading to a double free
> crash:
>
> #0 unmap_chunk at src/malloc/malloc.c:515
> #1 free at src/malloc/malloc.c:526
> #2 instance_free (in=0xd5e300) at instance.c:1100
> #3 instance_delete (in=0xd5e300) at instance.c:559
> #4 instance_stop (in=0xd5e300, halt=true) at instance.c:611
>
> Ref: FS#2723
> Fixes: a5af33ce9a16 ("instance: strdup string attributes")
> Signed-off-by: Petr Štetiar <yn...@true.cz>
> Signed-off-by: Daniel Golle <dan...@makrotopia.org>
> ---
> service/instance.c | 26 ++++++++++++++++++++++++--
> 1 file changed, 24 insertions(+), 2 deletions(-)
>
> diff --git a/service/instance.c b/service/instance.c
> index ce5b0bf..c2ebc76 100644
> --- a/service/instance.c
> +++ b/service/instance.c
> @@ -1040,17 +1040,39 @@ instance_config_move(struct service_instance *in, > struct service_instance *in_sr > blobmsg_list_move(&in->jail.mount, &in_src->jail.mount); > in->trigger = in_src->trigger; > in->command = in_src->command; > - in->pidfile = in_src->pidfile; > in->respawn = in_src->respawn; > in->respawn_retry = in_src->respawn_retry; > in->respawn_threshold = in_src->respawn_threshold; > in->respawn_timeout = in_src->respawn_timeout; > in->name = in_src->name; > in->trace = in_src->trace; > - in->seccomp = in_src->seccomp; > in->node.avl.key = in_src->node.avl.key; > in->syslog_facility = in_src->syslog_facility; > > + free(in->pidfile); > + if (in_src->pidfile) > + in->pidfile = strdup(in_src->pidfile); > + else > + in->pidfile = NULL; > + > + free(in->seccomp); > + if (in_src->seccomp) > + in->seccomp = strdup(in_src->seccomp); > + else > + in->seccomp = NULL; > + > + free(in->jail.name); > + if (in_src->jail.name) > + in->jail.name = strdup(in_src->jail.name); > + else > + in->jail.name = NULL; > + > + free(in->jail.hostname); > + if (in_src->jail.hostname) > + in->jail.hostname = strdup(in_src->jail.hostname); > + else > + in->jail.hostname = NULL; > + > free(in->config); > in->config = in_src->config; > in_src->config = NULL; > -- > 2.24.1 > > > _______________________________________________ > openwrt-devel mailing list > openwrt-devel@lists.openwrt.org > https://lists.openwrt.org/mailman/listinfo/openwrt-devel _______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/mailman/listinfo/openwrt-devel
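Review bot: the four new free()+strdup() blocks duplicate strings out of in_src, which the commit message says is free()d right after this call, so the copies are not needed; moving ownership the way the tail of this same hunk already does for config (`in->config = in_src->config;` followed by `in_src->config = NULL;`) would drop four allocations and also remove the unchecked strdup() failure paths, where a NULL return is silently stored and becomes indistinguishable from an absent pidfile/seccomp/jail.name/jail.hostname. If the strdup() approach is kept, the identical free/if/strdup/else/NULL sequence is repeated four times and belongs in a small static helper taking `char **dst, const char *src`, which would also make it easy to add a NULL check in one place.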