diff options
| author | Petr Štetiar <ynezz@true.cz> | 2020-01-17 18:22:37 +0100 |
|---|---|---|
| committer | Daniel Golle <daniel@makrotopia.org> | 2020-01-18 11:14:42 +0200 |
| commit | 153820c764719adfbcb185d35e63587097ddecbe (patch) | |
| tree | 2b0319621d9100f4c0edb42da84f58fcf9db3945 /service | |
| parent | a5af33ce9a16f6aa599f19cc7161e067fab9495d (diff) | |
| download | procd-153820c764719adfbcb185d35e63587097ddecbe.tar.gz | |
instance: fix pidfile and seccomp attributes double free
Commit a5af33ce9a16 ("instance: strdup string attributes") has
introduced duplication of various string attributes in order to fix
use-after-free, but missed handling of `pidfile` and `seccomp` attribute
cases in instance_config_move() where the new value of `pidfile` or
`seccomp` is being copied/assigned. Source of this values is then
free()d in subsequent call to instance_free() and then again for 2nd
time during the service stop command handling, leading to double free
crash:
#0 unmap_chunk at src/malloc/malloc.c:515
#1 free at src/malloc/malloc.c:526
#2 instance_free (in=0xd5e300) at instance.c:1100
#3 instance_delete (in=0xd5e300) at instance.c:559
#4 instance_stop (in=0xd5e300, halt=true) at instance.c:611
While at it, add missing handling of jail.name and jail.hostname
attributes as well.
Ref: FS#2723
Fixes: a5af33ce9a16 ("instance: strdup string attributes")
Signed-off-by: Daniel Golle <daniel@makrotopia.org>
Signed-off-by: Petr Štetiar <ynezz@true.cz>
Diffstat (limited to 'service')
| -rw-r--r-- | service/instance.c | 22 |
1 files changed, 20 insertions, 2 deletions
diff --git a/service/instance.c b/service/instance.c index b0c9807..342199a 100644 --- a/service/instance.c +++ b/service/instance.c @@ -1019,6 +1019,21 @@ instance_config_cleanup(struct service_instance *in) } static void +instance_config_move_strdup(char **dst, char *src) +{ + if (!*dst) + return; + + free(*dst); + *dst = NULL; + + if (!src) + return; + + *dst = strdup(src); +} + +static void instance_config_move(struct service_instance *in, struct service_instance *in_src) { instance_config_cleanup(in); @@ -1031,17 +1046,20 @@ instance_config_move(struct service_instance *in, struct service_instance *in_sr blobmsg_list_move(&in->jail.mount, &in_src->jail.mount); in->trigger = in_src->trigger; in->command = in_src->command; - in->pidfile = in_src->pidfile; in->respawn = in_src->respawn; in->respawn_retry = in_src->respawn_retry; in->respawn_threshold = in_src->respawn_threshold; in->respawn_timeout = in_src->respawn_timeout; in->name = in_src->name; in->trace = in_src->trace; - in->seccomp = in_src->seccomp; in->node.avl.key = in_src->node.avl.key; in->syslog_facility = in_src->syslog_facility; + instance_config_move_strdup(&in->pidfile, in_src->pidfile); + instance_config_move_strdup(&in->seccomp, in_src->seccomp); + instance_config_move_strdup(&in->jail.name, in_src->jail.name); + instance_config_move_strdup(&in->jail.hostname, in_src->jail.hostname); + free(in->config); in->config = in_src->config; in_src->config = NULL; |