[SCM] Samba Shared Repository - branch master updated

Volker Lendecke vlendec at samba.org
Thu Oct 6 15:11:01 UTC 2022


The branch, master has been updated
       via  688be0177b0 ctdb: Fix a use-after-free in run_proc
      from  9a8bc67f4a5 vfs_glusterfs: Remove special handling of O_CREAT flag

https://git.samba.org/?p=samba.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit 688be0177b04d04709813a02ae6da1e983ac25dd
Author: Volker Lendecke <vl at samba.org>
Date:   Fri Sep 30 17:02:41 2022 +0200

    ctdb: Fix a use-after-free in run_proc
    
    If you happen to talloc_free(run_ctx) before all the tevent_req's
    hanging off it, you run into the following:
    
    ==495196== Invalid read of size 8
    ==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
    ==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
    ==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
    ==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
    ==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
    ==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
    ==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
    ==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
    ==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
    ==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
    ==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
    ==495196==    by 0x10DE62: main (run_proc_test.c:86)
    ==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
    ==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
    ==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
    ==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
    ==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
    ==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
    ==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
    ==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
    ==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
    ==495196==    by 0x10DE62: main (run_proc_test.c:86)
    ==495196==  Block was alloc'd at
    ==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
    ==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
    ==495196==    by 0x488EC73: __talloc (talloc.c:825)
    ==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
    ==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
    ==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
    ==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
    ==495196==    by 0x10DDF6: main (run_proc_test.c:79)
    
    This happens because run_proc_context_destructor() directly does a
    talloc_free() on the struct proc_context's and not the enclosing
    tevent_req's. run_proc_kill() makes sure that we don't follow
    proc->req, but it forgets the "state->proc", which is free()'ed, but
    later dereferenced in run_proc_state_destructor().
    
    This is an attempt at a quick fix, I believe we should convert
    run_proc_context->plist into an array of tevent_req's, so that we can
    properly TALLOC_FREE() according to the "natural" hierarchy and not
    just pull an arbitrary thread out of that heap.
    
    Signed-off-by: Volker Lendecke <vl at samba.org>
    Reviewed-by: Martin Schwenke <martin at meltin.net>
    
    Autobuild-User(master): Volker Lendecke <vl at samba.org>
    Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184

-----------------------------------------------------------------------

Summary of changes:
 ctdb/common/run_proc.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)


Changeset truncated at 500 lines:

diff --git a/ctdb/common/run_proc.c b/ctdb/common/run_proc.c
index d55af6c3a1e..84bc343ba1f 100644
--- a/ctdb/common/run_proc.c
+++ b/ctdb/common/run_proc.c
@@ -408,10 +408,10 @@ struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
 static int run_proc_state_destructor(struct run_proc_state *state)
 {
 	/* Do not get rid of the child process if timeout has occurred */
-	if (state->proc->req != NULL) {
+	if ((state->proc != NULL) && (state->proc->req != NULL)) {
 		state->proc->req = NULL;
 		DLIST_REMOVE(state->run_ctx->plist, state->proc);
-		talloc_free(state->proc);
+		TALLOC_FREE(state->proc);
 	}
 
 	return 0;
@@ -439,6 +439,7 @@ static void run_proc_kill(struct tevent_req *req)
 		req, struct run_proc_state);
 
 	state->proc->req = NULL;
+	state->proc = NULL;
 
 	state->result.sig = SIGKILL;
 


-- 
Samba Shared Repository



More information about the samba-cvs mailing list