talloc issues

tridge at samba.org tridge at samba.org
Mon Jul 27 02:01:15 MDT 2009 

Hi Metze,

 > I have some code here:
 > http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-talloc-metze
 > 
 > I'll reply more verbose tomorrow or next week.

I'll be interested in the explanation, but this seems like a pretty
dangerous change in behaviour to me. Do you have any plans on ways to
find existing code that depends on the old behaviour?

The specific types of changes I am concerned about are:

 in module 1:
    allocate memory

 in module 2:
    take reference as child of x
    call talloc_free on referenced pointer
    talloc_free x

or for a more specific example:

static bool test_newref(void)
{
	struct somestruct {
		int *ptr;
	};
	struct somestruct *s1, *s2;
	void *root = talloc_new(NULL);

	s1 = talloc(root, struct somestruct);
	s1->ptr = talloc(s1, int);

	*s1->ptr = 42;

	s2 = talloc(root, struct somestruct);
	s2->ptr = talloc_reference(s2, s1->ptr);

	talloc_free(s2->ptr);
	talloc_free(s2);

	printf("%d\n", *s1->ptr);
	return true;
}

    

With the original behaviour of talloc you get '42' printed and no
errors. With the changes I put in you get this message printed:

  ERROR: talloc_free with references at testsuite.c:1126
         reference at testsuite.c:1124

but still get the same result printed and no valgrind errors.

With the code in your wip branch, I get a valgrind error, as the
printf of *s1->ptr references freed memory.

One of the things I'm trying to achieve with these talloc changes is:

  - when there is a change in behaviour that could affect code logic,
    make sure we produce a warning in the logs

  - err on the side of leaking memory if necessary (with a warning),
    rather than leaving code with what it thinks is valid pointers
    that it could then dereference

The 2nd point is particularly important, as otherwise we risk creating
a security hole. The above example shows how the hole could be
produced. We just don't have any sane way that I can think of to audit
all our code for a change like this. I don't think 'make test' is a
sufficient test to be sure we haven't created a security hole
somewhere by reversing the behaviour of talloc_free() in this sort of
example.

I also don't like this approach as it re-introduces a separation of
the 'original' parent as being special, which I think is what got us
in so much trouble in the first place. 

Cheers, Tridge

More information about the samba-technical mailing list