machine: fix use-after-free in Rename() DBus method

Fixes a bug introduced by 1ddb263d21099ae42195c2bc382bdf72a7f24f82. Note, this requires the previous two commits, and cannot backport without them. Note, before the previous commit, the use-after-free could be triggered only by Rename() DBus method, and could not by RenameImage(), as we did not cache Image object when RenameImage() method is called. And machinectl always uses RenameImage(). Hence, the issue could be triggered only when Rename() DBus method is explicitly called by e.g. busctl. With the previous commit, the Image object passed to the function is always cached. Hence, the issue could be triggered even with machinectl command, and this fix is important. (cherry picked from commit 3b1b2d4e3d544c593399e914fd1c3a5f61d7e827)
2025-03-12 08:58:20 +03:00 · 2024-05-18 06:14:50 +09:00 · 2024-05-18 06:14:50 +09:00 · c937169b0e
commit c937169b0e
parent bf270a3b06
1 changed files with 9 additions and 1 deletions
--- a/src/machine/image-dbus.c
+++ b/src/machine/image-dbus.c
@ -133,9 +133,17 @@ int bus_image_method_rename(
        if (r == 0)
                return 1; /* Will call us back */

+        /* The image is cached with its name, hence it is necessary to remove from the cache before renaming. */
+        assert_se(hashmap_remove_value(m->image_cache, image->name, image));
+
        r = image_rename(image, new_name);
-        if (r < 0)
+        if (r < 0) {
+                image_unref(image);
                return r;
+        }
+
+        /* Then save the object again in the cache. */
+        assert_se(hashmap_put(m->image_cache, image->name, image) > 0);

        return sd_bus_reply_method_return(message, NULL);
 }