1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
samba-mirror/lib/tevent/tevent_signal.c
Stefan Metzmacher 9d797ffb27 tevent: fix access after free in tevent_common_check_signal()
This was reported by Pavel Březina <pbrezina@redhat.com>:

    We found a crash in SSSD when a tevent signal is freed in its handler, tevent
    than crashes when it access siginfo.

    sig_info is freed in signal destructor:

    > #ifdef SA_SIGINFO
    >         if (se->sa_flags & SA_SIGINFO) {
    >             if (sig_state->sig_info[se->signum]) {
    >                 talloc_free(sig_state->sig_info[se->signum]);
    >                 sig_state->sig_info[se->signum] = NULL;
    >             }
    >         }
    > #endif

    (gdb) bt
    #0  0x00007f5d4d86cc74 in tevent_signal_destructor (se=0x7f5d5370f920) at
    ../tevent_signal.c:213
    #1  0x00007f5d4d65f233 in _talloc_free_internal () from /lib64/libtalloc.so.2
    #2  0x00007f5d4d6593a3 in _talloc_free () from /lib64/libtalloc.so.2
    #3  0x00007f5d4342f3d4 in proxy_child_init_done (subreq=0x7f5d5370f600) at
    src/providers/proxy/proxy_auth.c:436
    #4  0x00007f5d4d86b0c2 in _tevent_req_error (req=req@entry=0x7f5d5370f600,
    error=error@entry=5, location=location@entry=0x7f5d43433010
    "src/providers/proxy/proxy_auth.c:356")
        at ../tevent_req.c:167
    #5  0x00007f5d4342ef5e in pc_init_sig_handler (ev=<optimized out>,
    sige=<optimized out>, signum=<optimized out>, count=<optimized out>,
    __siginfo=<optimized out>, pvt=<optimized out>)
        at src/providers/proxy/proxy_auth.c:356
    #6  0x00007f5d4d86d48c in tevent_common_check_signal (ev=0x7f5d536de670) at
    ../tevent_signal.c:428
    #7  0x00007f5d4d86f28c in epoll_event_loop (tvalp=0x7fff7b568490,
    epoll_ev=0x7f5d536de8b0) at ../tevent_epoll.c:647
    #8  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at
    ../tevent_epoll.c:926
    #9  0x00007f5d4d86d7d7 in std_event_loop_once (ev=0x7f5d536de670,
    location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:114
    #10 0x00007f5d4d869fbd in _tevent_loop_once (ev=ev@entry=0x7f5d536de670,
    location=location@entry=0x7f5d50faedc3 "src/util/server.c:668") at
    ../tevent.c:530
    #11 0x00007f5d4d86a15b in tevent_common_loop_wait (ev=0x7f5d536de670,
    location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent.c:634
    #12 0x00007f5d4d86d777 in std_event_loop_wait (ev=0x7f5d536de670,
    location=0x7f5d50faedc3 "src/util/server.c:668") at ../tevent_standard.c:140
    #13 0x00007f5d50f96863 in server_loop (main_ctx=0x7f5d536dfac0) at
    src/util/server.c:668
    #14 0x00007f5d5180aa42 in main (argc=8, argv=<optimized out>) at
    src/providers/data_provider_be.c:2909

    But then it is accessed again in tevent_common_check_signal:

    > #ifdef SA_SIGINFO
    >         if (clear_processed_siginfo) {
    >             uint32_t j;
    >             for (j=0;j<count;j++) {
    >                 uint32_t ofs = (counter.seen + j)
    >                     % TEVENT_SA_INFO_QUEUE_COUNT;
    >                 memset((void*)&sig_state->sig_info[i][ofs],
    >                     '\0',
    >                     sizeof(siginfo_t));
    >             }
    >         }
    > #endif

    (gdb) bt
    #0  0x00007fd7ba400505 in memset (__len=<optimized out>, __ch=<optimized out>,
    __dest=<optimized out>) at /usr/include/bits/string3.h:84
    #1  tevent_common_check_signal (ev=0x7fd7bfddf670) at ../tevent_signal.c:459
    #2  0x00007fd7ba40228c in epoll_event_loop (tvalp=0x7fff85536430,
    epoll_ev=0x7fd7bfddf8b0) at ../tevent_epoll.c:647
    #3  epoll_event_loop_once (ev=<optimized out>, location=<optimized out>) at
    ../tevent_epoll.c:926
    #4  0x00007fd7ba4007d7 in std_event_loop_once (ev=0x7fd7bfddf670,
    location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:114
    #5  0x00007fd7ba3fcfbd in _tevent_loop_once (ev=ev@entry=0x7fd7bfddf670,
    location=location@entry=0x7fd7bdb417c3 "src/util/server.c:668") at
    ../tevent.c:530
    #6  0x00007fd7ba3fd15b in tevent_common_loop_wait (ev=0x7fd7bfddf670,
    location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent.c:634
    #7  0x00007fd7ba400777 in std_event_loop_wait (ev=0x7fd7bfddf670,
    location=0x7fd7bdb417c3 "src/util/server.c:668") at ../tevent_standard.c:140
    #8  0x00007fd7bdb29343 in server_loop (main_ctx=0x7fd7bfde0ac0) at
    src/util/server.c:668
    #9  0x00007fd7be39ca42 in main (argc=8, argv=<optimized out>) at
    src/providers/data_provider_be.c:2909

BUG: https://bugzilla.samba.org/show_bug.cgi?id=11308

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Tue Jun  2 21:02:11 CEST 2015 on sn-devel-104
2015-06-02 21:02:11 +02:00

513 lines
13 KiB
C

/*
Unix SMB/CIFS implementation.
common events code for signal events
Copyright (C) Andrew Tridgell 2007
** NOTE! The following LGPL license applies to the tevent
** library. This does NOT imply that all of Samba is released
** under the LGPL
This library is free software; you can redistribute it and/or
modify it under the terms of the GNU Lesser General Public
License as published by the Free Software Foundation; either
version 3 of the License, or (at your option) any later version.
This library is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
Lesser General Public License for more details.
You should have received a copy of the GNU Lesser General Public
License along with this library; if not, see <http://www.gnu.org/licenses/>.
*/
#include "replace.h"
#include "system/filesys.h"
#include "system/wait.h"
#include "tevent.h"
#include "tevent_internal.h"
#include "tevent_util.h"
/* maximum number of SA_SIGINFO signals to hold in the queue.
NB. This *MUST* be a power of 2, in order for the ring buffer
wrap to work correctly. Thanks to Petr Vandrovec <petr@vandrovec.name>
for this. */
#define TEVENT_SA_INFO_QUEUE_COUNT 256
size_t tevent_num_signals(void)
{
return TEVENT_NUM_SIGNALS;
}
size_t tevent_sa_info_queue_count(void)
{
return TEVENT_SA_INFO_QUEUE_COUNT;
}
struct tevent_sigcounter {
uint32_t count;
uint32_t seen;
};
#if defined(HAVE___SYNC_FETCH_AND_ADD)
#define TEVENT_SIG_INCREMENT(s) __sync_fetch_and_add(&((s).count), 1)
#elif defined(HAVE_ATOMIC_ADD_32)
#define TEVENT_SIG_INCREMENT(s) atomic_add_32(&((s).count), 1)
#else
#define TEVENT_SIG_INCREMENT(s) (s).count++
#endif
#define TEVENT_SIG_SEEN(s, n) (s).seen += (n)
#define TEVENT_SIG_PENDING(s) ((s).seen != (s).count)
struct tevent_common_signal_list {
struct tevent_common_signal_list *prev, *next;
struct tevent_signal *se;
};
/*
the poor design of signals means that this table must be static global
*/
static struct tevent_sig_state {
struct tevent_common_signal_list *sig_handlers[TEVENT_NUM_SIGNALS+1];
struct sigaction *oldact[TEVENT_NUM_SIGNALS+1];
struct tevent_sigcounter signal_count[TEVENT_NUM_SIGNALS+1];
struct tevent_sigcounter got_signal;
#ifdef SA_SIGINFO
/* with SA_SIGINFO we get quite a lot of info per signal */
siginfo_t *sig_info[TEVENT_NUM_SIGNALS+1];
struct tevent_sigcounter sig_blocked[TEVENT_NUM_SIGNALS+1];
#endif
} *sig_state;
/*
return number of sigcounter events not processed yet
*/
static uint32_t tevent_sig_count(struct tevent_sigcounter s)
{
return s.count - s.seen;
}
/*
signal handler - redirects to registered signals
*/
static void tevent_common_signal_handler(int signum)
{
char c = 0;
struct tevent_common_signal_list *sl;
struct tevent_context *ev = NULL;
int saved_errno = errno;
TEVENT_SIG_INCREMENT(sig_state->signal_count[signum]);
TEVENT_SIG_INCREMENT(sig_state->got_signal);
/* Write to each unique event context. */
for (sl = sig_state->sig_handlers[signum]; sl; sl = sl->next) {
if (sl->se->event_ctx && sl->se->event_ctx != ev) {
ev = sl->se->event_ctx;
/* doesn't matter if this pipe overflows */
(void) write(ev->pipe_fds[1], &c, 1);
}
}
errno = saved_errno;
}
#ifdef SA_SIGINFO
/*
signal handler with SA_SIGINFO - redirects to registered signals
*/
static void tevent_common_signal_handler_info(int signum, siginfo_t *info,
void *uctx)
{
uint32_t count = tevent_sig_count(sig_state->signal_count[signum]);
/* sig_state->signal_count[signum].seen % TEVENT_SA_INFO_QUEUE_COUNT
* is the base of the unprocessed signals in the ringbuffer. */
uint32_t ofs = (sig_state->signal_count[signum].seen + count) %
TEVENT_SA_INFO_QUEUE_COUNT;
sig_state->sig_info[signum][ofs] = *info;
tevent_common_signal_handler(signum);
/* handle SA_SIGINFO */
if (count+1 == TEVENT_SA_INFO_QUEUE_COUNT) {
/* we've filled the info array - block this signal until
these ones are delivered */
#ifdef HAVE_UCONTEXT_T
/*
* This is the only way for this to work.
* By default signum is blocked inside this
* signal handler using a temporary mask,
* but what we really need to do now is
* block it in the callers mask, so it
* stays blocked when the temporary signal
* handler mask is replaced when we return
* from here. The callers mask can be found
* in the ucontext_t passed in as the
* void *uctx argument.
*/
ucontext_t *ucp = (ucontext_t *)uctx;
sigaddset(&ucp->uc_sigmask, signum);
#else
/*
* WARNING !!! WARNING !!!!
*
* This code doesn't work.
* By default signum is blocked inside this
* signal handler, but calling sigprocmask
* modifies the temporary signal mask being
* used *inside* this handler, which will be
* replaced by the callers signal mask once
* we return from here. See Samba
* bug #9550 for details.
*/
sigset_t set;
sigemptyset(&set);
sigaddset(&set, signum);
sigprocmask(SIG_BLOCK, &set, NULL);
#endif
TEVENT_SIG_INCREMENT(sig_state->sig_blocked[signum]);
}
}
#endif
static int tevent_common_signal_list_destructor(struct tevent_common_signal_list *sl)
{
if (sig_state->sig_handlers[sl->se->signum]) {
DLIST_REMOVE(sig_state->sig_handlers[sl->se->signum], sl);
}
return 0;
}
/*
destroy a signal event
*/
static int tevent_signal_destructor(struct tevent_signal *se)
{
struct tevent_common_signal_list *sl =
talloc_get_type_abort(se->additional_data,
struct tevent_common_signal_list);
if (se->event_ctx) {
struct tevent_context *ev = se->event_ctx;
DLIST_REMOVE(ev->signal_events, se);
if (ev->signal_events == NULL && ev->pipe_fde != NULL) {
/*
* This was the last signal. Destroy the pipe.
*/
TALLOC_FREE(ev->pipe_fde);
close(ev->pipe_fds[0]);
close(ev->pipe_fds[1]);
}
}
talloc_free(sl);
if (sig_state->sig_handlers[se->signum] == NULL) {
/* restore old handler, if any */
if (sig_state->oldact[se->signum]) {
sigaction(se->signum, sig_state->oldact[se->signum], NULL);
sig_state->oldact[se->signum] = NULL;
}
#ifdef SA_SIGINFO
if (se->sa_flags & SA_SIGINFO) {
if (sig_state->sig_info[se->signum]) {
talloc_free(sig_state->sig_info[se->signum]);
sig_state->sig_info[se->signum] = NULL;
}
}
#endif
}
return 0;
}
/*
this is part of the pipe hack needed to avoid the signal race condition
*/
static void signal_pipe_handler(struct tevent_context *ev, struct tevent_fd *fde,
uint16_t flags, void *_private)
{
char c[16];
/* its non-blocking, doesn't matter if we read too much */
(void) read(fde->fd, c, sizeof(c));
}
/*
add a signal event
return NULL on failure (memory allocation error)
*/
struct tevent_signal *tevent_common_add_signal(struct tevent_context *ev,
TALLOC_CTX *mem_ctx,
int signum,
int sa_flags,
tevent_signal_handler_t handler,
void *private_data,
const char *handler_name,
const char *location)
{
struct tevent_signal *se;
struct tevent_common_signal_list *sl;
sigset_t set, oldset;
if (signum >= TEVENT_NUM_SIGNALS) {
errno = EINVAL;
return NULL;
}
/* the sig_state needs to be on a global context as it can last across
multiple event contexts */
if (sig_state == NULL) {
sig_state = talloc_zero(NULL, struct tevent_sig_state);
if (sig_state == NULL) {
return NULL;
}
}
se = talloc(mem_ctx?mem_ctx:ev, struct tevent_signal);
if (se == NULL) return NULL;
se->event_ctx = ev;
se->signum = signum;
se->sa_flags = sa_flags;
se->handler = handler;
se->private_data = private_data;
se->handler_name = handler_name;
se->location = location;
se->additional_data = NULL;
sl = talloc(se, struct tevent_common_signal_list);
if (!sl) {
talloc_free(se);
return NULL;
}
sl->se = se;
se->additional_data = sl;
/* Ensure, no matter the destruction order, that we always have a handle on the global sig_state */
if (!talloc_reference(se, sig_state)) {
talloc_free(se);
return NULL;
}
/* we need to setup the pipe hack handler if not already
setup */
if (ev->pipe_fde == NULL) {
if (pipe(ev->pipe_fds) == -1) {
talloc_free(se);
return NULL;
}
ev_set_blocking(ev->pipe_fds[0], false);
ev_set_blocking(ev->pipe_fds[1], false);
ev->pipe_fde = tevent_add_fd(ev, ev, ev->pipe_fds[0],
TEVENT_FD_READ,
signal_pipe_handler, NULL);
if (!ev->pipe_fde) {
close(ev->pipe_fds[0]);
close(ev->pipe_fds[1]);
talloc_free(se);
return NULL;
}
}
/* only install a signal handler if not already installed */
if (sig_state->sig_handlers[signum] == NULL) {
struct sigaction act;
ZERO_STRUCT(act);
act.sa_handler = tevent_common_signal_handler;
act.sa_flags = sa_flags;
#ifdef SA_SIGINFO
if (sa_flags & SA_SIGINFO) {
act.sa_handler = NULL;
act.sa_sigaction = tevent_common_signal_handler_info;
if (sig_state->sig_info[signum] == NULL) {
sig_state->sig_info[signum] =
talloc_zero_array(sig_state, siginfo_t,
TEVENT_SA_INFO_QUEUE_COUNT);
if (sig_state->sig_info[signum] == NULL) {
talloc_free(se);
return NULL;
}
}
}
#endif
sig_state->oldact[signum] = talloc(sig_state, struct sigaction);
if (sig_state->oldact[signum] == NULL) {
talloc_free(se);
return NULL;
}
if (sigaction(signum, &act, sig_state->oldact[signum]) == -1) {
talloc_free(se);
return NULL;
}
}
DLIST_ADD(se->event_ctx->signal_events, se);
/* Make sure the signal doesn't come in while we're mangling list. */
sigemptyset(&set);
sigaddset(&set, signum);
sigprocmask(SIG_BLOCK, &set, &oldset);
DLIST_ADD(sig_state->sig_handlers[signum], sl);
sigprocmask(SIG_SETMASK, &oldset, NULL);
talloc_set_destructor(se, tevent_signal_destructor);
talloc_set_destructor(sl, tevent_common_signal_list_destructor);
return se;
}
struct tevent_se_exists {
struct tevent_se_exists **myself;
};
static int tevent_se_exists_destructor(struct tevent_se_exists *s)
{
*s->myself = NULL;
return 0;
}
/*
check if a signal is pending
return != 0 if a signal was pending
*/
int tevent_common_check_signal(struct tevent_context *ev)
{
int i;
if (!sig_state || !TEVENT_SIG_PENDING(sig_state->got_signal)) {
return 0;
}
for (i=0;i<TEVENT_NUM_SIGNALS+1;i++) {
struct tevent_common_signal_list *sl, *next;
struct tevent_sigcounter counter = sig_state->signal_count[i];
uint32_t count = tevent_sig_count(counter);
#ifdef SA_SIGINFO
/* Ensure we null out any stored siginfo_t entries
* after processing for debugging purposes. */
bool clear_processed_siginfo = false;
#endif
if (count == 0) {
continue;
}
for (sl=sig_state->sig_handlers[i];sl;sl=next) {
struct tevent_signal *se = sl->se;
struct tevent_se_exists *exists;
next = sl->next;
/*
* We have to be careful to not touch "se"
* after it was deleted in its handler. Thus
* we allocate a child whose destructor will
* tell by nulling out itself that its parent
* is gone.
*/
exists = talloc(se, struct tevent_se_exists);
if (exists == NULL) {
continue;
}
exists->myself = &exists;
talloc_set_destructor(
exists, tevent_se_exists_destructor);
#ifdef SA_SIGINFO
if (se->sa_flags & SA_SIGINFO) {
uint32_t j;
clear_processed_siginfo = true;
for (j=0;j<count;j++) {
/* sig_state->signal_count[i].seen
* % TEVENT_SA_INFO_QUEUE_COUNT is
* the base position of the unprocessed
* signals in the ringbuffer. */
uint32_t ofs = (counter.seen + j)
% TEVENT_SA_INFO_QUEUE_COUNT;
se->handler(ev, se, i, 1,
(void*)&sig_state->sig_info[i][ofs],
se->private_data);
if (!exists) {
break;
}
}
#ifdef SA_RESETHAND
if (exists && (se->sa_flags & SA_RESETHAND)) {
talloc_free(se);
}
#endif
talloc_free(exists);
continue;
}
#endif
se->handler(ev, se, i, count, NULL, se->private_data);
#ifdef SA_RESETHAND
if (exists && (se->sa_flags & SA_RESETHAND)) {
talloc_free(se);
}
#endif
talloc_free(exists);
}
#ifdef SA_SIGINFO
if (clear_processed_siginfo && sig_state->sig_info[i] != NULL) {
uint32_t j;
for (j=0;j<count;j++) {
uint32_t ofs = (counter.seen + j)
% TEVENT_SA_INFO_QUEUE_COUNT;
memset((void*)&sig_state->sig_info[i][ofs],
'\0',
sizeof(siginfo_t));
}
}
#endif
TEVENT_SIG_SEEN(sig_state->signal_count[i], count);
TEVENT_SIG_SEEN(sig_state->got_signal, count);
#ifdef SA_SIGINFO
if (TEVENT_SIG_PENDING(sig_state->sig_blocked[i])) {
/* We'd filled the queue, unblock the
signal now the queue is empty again.
Note we MUST do this after the
TEVENT_SIG_SEEN(sig_state->signal_count[i], count)
call to prevent a new signal running
out of room in the sig_state->sig_info[i][]
ring buffer. */
sigset_t set;
sigemptyset(&set);
sigaddset(&set, i);
TEVENT_SIG_SEEN(sig_state->sig_blocked[i],
tevent_sig_count(sig_state->sig_blocked[i]));
sigprocmask(SIG_UNBLOCK, &set, NULL);
}
#endif
}
return 1;
}
void tevent_cleanup_pending_signal_handlers(struct tevent_signal *se)
{
struct tevent_common_signal_list *sl =
talloc_get_type_abort(se->additional_data,
struct tevent_common_signal_list);
tevent_common_signal_list_destructor(sl);
if (sig_state->sig_handlers[se->signum] == NULL) {
if (sig_state->oldact[se->signum]) {
sigaction(se->signum, sig_state->oldact[se->signum], NULL);
sig_state->oldact[se->signum] = NULL;
}
}
return;
}