mirror of https://github.com/samba-team/samba.git synced 2025-01-03 01:18:10 +03:00
samba-mirror/ctdb
Volker Lendecke 104fcaa89f ctdb: Fix a use-after-free in run_proc
If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().

This is an attempt at a quick fix; I believe we should convert
run_proc_context->plist into an array of tevent_req's, so that we can
properly TALLOC_FREE() according to the "natural" hierarchy and not
just pull an arbitrary thread out of that heap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184

(cherry picked from commit 688be0177b)
2023-01-03 18:21:10 +00:00
client ctdb-client: Drop unused recmaster functions 2022-01-17 10:21:33 +00:00
cluster ctdb-config: Add configuration option [cluster] leader timeout 2022-01-17 10:21:33 +00:00
common ctdb: Fix a use-after-free in run_proc 2023-01-03 18:21:10 +00:00
config ctdb-config: [cluster] recovery lock -> [cluster] cluster lock 2022-01-17 10:21:33 +00:00
database ctdb-database: Fix signed/unsigned comparison by casting 2019-07-05 05:03:24 +00:00
doc ctdb-doc: Remove documentation for recovery process 2022-01-17 10:21:33 +00:00
event ctdb-event: Reopen logs on SIGHUP 2022-01-17 03:43:30 +00:00
failover ctdb-failover: Add failover configuration options 2018-08-24 10:59:21 +02:00
ib ctdb-daemon: Rename ctdb_context private_data to transport_data 2019-11-14 02:20:46 +00:00
include ctdb-daemon: Drop implementation of {GET,SET}_RECMASTER controls 2022-01-17 10:21:33 +00:00
packaging/RPM ctdb-utils: Add tdb_mutex_check utility 2021-05-28 06:46:29 +00:00
protocol ctdb-protocol: Mark {GET,SET}_RECMASTER controls obsolete 2022-01-17 10:21:33 +00:00
server ctdb-daemon: Use DEBUG() macro for child logging 2022-06-18 08:47:17 +00:00
tcp ctdb-tcp: Do not stop outbound connection in ctdb_tcp_node_connect() 2020-03-12 05:29:20 +00:00
tests ctdb-tests: Add a test for stalled node triggering election 2022-02-15 09:55:38 +00:00
tools ctdb-tools: recovery master -> leader 2022-01-17 10:21:33 +00:00
utils ctdb-config: [cluster] recovery lock -> [cluster] cluster lock 2022-01-17 10:21:33 +00:00
.bzrignore
.gitignore ctdb-build: use a fixed ctdb_version.h using SAMBA_VERSION_STRING 2019-03-15 05:17:14 +00:00
configure build: Move python detection back into waf (instead of in configure and Makefile) 2018-12-14 14:40:19 +01:00
configure.rpm ctdb-packaging: Update library versions to upstream versions 2018-12-18 07:12:09 +01:00
COPYING
Makefile build: Move python detection back into waf (instead of in configure and Makefile) 2018-12-14 14:40:19 +01:00
README doc: README - add information about CTDB, license and website 2012-10-22 17:39:49 +11:00
wscript ctdb-utils: Add tdb_mutex_check utility 2021-05-28 06:46:29 +00:00

This is the release version of CTDB, a clustered implementation of the TDB
database, used by Samba and other projects to store temporary data.

This software is freely distributable under the GNU public license,
a copy of which you should have received with this software (in a file
called COPYING).

For documentation on CTDB, please visit the CTDB website at http://ctdb.samba.org.