1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-06 13:18:07 +03:00
samba-mirror/ctdb/common/run_proc.c
Volker Lendecke 104fcaa89f ctdb: Fix a use-after-free in run_proc
If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().

This is an attempt at a quick fix, I believe we should convert
run_proc_context->plist into an array of tevent_req's, so that we can
properly TALLOC_FREE() according to the "natural" hierarchy and not
just pull an arbitrary thread out of that heap.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15269

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184

(cherry picked from commit 688be0177b)
2023-01-03 18:21:10 +00:00

504 lines
10 KiB
C

/*
Run a child process and collect the output
Copyright (C) Amitay Isaacs 2016
This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, see <http://www.gnu.org/licenses/>.
*/
#include "replace.h"
#include "system/filesys.h"
#include "system/wait.h"
#include <talloc.h>
#include <tevent.h>
#include "lib/util/tevent_unix.h"
#include "lib/util/sys_rw.h"
#include "lib/util/blocking.h"
#include "lib/util/dlinklist.h"
#include "common/run_proc.h"
/*
* Process abstraction
*/
struct run_proc_context;
struct proc_context {
struct proc_context *prev, *next;
pid_t pid;
int fd;
struct tevent_fd *fde;
char *output;
struct run_proc_result result;
struct tevent_req *req;
};
static int proc_destructor(struct proc_context *proc);
static struct proc_context *proc_new(TALLOC_CTX *mem_ctx,
struct run_proc_context *run_ctx)
{
struct proc_context *proc;
proc = talloc_zero(mem_ctx, struct proc_context);
if (proc == NULL) {
return NULL;
}
proc->pid = -1;
proc->fd = -1;
talloc_set_destructor(proc, proc_destructor);
return proc;
}
static void run_proc_kill(struct tevent_req *req);
static int proc_destructor(struct proc_context *proc)
{
if (proc->req != NULL) {
run_proc_kill(proc->req);
}
talloc_free(proc->fde);
if (proc->pid != -1) {
kill(-proc->pid, SIGKILL);
}
return 0;
}
static void proc_read_handler(struct tevent_context *ev,
struct tevent_fd *fde, uint16_t flags,
void *private_data);
static int proc_start(struct proc_context *proc, struct tevent_context *ev,
const char *path, const char **argv, int stdin_fd)
{
int fd[2];
int ret;
ret = pipe(fd);
if (ret != 0) {
return ret;
}
proc->pid = fork();
if (proc->pid == -1) {
ret = errno;
close(fd[0]);
close(fd[1]);
return ret;
}
if (proc->pid == 0) {
close(fd[0]);
ret = dup2(fd[1], STDOUT_FILENO);
if (ret == -1) {
exit(64 + errno);
}
ret = dup2(fd[1], STDERR_FILENO);
if (ret == -1) {
exit(64 + errno);
}
close(fd[1]);
if (stdin_fd != -1) {
ret = dup2(stdin_fd, STDIN_FILENO);
if (ret == -1) {
exit(64 + errno);
}
}
ret = setpgid(0, 0);
if (ret != 0) {
exit(64 + errno);
}
ret = execv(path, discard_const(argv));
if (ret != 0) {
exit(64 + errno);
}
exit(64 + ENOEXEC);
}
close(fd[1]);
proc->fd = fd[0];
proc->fde = tevent_add_fd(ev, proc, fd[0], TEVENT_FD_READ,
proc_read_handler, proc);
if (proc->fde == NULL) {
close(fd[0]);
return ENOMEM;
}
tevent_fd_set_auto_close(proc->fde);
return 0;
}
static void proc_read_handler(struct tevent_context *ev,
struct tevent_fd *fde, uint16_t flags,
void *private_data)
{
struct proc_context *proc = talloc_get_type_abort(
private_data, struct proc_context);
size_t offset;
ssize_t nread;
int len = 0;
int ret;
ret = ioctl(proc->fd, FIONREAD, &len);
if (ret != 0) {
goto fail;
}
if (len == 0) {
/* pipe closed */
goto close;
}
offset = (proc->output == NULL) ? 0 : strlen(proc->output);
proc->output = talloc_realloc(proc, proc->output, char, offset+len+1);
if (proc->output == NULL) {
goto fail;
}
nread = sys_read(proc->fd, proc->output + offset, len);
if (nread == -1) {
goto fail;
}
proc->output[offset+nread] = '\0';
return;
fail:
if (proc->pid != -1) {
kill(-proc->pid, SIGKILL);
proc->pid = -1;
}
close:
TALLOC_FREE(proc->fde);
proc->fd = -1;
}
/*
* Run proc abstraction
*/
struct run_proc_context {
struct tevent_context *ev;
struct tevent_signal *se;
struct proc_context *plist;
};
static void run_proc_signal_handler(struct tevent_context *ev,
struct tevent_signal *se,
int signum, int count, void *siginfo,
void *private_data);
static int run_proc_context_destructor(struct run_proc_context *run_ctx);
static void run_proc_done(struct tevent_req *req);
int run_proc_init(TALLOC_CTX *mem_ctx, struct tevent_context *ev,
struct run_proc_context **result)
{
struct run_proc_context *run_ctx;
run_ctx = talloc_zero(mem_ctx, struct run_proc_context);
if (run_ctx == NULL) {
return ENOMEM;
}
run_ctx->ev = ev;
run_ctx->se = tevent_add_signal(ev, run_ctx, SIGCHLD, 0,
run_proc_signal_handler, run_ctx);
if (run_ctx->se == NULL) {
talloc_free(run_ctx);
return ENOMEM;
}
talloc_set_destructor(run_ctx, run_proc_context_destructor);
*result = run_ctx;
return 0;
}
static void run_proc_signal_handler(struct tevent_context *ev,
struct tevent_signal *se,
int signum, int count, void *siginfo,
void *private_data)
{
struct run_proc_context *run_ctx = talloc_get_type_abort(
private_data, struct run_proc_context);
struct proc_context *proc;
pid_t pid = -1;
int status;
again:
pid = waitpid(-1, &status, WNOHANG);
if (pid == -1) {
return;
}
if (pid == 0) {
return;
}
for (proc = run_ctx->plist; proc != NULL; proc = proc->next) {
if (proc->pid == pid) {
break;
}
}
if (proc == NULL) {
/* unknown process */
goto again;
}
/* Mark the process as terminated */
proc->pid = -1;
/* Update process status */
if (WIFEXITED(status)) {
int pstatus = WEXITSTATUS(status);
if (WIFSIGNALED(status)) {
proc->result.sig = WTERMSIG(status);
} else if (pstatus >= 64 && pstatus < 255) {
proc->result.err = pstatus-64;
} else {
proc->result.status = pstatus;
}
} else if (WIFSIGNALED(status)) {
proc->result.sig = WTERMSIG(status);
}
/* Confirm that all data has been read from the pipe */
if (proc->fd != -1) {
proc_read_handler(ev, proc->fde, 0, proc);
TALLOC_FREE(proc->fde);
proc->fd = -1;
}
DLIST_REMOVE(run_ctx->plist, proc);
/* Active run_proc request */
if (proc->req != NULL) {
run_proc_done(proc->req);
} else {
talloc_free(proc);
}
goto again;
}
static int run_proc_context_destructor(struct run_proc_context *run_ctx)
{
struct proc_context *proc;
/* Get rid of signal handler */
TALLOC_FREE(run_ctx->se);
/* Kill any pending processes */
while ((proc = run_ctx->plist) != NULL) {
DLIST_REMOVE(run_ctx->plist, proc);
talloc_free(proc);
}
return 0;
}
struct run_proc_state {
struct tevent_context *ev;
struct run_proc_context *run_ctx;
struct proc_context *proc;
struct run_proc_result result;
char *output;
pid_t pid;
};
static int run_proc_state_destructor(struct run_proc_state *state);
static void run_proc_timedout(struct tevent_req *subreq);
struct tevent_req *run_proc_send(TALLOC_CTX *mem_ctx,
struct tevent_context *ev,
struct run_proc_context *run_ctx,
const char *path, const char **argv,
int stdin_fd, struct timeval timeout)
{
struct tevent_req *req;
struct run_proc_state *state;
struct stat st;
int ret;
req = tevent_req_create(mem_ctx, &state, struct run_proc_state);
if (req == NULL) {
return NULL;
}
state->ev = ev;
state->run_ctx = run_ctx;
state->pid = -1;
ret = stat(path, &st);
if (ret != 0) {
state->result.err = errno;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
if (! (st.st_mode & S_IXUSR)) {
state->result.err = EACCES;
tevent_req_done(req);
return tevent_req_post(req, ev);
}
state->proc = proc_new(run_ctx, run_ctx);
if (tevent_req_nomem(state->proc, req)) {
return tevent_req_post(req, ev);
}
state->proc->req = req;
DLIST_ADD(run_ctx->plist, state->proc);
ret = proc_start(state->proc, ev, path, argv, stdin_fd);
if (ret != 0) {
tevent_req_error(req, ret);
return tevent_req_post(req, ev);
}
talloc_set_destructor(state, run_proc_state_destructor);
if (! tevent_timeval_is_zero(&timeout)) {
struct tevent_req *subreq;
subreq = tevent_wakeup_send(state, ev, timeout);
if (tevent_req_nomem(subreq, req)) {
return tevent_req_post(req, ev);
}
tevent_req_set_callback(subreq, run_proc_timedout, req);
}
return req;
}
static int run_proc_state_destructor(struct run_proc_state *state)
{
/* Do not get rid of the child process if timeout has occurred */
if ((state->proc != NULL) && (state->proc->req != NULL)) {
state->proc->req = NULL;
DLIST_REMOVE(state->run_ctx->plist, state->proc);
TALLOC_FREE(state->proc);
}
return 0;
}
static void run_proc_done(struct tevent_req *req)
{
struct run_proc_state *state = tevent_req_data(
req, struct run_proc_state);
state->proc->req = NULL;
state->result = state->proc->result;
if (state->proc->output != NULL) {
state->output = talloc_move(state, &state->proc->output);
}
talloc_steal(state, state->proc);
tevent_req_done(req);
}
static void run_proc_kill(struct tevent_req *req)
{
struct run_proc_state *state = tevent_req_data(
req, struct run_proc_state);
state->proc->req = NULL;
state->proc = NULL;
state->result.sig = SIGKILL;
tevent_req_done(req);
}
static void run_proc_timedout(struct tevent_req *subreq)
{
struct tevent_req *req = tevent_req_callback_data(
subreq, struct tevent_req);
struct run_proc_state *state = tevent_req_data(
req, struct run_proc_state);
bool status;
state->proc->req = NULL;
status = tevent_wakeup_recv(subreq);
TALLOC_FREE(subreq);
if (! status) {
tevent_req_error(req, EIO);
return;
}
state->result.err = ETIMEDOUT;
if (state->proc->output != NULL) {
state->output = talloc_move(state, &state->proc->output);
}
state->pid = state->proc->pid;
tevent_req_done(req);
}
bool run_proc_recv(struct tevent_req *req, int *perr,
struct run_proc_result *result, pid_t *pid,
TALLOC_CTX *mem_ctx, char **output)
{
struct run_proc_state *state = tevent_req_data(
req, struct run_proc_state);
int ret;
if (tevent_req_is_unix_error(req, &ret)) {
if (perr != NULL) {
*perr = ret;
}
return false;
}
if (result != NULL) {
*result = state->result;
}
if (pid != NULL) {
*pid = state->pid;
}
if (output != NULL) {
*output = talloc_move(mem_ctx, &state->output);
}
return true;
}