mirror of https://github.com/samba-team/samba.git synced 2025-01-10 01:18:15 +03:00
samba-mirror/ctdb
Volker Lendecke 688be0177b ctdb: Fix a use-after-free in run_proc
If you happen to talloc_free(run_ctx) before all the tevent_req's
hanging off it, you run into the following:

==495196== Invalid read of size 8
==495196==    at 0x10D757: run_proc_state_destructor (run_proc.c:413)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x48538B1: tevent_req_received (tevent_req.c:293)
==495196==    by 0x4853429: tevent_req_destructor (tevent_req.c:129)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x4890AF6: _tc_free_children_internal (talloc.c:1669)
==495196==    by 0x488F967: _tc_free_internal (talloc.c:1184)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Address 0x55b77f8 is 152 bytes inside a block of size 160 free'd
==495196==    at 0x48399AB: free (vg_replace_malloc.c:538)
==495196==    by 0x488FB25: _tc_free_internal (talloc.c:1222)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10D315: run_proc_context_destructor (run_proc.c:329)
==495196==    by 0x488F736: _tc_free_internal (talloc.c:1158)
==495196==    by 0x488FBDD: _talloc_free_internal (talloc.c:1248)
==495196==    by 0x4890F41: _talloc_free (talloc.c:1792)
==495196==    by 0x10DE62: main (run_proc_test.c:86)
==495196==  Block was alloc'd at
==495196==    at 0x483877F: malloc (vg_replace_malloc.c:307)
==495196==    by 0x488EAD9: __talloc_with_prefix (talloc.c:783)
==495196==    by 0x488EC73: __talloc (talloc.c:825)
==495196==    by 0x488F0FC: _talloc_named_const (talloc.c:982)
==495196==    by 0x48925B1: _talloc_zero (talloc.c:2421)
==495196==    by 0x10C8F2: proc_new (run_proc.c:61)
==495196==    by 0x10D4C9: run_proc_send (run_proc.c:381)
==495196==    by 0x10DDF6: main (run_proc_test.c:79)

This happens because run_proc_context_destructor() directly does a
talloc_free() on the struct proc_context's and not the enclosing
tevent_req's. run_proc_kill() makes sure that we don't follow
proc->req, but it forgets the "state->proc", which is free()'ed, but
later dereferenced in run_proc_state_destructor().

This is an attempt at a quick fix; I believe we should convert
run_proc_context->plist into an array of tevent_req's, so that we can
properly TALLOC_FREE() according to the "natural" hierarchy and not
just pull an arbitrary thread out of that heap.

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Martin Schwenke <martin@meltin.net>

Autobuild-User(master): Volker Lendecke <vl@samba.org>
Autobuild-Date(master): Thu Oct  6 15:10:20 UTC 2022 on sn-devel-184
2022-10-06 15:10:20 +00:00
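The pattern behind the commit above is a pair of objects that point at each other (proc->req and state->proc) and are torn down from two different owners, so whichever side dies first must clear the other side's back-pointer. The following is an added illustration, not ctdb's code: it rebuilds that object graph with plain malloc/free and hand-written teardown functions in place of talloc/tevent, borrows the names plist, proc->req and state->proc from the commit message for readability, and is hypothetical throughout (the real run_proc.c differs in layout and in how tevent_req completion is signalled).

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical model of the run_proc object graph. Not ctdb's code. */
struct proc_context;

/* Per-request state (hangs off the tevent_req in ctdb). */
struct run_proc_state {
    struct proc_context *proc;  /* back-pointer that the fix clears when the child dies first */
};

struct run_proc_req {
    struct run_proc_state *state;
};

/* A child process owned by the context's plist. */
struct proc_context {
    struct proc_context *prev, *next;
    struct run_proc_req *req;   /* request waiting on this child, or NULL */
    int pid;
};

struct run_proc_context {
    struct proc_context *plist;
};

/* Counters so a caller can check that each teardown ran exactly once. */
static int proc_teardowns;
static int state_teardowns;

struct run_proc_context *run_proc_context_new(void)
{
    return calloc(1, sizeof(struct run_proc_context));
}

/* Mirrors run_proc_send: create request, state and proc, link all three. */
struct run_proc_req *run_proc_send(struct run_proc_context *ctx, int pid)
{
    struct run_proc_req *req = calloc(1, sizeof(*req));
    struct run_proc_state *state = calloc(1, sizeof(*state));
    struct proc_context *proc = calloc(1, sizeof(*proc));
    if (req == NULL || state == NULL || proc == NULL) {
        free(req); free(state); free(proc);
        return NULL;
    }
    req->state = state;
    state->proc = proc;           /* state -> proc */
    proc->req = req;              /* proc  -> req  */
    proc->pid = pid;
    proc->next = ctx->plist;      /* push onto plist */
    if (ctx->plist != NULL) ctx->plist->prev = proc;
    ctx->plist = proc;
    return req;
}

/* Mirrors the fixed run_proc_kill: detach in BOTH directions before freeing.
 * Without the state->proc = NULL line, the request's teardown below would
 * read freed memory, which is the valgrind report in the commit message. */
static void proc_kill(struct run_proc_context *ctx, struct proc_context *proc)
{
    if (proc->prev) proc->prev->next = proc->next; else ctx->plist = proc->next;
    if (proc->next) proc->next->prev = proc->prev;
    if (proc->req != NULL) {
        proc->req->state->proc = NULL;  /* the forgotten back-pointer */
        proc->req = NULL;
    }
    proc_teardowns++;
    free(proc);
}

/* Mirrors run_proc_context_destructor: frees every proc directly. */
void run_proc_context_free(struct run_proc_context *ctx)
{
    while (ctx->plist != NULL) proc_kill(ctx, ctx->plist);
    free(ctx);
}

/* Mirrors run_proc_state_destructor: touch the proc only if it is still alive.
 * An orphaned proc stays in plist until the context goes away. */
void run_proc_req_free(struct run_proc_req *req)
{
    struct run_proc_state *state = req->state;
    if (state->proc != NULL) {
        state->proc->req = NULL;
        state->proc = NULL;
    }
    state_teardowns++;
    free(state);
    free(req);
}

/* The order from the commit: context first, request later. */
bool context_freed_before_request(void)
{
    proc_teardowns = state_teardowns = 0;
    struct run_proc_context *ctx = run_proc_context_new();
    struct run_proc_req *req = run_proc_send(ctx, 4242);
    run_proc_context_free(ctx);
    bool cleared = (req->state->proc == NULL);   /* no dangling pointer left */
    run_proc_req_free(req);                      /* safe: nothing to dereference */
    return cleared && proc_teardowns == 1 && state_teardowns == 1;
}

/* The "natural" order: request first, then context. */
bool request_freed_before_context(void)
{
    proc_teardowns = state_teardowns = 0;
    struct run_proc_context *ctx = run_proc_context_new();
    struct run_proc_req *req = run_proc_send(ctx, 4243);
    struct proc_context *proc = req->state->proc;
    run_proc_req_free(req);
    bool detached = (proc->req == NULL) && (ctx->plist == proc);
    run_proc_context_free(ctx);
    return detached && proc_teardowns == 1 && state_teardowns == 1;
}

int main(void)
{
    printf("context first: %s\n", context_freed_before_request() ? "ok" : "FAIL");
    printf("request first: %s\n", request_freed_before_context() ? "ok" : "FAIL");
    return 0;
}
```

The invariant to take away is the one the commit restores: every teardown path that frees one end of a two-way link must null the pointer on the other end, regardless of which owner triggered it. Deleting the `proc->req->state->proc = NULL;` line in proc_kill and running the first scenario under valgrind or ASan reproduces the class of report quoted above (an invalid read inside the request's teardown of a block freed by the context's teardown).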
client ctdb-client: Drop unused recmaster functions 2022-01-17 10:21:33 +00:00
cluster ctdb-config: Add configuration option [cluster] leader timeout 2022-01-17 10:21:33 +00:00
common ctdb: Fix a use-after-free in run_proc 2022-10-06 15:10:20 +00:00
config ctdb-scripts: Add debugging variable CTDB_KILLTCP_DEBUGLEVEL 2022-09-20 11:42:16 +00:00
database ctdb-database: Fix signed/unsigned comparison by casting 2019-07-05 05:03:24 +00:00
doc ctdb-doc: Fix typos in the policy routing documentation 2022-05-31 05:06:29 +00:00
event ctdb-tests: Iterate protocol tests internally 2022-02-14 04:32:29 +00:00
failover ctdb-failover: Add failover configuration options 2018-08-24 10:59:21 +02:00
ib ctdb-daemon: Rename ctdb_context private_data to transport_data 2019-11-14 02:20:46 +00:00
include ctdb-daemon: Drop unused ban_state element from CTDB node structure 2022-07-22 16:09:31 +00:00
protocol ctdb-protocol: Add separator argument to ctdb_connection_to_buf() 2022-07-22 16:09:31 +00:00
server ctdb-mutex: Test the lock by locking a 2nd byte range 2022-07-28 10:09:34 +00:00
tcp ctdb-tcp: Do not stop outbound connection in ctdb_tcp_node_connect() 2020-03-12 05:29:20 +00:00
tests ctdb-tests: Reformat remaining test stubs with "shfmt -w -p -i 0 -fn" 2022-09-16 04:35:09 +00:00
tools ctdb-tools: Improve/add debug 2022-09-20 10:43:37 +00:00
utils ctdb-config: [cluster] recovery lock -> [cluster] cluster lock 2022-01-17 10:21:33 +00:00
.bzrignore
.gitignore ctdb-build: use a fixed ctdb_version.h using SAMBA_VERSION_STRING 2019-03-15 05:17:14 +00:00
configure configure/Makefile: export PYTHONHASHSEED=1 in all 'configure/Makefile' scripts 2022-03-29 22:32:32 +00:00
configure.rpm ctdb-packaging: Update library versions to upstream versions 2018-12-18 07:12:09 +01:00
COPYING
Makefile configure/Makefile: export PYTHONHASHSEED=1 in all 'configure/Makefile' scripts 2022-03-29 22:32:32 +00:00
README
wscript ctdb-build: Add --enable-pcap configure option 2022-09-20 10:43:37 +00:00

This is the release version of CTDB, a clustered implementation of the TDB
database used by Samba and other projects to store temporary data.

This software is freely distributable under the GNU General Public License,
a copy of which you should have received with this software (in a file
called COPYING).

For documentation on CTDB, please visit the CTDB website: http://ctdb.samba.org.