Commit graph

3 commits

Author SHA1 Message Date
Petr Štetiar
eeddf22d9c tests: runqueue: try to fix race on GitLab CI
Seems like the CI runners are slower and produce different test output:

 -  [0/1] finish 'sleep 1' (killer)
    [1/1] start 'sleep 1' (sleeper)
 +  [1/1] finish 'sleep 1' (killer)
 +  [1/1] finish 'sleep 1' (killer)
    [1/1] cancel 'sleep 1' (sleeper)
    [0/1] finish 'sleep 1' (sleeper)
    [1/1] start 'sleep 1' (sleeper)

Let's try to fix it by lowering the killing timeout.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 16:28:29 +02:00
Alban Bedel
89fb6136ad libubox: runqueue: fix use-after-free bug
Fixes a use-after-free bug in runqueue_task_kill():

 Invalid read of size 8
    at runqueue_task_kill (runqueue.c:200)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Address 0x5a4b058 is 24 bytes inside a block of size 208 free'd
    at free
    by runqueue_task_complete (runqueue.c:234)
    by runqueue_task_kill (runqueue.c:199)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Block was alloc'd at
    at calloc
    by add_sleeper (tests/test-runqueue.c:101)
    by main (tests/test-runqueue.c:123)

Since commit 11e8afea (runqueue should call the complete handler from
more places) the call to the complete() callback has been moved to
runqueue_task_complete().  However in runqueue_task_kill()
runqueue_task_complete() is called before the kill() callback.  This
will result in a use after free if the complete() callback frees the
task struct.

Furthermore runqueue_start_next() is already called at the end of
runqueue_task_complete(), so there is no need to call it again in
runqueue_task_kill().

The issue was that the _complete() callback frees the memory used by the
task struct, which is then read after the _complete() callback returns.

Ref: FS#3016
Signed-off-by: Alban Bedel <albeu@free.fr>
[initial test case, kill cb comment fix]
Signed-off-by: Chris Nisbet <nischris@gmail.com>
[testcase improvements and commit subject/description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 15:58:46 +02:00
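The callback-ordering problem described in commit 89fb6136ad, reduced to a small model. This is an added example, not libubox code: `struct task`, `task_kill()`, `task_complete()` and the callbacks are hypothetical names, and the safe ordering shown is one way to avoid touching a task after its completion callback may have freed it.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical miniature of a task queue; not libubox's structs or API. */
struct task;
struct task_type { void (*kill)(struct task *t); };
struct task {
    const struct task_type *type;
    void (*complete)(struct task *t);   /* owner's callback, allowed to free t */
    bool running;
};

static char order[8];                   /* callback trace: 'k' = kill, 'c' = complete */
static void note(char c) { size_t n = strlen(order); if (n + 1 < sizeof(order)) order[n] = c; }
static void on_kill(struct task *t) { (void)t; note('k'); }
static void on_complete(struct task *t) { note('c'); free(t); }

static void task_complete(struct task *t)
{
    t->running = false;
    if (t->complete)
        t->complete(t);                 /* t may be gone after this call */
}

/* Unsafe order, shown only as a comment because executing it is undefined behaviour:
 *     task_complete(t);                               complete() frees t
 *     if (running && t->type->kill) t->type->kill(t); reads freed memory
 */
static void task_kill(struct task *t)
{
    bool running = t->running;          /* snapshot state while t is still valid */
    if (running && t->type->kill)
        t->type->kill(t);               /* every access to t happens first */
    task_complete(t);                   /* last use of t in this function */
}

static const struct task_type sleeper = { .kill = on_kill };

const char *demo(void)
{
    struct task *t = calloc(1, sizeof(*t));
    if (!t) return "";
    t->type = &sleeper; t->complete = on_complete; t->running = true;
    memset(order, 0, sizeof(order));
    task_kill(t);
    return order;                       /* "kc": kill ran before the freeing complete */
}

int main(void) { printf("%s\n", demo()); return 0; }
```

Building this with `-fsanitize=address` or running it under Valgrind, as the commit did with its test case, stays clean only while `task_complete()` remains the final statement that touches `t`.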
Petr Štetiar
b0a5cd8a28 add cram based unit tests
For improved QA etc. For the start with initial test cases for avl,
base64, jshn and list components. Moved runqueue and blobmsg from
examples to tests.  Converted just a few first test cases from
json-script example into the new cram based unit test, more to come.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2019-11-24 13:26:58 +01:00
Renamed from examples/runqueue-example.c