Commit graph

514 commits

Author SHA1 Message Date
Felix Fietkau
b3fa3d92e3 uloop: reset flags after __uloop_fd_delete call
Fixes fd delete with kqueue, which relies on the previous flags value

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-27 18:30:01 +01:00
Felix Fietkau
8a5a4319a8 uloop: fix typo in signal handling rework
Fixes procd issues

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-11-27 18:30:01 +01:00
Jo-Philipp Wich
f7d1569113 uloop: properly initialize signal handler mask
The structure passed to `sigaction()` left its `sa_mask` member uninitialized.

Fixes: beb356b ("uloop: add support for user defined signal handlers")
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2023-11-03 22:27:57 +01:00
Jo-Philipp Wich
13d9b04fb0 uloop: add support for user defined signal handlers
Reuse and extend the existing signal waker pipe mechanism to add user
defined signal handling functionality to uloop.

This commit introduces two new api functions `uloop_signal_add()` and
`uloop_signal_remove()` along with a new structure type `uloop_signal`
to allow adding and removing arbitrary signal handlers.

Registered signal handlers are maintained in a linked list and matched
by their signo member value which allows registering multiple handlers
for the same signal numbers.

Upon registering a new signal handler, the existing handler is saved
in the `uloop_signal` structure. When removing the user defined signal
handler, the original behavior is restored.

The Lua binding has been updated as well to support the new signal
handler mechanism.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2023-11-02 17:56:45 +01:00
Jo-Philipp Wich
82fa6480de uloop: add support for interval timers
So far, the only way to implement periodic interval timers was to use
one-shot uloop_timeout timers which are rearmed within their completion
callback immediately on expiration.

While simple, this approach is not very precise and interval lengths will
slowly drift over time, due to callback execution overhead, scheduling
granularity etc.

In order to make uloop provide stable and precise interval timer
capabilities, this commit introduces a new `uloop_interval` structure
along with the new related `uloop_interval_set()`, `uloop_interval_cancel()`
and `uloop_interval_remaining()` api functions.

Periodic timers are implemented using the timerfd facility on Linux and
kqueue EVFILT_TIMER events on macOS/BSD.

The Lua binding has been updated to include support for the new timer type
as well.

Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2023-11-02 17:49:55 +01:00
Felix Fietkau
75a3b870ca uloop: add support for integrating with a different event loop
- support reading the next timeout in order to determine the poll timeout
- add a callback for fd add/delete/update

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-05-23 15:32:36 +02:00
Felix Fietkau
362951a2d9 uloop: fix uloop_run_timeout
Avoid running infinite poll loop, fix timeout value

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-05-23 15:32:36 +02:00
Philip Prindeville
5893cf78da blobmsg: Don't do at run-time what can be done at compile-time
Repeatedly calling a run-time function like strlen() on an
invariant value is inefficient, especially if that value can be
computed once (at initialization) or better yet, computed at
compile-time.

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2023-04-16 14:53:11 +02:00
Philip Prindeville
6fc29d1c42 jshn.sh: Add pretty-printing to json_dump
If a JSON file might be read by a human, say for debugging, it
could be useful to pretty-print it.  We do this in places by
calling "json_dump -i" but it shouldn't be necessary to know the
arguments to "jshn" (and indeed, that's not portable if we retool
the underlying implementation). Conversely output that's ephemeral
doesn't need to be pretty (say being piped as input to another
command).

Signed-off-by: Philip Prindeville <philipp@redfish-solutions.com>
2023-04-15 15:04:19 +02:00
Felix Fietkau
ef5e8e38bd usock: fix poll return code check
errno needs to be compared against EINTR/EAGAIN instead of the return code,
and only if the return code is < 0.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-03-08 09:38:55 +01:00
Felix Fietkau
eac92a4d5d blobmsg: add blobmsg_parse_array_attr
Wrapper around blobmsg_parse_array, similar to blobmsg_parse_attr

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2023-01-03 10:43:49 +01:00
Felix Fietkau
b09b316aea blobmsg: add blobmsg_parse_attr function
This allows turning the common pattern of:
  blobmsg_parse(policy, ARRAY_SIZE(policy), tb, blobmsg_data(data), blobmsg_len(data));

into:
  blobmsg_parse_attr(policy, ARRAY_SIZE(policy), tb, data);

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-11-23 12:30:10 +01:00
Felix Fietkau
ea56013409 jshn.sh: add json_add_fields function for adding multiple fields at once
This simplifies passing extra object data as a function parameter

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-09-27 14:17:52 +02:00
Felix Fietkau
d2223ef9da blobmsg: work around false positive gcc -Warray-bounds warnings
Using the return value of blobmsg_name as input argument to strcpy can lead
to warnings like these:

error: 'strcpy' offset 6 from the object at 'cur' is out of the bounds of referenced subobject 'name' with type 'uint8_t[]' {aka 'unsigned char[]'} at offset 6 [-Werror=array-bounds]

Fix this by replacing hdr->name with the equivalent hdr + 1

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-15 13:42:58 +02:00
Felix Fietkau
cfa372ff8a blobmsg: implicitly reserve space for 0-terminator in string buf alloc
It may not be clear to all users of this API if the provided maxlen argument
refers to the maximum string length or the maximum buffer size.
In order to improve safety and convenience of this API, make it refer to
the maximum string length.

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-05-12 13:26:29 +02:00
Felix Fietkau
45210ce141 list.h: add container_of_safe macro
It works like container_of, except that it also deals with NULL pointers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-04-29 12:57:52 +02:00
Felix Fietkau
f2d6752901 blob: clear buf->head when freeing a buffer
Prevents accidental silent use-after-free bugs

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2022-02-10 21:02:20 +01:00
Daniel Golle
cce5e35127 vlist: define vlist_for_each_element_safe
Yet another macro wrapper around the corresponding avl_* macro.
This new macro makes it possible to iterate over vlists in ways which
may have destructive consequences without being punished by segfault.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2021-11-20 17:44:11 +00:00
Stijn Tintel
c86a894ec6 uloop: deprecate uloop_timeout_remaining
We have uloop_timeout_remaining64 now.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: John Crispin <john@phrozen.org>
2021-11-04 13:05:31 +02:00
Stijn Tintel
c87d3e1fb6 lua/uloop: use uloop_timeout_remaining64
We will deprecate uloop_timeout_remaining soon.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: John Crispin <john@phrozen.org>
2021-11-04 13:05:29 +02:00
Stijn Tintel
3344157381 uloop: add uloop_timeout_remaining64
This uses the same return type as tv_diff so we don't need to check for
integer overflow.

Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: John Crispin <john@phrozen.org>
2021-11-04 13:05:24 +02:00
Stijn Tintel
123e976f3d uloop: restore return type of uloop_timeout_remaining
The uloop_timeout_remaining function is public and changing its return
type breaks ABI. Change the return type back to int, and return INT_MIN
or INT_MAX if the value returned by tv_diff would overflow integer.

Fixes: be3dc7223a ("uloop: avoid integer overflow in tv_diff")
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
Acked-by: Jo-Philipp Wich <jo@mein.io>
Acked-by: John Crispin <john@phrozen.org>
2021-11-04 13:03:25 +02:00
Stijn Tintel
be3dc7223a uloop: avoid integer overflow in tv_diff
The tv_diff function can potentially overflow as soon as t2->tv_sec is
larger than 2147483. This is very easily hit in ujail, after only
2147484 seconds of uptime, or 24.85 days.

Improve the behaviour by changing the return type to int64_t.

Fixes: FS#3943
Signed-off-by: Stijn Tintel <stijn@linux-ipv6.be>
2021-11-04 01:45:46 +02:00
Felix Fietkau
d716ac4bc4 list.h: add a few missing iterator macros
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-08-19 08:56:59 +02:00
Felix Fietkau
b14c468861 json_script: fix unannotated fall-through warning
Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-16 18:07:26 +02:00
Felix Fietkau
b8abed7494 utils.h: add fallthrough macro
This can be used to silence clang warnings about unannotated fall-through

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2021-05-16 17:32:00 +02:00
Zefir Kurtisi
b36a3a9009 blob: fix exceeding maximum buffer length
Currently there is no measure in place to prevent the blob buffer
to exceed its maximum allowed length of 16MB. Continuously
calling blob_add() will expand the buffer until it exceeds
BLOB_ATTR_LEN_MASK and after that will return a valid blob_attr
pointer without increasing the buflen.

A test program was added in the previous commit, this one fixes
the issue by asserting that the new bufflen after grow does not
exceed BLOB_ATTR_LEN_MASK.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
2021-04-29 15:34:21 +02:00
Zefir Kurtisi
a0dbcf8b8f tests: add blob-buffer overflow test
The blob buffer has no limitation in place
to prevent buflen to exceed maximum size.

This commit adds a test to demonstrate how
a blob increases past the maximum allowed
size of 16MB. It continuously adds chunks
of 64KB and with the 255th one blob_add()
returns a valid attribute pointer but the
blob's buflen does not increase.

The test is used to demonstrate the
failure, which is fixed with a follow-up
commit.

Signed-off-by: Zefir Kurtisi <zefir.kurtisi@gmail.com>
[adjusted test case for cram usage]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-04-29 15:34:21 +02:00
Peter Seiderer
551d75b566 libubox: tests: add more blobmsg/json test cases
* add mixed int/double tests
* add blobmsg_cast_u64/blobmsg_cast_s64 tests

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
2021-03-09 21:53:14 +01:00
Petr Štetiar
4d8995e91d tests: cram: test_base64: really fix failing tests
Remove the checks for 'Aborted (core dumped)' message altogether as it's
not reliable and not portable.

References: https://gitlab.com/openwrt/project/libubox/-/jobs/1070226897
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-03-03 18:26:52 +01:00
Petr Štetiar
870acee325 tests: cram: test_base64: fix failing tests
Seems like the latest version of the llvm compiler/sanitizer has changed
its behaviour during a crash, so `Aborted (core dumped)` is now printed to
stdout.

Fixes following issue:

 --- /builds/openwrt/project/libubox/tests/cram/test_base64.t
 +++ /builds/openwrt/project/libubox/tests/cram/test_base64.t.err
 @@ -49,9 +49,7 @@
    b64_encode: Assertion `dest && targsize > 0' failed.

    $ test-b64_decode-san 2> output.log; check
 -  Aborted (core dumped)
    b64_decode: Assertion `dest && targsize > 0' failed.

    $ test-b64_encode-san 2> output.log; check
 -  Aborted (core dumped)
    b64_encode: Assertion `dest && targsize > 0' failed.
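Review bot: the `-  Aborted (core dumped)` lines in this hunk are written by the shell that ran the crashed test when it reports the child's SIGABRT, not by the test binary, so whether they appear in the captured stream depends on the shell and toolchain in use; rather than adjusting the expected output to match the current sanitizer build, drop these lines from the expectation and assert only on the `b64_decode: Assertion ... failed.` / `b64_encode: Assertion ... failed.` lines, which the binary itself emits via assert().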

References: https://gitlab.com/openwrt/project/libubox/-/jobs/1069840314
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2021-03-03 14:37:09 +01:00
Peter Seiderer
2e52c7e9a9 libubox: fix BLOBMSG_CAST_INT64 (do not override BLOBMSG_TYPE_DOUBLE)
Commit 9e52171 ('blobmsg: introduce BLOBMSG_CAST_INT64') broke
blobmsg_parse() for BLOBMSG_TYPE_DOUBLE.

This is because the enum definition leads to the following double
define for BLOBMSG_CAST_INT64/BLOBMSG_TYPE_DOUBLE as value 8.

Tested with:

	$ cat test-enum-001.c
  #include <stdio.h>

  enum blobmsg_type {
  	BLOBMSG_TYPE_UNSPEC,
  	BLOBMSG_TYPE_ARRAY,
  	BLOBMSG_TYPE_TABLE,
  	BLOBMSG_TYPE_STRING,
  	BLOBMSG_TYPE_INT64,
  	BLOBMSG_TYPE_INT32,
  	BLOBMSG_TYPE_INT16,
  	BLOBMSG_TYPE_INT8,
  	BLOBMSG_TYPE_DOUBLE,
  	__BLOBMSG_TYPE_LAST,
  	BLOBMSG_TYPE_LAST = __BLOBMSG_TYPE_LAST - 1,
  	BLOBMSG_TYPE_BOOL = BLOBMSG_TYPE_INT8,
  	BLOBMSG_CAST_INT64,
  };

  int main(int argc, char* argv[]) {
  	printf("BLOBMSG_TYPE_UNSPEC: %d\n", BLOBMSG_TYPE_UNSPEC);
  	printf("BLOBMSG_TYPE_ARRAY: %d\n", BLOBMSG_TYPE_ARRAY);
  	printf("BLOBMSG_TYPE_TABLE: %d\n", BLOBMSG_TYPE_TABLE);
  	printf("BLOBMSG_TYPE_STRING: %d\n", BLOBMSG_TYPE_STRING);
  	printf("BLOBMSG_TYPE_INT64: %d\n", BLOBMSG_TYPE_INT64);
  	printf("BLOBMSG_TYPE_INT32: %d\n", BLOBMSG_TYPE_INT32);
  	printf("BLOBMSG_TYPE_INT16: %d\n", BLOBMSG_TYPE_INT16);
  	printf("BLOBMSG_TYPE_INT8: %d\n", BLOBMSG_TYPE_INT8);
  	printf("BLOBMSG_TYPE_DOUBLE: %d\n", BLOBMSG_TYPE_DOUBLE);
  	printf("__BLOBMSG_TYPE_LAST: %d\n", __BLOBMSG_TYPE_LAST);
  	printf("BLOBMSG_TYPE_LAST: %d\n", BLOBMSG_TYPE_LAST);
  	printf("BLOBMSG_TYPE_BOOL: %d\n", BLOBMSG_TYPE_BOOL);
  	printf("BLOBMSG_CAST_INT64: %d\n", BLOBMSG_CAST_INT64);
  	return 0;
  }

	$ gcc test-enum-001.c

	$ ./a.out
  BLOBMSG_TYPE_UNSPEC: 0
  BLOBMSG_TYPE_ARRAY: 1
  BLOBMSG_TYPE_TABLE: 2
  BLOBMSG_TYPE_STRING: 3
  BLOBMSG_TYPE_INT64: 4
  BLOBMSG_TYPE_INT32: 5
  BLOBMSG_TYPE_INT16: 6
  BLOBMSG_TYPE_INT8: 7
  BLOBMSG_TYPE_DOUBLE: 8
  __BLOBMSG_TYPE_LAST: 9
  BLOBMSG_TYPE_LAST: 8
  BLOBMSG_TYPE_BOOL: 7
  BLOBMSG_CAST_INT64: 8

Fix this by changing the enum definition to assign BLOBMSG_CAST_INT64 to
the unique value 9.

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
2021-03-02 12:06:24 +00:00
Rui Salvaterra
5bc0146a1d utils: simplify mkdir_p boolean conditions
Just a trivial simplification.

Signed-off-by: Rui Salvaterra <rsalvaterra@gmail.com>
2020-12-13 12:05:45 +00:00
Daniel Golle
357877693c utils: introduce mkdir_p
Add new utility function mkdir_p(char *path, mode_t mode) to replace
the partially buggy implementations found across fstools and procd.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-12-12 22:50:50 +00:00
Daniel Golle
9e52171d70 blobmsg: introduce BLOBMSG_CAST_INT64
When dealing with 64-bit integers in JSON documents, blobmsg_parse
becomes useless as blobmsg-json only uses BLOBMSG_TYPE_INT64 if the
value exceeds the range of a 32-bit integer, otherwise
BLOBMSG_TYPE_INT32 is used. This is because blobmsg-json parses the
JSON document ad-hoc without knowing the schema in advance and hence
a result of the design of blobmsg-json (and the absence of JSON
schema definitions).
In practice, this made code less readable as instead of using
blobmsg_parse() one had to deal with *all* attributes manually just
to catch fields which can be both, BLOBMSG_TYPE_INT32 or
BLOBMSG_TYPE_INT64, but are always dealt with as uint64_t in code as
they potentially could exceed the 32-bit range.

To resolve this issue, introduce a special wildcard attribute
type BLOBMSG_CAST_INT64 which should only be used in policies used
by blobmsg_parse(). If used for an attribute in the policy,
blobmsg_parse shall accept all integer types and allow the user
to retrieve the value using the uint64_t blobmsg_cast_u64() and
int64_t blobmsg_cast_s64() functions which are also introduced by this
commit.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
2020-08-06 14:29:36 +01:00
Karl Palsson
f4e9bf73ac examples/lua: attempt to highlight some traps
Ran into some issues with my fd event being garbage collected.  As I
never wanted to call :delete, I had seen no reason to keep the returned
object, as my callback and upvalues were still valid.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-07-11 11:15:12 +02:00
Karl Palsson
53b9a2123f lua/uloop: fd_add: use absolute indices for arguments
Instead of having to adjust the index repeatedly as the stack is
manipulated, use absolute addressing for the function arguments, so they
stay the same throughout the call.  Zero functional change, just
subjectively easier to follow variables.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-07-11 11:15:12 +02:00
Karl Palsson
c0941d3289 lua/uloop: make get_sock_fd capable of absolute addresses
The original code required the use of relative addresses into the lua
stack.  It should accept either.

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-07-11 11:15:12 +02:00
Karl Palsson
161c25960b lua/uloop: fd_add() better args checking
Actually check for flags being valid, instead of simply ignoring the
call if flags was zero.

Use standard lua checks for the function argument, so you can get a
normal "argument #2 was invalid, expected function, got xxx" instead of
the vague, "invalid arg list"

Signed-off-by: Karl Palsson <karlp@etactica.com>
2020-07-11 11:15:12 +02:00
Rafał Miłecki
e85cb73976 blobmsg: drop old comment about json formatting functions
Those functions were moved out of blobmsg.h.

Fixes: 0918243e90 ("move json formatting to the blobmsg_json library")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-05-26 10:52:32 +02:00
Felix Fietkau
66195aee50 blobmsg: fix missing length checks
blobmsg_check_attr_len was calling blobmsg_check_data for some, but not all
attribute types. These checks were missing for arrays and tables.

Additionally, the length check in blobmsg_check_data was a bit off, since
it was comparing the blobmsg data length against the raw blob attr length.

Fix this by checking the raw blob length against the buffer length in
blobmsg_hdr_from_blob

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-05-26 10:06:53 +02:00
Felix Fietkau
639c29d197 blobmsg: simplify and fix name length checks in blobmsg_check_name
blobmsg_hdr_valid_namelen was omitted when name==false
The blob_len vs blobmsg_namelen changes were not taking into account
potential padding between name and data

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-05-26 10:06:53 +02:00
Felix Fietkau
c2fc622b77 blobmsg: fix length in blobmsg_check_array
blobmsg_check_array_len expects the length of the full attribute buffer,
not just the data length.
Due to other missing length checks (fixed in the next commit), this did
not show up as a test failure

Signed-off-by: Felix Fietkau <nbd@nbd.name>
2020-05-26 10:06:53 +02:00
Petr Štetiar
cf2e8eb485 tests: add fuzzer seed file for crash in blob_len
Following regression was introduced in commit 5e75160f48 ("blobmsg:
fix attrs iteration in the blobmsg_check_array_len()"):

 Thread 1 "test-fuzz" received signal SIGSEGV, Segmentation fault.
  in blob_len (attr=0x6020000100d4) at libubox/blob.h:102
  102             return (be32_to_cpu(attr->id_len) & BLOB_ATTR_LEN_MASK) - sizeof(struct blob_attr);

 blob_len (attr=0x6020000100d4) at /libubox/blob.h:102
 blob_raw_len (attr=0x6020000100d4) at /libubox/blob.h:111
 blob_pad_len (attr=0x6020000100d4) at /libubox/blob.h:120
 blobmsg_check_array_len (attr=0x6020000000d0, type=0, blob_len=10) at /libubox/blobmsg.c:145
 fuzz_blobmsg_parse (data=0x6020000000d0 "\001\004", size=10) at /libubox/tests/fuzz/test-fuzz.c:57

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-26 09:48:07 +02:00
Matthias Schiffer
86818eaa97 blob: make blob_parse_untrusted more permissive
Some tools like ucert use concatenations of multiple blobs. Account for
this case by allowing the underlying buffer length to be greater than
the blob length.

Signed-off-by: Matthias Schiffer <mschiffer@universe-factory.net>
2020-05-24 16:54:37 +02:00
Rafał Miłecki
5e75160f48 blobmsg: fix attrs iteration in the blobmsg_check_array_len()
Starting with 75e300aeec ("blobmsg: fix wrong payload len passed from
blobmsg_check_array") blobmsg_check_array_len() gets *blob* length
passed as argument. It cannot be used with __blobmsg_for_each_attr()
which expects *data* length.

Use blobmsg_for_each_attr() which calculates *data* length on its own.

The same bug was already reported in the past and there was fix attempt
in the commit cd75136b13 ("blobmsg: fix wrong payload len passed from
blobmsg_check_array"). That change made blobmsg_check_attr_len() calls
fail however.

This is hopefully the correct & complete fix:
1. blobmsg_check_array_len() gets *blob* length
2. It calls blobmsg_check_attr_len() which requires *blob* length
3. It uses blobmsg_for_each_attr() which gets *data* length

This fixes iterating over random memory treated as attrs. That was
resulting in check failing randomly for totally correct blobs. It's
critical e.g. for procd project with its instance_fill_array() failing
and procd not starting services.

Fixes: 75e300aeec ("blobmsg: fix wrong payload len passed from blobmsg_check_array")
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
2020-05-24 15:22:58 +02:00
Petr Štetiar
eeddf22d9c tests: runqueue: try to fix race on GitLab CI
Seems like the CI runners are slower and produce different test output:

 -  [0/1] finish 'sleep 1' (killer)
    [1/1] start 'sleep 1' (sleeper)
 +  [1/1] finish 'sleep 1' (killer)
 +  [1/1] finish 'sleep 1' (killer)
    [1/1] cancel 'sleep 1' (sleeper)
    [0/1] finish 'sleep 1' (sleeper)
    [1/1] start 'sleep 1' (sleeper)
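Review bot: the two duplicated `+  [1/1] finish 'sleep 1' (killer)` lines show that the order in which the killer and the sleeper complete depends on runner timing; lowering the killing timeout narrows that window but does not remove the race, so the expected output can still differ on a slow runner. Consider making the test order-independent (for example by asserting only on the final queue state, or by emitting the per-task lines in a deterministic order) instead of tuning the timeout.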

Let's try to fix it by lowering the killing timeout.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 16:28:29 +02:00
Alban Bedel
89fb6136ad libubox: runqueue: fix use-after-free bug
Fixes a use-after-free bug in runqueue_task_kill():

 Invalid read of size 8
    at runqueue_task_kill (runqueue.c:200)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Address 0x5a4b058 is 24 bytes inside a block of size 208 free'd
    at free
    by runqueue_task_complete (runqueue.c:234)
    by runqueue_task_kill (runqueue.c:199)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Block was alloc'd at
    at calloc
    by add_sleeper (tests/test-runqueue.c:101)
    by main (tests/test-runqueue.c:123)

Since commit 11e8afea (runqueue should call the complete handler from
more places) the call to the complete() callback has been moved to
runqueue_task_complete().  However in runqueue_task_kill()
runqueue_task_complete() is called before the kill() callback.  This
will result in a use after free if the complete() callback frees the
task struct.

Furthermore runqueue_start_next() is already called at the end of
runqueue_task_complete(), so there is no need to call it again in
runqueue_task_kill().

The issue was that the _complete() callback frees the memory used by the
task struct, which is then read after the _complete() callback returns.

Ref: FS#3016
Signed-off-by: Alban Bedel <albeu@free.fr>
[initial test case, kill cb comment fix]
Signed-off-by: Chris Nisbet <nischris@gmail.com>
[testcase improvements and commit subject/description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 15:58:46 +02:00
Chris Nisbet
1db3e7df31 libubox: runqueue fix comment in header
The comment relating to the runqueue task structure 'cancel' callback
indicated that the callback 'calls' runqueue_task_complete, which
isn't quite right. The callback _should_ call runqueue_task_complete.

Signed-off-by: Chris Nisbet <nischris@gmail.com>
2020-05-21 13:44:08 +02:00
Petr Štetiar
7c4ef0d9ae tests: list: add test case for list_empty iterator
Increasing unit testing code coverage.

Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 13:43:00 +02:00