DGNum/libubox
6
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
libubox/tests/cram
History
Alban Bedel 89fb6136ad libubox: runqueue: fix use-after-free bug 
Fixes a use-after-free bug in runqueue_task_kill():

 Invalid read of size 8
    at runqueue_task_kill (runqueue.c:200)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Address 0x5a4b058 is 24 bytes inside a block of size 208 free'd
    at free
    by runqueue_task_complete (runqueue.c:234)
    by runqueue_task_kill (runqueue.c:199)
    by uloop_process_timeouts (uloop.c:505)
    by uloop_run_timeout (uloop.c:542)
    by uloop_run (uloop.h:111)
    by main (tests/test-runqueue.c:126)
  Block was alloc'd at
    at calloc
    by add_sleeper (tests/test-runqueue.c:101)
    by main (tests/test-runqueue.c:123)

Since commit 11e8afea (runqueue should call the complete handler from
more places) the call to the complete() callback has been moved to
runqueue_task_complete().  However in runqueue_task_kill()
runqueue_task_complete() is called before the kill() callback.  This
will result in a use after free if the complete() callback frees the
task struct.

Furthermore runqueue_start_next() is already called at the end of
runqueue_task_complete(), so there is no need to call it again in
runqueue_task_kill().

The issue was that the _complete() callback frees the memory used by the
task struct, which is then read after the _complete() callback returns.

Ref: FS#3016
Signed-off-by: Alban Bedel <albeu@free.fr>
[initial test case, kill cb comment fix]
Signed-off-by: Chris Nisbet <nischris@gmail.com>
[testcase improvements and commit subject/description tweaks]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
2020-05-21 15:58:46 +02:00
..
inputs blobmsg: fix wrong payload len passed from blobmsg_check_array 2019-12-28 21:17:46 +01:00
CMakeLists.txt add cram based unit tests 2019-11-24 13:26:58 +01:00
test_avl.t tests: add unit tests covered with Clang sanitizers 2019-12-25 10:31:58 +01:00
test_base64.t tests: add unit tests covered with Clang sanitizers 2019-12-25 10:31:58 +01:00
test_blob_parse.t blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 2020-01-20 16:54:10 +01:00
test_blobmsg.t blobmsg_json: prefer snprintf usage 2020-01-20 16:54:10 +01:00
test_blobmsg_check_array.t tests: blobmsg: add test case 2020-02-27 21:56:20 +01:00
test_blobmsg_parse.t blobmsg: blobmsg_parse and blobmsg_parse_array oob read fixes 2020-01-20 16:54:10 +01:00
test_blobmsg_procd_instance.t blobmsg: fix wrong payload len passed from blobmsg_check_array 2019-12-28 21:17:46 +01:00
test_jshn.t tests: add unit tests covered with Clang sanitizers 2019-12-25 10:31:58 +01:00
test_json_script.t tests: add unit tests covered with Clang sanitizers 2019-12-25 10:31:58 +01:00
test_list.t tests: list: add test case for list_empty iterator 2020-05-21 13:43:00 +02:00
test_runqueue.t libubox: runqueue: fix use-after-free bug 2020-05-21 15:58:46 +02:00