Page MenuHomeFreeBSD
Differential D11288

Fix use-after-free introduced in r300388.
ClosedPublic
Actions

Authored by delphij on Jun 21 2017, 5:47 AM.
Tags
None
Referenced Files
F83137618: D11288.id29881.diff
Mon, May 6, 8:22 PM
Unknown Object (File)
Wed, May 1, 6:35 AM
Unknown Object (File)
Tue, Apr 30, 1:45 PM
Unknown Object (File)
Sun, Apr 21, 8:57 PM
Unknown Object (File)
Mar 19 2024, 3:11 AM
Unknown Object (File)
Feb 6 2024, 5:08 PM
Unknown Object (File)
Jan 29 2024, 2:23 AM
Unknown Object (File)
Jan 21 2024, 6:26 PM
View All 24 Files
Subscribers
imp

Details

Reviewers
kevlo
gordon
cem
alfred
ngie
Commits
rS320216: Fix use-after-free introduced in r300388.
Summary

In r300388, endnetconfig() was called on nc_handle which would release
the associated netconfig structure, which means tmpnconf->nc_netid
would be a use-after-free.

Solve this by doing endnetconfig() in return paths instead.

Reported by: jemalloc via kevlo

Test Plan

Run various RPC daemons

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

delphij created this revision.Jun 21 2017, 5:47 AM
Herald added a subscriber: imp. · View Herald TranscriptJun 21 2017, 5:47 AM
Harbormaster completed remote builds in B10024: Diff 29881.Jun 21 2017, 5:47 AM
ngie accepted this revision.Jun 21 2017, 6:01 AM

Yowch... thanks for catching this. One note/concern about this code (both before and after this change).

lib/libc/rpc/rpcb_clnt.c
511 ↗(On Diff #29881)

In the event netid is NULL (which was a pathological condition before, but can happen now if strdup fails), it's going to return a NULL loopnconf, which is going to trigger a delayed segfault on line 516 in getclnthandle. It should probably return NULL if loopnconf is NULL between line 515 and 516.

This revision is now accepted and ready to land.Jun 21 2017, 6:01 AM
delphij added inline comments.Jun 21 2017, 6:17 AM
lib/libc/rpc/rpcb_clnt.c
511 ↗(On Diff #29881)

I don't quite follow -- isn't the case handled in 506-509?

cem edited edge metadata.Jun 21 2017, 3:33 PM

Wouldn't it be easier to just endnetconfig() in both return paths? Avoid a bunch of unused strdup calls too.

delphij updated this revision to Diff 29939.Jun 22 2017, 5:00 AM
delphij edited edge metadata.

Use endnetconfig() instead of previous approach.

This revision now requires review to proceed.Jun 22 2017, 5:00 AM
Harbormaster completed remote builds in B10054: Diff 29939.Jun 22 2017, 5:00 AM
delphij marked 2 inline comments as done.Jun 22 2017, 5:00 AM
In D11288#233844, @cem wrote:

Wouldn't it be easier to just endnetconfig() in both return paths? Avoid a bunch of unused strdup calls too.

Done.

delphij edited the summary of this revision. (Show Details)Jun 22 2017, 5:01 AM
cem accepted this revision.Jun 22 2017, 5:02 AM
This revision is now accepted and ready to land.Jun 22 2017, 5:02 AM
Closed by commit rS320216: Fix use-after-free introduced in r300388. (authored by delphij). · Explain WhyJun 22 2017, 5:10 AM
This revision was automatically updated to reflect the committed changes.

Revision Contents
Changeset List

PathSize
head/
lib/
libc/
rpc/
3 lines

Diff 29940

View Options

head/lib/libc/rpc/rpcb_clnt.c

Loading...