daemon/cmld: fix use-after-free during compartment destroy
While destroying a container, a use-after-free occurred, since
the used observer callback in cmld.c frees the container and
therefore also the compartment before all other registered observers
were called.

Similarly to the container reload, we now use the observer finish
callback to do a delayed free after all compartment observer
callbacks have been run.

This fixes the ASan error:

=================================================================
==203==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x511000000838 at pc 0x557253082656 bp 0x7ffe4cfee190 sp 0x7ffe4cfee180
READ of size 8 at 0x511000000838 thread T0
    #0 0x557253082655 in compartment_notify_observers daemon/compartment.c:1681
    #1 0x557253088149 in compartment_sigchld_handle_helpers daemon/compartment.c:705
    #2 0x5572530886c9 in compartment_sigchld_cb daemon/compartment.c:787
    #3 0x55725312e759 in event_signal_handler common/event.c:780
    #4 0x55725312e759 in event_loop common/event.c:851
    #5 0x5572530666ac in main daemon/main.c:146
    #6 0x7ff708bd5863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7ff708bd590a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x5572530689d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
quitschbo authored and k0ch4lo committed Jan 30, 2025
1 parent f17d10b commit e4eed39
Showing 1 changed file with 9 additions and 4 deletions.
13 changes: 9 additions & 4 deletions daemon/cmld.c
Expand Up @@ -587,7 +587,7 @@ cmld_container_config_sync_cb(container_t *container, container_callback_t *cb,
}

static void
cmld_container_reload_delayed_free(void *data)
cmld_container_delayed_free(void *data)
{
ASSERT(data);

Expand Down Expand Up @@ -629,8 +629,7 @@ cmld_reload_container(const uuid_t *uuid, const char *path)

cmld_containers_list = list_remove(cmld_containers_list, c_current);
// delayed free to allow all observers to finish up
container_finish_observers(c_current, cmld_container_reload_delayed_free,
c_current);
container_finish_observers(c_current, cmld_container_delayed_free, c_current);
}

DEBUG("Loaded config for container %s", container_get_name(c));
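Review bot: this is purely the call-site rename in cmld_reload_container, with the two-line call collapsed onto one line and the "delayed free to allow all observers to finish up" comment kept; no logic change here.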
Expand Down Expand Up @@ -1639,7 +1638,13 @@ cmld_container_destroy_cb(container_t *container, container_callback_t *cb, UNUS
cmld_containers_list = list_remove(cmld_containers_list, container);
audit_log_event(container_get_uuid(container), SSA, CMLD, CONTAINER_MGMT,
"container-remove", uuid_string(container_get_uuid(container)), 0);
container_free(container);

if (cb) {
// delayed free to allow all observers to finish up
container_finish_observers(container, cmld_container_delayed_free, container);
} else {
container_free(container);
}
}

int
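Review bot: the `if (cb)` test in cmld_container_destroy_cb is being used to mean "we are inside observer notification", and nothing in the hunk says why a NULL `cb` guarantees that no observer iteration is in flight, so a one-line comment above the branch stating that invariant (and where the direct, non-callback call with `cb == NULL` originates) would keep the next reader from reintroducing the unconditional `container_free(container);` that the `-` line removes. The deferred branch mirrors the reload path's `container_finish_observers(container, cmld_container_delayed_free, container);`, and because the container is taken out of `cmld_containers_list` before the free is deferred, it is no longer reachable through the list while the remaining observers run, which is the intended ordering.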

0 comments on commit e4eed39