some ids-specific updates #1

Closed. myprot wants to merge 2 commits into gyroidos:trustme-7.1.2_r33-github from myprot:trustme-7.1.2_r33-github.
Conversation
myprot (Contributor) commented on Feb 4, 2018 (edited):
- Added makefiles to enable Android-independent build
- "generalized" the code to detach from Android-specific issues and dependencies
srinidhih pushed a commit to srinidhih/device_fraunhofer_common_cml that referenced this pull request on Jul 6, 2021:

native x86 cml-tiny distro with initial uefi secure boot and tpm2 support
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 13, 2024:

If the client gets terminated, e.g., by compartment_kill(), the notify handler will receive an exception in the main process and seccomp->event will get removed and freed. Afterwards, when the seccomp_cleanup() method is cleaning up the module, it also wants to remove the io event from the event loop and free seccomp->event. This is currently a double free. Thus, in the handler we just have to set seccomp->event to NULL. This is checked in compartment_cleanup() and the removal and free is not done anymore.

This fixes ASAN error:

=================================================================
==464==ERROR: AddressSanitizer: heap-use-after-free on address 0x50300001dea0 at pc 0x556f3a0ce5a6 bp 0x7ffea48362c0 sp 0x7ffea48362b0
READ of size 4 at 0x50300001dea0 thread T0
    #0 0x556f3a0ce5a5 in event_remove_io common/event.c:394
    #1 0x556f3a0b80c4 in c_seccomp_cleanup daemon/c_seccomp/seccomp.c:578
    #2 0x556f3a02a854 in compartment_cleanup daemon/compartment.c:656
    #3 0x556f3a02cf4b in compartment_sigchld_cb daemon/compartment.c:746
    #4 0x556f3a0d09d9 in event_signal_handler common/event.c:780
    #5 0x556f3a0d09d9 in event_loop common/event.c:851
    #6 0x556f3a00b12c in main daemon/main.c:146
    #7 0x7f3dee8f5863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #8 0x7f3dee8f590a in __libc_start_main_impl ../csu/libc-start.c:389
    #9 0x556f3a00d3b4 in _start (/usr/sbin/cmld+0x1393b4)

Fixes: 3353cde ("daemon/compartment: Introduce c_seccomp module")
Signed-off-by: Michael Weiß <[email protected]>
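The double-free pattern in the commit above (one owner pointer, two release paths: a notify handler and a later module cleanup) as an added example, not code from the cml project. The event API, the seccomp struct and the tracked heap are constructed stand-ins; the tracked heap counts a second free or a read of a freed block instead of executing undefined behaviour, which is roughly what AddressSanitizer reports in the trace. The fix is the same as the commit's: the handler clears the owner's pointer after freeing, and cleanup checks for NULL.

```c
#include <stdio.h>
#include <stdlib.h>

/* Tiny tracked heap, constructed for this demo: records which blocks are
 * live so a double free or a use after free is counted, not executed. */
#define SLOTS 16
static struct { void *p; int live; } g_slots[SLOTS];
static int g_double_frees, g_uaf_reads;

static void *tmalloc(size_t n) {
    void *p = calloc(1, n);
    int empty = -1;
    if (!p) abort();
    for (int i = 0; i < SLOTS; i++) {
        if (g_slots[i].p == p) { g_slots[i].live = 1; return p; } /* address reused */
        if (!g_slots[i].p && empty < 0) empty = i;
    }
    if (empty < 0) abort();
    g_slots[empty].p = p; g_slots[empty].live = 1;
    return p;
}

static int tlive(const void *p) {
    for (int i = 0; i < SLOTS; i++)
        if (g_slots[i].p == p) return g_slots[i].live;
    return 0;
}

static void tfree(void *p) {
    for (int i = 0; i < SLOTS; i++) {
        if (g_slots[i].p != p) continue;
        if (!g_slots[i].live) { g_double_frees++; return; } /* ASAN: double-free */
        g_slots[i].live = 0;
        free(p);
        return;
    }
}

/* Hypothetical stand-ins for the event API named in the trace and for the
 * module struct that owns seccomp->event; not the project's definitions. */
typedef struct { int fd; int registered; } event_io_t;
typedef struct { event_io_t *event; } seccomp_t;
static int g_registered;

static void event_add_io(event_io_t *e) { e->registered = 1; g_registered++; }

static void event_remove_io(event_io_t *e) {
    if (!tlive(e)) { g_uaf_reads++; return; } /* ASAN: heap-use-after-free here */
    if (e->registered) { e->registered = 0; g_registered--; }
}

/* Notify handler run when the client died: removes and frees the event.
 * With clear_pointer == 0 it leaves the dangling pointer behind (the bug). */
static void notify_handler(seccomp_t *s, int clear_pointer) {
    event_remove_io(s->event);
    tfree(s->event);
    if (clear_pointer)
        s->event = NULL; /* the fix: cleanup can now see it is already gone */
}

/* Module cleanup: must not touch an event the handler already released. */
static void seccomp_cleanup(seccomp_t *s) {
    if (!s->event)
        return;
    event_remove_io(s->event);
    tfree(s->event);
    s->event = NULL;
}

/* Runs kill -> notify handler -> module cleanup and returns the number of
 * double frees plus use-after-free reads the tracked heap observed. */
int run_teardown(int with_fix) {
    seccomp_t s;
    g_double_frees = g_uaf_reads = g_registered = 0;
    s.event = tmalloc(sizeof *s.event);
    s.event->fd = 7;
    event_add_io(s.event);
    notify_handler(&s, with_fix); /* compartment_kill(): client is gone */
    seccomp_cleanup(&s);          /* compartment_cleanup() -> module cleanup */
    return g_double_frees + g_uaf_reads;
}

int main(void) {
    printf("without fix: %d fault(s)\n", run_teardown(0)); /* 2 */
    printf("with fix:    %d fault(s)\n", run_teardown(1)); /* 0 */
    return 0;
}
```

The general rule the example enforces is that whichever path frees a shared resource must also null the owner's reference, and every other release path must test for NULL first; a real build would confirm it with `-fsanitize=address`, which is what produced the trace in the commit.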
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 13, 2024: a revised version of the seccomp->event double-free fix above, with the same commit message and the typos corrected (Fixes: 3353cde, Signed-off-by: Michael Weiß).
k0ch4lo pushed a commit that referenced this pull request on Sep 13, 2024: the seccomp->event double-free fix above, with the same commit message (Fixes: 3353cde, Signed-off-by: Michael Weiß).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 16, 2024:

In case download errors occur, the guestos_delete() function is called by the guestos_mgr module. To avoid the following asan error, we now set the os->downloading variable in 'guestos.c' before we trigger the corresponding externally registered callbacks of guestos_mgr().

=================================================================
==214==ERROR: AddressSanitizer: heap-use-after-free on address 0x5060000df0cc at pc 0x5597a07aa5b4 bp 0x7ffee4146050 sp 0x7ffee4146040
WRITE of size 1 at 0x5060000df0cc thread T0
    #0 0x5597a07aa5b3 in iterate_images_cb_download_hash_complete daemon/guestos.c:749
    #1 0x5597a07b14aa in download_sigchld_cb daemon/download.c:93
    #2 0x5597a081f7c9 in event_signal_handler common/event.c:780
    #3 0x5597a081f7c9 in event_loop common/event.c:851
    #4 0x5597a075d08c in main daemon/main.c:146
    #5 0x7fa267fee863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #6 0x7fa267fee90a in __libc_start_main_impl ../csu/libc-start.c:389
    #7 0x5597a075f284 in _start (/usr/sbin/cmld+0x138284)

0x5060000df0cc is located 44 bytes inside of 64-byte region [0x5060000df0a0,0x5060000df0e0)
freed by thread T0 here:
    #0 0x7fa26826c726 in __interceptor_free [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:127
    #1 0x5597a07ad3dd in guestos_mgr_delete daemon/guestos_mgr.c:230

Signed-off-by: Michael Weiß <[email protected]>
k0ch4lo pushed a commit that referenced this pull request on Sep 17, 2024: the guestos download-error use-after-free fix above, with the same commit message (Signed-off-by: Michael Weiß).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 26, 2024:

In several places the seccomp module accidentally called audit_log_record() with integer values as variable arguments, which then inside of audit_log_record() were interpreted as const char*. See the asan error log below. We fixed that for syscall values by logging the corresponding "SYS_<syscall name>" string instead of the syscall nr as integer. For errno we now use strerrorname_np(errno) to get the corresponding errno define as string, e.g., "EPERM". The pid is also now provided as pid_str by using mem_printf() and the corresponding format string.

=================================================================
==216==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 (pc 0x7faf880972fd bp 0x7fff9be4c0b0 sp 0x7fff9be4b838 T0)
==216==The signal is caused by a READ memory access.
==216==Hint: address points to the zero page.
    #0 0x7faf880972fd in __strlen_avx2 (/lib/libc.so.6+0x1442fd)
    #1 0x7faf881aa81f in __interceptor_strdup [..]/gcc-11.4.0/libsanitizer/asan/asan_interceptors.cpp:450
    #2 0x55cae7b9dd0e in mem_strdup common/mem.c:71
    #3 0x55cae7b35c6a in audit_log_event daemon/audit.c:720
    #4 0x55cae7b7d6e8 in c_seccomp_handle_notify c_seccomp/seccomp.c:401
    #5 0x55cae7b9399d in event_epoll common/event.c:437
    #6 0x55cae7b98b73 in event_loop common/event.c:854
    #7 0x55cae7ad211c in main daemon/main.c:146
    #8 0x7faf87f7f863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7faf87f7f90a in __libc_start_main_impl ../csu/libc-start.c:389
    #10 0x55cae7ad4364 in _start (/usr/sbin/cmld+0x13c364)

Fixes: 3353cde ("daemon/compartment: Introduce c_seccomp module")
Signed-off-by: Michael Weiß <[email protected]>
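The variadic type confusion in the commit above, as an added example that is not the project's code. A variadic function has no parameter type checking, so an `int` pushed where the callee reads `const char *` becomes a small bogus pointer (errno 2 becomes address 0x2, which matches the "address points to the zero page" SEGV in the trace). The `audit_log_record()` below is a hypothetical NULL-terminated logger in that shape; the syscall name table is constructed for this demo with x86_64 numbers. The hardened call site does what the fix describes: convert every integer to a string (syscall name, `strerror()`, formatted pid) before it enters the variadic call.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#if defined(__GNUC__)
#define SENTINEL __attribute__((sentinel)) /* warns if the NULL terminator is missing */
#else
#define SENTINEL
#endif

/* Hypothetical variadic audit logger (not the project's): every extra
 * argument is consumed as const char* until a NULL sentinel. */
static char g_record[256];

static void audit_log_record(const char *type, ...) SENTINEL;
static void audit_log_record(const char *type, ...)
{
    va_list ap;
    size_t off = (size_t)snprintf(g_record, sizeof g_record, "%s", type);
    va_start(ap, type);
    for (const char *s; (s = va_arg(ap, const char *)) != NULL;) {
        /* If a caller passed an int here, va_arg hands that integer back
         * reinterpreted as a pointer and the strlen/strdup inside the
         * logger faults, exactly like the SEGV at address 0x2 above. */
        if (off < sizeof g_record)
            off += (size_t)snprintf(g_record + off, sizeof g_record - off, " %s", s);
    }
    va_end(ap);
}

/* Constructed name table for the demo (x86_64 numbers); a real build would
 * generate the full "SYS_<name>" list for the target architecture. */
static const struct { long nr; const char *name; } k_syscalls[] = {
    { 165, "SYS_mount" }, { 166, "SYS_umount2" }, { 257, "SYS_openat" },
};

const char *syscall_name(long nr)
{
    for (size_t i = 0; i < sizeof k_syscalls / sizeof *k_syscalls; i++)
        if (k_syscalls[i].nr == nr)
            return k_syscalls[i].name;
    return "SYS_unknown";
}

/* Hardened call site: no raw integer reaches the variadic logger. The pid
 * is formatted into a buffer (the fix used mem_printf() for this), the
 * syscall becomes its SYS_ name and errno its strerror() text. */
const char *log_denied_syscall(long nr, int pid, int err)
{
    char pid_str[32];
    snprintf(pid_str, sizeof pid_str, "%d", pid);
    audit_log_record("seccomp-denied", syscall_name(nr), pid_str, strerror(err), NULL);
    return g_record;
}

int main(void)
{
    /* Constructed sample: mount(2) denied for pid 1234 with EPERM. */
    puts(log_denied_syscall(165, 1234, EPERM));
    return 0;
}
```

Two caveats a reviewer would raise on this shape of API: `sentinel` only catches a missing NULL, not an `int` slipped in as an argument, so a typed interface (or a format string checked with `__attribute__((format(printf, ...)))`) is the stronger fix; and `strerrorname_np()`, which the first revision of the commit used, is a GNU extension (glibc 2.32 and later) that returns NULL for an unknown errno, which in a NULL-terminated logger like this one would silently end the record early. `strerror()` never returns NULL, which is one reason to prefer it here.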
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 27, 2024: a revised version of the audit_log_record() fix above. The message is the same except for the errno sentence, which now reads: "For errno we use now the strerror(errno) to get the corresponding error description as string, e.g., EINVAL -> "Invalid argument"." The message ends with a stray line "fix modified: c_seccomp/seccomp.c" (Fixes: 3353cde, Signed-off-by: Michael Weiß).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 27, 2024:

The X509 struct used for iteratively parsing the certificate chain was not freed during iteration, thus leaking memory. See the following asan log:

=================================================================
==229==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 46 byte(s) in 1 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24ec1f236 in __vasprintf_internal [..]/glibc/2.35-r0/git/libio/vasprintf.c:71
    #2 0x7ffcc3f74897 ([stack]+0x20897)

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24e8afc78 in CRYPTO_malloc [..]/openssl-3.0.15/crypto/mem.c:196

Indirect leak of 575 byte(s) in 17 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24e8afc78 in CRYPTO_malloc [..]/openssl-3.0.15/crypto/mem.c:196

SUMMARY: AddressSanitizer: 661 byte(s) leaked in 19 allocation(s).

Fixes: ed54281 ("trustme github release (based on Android 5.1.1)")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 27, 2024:

cert_name was allocated by X509_NAME_dup(). However, the corresponding call to X509_NAME_free() was missing at the end of the function. This should at least partially fix the following asan log:

=================================================================
==229==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 46 byte(s) in 1 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24ec1f236 in __vasprintf_internal [..]/glibc/2.35-r0/git/libio/vasprintf.c:71
    #2 0x7ffcc3f74897 ([stack]+0x20897)

Direct leak of 40 byte(s) in 1 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24e8afc78 in CRYPTO_malloc [..]/openssl-3.0.15/crypto/mem.c:196

Indirect leak of 575 byte(s) in 17 object(s) allocated from:
    #0 0x7fa24ee4ea2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7fa24e8afc78 in CRYPTO_malloc [..]/openssl-3.0.15/crypto/mem.c:196

SUMMARY: AddressSanitizer: 661 byte(s) leaked in 19 allocation(s).

Fixes: ed54281 ("trustme github release (based on Android 5.1.1)")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 27, 2024: a revised version of the X509_NAME_free() fix above. The message now says "This fixes the following asan error" instead of "should at least partially fix", and the quoted LeakSanitizer log lists only the 40-byte direct leak and the 575-byte indirect leak from CRYPTO_malloc; the 46-byte vasprintf leak is no longer part of it (Fixes: ed54281, Signed-off-by: Michael Weiß).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 27, 2024:

location was allocated by mem_printf(). However, in some error cases the function exited early by just returning, without the corresponding call to mem_free(). This is fixed now by a jump to a new out label which includes mem_free() and return. This fixes the following asan error:

=================================================================
==222==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 46 byte(s) in 1 object(s) allocated from:
    #0 0x7f4de7a28a2a in __interceptor_malloc [..]/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f4de77f9236 in __vasprintf_internal [..]/glibc/2.35-r0/git/libio/vasprintf.c:71
    #2 0x7ffc30e45917 ([stack]+0x1f917)

Fixes: ed54281 ("trustme github release (based on Android 5.1.1)")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 29, 2024:

uri_uuid was allocated by mem_printf(). In the comment it was stated that it will be freed if the corresponding req struct is freed. But that is not the case. Just free it now at the end of ssl_mkreq(). This fixes the following asan error:

=================================================================
==229==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 46 byte(s) in 1 object(s) allocated from:
    #0 0x7f2375007a2a in __interceptor_malloc ../../../../../../../../../work-shared/gcc-11.4.0-r0/gcc-11.4.0/libsanitizer/asan/asan_malloc_linux.cpp:145
    #1 0x7f2374dd8236 in __vasprintf_internal /usr/src/debug/glibc/2.35-r0/git/libio/vasprintf.c:71
    #2 0x7ffd7b4def97 ([stack]+0x1ff97)

Fixes: ed54281 ("trustme github release (based on Android 5.1.1)")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 29, 2024: the X509_NAME_free() fix again, with the same commit message as the Sep 27 revision (Fixes: ed54281, Signed-off-by: Michael Weiß).
k0ch4lo pushed a commit that referenced this pull request on Sep 30, 2024: the X509_NAME_free() fix, with the same commit message as the Sep 27 revision (Fixes: ed54281, Signed-off-by: Michael Weiß).
k0ch4lo pushed a commit that referenced this pull request on Sep 30, 2024: the uri_uuid leak fix above, with the same commit message (Fixes: ed54281, Signed-off-by: Michael Weiß).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Sep 30, 2024: the audit_log_record() fix again, with the same message as the Sep 27 revision (the strerror(errno) variant, still ending in the stray "fix modified: c_seccomp/seccomp.c" line).
quitschbo added a commit to quitschbo/cml that referenced this pull request on Oct 4, 2024: the audit_log_record() fix (strerror(errno) variant), with the stray "fix modified" line dropped from the message (Fixes: 3353cde, Signed-off-by: Michael Weiß).
k0ch4lo
pushed a commit
that referenced
this pull request
Oct 7, 2024
In several places the seccomp module accidentally called audit_log_record() with integer values as variable argument which then inside of audit_log_record() was interpreted as const char*. See the asan error log below. We fixed that for syscall values by logging the corresponding "SYS_<syscall name>" string instead of the syscall nr as integer. For errno we use now the strerror(errno) to get the corresponding error description as string, e.g., EINVAL -> "Invalid argument". The pid also is now provided as pid_str by using mem_printf() and the corresponding format string.

=================================================================
==216==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000002 \
 (pc 0x7faf880972fd bp 0x7fff9be4c0b0 sp 0x7fff9be4b838 T0)
==216==The signal is caused by a READ memory access.
==216==Hint: address points to the zero page.
    #0 0x7faf880972fd in __strlen_avx2 (/lib/libc.so.6+0x1442fd)
    #1 0x7faf881aa81f in __interceptor_strdup [..]/gcc-11.4.0/libsanitizer/asan/asan_interceptors.cpp:450
    #2 0x55cae7b9dd0e in mem_strdup common/mem.c:71
    #3 0x55cae7b35c6a in audit_log_event daemon/audit.c:720
    #4 0x55cae7b7d6e8 in c_seccomp_handle_notify c_seccomp/seccomp.c:401
    #5 0x55cae7b9399d in event_epoll common/event.c:437
    #6 0x55cae7b98b73 in event_loop common/event.c:854
    #7 0x55cae7ad211c in main daemon/main.c:146
    #8 0x7faf87f7f863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #9 0x7faf87f7f90a in __libc_start_main_impl ../csu/libc-start.c:389
    #10 0x55cae7ad4364 in _start (/usr/sbin/cmld+0x13c364)

Fixes: 3353cde ("daemon/compartment: Introduce c_seccomp module")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Dec 9, 2024
In compartment_register_observers, callbacks are prepended to the list of callbacks. However, in 'cmld.c' the sync as well as the destroy callback are considered to be at the end of the list, and thus it should be safe to destroy the container and thus also the inner compartment object. In the notify_observers on the other hand the list of observers is called from the head to the tail of the list. Due to the registration order the sync callback is called first and with that the container and compartment objects are freed, while the rest of the observers are called on the already freed compartment object. We now just switch back to appending the observers instead of prepending them in compartment_register_observers(). This fixes the following ASAN error:

=================================================================
==174==ERROR: AddressSanitizer: heap-use-after-free on address 0x5100000009b8 \
 at pc 0x55bd534973a5 bp 0x7fff58c59c90 sp 0x7fff58c59c80
READ of size 8 at 0x5100000009b8 thread T0
    #0 0x55bd534973a4 in compartment_notify_observers daemon/compartment.c:1677
    #1 0x55bd5349cd49 in compartment_sigchld_handle_helpers daemon/compartment.c:700
    #2 0x55bd5349d319 in compartment_sigchld_cb daemon/compartment.c:783
    #3 0x55bd53543329 in event_signal_handler common/event.c:780
    #4 0x55bd53543329 in event_loop common/event.c:851
    #5 0x55bd5347b6ac in main daemon/main.c:146
    #6 0x7f4ac17fb863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7f4ac17fb90a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x55bd5347d9d4 in _start (/usr/sbin/cmld+0x13e9d4)

Fixes: e816baf ("daemon/cmld: Properly register config_sync_cb")
Signed-off-by: Michael Weiß <[email protected]>
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Dec 9, 2024
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 13, 2025
We introduce an observer finisher which can be registered in the compartment struct. This finisher is now called in the method compartment_notify_observers() after all observers in the notify observer list have been executed. With this it is possible to register a callback which can cleanly destroy the compartment object, triggered by an observer. Previously on container reload the reload callback destroyed the compartment object, but in the compartment_notify_observers() method the compartment object is accessed after each callback, even if it is the last one. This caused the use-after-free error below.

=================================================================
==210==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x5100000011b8 at pc 0x560d9ae6a3a5 bp 0x7fffd1ff8710 sp 0x7fffd1ff8700
READ of size 8 at 0x5100000011b8 thread T0
    #0 0x560d9ae6a3a4 in compartment_notify_observers daemon/compartment.c:1677
    #1 0x560d9ae6fd49 in compartment_sigchld_handle_helpers daemon/compartment.c:700
    #2 0x560d9ae70319 in compartment_sigchld_cb daemon/compartment.c:783
    #3 0x560d9af16329 in event_signal_handler common/event.c:780
    #4 0x560d9af16329 in event_loop common/event.c:851
    #5 0x560d9ae4e6ac in main daemon/main.c:146
    #6 0x7fe2bf99b863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7fe2bf99b90a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x560d9ae509d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 13, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 13, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 13, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 14, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 14, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 14, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 14, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 15, 2025
k0ch4lo
pushed a commit
that referenced
this pull request
Jan 23, 2025
We introduce an observer finisher which can be registered in the compartment struct. This finisher is now called in the method compartment_notify_observers() after all observers in the notify observer list have been executed. With this it is possible to register a callback which can cleanly destroy the compartment object, triggered by an observer. Previously on container reload the reload callback destroyed the compartment object, but in the compartment_notify_observers() method the compartment object is accessed after each callback, even if it is the last one. This caused the use-after-free error below.

=================================================================
==210==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x5100000011b8 at pc 0x560d9ae6a3a5 bp 0x7fffd1ff8710 sp 0x7fffd1ff8700
READ of size 8 at 0x5100000011b8 thread T0
    #0 0x560d9ae6a3a4 in compartment_notify_observers daemon/compartment.c:1677
    #1 0x560d9ae6fd49 in compartment_sigchld_handle_helpers daemon/compartment.c:700
    #2 0x560d9ae70319 in compartment_sigchld_cb daemon/compartment.c:783
    #3 0x560d9af16329 in event_signal_handler common/event.c:780
    #4 0x560d9af16329 in event_loop common/event.c:851
    #5 0x560d9ae4e6ac in main daemon/main.c:146
    #6 0x7fe2bf99b863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7fe2bf99b90a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x560d9ae509d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 27, 2025
While destroying a container, a use-after-free occurred, since the used observer callback in cmld.c frees the container and therefore also the compartment before all other registered observers were called. Similarly to the container reload, we now use the observer finish callback to do a delayed free after all compartment observer callbacks have been run. This fixes asan error:

=================================================================
==203==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x511000000838 at pc 0x557253082656 bp 0x7ffe4cfee190 sp 0x7ffe4cfee180
READ of size 8 at 0x511000000838 thread T0
    #0 0x557253082655 in compartment_notify_observers daemon/compartment.c:1681
    #1 0x557253088149 in compartment_sigchld_handle_helpers daemon/compartment.c:705
    #2 0x5572530886c9 in compartment_sigchld_cb daemon/compartment.c:787
    #3 0x55725312e759 in event_signal_handler common/event.c:780
    #4 0x55725312e759 in event_loop common/event.c:851
    #5 0x5572530666ac in main daemon/main.c:146
    #6 0x7ff708bd5863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7ff708bd590a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x5572530689d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
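The observer-list fixes described in the three commit messages above (appending observers instead of prepending them, and a finisher that runs only after the last observer so that an observer can request destruction without freeing the object under the iterating loop), as one added example. This is not the cml project's compartment code: compartment_t, observer_t, run_demo() and the three-observer scenario are constructed for the example to show why the deferred free does not trip the use-after-free that ASAN reported in compartment_notify_observers.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical re-creation of the observer pattern; names are constructed. */
typedef struct compartment compartment_t;
typedef void (*observer_cb_t)(compartment_t *c, void *data);

typedef struct observer {
    observer_cb_t cb;
    void *data;
    struct observer *next;
} observer_t;

struct compartment {
    observer_t *observers;      /* registration order == notification order */
    observer_cb_t finisher;     /* runs once, after every observer */
    void *finisher_data;
    bool destroy_requested;     /* set by an observer, acted on by the finisher */
};

/* Append, never prepend: a caller that registers its teardown observer last
 * relies on it actually running last. */
static void compartment_register_observer(compartment_t *c, observer_cb_t cb, void *data)
{
    observer_t *o = calloc(1, sizeof *o);
    if (!o)
        abort();
    o->cb = cb;
    o->data = data;
    observer_t **tail = &c->observers;
    while (*tail)
        tail = &(*tail)->next;
    *tail = o;
}

static void compartment_free(compartment_t *c)
{
    for (observer_t *o = c->observers; o;) {
        observer_t *next = o->next;
        free(o);
        o = next;
    }
    free(c);
}

/* Observers must not free c: the loop would then read o->next and c from
 * freed memory (the READ ASAN reports). Destruction is deferred to the
 * finisher, which is the last code to touch c. */
static void compartment_notify_observers(compartment_t *c)
{
    for (observer_t *o = c->observers; o;) {
        observer_t *next = o->next;     /* taken before the callback runs */
        o->cb(c, o->data);
        o = next;
    }
    if (c->finisher) {
        observer_cb_t f = c->finisher;
        void *d = c->finisher_data;
        f(c, d);                        /* may free c; c is not used after this */
    }
}

/* Constructed scenario: a counting observer, the "sync" observer that used to
 * free the object and now only flags it, and a second counting observer that
 * previously ran on freed memory. */
struct demo { int called; int destroyed; };

static void count_observer(compartment_t *c, void *data)
{
    (void)c;
    ((struct demo *)data)->called++;
}

static void sync_observer(compartment_t *c, void *data)
{
    ((struct demo *)data)->called++;
    c->destroy_requested = true;        /* instead of compartment_free(c) */
}

static void destroy_finisher(compartment_t *c, void *data)
{
    struct demo *d = data;
    if (c->destroy_requested) {
        d->destroyed++;
        compartment_free(c);
    }
}

/* Returns how many observers ran; *destroyed_out receives how often the
 * finisher freed the compartment. Expected: 3 observers, 1 free. */
int run_demo(int *destroyed_out)
{
    struct demo d = { 0, 0 };
    compartment_t *c = calloc(1, sizeof *c);
    if (!c)
        abort();
    compartment_register_observer(c, count_observer, &d);
    compartment_register_observer(c, sync_observer, &d);
    compartment_register_observer(c, count_observer, &d);
    c->finisher = destroy_finisher;
    c->finisher_data = &d;
    compartment_notify_observers(c);    /* c is freed exactly once, at the end */
    if (destroyed_out)
        *destroyed_out = d.destroyed;
    return d.called;
}

int main(void)
{
    int destroyed = 0;
    int called = run_demo(&destroyed);
    printf("observers run: %d, compartment destroyed: %d\n", called, destroyed);
    return 0;
}
```

Running this under AddressSanitizer is the useful check: with the sync observer changed back to freeing the compartment directly, the third observer and the finisher touch freed memory and ASAN reports a heap-use-after-free in compartment_notify_observers, the same shape as the traces in the commit messages.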
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 28, 2025
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 28, 2025
Move event_remove_inotify of watching dev dir from stop to cleanup hook. This avoids the following use-after-free:

=================================================================
==202==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x504000001fec at pc 0x5577ecae15da bp 0x7ffec417cda0 sp 0x7ffec417cd90
READ of size 4 at 0x504000001fec thread T0
    #0 0x5577ecae15d9 in event_remove_inotify common/event.c:658
    #1 0x5577ecad2ba6 in c_automount_stop daemon/c_automount.c:251
    #2 0x5577eca4442e in compartment_stop daemon/compartment.c:1573
    #3 0x5577eca1d1b5 in cmld_container_stop daemon/cmld.c:1695
    #4 0x5577eca49771 in control_handle_message daemon/control.c:1170
    #5 0x5577eca50fb9 in control_cb_recv_message_local daemon/control.c:1679
    #6 0x5577ecaddc3d in event_epoll common/event.c:437
    #7 0x5577ecae2e13 in event_loop common/event.c:854
    #8 0x5577eca1a6ac in main daemon/main.c:146
    #9 0x7f2cab14f863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7f2cab14f90a in __libc_start_main_impl ../csu/libc-start.c:389
    #11 0x5577eca1c9d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
quitschbo
added a commit
to quitschbo/cml
that referenced
this pull request
Jan 30, 2025
k0ch4lo
pushed a commit
that referenced
this pull request
Jan 30, 2025
While destroying a container, a use-after-free occurred, since the used observer callback in cmld.c frees the container and therefore also the compartment before all other registered observers were called. Similarly to the container reload, we now use the observer finish callback to do a delayed free after all compartment observer callbacks have been run. This fixes asan error:

=================================================================
==203==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x511000000838 at pc 0x557253082656 bp 0x7ffe4cfee190 sp 0x7ffe4cfee180
READ of size 8 at 0x511000000838 thread T0
    #0 0x557253082655 in compartment_notify_observers daemon/compartment.c:1681
    #1 0x557253088149 in compartment_sigchld_handle_helpers daemon/compartment.c:705
    #2 0x5572530886c9 in compartment_sigchld_cb daemon/compartment.c:787
    #3 0x55725312e759 in event_signal_handler common/event.c:780
    #4 0x55725312e759 in event_loop common/event.c:851
    #5 0x5572530666ac in main daemon/main.c:146
    #6 0x7ff708bd5863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #7 0x7ff708bd590a in __libc_start_main_impl ../csu/libc-start.c:389
    #8 0x5572530689d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
k0ch4lo
pushed a commit
that referenced
this pull request
Jan 30, 2025
Move event_remove_inotify of watching dev dir from stop to cleanup hook. This avoids the following use-after-free:

=================================================================
==202==ERROR: AddressSanitizer: heap-use-after-free on address \
 0x504000001fec at pc 0x5577ecae15da bp 0x7ffec417cda0 sp 0x7ffec417cd90
READ of size 4 at 0x504000001fec thread T0
    #0 0x5577ecae15d9 in event_remove_inotify common/event.c:658
    #1 0x5577ecad2ba6 in c_automount_stop daemon/c_automount.c:251
    #2 0x5577eca4442e in compartment_stop daemon/compartment.c:1573
    #3 0x5577eca1d1b5 in cmld_container_stop daemon/cmld.c:1695
    #4 0x5577eca49771 in control_handle_message daemon/control.c:1170
    #5 0x5577eca50fb9 in control_cb_recv_message_local daemon/control.c:1679
    #6 0x5577ecaddc3d in event_epoll common/event.c:437
    #7 0x5577ecae2e13 in event_loop common/event.c:854
    #8 0x5577eca1a6ac in main daemon/main.c:146
    #9 0x7f2cab14f863 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58
    #10 0x7f2cab14f90a in __libc_start_main_impl ../csu/libc-start.c:389
    #11 0x5577eca1c9d4 in _start (/usr/sbin/cmld+0x13e9d4)

Signed-off-by: Michael Weiß <[email protected]>
k0ch4lo
pushed a commit
that referenced
this pull request
Jan 31, 2025
k0ch4lo
pushed a commit
that referenced
this pull request
Jan 31, 2025