Gitiles
Code Review Sign In
softwarefactory-project.io / fedora-test / systemd-distgit.git / 4877912f6e8284d80e7b88a76df3433c855385d7 / . / 0034-shared-fix-double-free-in-link.patch
blob: 4c5c2743b7d3b6aa4d61b494360744257550b1b1 [file] [log] [blame]
Zbigniew Jędrzejewski-Szmek5d6eedd2017-01-31 12:11:17 -0500[diff] [blame]1From a4ead9514b411945f9525ac33901db2b557ce9d0 Mon Sep 17 00:00:00 2001
Zbigniew Jędrzejewski-Szmek03e93e22017-01-29 17:22:41 -0500[diff] [blame]2From: Evgeny Vereshchagin <evvers@ya.ru>
3Date: Mon, 9 Jan 2017 04:46:11 +0000
4Subject: [PATCH] shared: fix double free in link
5
6Fixes:
7```
8touch hola.service
9systemctl link $(pwd)/hola.service $(pwd)/hola.service
10```
11
12```
13==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd):
14 #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
15 #1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83
16 #2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89
17 #3 0x55637c758c77 in strv_freep src/basic/strv.h:37
18 #4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960
19 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
20 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
21 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
22 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
23 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
24 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
25 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
26 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
27 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
28 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
29 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
30 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
31 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
32 #18 0x55637c6a2194 in main src/core/main.c:1920
33 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
34 #20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339)
35
360x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573)
37freed by thread T0 (systemd) here:
38 #0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
39 #1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630
40 #2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602
41 #3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996
42 #4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985
43 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
44 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
45 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
46 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
47 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
48 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
49 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
50 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
51 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
52 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
53 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
54 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
55 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
56 #18 0x55637c6a2194 in main src/core/main.c:1920
57 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
58
59previously allocated by thread T0 (systemd) here:
60 #0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160)
61 #1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552
62 #2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578
63 #3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600
64 #4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969
65 #5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
66 #6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
67 #7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
68 #8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
69 #9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
70 #10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
71 #11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
72 #12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
73 #13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
74 #14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
75 #15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
76 #16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
77 #17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
78 #18 0x55637c6a2194 in main src/core/main.c:1920
79 #19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
80
81SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
82==1==ABORTING
83```
84
85Closes #5015
86
87(cherry picked from commit 8af35ba681116eb79a46e3dbd65b166c1efd6164)
88---
89 src/shared/install.c | 8 ++++++--
90 1 file changed, 6 insertions(+), 2 deletions(-)
91
92diff --git a/src/shared/install.c b/src/shared/install.c
93index 5f0eec3ccb..64fe522ebb 100644
94--- a/src/shared/install.c
95+++ b/src/shared/install.c
96@@ -1947,7 +1947,7 @@ int unit_file_link(
97 unsigned *n_changes) {
98
99 _cleanup_lookup_paths_free_ LookupPaths paths = {};
100- _cleanup_free_ char **todo = NULL;
101+ _cleanup_strv_free_ char **todo = NULL;
102 size_t n_todo = 0, n_allocated = 0;
103 const char *config_path;
104 char **i;
105@@ -1996,7 +1996,11 @@ int unit_file_link(
106 if (!GREEDY_REALLOC0(todo, n_allocated, n_todo + 2))
107 return -ENOMEM;
108
109- todo[n_todo++] = *i;
110+ todo[n_todo] = strdup(*i);
111+ if (!todo[n_todo])
112+ return -ENOMEM;
113+
114+ n_todo++;
115 }
116
117 strv_uniq(todo);