[systemd-devel] [PATCH 1/5] [use after free] Avoid using m->kdbus after freeing it.
Lennart Poettering
lennart at poettering.net
Wed Oct 22 09:01:44 PDT 2014
On Wed, 10.09.14 12:20, philippedeswert at gmail.com (philippedeswert at gmail.com) wrote:
> From: Philippe De Swert <philippedeswert at gmail.com>
>
> m->kdbus could be freed before it is released. Changing the
> order fixes the issue.
David applied this now, but actually, just for the sake of the archives,
this is a false positive. The KDBUS_CMD_FREE ioctl and the free() are
never invoked at the same time. Either the message is stored in a
kdbus buffer, in which case we issue KDBUS_CMD_FREE, or it's stored in a
malloc()ed area, in which case we call free().
This commit hence was entirely bogus, but of course it doesn't matter.
>
> Found with Coverity. Fixes: CID#1237798
>
> Signed-off-by: Philippe De Swert <philippedeswert at gmail.com>
> ---
> src/libsystemd/sd-bus/bus-message.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
> index d00455a..bfb14fc 100644
> --- a/src/libsystemd/sd-bus/bus-message.c
> +++ b/src/libsystemd/sd-bus/bus-message.c
> @@ -127,9 +127,6 @@ static void message_free(sd_bus_message *m) {
>
> message_reset_parts(m);
>
> - if (m->free_kdbus)
> - free(m->kdbus);
> -
> if (m->release_kdbus) {
> uint64_t off;
>
> @@ -137,6 +134,9 @@ static void message_free(sd_bus_message *m) {
> ioctl(m->bus->input_fd, KDBUS_CMD_FREE, &off);
> }
>
> + if (m->free_kdbus)
> + free(m->kdbus);
> +
> sd_bus_unref(m->bus);
>
> if (m->free_fds) {
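Review bot: the new position of the `free(m->kdbus)` before `sd_bus_unref(m->bus)` is fine since free() does not need `m->bus`, but the `ioctl(m->bus->input_fd, KDBUS_CMD_FREE, &off)` just above does, so the ordering constraint that actually matters here is "release to kdbus before unref the bus", not "ioctl before free"; a one-line comment saying so would keep a later cleanup from reshuffling these blocks again.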
> --
> 1.8.3.2
>
Lennart
--
Lennart Poettering, Red Hat