mirrors/systemd
0
0
Fork 0
mirror of https://github.com/systemd/systemd.git synced 2024-11-27 20:23:36 +08:00
Code Issues Packages Projects Releases Wiki Activity

udev: use interface before the string that interface points to is freed by device_add_property_internal (#6105)

Browse Source 
This prevents udev from reading the data after freeing it.

See https://github.com/systemd/systemd/issues/6040#issuecomment-306589836
==264== Invalid read of size 1
==264==    at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264==    by 0x5943EBD: strdup (in /usr/lib/libc-2.25.so)
==264==    by 0x13E263: device_add_property_aux (sd-device.c:122)
==264==    by 0x14788C: device_add_property_internal (sd-device.c:150)
==264==    by 0x14788C: device_rename (device-private.c:786)
==264==    by 0x120DB6: udev_device_rename (libudev-device-private.c:213)
==264==    by 0x120DB6: udev_event_execute_rules (udev-event.c:895)
==264==    by 0x120DB6: worker_spawn (udevd.c:456)
==264==    by 0x1216E5: event_run (udevd.c:584)
==264==    by 0x1216E5: event_queue_start (udevd.c:823)
==264==    by 0x122213: on_uevent (udevd.c:927)
==264==    by 0x141F2F: source_dispatch (sd-event.c:2272)
==264==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264==    by 0x142D52: sd_event_run (sd-event.c:2690)
==264==    by 0x142D52: sd_event_loop (sd-event.c:2710)
==264==    by 0x1159CB: run (udevd.c:1643)
==264==    by 0x1159CB: main (udevd.c:1772)
==264==  Address 0x7b251a0 is 0 bytes inside a block of size 5 free'd
==264==    at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264==    by 0x13E2A2: freep (alloc-util.h:57)
==264==    by 0x13E2A2: device_add_property_aux (sd-device.c:111)
==264==    by 0x147873: device_add_property_internal (sd-device.c:150)
==264==    by 0x147873: device_rename (device-private.c:781)
==264==    by 0x120DB6: udev_device_rename (libudev-device-private.c:213)
==264==    by 0x120DB6: udev_event_execute_rules (udev-event.c:895)
==264==    by 0x120DB6: worker_spawn (udevd.c:456)
==264==    by 0x1216E5: event_run (udevd.c:584)
==264==    by 0x1216E5: event_queue_start (udevd.c:823)
==264==    by 0x122213: on_uevent (udevd.c:927)
==264==    by 0x141F2F: source_dispatch (sd-event.c:2272)
==264==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264==    by 0x142D52: sd_event_run (sd-event.c:2690)
==264==    by 0x142D52: sd_event_loop (sd-event.c:2710)
==264==    by 0x1159CB: run (udevd.c:1643)
==264==    by 0x1159CB: main (udevd.c:1772)
==264==  Block was alloc'd at
==264==    at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264==    by 0x5943EC9: strdup (in /usr/lib/libc-2.25.so)
==264==    by 0x13E263: device_add_property_aux (sd-device.c:122)
==264==    by 0x143B45: device_add_property_internal (sd-device.c:150)
==264==    by 0x143B45: device_amend.lto_priv.235 (device-private.c:454)
==264==    by 0x1387B7: device_append (device-private.c:516)
==264==    by 0x1387B7: device_new_from_nulstr (device-private.c:620)
==264==    by 0x1387B7: udev_device_new_from_nulstr (libudev-device-private.c:268)
==264==    by 0x1387B7: udev_monitor_receive_device (libudev-monitor.c:682)
==264==    by 0x11FC69: worker_spawn (udevd.c:509)
==264==    by 0x1216E5: event_run (udevd.c:584)
==264==    by 0x1216E5: event_queue_start (udevd.c:823)
==264==    by 0x122213: on_uevent (udevd.c:927)
==264==    by 0x141F2F: source_dispatch (sd-event.c:2272)
==264==    by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264==    by 0x142D52: sd_event_run (sd-event.c:2690)
==264==    by 0x142D52: sd_event_loop (sd-event.c:2710)
==264==    by 0x1159CB: run (udevd.c:1643)
==264==    by 0x1159CB: main (udevd.c:1772)
==264==
This commit is contained in:
Evgeny Vereshchagin 2017-06-18 12:31:30 +03:00 committed by Lennart Poettering
parent d4bf82fcac
commit f7b1c8d1fc
1 changed files with 3 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
src/libsystemd/sd-device/device-private.c
View File

@ -778,12 +778,12 @@ int device_rename(sd_device *device, const char *name) {
r = sd_device_get_property_value(device, "INTERFACE", &interface);
if (r >= 0) {
r = device_add_property_internal(device, "INTERFACE", name);
/* like DEVPATH_OLD, INTERFACE_OLD is not saved to the db, but only stays around for the current event */
r = device_add_property_internal(device, "INTERFACE_OLD", interface);
if (r < 0)
return r;
/* like DEVPATH_OLD, INTERFACE_OLD is not saved to the db, but only stays around for the current event */
r = device_add_property_internal(device, "INTERFACE_OLD", interface);
r = device_add_property_internal(device, "INTERFACE", name);
if (r < 0)
return r;
} else if (r != -ENOENT)