fix use after free in verto_free

2022-03-31 17:25:14 +08:00 · 2022-03-31 17:25:14 +08:00 · 69055464fe
commit 69055464fe
parent df9fca836f
2 changed files with 52 additions and 1 deletions
--- a/backport-fix-use-after-free-in-verto_free.patch
+++ b/backport-fix-use-after-free-in-verto_free.patch
@ -0,0 +1,47 @@
+From 60b276cf4ce4ab244670dfac1301704b28498805 Mon Sep 17 00:00:00 2001
+From: Robbie Harwood <rharwood@redhat.com>
+Date: Mon, 15 Mar 2021 14:27:18 -0400
+Subject: [PATCH] Fix use-after-free in verto_free()
+
+Instead of freeing all events, verto_free() would spin trying to free
+the same one.
+
+Discovered by scan-build.
+
+Signed-off-by: Robbie Harwood <rharwood@redhat.com>
+Signed-off-by: hanxinke <hanxinke@huawei.com>
+---
+ src/verto.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/verto.c b/src/verto.c
+index 71eaffa..c06c92b 100644
+--- a/src/verto.c
+++ b/src/verto.c
+@@ -583,6 +583,8 @@ verto_set_allocator(void *(*resize)(void *mem, size_t size),
+ void
+ verto_free(verto_ctx *ctx)
+ {
+    verto_ev *cur, *next;
+
+     if (!ctx)
+         return;
+ 
+@@ -591,8 +593,12 @@ verto_free(verto_ctx *ctx)
+         return;
+ 
+     /* Cancel all pending events */
+-    while (ctx->events)
+-        verto_del(ctx->events);
+    next = NULL;
+    for (cur = ctx->events; cur != NULL; cur = next) {
+        next = cur->next;
+        verto_del(cur);
+    }
+    ctx->events = NULL;
+ 
+     /* Free the private */
+     if (!ctx->deflt || !ctx->module->funcs->ctx_default)
+-- 
+1.8.3.1
+
--- a/libverto.spec
+++ b/libverto.spec
@ -1,12 +1,13 @@
 Name:           libverto
 Version:        0.3.1
-Release:        3
+Release:        4
 Summary:        Main loop abstraction library
 License:        MIT
 URL:            https://github.com/latchset/libverto
 Source0:        https://github.com/latchset/libverto/releases/download/%{version}/%{name}-%{version}.tar.gz

 Patch6000:      backport-re-order-pkgconfig-for-expected-dependencies.patch
+Patch6001:      backport-fix-use-after-free-in-verto_free.patch

 BuildRequires:  autoconf automake libtool glib2-devel
 BuildRequires:  libevent-devel libev-devel git
@ -91,6 +92,9 @@ find  %{buildroot} -name '*.la' -exec rm -f {} ';'
 %{_libdir}/pkgconfig/%{name}-libev.pc

 %changelog
+* Thu Mar 31 2022 hehuazhen <hehuazhen@huawei.com> - 0.3.1-4
+- fix use after free in verto_free
+
 * Thu Mar 31 2022 hehuazhen <hehuazhen@huawei.com> - 0.3.1-3
 - fix broken pkgconfig files