!12 fix use after free in verto_free

From: @willwolf Reviewed-by: @hanxinke Signed-off-by: @hanxinke
2022-03-31 11:12:17 +00:00 · 2022-03-31 11:12:17 +00:00 · ef1aa3df0c
commit ef1aa3df0c
parent 58102d0c4e 69055464fe
2 changed files with 52 additions and 1 deletions
--- a/backport-fix-use-after-free-in-verto_free.patch
+++ b/backport-fix-use-after-free-in-verto_free.patch
@ -0,0 +1,47 @@
 From 60b276cf4ce4ab244670dfac1301704b28498805 Mon Sep 17 00:00:00 2001
 From: Robbie Harwood <rharwood@redhat.com>
 Date: Mon, 15 Mar 2021 14:27:18 -0400
 Subject: [PATCH] Fix use-after-free in verto_free()
 Instead of freeing all events, verto_free() would spin trying to free
 the same one.
 Discovered by scan-build.
 Signed-off-by: Robbie Harwood <rharwood@redhat.com>
 Signed-off-by: hanxinke <hanxinke@huawei.com>
 ---
 src/verto.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
 diff --git a/src/verto.c b/src/verto.c
 index 71eaffa..c06c92b 100644
 --- a/src/verto.c
 +++ b/src/verto.c
@@ -583,6 +583,8 @@ verto_set_allocator(void *(*resize)(void *mem, size_t size),
 void
 verto_free(verto_ctx *ctx)
 {
 +    verto_ev *cur, *next;
 +
     if (!ctx)
         return;
@@ -591,8 +593,12 @@ verto_free(verto_ctx *ctx)
         return;
     /* Cancel all pending events */
 -    while (ctx->events)
 -        verto_del(ctx->events);
 +    next = NULL;
 +    for (cur = ctx->events; cur != NULL; cur = next) {
 +        next = cur->next;
 +        verto_del(cur);
 +    }
 +    ctx->events = NULL;
     /* Free the private */
     if (!ctx->deflt || !ctx->module->funcs->ctx_default)
 -- 
 1.8.3.1
--- a/libverto.spec
+++ b/libverto.spec
@ -1,12 +1,13 @@
 Name:           libverto
 Version:        0.3.1
-Release:        3
+Release:        4
 Summary:        Main loop abstraction library
 License:        MIT
 URL:            https://github.com/latchset/libverto
 Source0:        https://github.com/latchset/libverto/releases/download/%{version}/%{name}-%{version}.tar.gz
 Patch6000:      backport-re-order-pkgconfig-for-expected-dependencies.patch
 Patch6001:      backport-fix-use-after-free-in-verto_free.patch
 BuildRequires:  autoconf automake libtool glib2-devel
 BuildRequires:  libevent-devel libev-devel git
@ -91,6 +92,9 @@ find  %{buildroot} -name '*.la' -exec rm -f {} ';'
 %{_libdir}/pkgconfig/%{name}-libev.pc
 %changelog
 * Thu Mar 31 2022 hehuazhen <hehuazhen@huawei.com> - 0.3.1-4
 - fix use after free in verto_free
 * Thu Mar 31 2022 hehuazhen <hehuazhen@huawei.com> - 0.3.1-3
 - fix broken pkgconfig files