From 50a665643268deb1e50f118a3dcfc3e6c0f821c5 Mon Sep 17 00:00:00 2001 
From: Kirill Isakov Date: Sat, 24 Jul 2021 12:15:59 +0600 Subject: [PATCH] Fix use-after-free in final log message on tincd exit. Steps to reproduce: 0. build tincd with -fsanitize=address 1. start tincd: ./src/tincd -c . -D 2. capture log output in one tinc client ./src/tinc -c . log 3. this is optional, but seems to flush the bug more often: open another tinc client and issue the purge/retry commands: ./src/tinc -c . tinc> purge tinc> retry 4. stop tincd (using Ctrl+C or the stop command) Repeat until it fails with a bunch of error messages as below. ------------ ==1715850==ERROR: AddressSanitizer: heap-use-after-free on address 0x60300001d950 at pc 0x55a3fdba1fa5 bp 0x7fffbd250470 sp 0x7fffbd250468 READ of size 8 at 0x60300001d950 thread T0 0 0x55a3fdba1fa4 in real_logger tinc/src/logger.c:101:7 1 0x55a3fdba188b in logger tinc/src/logger.c:140:2 2 0x55a3fdc90c22 in main tinc/src/tincd.c:625:2 3 0x7f826a3eab24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) 4 0x55a3fda9087d in _start (tinc/src/tincd+0xd487d) 0x60300001d950 is located 0 bytes inside of 32-byte region [0x60300001d950,0x60300001d970) freed by thread T0 here: 0 0x55a3fdb377c9 in free (tinc/src/tincd+0x17b7c9) 1 0x55a3fdb9e1b4 in list_free tinc/src/list.c:36:2 2 0x55a3fdba0ed3 in list_delete_list tinc/src/list.c:192:2 3 0x55a3fdb8385f in exit_connections tinc/src/connection.c:47:2 4 0x55a3fdbf0427 in close_network_connections tinc/src/net_setup.c:1386:2 5 0x55a3fdc90c0d in main tinc/src/tincd.c:623:2 6 0x7f826a3eab24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) previously allocated by thread T0 here: 0 0x55a3fdb37c91 in calloc (tinc/src/tincd+0x17bc91) 1 0x55a3fdb9e157 in xzalloc tinc/src/./xalloc.h:37:12 2 0x55a3fdb9e065 in list_alloc tinc/src/list.c:29:17 3 0x55a3fdb82a43 in init_connections tinc/src/connection.c:40:20 4 0x55a3fdbea58c in setup_network tinc/src/net_setup.c:1304:2 5 0x55a3fdc90535 in main tinc/src/tincd.c:573:6 6 0x7f826a3eab24 in __libc_start_main (/usr/lib/libc.so.6+0x27b24) 
---
 src/connection.c | 3 +++
 src/logger.c | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/connection.c b/src/connection.c
index 1c638a4d..2f35124e 100644
--- a/src/connection.c
+++ b/src/connection.c
@@ -45,7 +45,10 @@ void init_connections(void) {
 void exit_connections(void) {
 list_delete_list(connection_list);
+ connection_list = NULL;
+ free_connection(everyone);
+ everyone = NULL;
 }
 connection_t *new_connection(void) {
diff --git a/src/logger.c b/src/logger.c
index 9c02a3d8..21e04315 100644
--- a/src/logger.c
+++ b/src/logger.c
@@ -94,7 +94,7 @@ static void real_logger(int level, int priority, const char *message) {
 }
 }
- if(logcontrol) {
+ if(logcontrol && connection_list) {
 suppress = true;
 logcontrol = false;
--
2.20.1
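Review bot: `free_connection(everyone)` in exit_connections is cleanup beyond the use-after-free the message describes, and the hunk adds no guard for `everyone` being NULL when init_connections() never ran (the trace shows init_connections() reached from setup_network(); a setup failure before that point presumably leaves it unset) — if free_connection() does not accept NULL, guard it with `if(everyone) { free_connection(everyone); }`. It also relies on `everyone` never having been linked into connection_list, since list_delete_list() would then already have freed it and this call would be a double free; if that is the invariant, document it here with `/* everyone is never added to connection_list, so list_delete_list() did not free it */`. Setting connection_list to NULL is what the logger.c hunk keys on, so any other reader of connection_list that can run after close_network_connections() needs the same NULL awareness.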
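Review bot: The added `connection_list` test in real_logger treats the symptom at the consumer: `logcontrol` is still true after exit_connections() freed the list, and per the sanitizer trace the faulting read is at logger.c:101, the line right after this hunk, so the guard is sound only as long as the connection.c hunk's `connection_list = NULL;` always runs before the final log message. Clearing the producer-side state instead (`logcontrol = false;` next to `connection_list = NULL;` in exit_connections) would keep the teardown order in one place and make this cross-module check unnecessary. If the check stays, a comment `/* NULL once exit_connections() ran; no control client can receive the message */` explains why a logger consults a connection-list global. real_logger begins and ends outside this hunk.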