From patchwork Tue Aug 16 11:23:50 2022
X-Patchwork-Submitter: Jan Venekamp
X-Patchwork-Id: 1666799
X-Patchwork-Delegate: hauke@hauke-m.de
From: Jan Venekamp
To: openwrt-devel@lists.openwrt.org
Subject: [PATCH 1/9] uci: fix use-after-free uci_set on update option
Date: Tue, 16 Aug 2022 13:23:50 +0200
Message-Id: <20220816112358.75801-2-jan@venekamp.net>
X-Mailer: git-send-email 2.32.0 (Apple Git-132)
In-Reply-To: <20220816112358.75801-1-jan@venekamp.net>
References: <20220816112358.75801-1-jan@venekamp.net>
List-Id: OpenWrt Development List

When uci_set is called with ptr->o set and ptr->option = NULL, then in
uci_expand_ptr ptr->option is set to ptr->o->e.name. This will result in a
use-after-free because ptr->option is used in the call to uci_add_delta
after uci_free_option(ptr->o).
Signed-off-by: Jan Venekamp --- list.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/list.c b/list.c index 24ed2ee..ac3686c 100644 --- a/list.c +++ b/list.c @@ -725,15 +725,16 @@ int uci_set(struct uci_context *ctx, struct uci_ptr *ptr) ptr->s = uci_alloc_section(ptr->p, ptr->value, ptr->section); ptr->last = &ptr->s->e; } else if (ptr->o && ptr->option) { /* update option */ - struct uci_option *o; + struct uci_option *old = ptr->o; if ((ptr->o->type == UCI_TYPE_STRING) && !strcmp(ptr->o->v.string, ptr->value)) return 0; - o = ptr->o; ptr->o = uci_alloc_option(ptr->s, ptr->option, ptr->value); - uci_free_option(o); + if (ptr->option == old->e.name) + ptr->option = ptr->o->e.name; + uci_free_option(old); ptr->last = &ptr->o->e; } else if (ptr->s && ptr->section) { /* update section */ char *s = uci_strdup(ctx, ptr->value);
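Review bot: the new `if (ptr->option == old->e.name)` relies on pointer identity to recognise the name that uci_expand_ptr borrowed from the option, and nothing in the hunk says so; a short comment above it (e.g. `/* ptr->option may point into old (set by uci_expand_ptr); repoint before freeing */`) would stop a later cleanup from turning it into strcmp(), which would also repoint a caller-owned name that merely matches. Otherwise the change reads correctly: `old` is captured before the early `return 0` (a plain pointer copy, no side effect), the replacement is allocated while `old` is still live, and `uci_free_option(old)` now follows the last use of the old name.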
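As an added illustration (constructed for this note, not libuci's code and not part of the patch): a minimal model of the aliasing that uci_expand_ptr creates between ptr->option and the option's own name, with the "update option" branch written the way the patch leaves it. The struct layout, helper names and the check function are assumptions; only the repoint-before-free logic mirrors the hunk.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the uci structures; not libuci's definitions. */
struct opt { char *name; char *value; };
struct ptr { struct opt *o; const char *option; const char *value; };
static char *dup_str(const char *s)
{
	size_t n = strlen(s) + 1;
	return memcpy(malloc(n), s, n);
}
static struct opt *opt_alloc(const char *name, const char *value)
{
	struct opt *o = malloc(sizeof *o);
	o->name = dup_str(name); o->value = dup_str(value);
	return o;
}
static void opt_free(struct opt *o) { free(o->name); free(o->value); free(o); }
/* Like uci_expand_ptr: a missing option name is filled in from the option
 * itself, so ptr->option now points into memory that ptr->o owns. */
static void expand_ptr(struct ptr *p)
{
	if (p->o && !p->option)
		p->option = p->o->name;
}
/* The patched "update option" branch of uci_set: ptr->option is repointed at
 * the replacement's name before the old option is freed, so the later reader
 * (uci_add_delta in libuci) never touches freed memory. Returns 1 if replaced. */
static int update_option(struct ptr *p)
{
	struct opt *old = p->o;
	if (!strcmp(old->value, p->value))
		return 0;
	p->o = opt_alloc(p->option, p->value);
	if (p->option == old->name)	/* pointer identity, not strcmp: the alias case */
		p->option = p->o->name;
	opt_free(old);
	return 1;
}
/* Returns 1 when ptr->option still names live memory after the update: moved to
 * the new option if it came from expand_ptr (caller_name NULL), else untouched. */
static int check_update(const char *caller_name)
{
	struct ptr p = { opt_alloc("foo", "old"), caller_name, "new" };
	int ok;
	expand_ptr(&p);
	ok = update_option(&p) == 1 && !strcmp(p.option, "foo") &&
	     !strcmp(p.o->value, "new") && update_option(&p) == 0 &&
	     (caller_name ? p.option == caller_name : p.option == p.o->name);
	opt_free(p.o);
	return ok;
}
```

Running check_update under AddressSanitizer with the repoint lines removed is the quickest way to see the original defect reported as a heap-use-after-free on the strcmp of p.option.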