From patchwork Tue Aug 16 11:23:53 2022 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jan Venekamp X-Patchwork-Id: 1666801 X-Patchwork-Delegate: hauke@hauke-m.de Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@legolas.ozlabs.org Authentication-Results: legolas.ozlabs.org; spf=none (no SPF record) smtp.mailfrom=lists.openwrt.org (client-ip=2607:7c80:54:3::133; helo=bombadil.infradead.org; envelope-from=openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org; receiver=) Authentication-Results: legolas.ozlabs.org; dkim=pass (2048-bit key; secure) header.d=lists.infradead.org header.i=@lists.infradead.org header.a=rsa-sha256 header.s=bombadil.20210309 header.b=tko2dw8i; dkim-atps=neutral Received: from bombadil.infradead.org (bombadil.infradead.org [IPv6:2607:7c80:54:3::133]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-384) server-digest SHA384) (No client certificate requested) by legolas.ozlabs.org (Postfix) with ESMTPS id 4M6TPV3V41z1ygF for ; Tue, 16 Aug 2022 21:26:38 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=lists.infradead.org; s=bombadil.20210309; h=Sender: Content-Transfer-Encoding:Content-Type:List-Subscribe:List-Help:List-Post: List-Archive:List-Unsubscribe:List-Id:MIME-Version:References:In-Reply-To: Message-Id:Date:Subject:To:From:Reply-To:Cc:Content-ID:Content-Description: Resent-Date:Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID: List-Owner; bh=nImTT44Xwl3ByIWN4wPfqQPHjqjbmL7vKoq9MeTUSEM=; b=tko2dw8iG2Q3sY XrMUG8ogBORJrxG3cvosZOvYxMXQS8UR9tdAuZ+VX1VWOpwAqXF6taGNv5KwvpAz6Nks2qIbCO9dQ CI9bcHyjn/G8HYWLVB2nCkgSDM7FN8AQaOTW1OWjMS4K4KwHynxBObal+cRY6DkChqVmxgArwI7nq A/cI5asxW0lrUcQFDVDKnbJnTfz5UvCcMxUNOj6VTzsyB/eA2zH4wYDUfCuYmkx1SB2ED0VjeHwUY +/O91y+XoOpMcF/Nozq00IbCoEM3hK+DoOehpQtuciBzth7HqK0r8QpYnlfOvbUVeuj4AzYJuKPCB p/4PzorGqYw2yIV9/WCA==; Received: from localhost ([::1] helo=bombadil.infradead.org) by bombadil.infradead.org with esmtp (Exim 4.94.2 #2 (Red Hat Linux)) id 1oNugq-001WW3-8Q; Tue, 16 Aug 2022 11:24:56 +0000 Received: from virt1.bvwebdesign.nl ([149.210.228.112]) by bombadil.infradead.org with esmtps (Exim 4.94.2 #2 (Red Hat Linux)) id 1oNug2-001W1k-Pe for openwrt-devel@lists.openwrt.org; Tue, 16 Aug 2022 11:24:09 +0000 Received: from localhost.localdomain (84-31-67-158.cable.dynamic.v4.ziggo.nl [84.31.67.158]) by virt1.bvwebdesign.nl (Postfix) with ESMTPSA id AC68E96453F for ; Tue, 16 Aug 2022 13:23:59 +0200 (CEST) From: Jan Venekamp To: openwrt-devel@lists.openwrt.org Subject: [PATCH 4/9] uci: fix use-after-free uci_add_list Date: Tue, 16 Aug 2022 13:23:53 +0200 Message-Id: <20220816112358.75801-5-jan@venekamp.net> X-Mailer: git-send-email 2.32.0 (Apple Git-132) In-Reply-To: <20220816112358.75801-1-jan@venekamp.net> References: <20220816112358.75801-1-jan@venekamp.net> MIME-Version: 1.0 X-CRM114-Version: 20100106-BlameMichelson ( TRE 0.8.0 (BSD) ) MR-646709E3 X-CRM114-CacheID: sfid-20220816_042407_001805_6305E364 X-CRM114-Status: UNSURE ( 8.37 ) X-CRM114-Notice: Please train this message. X-Spam-Score: -0.0 (/) X-Spam-Report: Spam detection software, running on the system "bombadil.infradead.org", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: When uci_add_list is called with ptr->o set and ptr->option = NULL, then in uci_expand_ptr ptr->option is set to ptr->o->e.name. If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o. This wil [...] Content analysis details: (-0.0 points, 5.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 SPF_PASS SPF: sender matches SPF record -0.0 SPF_HELO_PASS SPF: HELO matches SPF record X-BeenThere: openwrt-devel@lists.openwrt.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: OpenWrt Development List List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: "openwrt-devel" Errors-To: openwrt-devel-bounces+incoming=patchwork.ozlabs.org@lists.openwrt.org When uci_add_list is called with ptr->o set and ptr->option = NULL, then in uci_expand_ptr ptr->option is set to ptr->o->e.name. If ptr->o->type is UCI_TYPE_STRING then prev is set to ptr->o. This will result in use-after-free because ptr->option is used in the call to uci_add_delta in uci_add_element_list after uci_free_option(prev). Signed-off-by: Jan Venekamp --- list.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/list.c b/list.c index 5148dfd..ba099b6 100644 --- a/list.c +++ b/list.c @@ -652,6 +652,8 @@ int uci_add_list(struct uci_context *ctx, struct uci_ptr *ptr) ptr->o = uci_alloc_list(ptr->s, ptr->option); if (prev) { uci_add_element_list(ctx, ptr, true); + if (ptr->option == prev->e.name) + ptr->option = ptr->o->e.name; uci_free_option(prev); ptr->value = value2; }