On Wed, Aug 07, 2013 at 11:36:37PM +0200, Pavel Březina wrote:
On 08/07/2013 11:59 AM, Jakub Hrozek wrote:
>On Wed, Aug 07, 2013 at 09:53:13AM +0200, Pavel Březina wrote:
>>On 08/06/2013 09:25 PM, Jakub Hrozek wrote:
>>>https://fedorahosted.org/sssd/ticket/1932
>>>
>>>There is a rather strange workaround in the nested groups processing
>>>code that calls tevent_req_post outside _send(). However, it broke in
>>>certain situations where the tevent_req_call resulted in req being freed,
>>>which freed state by extension and then the subsequent _post call was a
>>>use-after-free. This patch saves the two variables used outside state so
>>>that it's safe to use them even after the callback.
>>
>>Hi,
>>great catch! Sometimes I wish tevent_req_done() would schedule
>>immediate event, instead of firing the callback directly.
>>
>>Nack to the patch but ack to the solution. The same code is also in
>>sdap_nested_group_lookup_user(). Can you fix it as well? It maybe
>>can't be triggered, but who knows...
>
>I think it can be triggered if all users are out of all search bases.
>New patch is attached.
Ack.
Pushed to sssd-1-9
BTW there was lately several use-after-free issues found by users.
We should start testing our patches with TALLOC_FREE_FILL=0 - this
will overwrite freed memory with zeros on talloc_free() so if there
is anything like that in covered code, we will hit that.
Yep :-)
We should also be using MALLOC_PERTURB, which does the same thing for
mallocated memory, making it easier to detect uninitialized access to
heap memory.
Can you add a note about TALLOC_FREE_FILL to
https://fedorahosted.org/sssd/wiki/DevelTips ?