[sssd/f21] Fix double free in monitor

Lukas Slebodnik lslebodn at fedoraproject.org
Thu Feb 12 21:08:53 UTC 2015 

commit e44e27dae93a44cd9053de4c26e2441614e65e34
Author: Lukas Slebodnik <lslebodn at redhat.com>
Date:   Thu Feb 12 21:58:28 2015 +0100

    Fix double free in monitor
    
    - Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort():
                            sssd killed by SIGABRT

 0004-MONITOR-Fix-double-free.patch |   61 ++++++++++++++++++++++++++++++++++++
 sssd.spec                          |    8 ++++-
 2 files changed, 68 insertions(+), 1 deletions(-)
---
diff --git a/0004-MONITOR-Fix-double-free.patch b/0004-MONITOR-Fix-double-free.patch
new file mode 100644
index 0000000..b6539aa
--- /dev/null
+++ b/0004-MONITOR-Fix-double-free.patch
@@ -0,0 +1,61 @@
+From 2aac87a3dfc12ba1187c7045635cac0647d397d9 Mon Sep 17 00:00:00 2001
+From: Lukas Slebodnik <lslebodn at redhat.com>
+Date: Thu, 12 Feb 2015 19:10:34 +0100
+Subject: [PATCH 4/4] MONITOR: Fix double free
+
+If kill timer was successfully executed then it will be released by libtevent.
+So we should not released it in mt_svc_exit_handler for the second time.
+
+[sssd] [mt_svc_exit_handler] (0x0040): Child [ifp] terminated with signal [9]
+[sssd] [talloc_log_fn] (0x0010): talloc: access after free error - first free
+                                         may be at ../tevent_timed.c:351
+[sssd] [talloc_log_fn] (0x0010): Bad talloc magic value - access after free
+
+==19129== Invalid read of size 4
+==19129==    at 0x50470CD: talloc_chunk_from_ptr (talloc.c:372)
+==19129==    by 0x50470CD: _talloc_free (talloc.c:1559)
+==19129==    by 0x11086C: mt_svc_exit_handler (monitor.c:2754)
+==19129==    by 0x8AF9B2F: sss_child_invoke_cb (child_common.c:181)
+==19129==    by 0x4E39823: tevent_common_loop_immediate (tevent_immediate.c:135)
+==19129==    by 0x4E3AF4D: poll_event_loop_once (tevent_poll.c:649)
+==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
+==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
+==19129==    by 0x84C4B02: server_loop (server.c:668)
+==19129==    by 0x10D9A6: main (monitor.c:3028)
+==19129==  Address 0xb8a06c0 is 64 bytes inside a block of size 176 free'd
+==19129==    at 0x4C2ACE9: free (in /usr/lib64/valgrind/vgpreload_memcheck-amd64-linux.so)
+==19129==    by 0x50472F2: _talloc_free_internal (talloc.c:1057)
+==19129==    by 0x50472F2: _talloc_free (talloc.c:1581)
+==19129==    by 0x4E3D0A3: tevent_common_loop_timer_delay (tevent_timed.c:351)
+==19129==    by 0x4E3AF59: poll_event_loop_once (tevent_poll.c:653)
+==19129==    by 0x4E38FEC: _tevent_loop_once (tevent.c:530)
+==19129==    by 0x4E3AA4A: poll_event_loop_wait (tevent_poll.c:677)
+==19129==    by 0x84C4B02: server_loop (server.c:668)
+==19129==    by 0x10D9A6: main (monitor.c:3028)
+
+Resolves:
+https://fedorahosted.org/sssd/ticket/2572
+
+Reviewed-by: Stephen Gallagher <sgallagh at redhat.com>
+(cherry picked from commit 373946b540eaa5d97c6efb39629195dbe2a1f015)
+---
+ src/monitor/monitor.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/monitor/monitor.c b/src/monitor/monitor.c
+index afefe7f11c15ad343e8a79dceeff5a89e2787add..f171c05acd2c770ab9ffad2429d92c5041bcdb59 100644
+--- a/src/monitor/monitor.c
++++ b/src/monitor/monitor.c
+@@ -646,6 +646,9 @@ static void mt_svc_sigkill(struct tevent_context *ev,
+             "[%s][%d] is not responding to SIGTERM. Sending SIGKILL.\n",
+             svc->name, svc->pid);
+ 
++    /* timer was succesfully executed and it will be released by tevent */
++    svc->kill_timer = NULL;
++
+     ret = kill(svc->pid, SIGKILL);
+     if (ret != EOK) {
+         ret = errno;
+-- 
+2.1.0
+
diff --git a/sssd.spec b/sssd.spec
index bc4ac9d..ceb579c 100644
--- a/sssd.spec
+++ b/sssd.spec
@@ -27,7 +27,7 @@
 
 Name: sssd
 Version: 1.12.3
-Release: 4%{?dist}
+Release: 5%{?dist}
 Group: Applications/System
 Summary: System Security Services Daemon
 License: GPLv3+
@@ -39,6 +39,7 @@ BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
 Patch0001: 0001-logrotate-Fix-warning-file-size-changed-while-zippin.patch
 Patch0002: 0002-MAN-dyndns_iface-supports-only-one-interface.patch
 Patch0003: 0003-krb5-fix-entry-order-in-MEMORY-keytab.patch
+Patch0004: 0004-MONITOR-Fix-double-free.patch
 
 ### Dependencies ###
 Requires: sssd-common = %{version}-%{release}
@@ -886,6 +887,11 @@ if [ $1 -eq 0 ]; then
 fi
 
 %changelog
+* Thu Feb 12 2015 Lukas Slebodnik <lslebodn at redhat.com> - 1.12.3-5
+- Fix double free in monitor
+- Resolves: rhbz#1186887 [abrt] sssd-common: talloc_abort():
+                        sssd killed by SIGABRT
+
 * Thu Jan 22 2015 Lukas Slebodnik <lslebodn at redhat.com> - 1.12.3-4
 - Decrease priority of sssd-libwbclient 20 -> 5
 - It should be lower than priority of samba veriosn of libwbclient.

More information about the scm-commits mailing list