[OE-core] [for-dora][for-master][PATCH] libnl: Fix random segfaults due to memory corruption
Robert Yang
liezhi.yang at windriver.com
Wed Nov 13 06:52:45 UTC 2013
Thanks, I will put it in the queue.
// Robert
On 11/12/2013 12:15 PM, Khem Raj wrote:
> This is a backport from upstream fixes a severe problem
> w.r.t memory management, where it would result in random
> segfaults in applications depending on libnl
>
> Signed-off-by: Khem Raj <raj.khem at gmail.com>
> ---
> ...free-caused-by-freeing-link-af_data-in-rt.patch | 41 ++++++++++++++++++++++
> meta/recipes-support/libnl/libnl_3.2.22.bb | 4 ++-
> 2 files changed, 44 insertions(+), 1 deletion(-)
> create mode 100644 meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
>
> diff --git a/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
> new file mode 100644
> index 0000000..6d2c8ff
> --- /dev/null
> +++ b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
> @@ -0,0 +1,41 @@
> +From 6f37b439af7e96104aadd8ec3ae8d3882df8d102 Mon Sep 17 00:00:00 2001
> +From: Jiri Pirko <jiri at resnulli.us>
> +Date: Wed, 21 Aug 2013 14:40:34 +0200
> +Subject: [PATCH] fix double free caused by freeing link af_data in
> + rtnl_link_set_family()
> +
> +Introduced by commit 8026fe2e3a9089eff3f5a06ee6e3cc78d96334ed ("link:
> +Free and realloc af specific data upon rtnl_link_set_family()")
> +
> +link->l_af_data[link->l_af_ops->ao_family] is freed here but not set to
> +zero. That leads to double free made by link_free_data->do_foreach_af.
> +
> +Fix this by setting link->l_af_data[link->l_af_ops->ao_family] to zero
> +rigth after free.
> +
> +Signed-off-by: Jiri Pirko <jiri at resnulli.us>
> +Signed-off-by: Thomas Graf <tgraf at suug.ch>
> +---
> + lib/route/link.c | 4 +++-
> + 1 file changed, 3 insertions(+), 1 deletion(-)
> +
> +diff --git a/lib/route/link.c b/lib/route/link.c
> +index a73e1db..0bb90a0 100644
> +--- a/lib/route/link.c
> ++++ b/lib/route/link.c
> +@@ -1762,9 +1762,11 @@ void rtnl_link_set_family(struct rtnl_link *link, int family)
> + link->l_family = family;
> + link->ce_mask |= LINK_ATTR_FAMILY;
> +
> +- if (link->l_af_ops)
> ++ if (link->l_af_ops) {
> + af_free(link, link->l_af_ops,
> + link->l_af_data[link->l_af_ops->ao_family], NULL);
> ++ link->l_af_data[link->l_af_ops->ao_family] = NULL;
> ++ }
> +
> + link->l_af_ops = af_lookup_and_alloc(link, family);
> + }
> +--
> +1.8.4
> +
> diff --git a/meta/recipes-support/libnl/libnl_3.2.22.bb b/meta/recipes-support/libnl/libnl_3.2.22.bb
> index 30f85b2..3c31b1a 100644
> --- a/meta/recipes-support/libnl/libnl_3.2.22.bb
> +++ b/meta/recipes-support/libnl/libnl_3.2.22.bb
> @@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
> SRC_URI = "http://www.infradead.org/~tgr/${BPN}/files/${BP}.tar.gz \
> file://fix-pktloc_syntax_h-race.patch \
> file://fix-pc-file.patch \
> - file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch"
> + file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch \
> + file://0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch \
> + "
>
> SRC_URI[md5sum] = "2e1c889494d274aca24ce5f6a748e66e"
> SRC_URI[sha256sum] = "c7c5f267dfeae0c1a530bf96b71fb7c8dbbb07d54beef49b6712d8d6166f629b"
>
More information about the Openembedded-core
mailing list