[OE-core] [PATCH 2/3] busybox: fix double free error for ifconfig

Junling Zheng zhengjunling at huawei.com
Sun Jun 7 07:52:19 UTC 2015 

This patch backports a commit from upstream to fix a potential double
free error when executing ifconfig circularly:
http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345.

Thanks to Chen Gang for reporting and analyzing this bug.

Signed-off-by: Junling Zheng <zhengjunling at huawei.com>
Signed-off-by: Chen Gang <cg.chen at huawei.com>
---
 ...ix-double-free-fatal-error-in-INET_sprint.patch | 67 ++++++++++++++++++++++
 meta/recipes-core/busybox/busybox_1.23.2.bb        |  1 +
 meta/recipes-core/busybox/busybox_git.bb           |  1 +
 3 files changed, 69 insertions(+)
 create mode 100644 meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch

diff --git a/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch
new file mode 100644
index 0000000..2d729b1
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch
@@ -0,0 +1,67 @@
+From a97777889328157bb7d06ec618bad16712a9c345 Mon Sep 17 00:00:00 2001
+From: Denys Vlasenko <vda.linux at googlemail.com>
+Date: Tue, 3 Feb 2015 12:11:30 +0100
+Subject: [PATCH] ifconfig: fix double free fatal error in INET_sprint
+
+Derived from:
+http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345.
+
+While INET_sprint or INET6_sprint is called circularly by keeping
+ifconfiging, sap->sa_family would be cleaned by other parallel processes
+such as dhclient sometimes, and then there would be a double free error
+like the following:
+
+  *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 ***
+  ======= Backtrace: =========
+  /lib/libc.so.6(+0x6bc84)[0x40133c84]
+  /lib/libc.so.6(cfree+0x94)[0x40138684]
+  ifconfig[0x1c460]
+  ifconfig[0x1c6a0]
+  ifconfig[0x1ccf4]
+  ifconfig[0x187c8]
+  ifconfig[0xd544]
+  ifconfig[0xd5dc]
+  ifconfig[0xdca8]
+  /lib/libc.so.6(__libc_start_main+0x110)[0x400df258]
+  ======= Memory map: ========
+  00008000-0009c000 r-xp 00000000 1f:05 444328     /bin/busybox
+  000a3000-000a4000 rw-p 00093000 1f:05 444328     /bin/busybox
+
+This patch moved free() two lines down to address this problem.
+
+Upstream-Status: Backport
+
+Signed-off-by: Denys Vlasenko <vda.linux at googlemail.com>
+---
+ networking/interface.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/networking/interface.c b/networking/interface.c
+index bf7d2b1..b0572d0 100644
+--- a/networking/interface.c
++++ b/networking/interface.c
+@@ -91,9 +91,9 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric)
+ {
+ 	static char *buff; /* defaults to NULL */
+ 
+-	free(buff);
+ 	if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
+ 		return "[NONE SET]";
++	free(buff);
+ 	buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00);
+ 	return buff;
+ }
+@@ -173,9 +173,9 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric)
+ {
+ 	static char *buff;
+ 
+-	free(buff);
+ 	if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
+ 		return "[NONE SET]";
++	free(buff);
+ 	buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric);
+ 	return buff;
+ }
+-- 
+1.8.3.4
+
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb
index b1b9032..f7bf8e2 100644
--- a/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
            file://login-utilities.cfg \
            file://recognize_connmand.patch \
            file://busybox-cross-menuconfig.patch \
+           file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
 "
 
 SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"
diff --git a/meta/recipes-core/busybox/busybox_git.bb b/meta/recipes-core/busybox/busybox_git.bb
index cee5b91..675e56a 100644
--- a/meta/recipes-core/busybox/busybox_git.bb
+++ b/meta/recipes-core/busybox/busybox_git.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://busybox.net/busybox.git \
            file://login-utilities.cfg \
            file://recognize_connmand.patch \
            file://busybox-cross-menuconfig.patch \
+           file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
 "
 
 EXTRA_OEMAKE += "V=1 ARCH=${TARGET_ARCH} CROSS_COMPILE=${TARGET_PREFIX} SKIP_STRIP=y"
-- 
1.8.3.4

More information about the Openembedded-core mailing list