[libhilti] Fix use-after-free on container timers

On map/set/list/vector entry insertion, a timer is created and its ref_cnt = 1 but after the GC_DTOR, the timer is unreferenced and ref_cnt = 0 When a safepoint is done, __hlt_memory_nullbuffer_flush is executed and a free is done on the timer address whereas it does not necessary expire yet. Then when the timer expires, it manipule a pointer that contains bad value (used by another malloc of the program) that produce unexcepted behaviour (segfault). I removed the DC_DTOR, it should be unreferenced only after its expiration and it is the case in the __hlt_timer_fire function. TODO: check if timers are well deleted on container clear or when a entry is deleted.
FrozenCaribou · Jun 24, 2016 · a6f7434 · a6f7434
1 parent 5cf9395
commit a6f7434
Show file tree

Hide file tree

Showing 3 changed files with 0 additions and 4 deletions.
diff --git a/libhilti/list.c b/libhilti/list.c
@@ -152,7 +152,6 @@ static __hlt_list_node* _make_node(hlt_list* l, void *val, hlt_exception** excpt
         GC_CCTOR(cookie, hlt_iterator_list, ctx);
         n->timer = __hlt_timer_new_list(cookie, excpt, ctx);
         hlt_timer_mgr_schedule(l->tmgr, t, n->timer, excpt, ctx);
-        GC_DTOR(n->timer, hlt_timer, ctx); // Not memory-managed on our end.
     }
 
     else

diff --git a/libhilti/map_set.c b/libhilti/map_set.c
@@ -419,7 +419,6 @@ void hlt_map_insert(hlt_map* m, const hlt_type_info* tkey, void* key, const hlt_
             kh_value(m, i).timer = __hlt_timer_new_map(cookie, excpt, ctx);
             hlt_time t = hlt_timer_mgr_current(m->tmgr, excpt, ctx) + m->timeout;
             hlt_timer_mgr_schedule(m->tmgr, t, kh_value(m, i).timer, excpt, ctx);
-            GC_DTOR(kh_value(m, i).timer, hlt_timer, ctx); // Not memory-managed on our end.
         }
         else
             kh_value(m, i).timer = 0;
@@ -812,7 +811,6 @@ void hlt_set_insert(hlt_set* m, const hlt_type_info* tkey, void* key, hlt_except
             kh_value(m, i) = __hlt_timer_new_set(cookie, excpt, ctx);
             hlt_interval t = hlt_timer_mgr_current(m->tmgr, excpt, ctx) + m->timeout;
             hlt_timer_mgr_schedule(m->tmgr, t, kh_value(m, i), excpt, ctx);
-            GC_DTOR(kh_value(m, i), hlt_timer, ctx); // Not memory-managed on our end.
         }
         else
             kh_value(m, i) = 0;

diff --git a/libhilti/vector.c b/libhilti/vector.c
@@ -99,7 +99,6 @@ static inline void _set_entry(hlt_vector* v, hlt_vector_idx i, void *val, int dt
         v->timers[i] = __hlt_timer_new_vector(cookie, excpt, ctx); // Not memory-managed on our end.
         hlt_time t = hlt_timer_mgr_current(v->tmgr, excpt, ctx) + v->timeout;
         hlt_timer_mgr_schedule(v->tmgr, t, v->timers[i], excpt, ctx);
-        GC_DTOR(v->timers[i], hlt_timer, ctx); // Not memory-managed on our end.
     }
 }