
fix invalid pointer dereference banned_cpumask_from_ui

The memory behind cpu_ban_string was released in the sock_handle function,
so a later use of banned_cpumask_from_ui dereferences freed memory.

Fix this issue by delaying the release of that memory.

Reproduce:
echo "settings cpus 0-3" | nc -U `find /var/run/irqbalance/ -name *sock`

Signed-off-by: Weiping Zhang <zhangweiping@didiglobal.com>
Weiping Zhang committed Nov 8, 2019
1 parent 4577d31 commit 6c350eb9af2e36c40f4c1f2122e4b5b270c011b2
Showing with 24 additions and 4 deletions.
  1. +6 −1 cputree.c
  2. +18 −3 irqbalance.c
@@ -39,6 +39,7 @@
#include "irqbalance.h"

extern char *banned_cpumask_from_ui;
extern char *cpu_ban_string;

GList *cpus;
GList *cache_domains;
@@ -104,9 +105,13 @@ static void setup_banned_cpus(void)
cpus_clear(nohz_full);

/* A manually specified cpumask overrides auto-detection. */
if (banned_cpumask_from_ui != NULL) {
if (cpu_ban_string != NULL && banned_cpumask_from_ui != NULL) {
cpulist_parse(banned_cpumask_from_ui,
strlen(banned_cpumask_from_ui), banned_cpus);
/* release it safety, it was allocated in sock_handle */
free(cpu_ban_string);
cpu_ban_string = NULL;
banned_cpumask_from_ui = NULL;
goto out;
}
if (getenv("IRQBALANCE_BANNED_CPUS")) {
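Review bot: Clearing `banned_cpumask_from_ui` right after `cpulist_parse()` means the mask sent over the socket is applied to one run of setup_banned_cpus() only; on any later run this branch is skipped and the function falls through to `IRQBALANCE_BANNED_CPUS` or auto-detection, which contradicts the comment above it that a manually specified cpumask overrides auto-detection. If this function is called again on later rescans (the callers are outside the hunk, so this is inferred), the operator's setting is silently lost. Consider keeping the parsed mask in a separate persistent cpumask and copying it into `banned_cpus` here, or at least documenting the behaviour, e.g. `/* one-shot: the UI mask is consumed here and not re-applied on the next rescan */`. The added comment would also read better as `/* safe to release now: allocated in sock_handle(), banned_cpumask_from_ui points into it */`. setup_banned_cpus() continues outside the hunk.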
@@ -65,6 +65,7 @@ int sleep_interval = SLEEP_INTERVAL;
int last_interval;
GMainLoop *main_loop;

char *cpu_ban_string = NULL;
char *banned_cpumask_from_ui = NULL;

static void sleep_approx(int seconds)
@@ -469,7 +470,14 @@ gboolean sock_handle(gint fd, GIOCondition condition, gpointer user_data __attri
free(irq_string);
} else if (!(strncmp(buff + strlen("settings "), "cpus ",
strlen("cpus")))) {
char *cpu_ban_string = malloc(
/*
* if cpu_ban_string has not been consumed,
* just ignore this request.
*/
if (cpu_ban_string != NULL)
goto out_close;

cpu_ban_string = malloc(
sizeof(char) * (recv_size - strlen("settings cpus ")));

if (!cpu_ban_string)
@@ -479,9 +487,16 @@ gboolean sock_handle(gint fd, GIOCondition condition, gpointer user_data __attri
banned_cpumask_from_ui = strtok(cpu_ban_string, " ");
if (!strncmp(banned_cpumask_from_ui, "NULL", strlen("NULL"))) {
banned_cpumask_from_ui = NULL;
free(cpu_ban_string);
cpu_ban_string = NULL;;
} else {
/*
* don't free cpu_ban_string at here, it will be
* released after we have store it to @banned_cpus
* in setup_banned_cpus function.
*/
need_rescan = 1;
}
need_rescan = 1;
free(cpu_ban_string);
}
}
if (!strncmp(buff, "setup", strlen("setup"))) {
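Review bot: `strtok(cpu_ban_string, " ")` returns NULL when the text after `settings cpus ` is empty or only spaces, and the next line passes that result straight to `strncmp()`, so a request on the control socket can still make the daemon dereference a null pointer. Folding the check into the existing branch handles it and frees the buffer: `if (!banned_cpumask_from_ui || !strncmp(banned_cpumask_from_ui, "NULL", strlen("NULL"))) {`. As far as the rendered page shows, `need_rescan = 1` now sits only in the `else` branch, so sending `NULL` to clear the ban no longer triggers a rescan; if that is not intended, set it after the if/else. The allocation size `recv_size - strlen("settings cpus ")` is not checked to be positive in the visible lines, while the prefix test compares only `strlen("cpus")` bytes, so a length check before `malloc()` would be worth adding. sock_handle() starts and ends outside these hunks.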
