Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FS#3528 - rpcd may crash during list set #8559

Open
openwrt-bot opened this issue Dec 23, 2020 · 0 comments
Open

FS#3528 - rpcd may crash during list set #8559

openwrt-bot opened this issue Dec 23, 2020 · 0 comments
Labels

Comments

@openwrt-bot
Copy link

olegio170:

The root cause of this bug is the same as for bug #3126:
https://bugs.openwrt.org/index.php?do=details&task_id=3126

Description
It is possible to crash rpcd using uci set method.
To do it we need to set a nonempty list to an empty string and make any other operation with the same section.
For example, change the value of any other option.

The bug is not fixed on the latest version(s) of rpcd/uci.
Successfully reproduced on OpenWrt release 19.07 (VirtualBox).
The bug can be reproduced on any device since it is not hardware dependent.

Steps to reproduce
On clean(after firstboot) openwrt release 19.07 run:

ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}}'
After that rpcd may crash.

Since the bug doesn't have 100% reproduce you may use such command in a loop to catch crash.
cp /rom/etc/config/firewall /etc/config/firewall && ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}}' && ps | grep rpcd

Technical cause
If we set any value to list in UCI via rpcd it deletes the list first and then sets the provided value.
Since we provide an empty string it tries to delete this section once more. As it is already deleted it should be ignored.
However, due to the fact that flags in ptr were not cleared after calling to uci_delete, uci_set "think" that option exists and try to delete it.
Since the pointer to option is null uci_expand_ptr returns the pointer to section instead of an option. So that local section representation will be freed.
Any of the next operations on the same section may crash rpcd, because we get into use-after-free situation.

Proposed fix
Add cleaning of uci_ptr flag for the list after calling to uci_delete in rpc_uci_merge_set.
Please see attached patch.

Also, consider clearing ptr flags in uci_delete along with setting ptr to null for the local representation of section/option.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

1 participant