Description
It is possible to crash rpcd through the uci set method.
To trigger it, set a non-empty list option to an empty string and then perform any other operation on the same section,
for example changing the value of any other option in it.
The bug is not fixed on the latest version(s) of rpcd/uci.
Successfully reproduced on OpenWrt release 19.07 (VirtualBox).
The bug can be reproduced on any device since it is not hardware dependent.
Steps to reproduce
On a clean (post-firstboot) OpenWrt 19.07 release, run:
ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}'
After that rpcd may crash.
Since the bug does not reproduce 100% of the time, you can run a command such as the following in a loop to catch the crash (it restores the stock firewall config, issues the set call, and then checks whether rpcd is still running):
cp /rom/etc/config/firewall /etc/config/firewall && ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}' && ps | grep rpcd
Technical cause
When any value is assigned to a list option in UCI via rpcd, rpcd first deletes the list and then sets the provided value.
Because the provided value is an empty string, the set step tries to delete the option once more. As the option has already been deleted, this second delete should be a no-op.
However, because the flags in the uci_ptr were not cleared after the call to uci_delete, uci_set "thinks" the option still exists and tries to delete it.
Since the option pointer is now NULL, uci_expand_ptr resolves the pointer to the section instead of the option, so the local representation of the section is freed.
Any subsequent operation on the same section may then crash rpcd, because it operates on freed memory (a use-after-free).
Proposed fix
Clear the uci_ptr flags for the list after the call to uci_delete in rpc_uci_merge_set.
Please see attached patch.
Also consider clearing the ptr flags inside uci_delete itself, at the point where it sets the section/option pointer of the local representation to NULL.
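The following is an added example, not code from rpcd or libuci: a small C model of the stale-lookup-flag problem described under "Technical cause" and of the fix proposed above. The names (struct ptr, expand_ptr, del, set_value, merge_set, run_scenario) are hypothetical stand-ins for uci_ptr, uci_expand_ptr, uci_delete, uci_set and rpc_uci_merge_set, and the lookup logic follows the report's description rather than libuci's actual source. Objects are marked freed instead of being free()d so that the demonstration stays well-defined and can be inspected afterwards.

```c
/* Added example (hypothetical model, not rpcd/libuci code): how a cached
 * lookup flag that survives a delete turns a no-op into freeing the parent. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum { LOOKUP_DONE = 1 << 0, LOOKUP_COMPLETE = 1 << 1 };

struct option  { const char *name; bool is_list; bool freed; };
struct section { const char *name; struct option *opt; bool freed; };

/* Shape of a uci_ptr: cached lookup result plus "already looked up" flags. */
struct ptr {
    int flags;
    struct section *s;
    struct option *o;
    const char *option;  /* option name the caller asked for */
    void *last;          /* element the lookup resolved to */
};

/* First call performs the lookup and sets the flags. Later calls trust the
 * flags and only recompute `last` from whatever s/o hold right now, so a
 * NULL o silently makes the section the target. */
static void expand_ptr(struct ptr *p)
{
    if (!(p->flags & LOOKUP_DONE)) {
        p->flags |= LOOKUP_DONE;
        p->o = NULL;
        if (p->s && p->s->opt && !p->s->opt->freed &&
            strcmp(p->s->opt->name, p->option) == 0)
            p->o = p->s->opt;
        if (p->o)
            p->flags |= LOOKUP_COMPLETE;
    }
    p->last = p->o ? (void *)p->o : (void *)p->s;
}

/* Model of uci_delete: frees the resolved element and NULLs the pointer it
 * consumed. Returns the element it freed, or NULL if nothing was found. */
static void *del(struct ptr *p, bool clear_flags_after)
{
    void *victim;

    expand_ptr(p);
    if (!(p->flags & LOOKUP_COMPLETE))
        return NULL;
    victim = p->last;
    if (!victim)
        return NULL;
    if (victim == (void *)p->o) {
        p->o->freed = true;
        p->o = NULL;
    } else if (victim == (void *)p->s) {
        p->s->freed = true;
        p->s = NULL;
    }
    if (clear_flags_after)
        p->flags = 0;   /* proposed fix: force a fresh lookup next time */
    return victim;
}

/* Model of uci_set: an empty value means "delete the option if it exists". */
static void *set_value(struct ptr *p, const char *value, bool fixed)
{
    expand_ptr(p);
    if (value[0] == '\0')
        return del(p, fixed);
    return NULL;  /* real assignment omitted; not relevant to the bug */
}

/* Model of rpc_uci_merge_set for a list option: delete the list, then set
 * the new value. Returns whatever the second step freed. */
static void *merge_set(struct ptr *p, const char *value, bool fixed)
{
    expand_ptr(p);
    if (p->o && p->o->is_list)
        del(p, fixed);
    return set_value(p, value, fixed);
}

/* The report's scenario: list option "network" of a zone section set to "".
 * Returns 2 if the section was freed, 1 for the option, 0 for nothing. */
static int scenario(bool fixed, bool *section_usable)
{
    struct option network = { "network", true, false };   /* constructed */
    struct section zone   = { "cfg02dc81", &network, false };
    struct ptr p = { 0, &zone, NULL, "network", NULL };
    void *freed = merge_set(&p, "", fixed);

    *section_usable = !zone.freed;   /* the "next operation on the section" */
    if (freed == (void *)&zone) return 2;
    if (freed == (void *)&network) return 1;
    return 0;
}

const char *run_scenario(bool fixed)
{
    bool unused;
    switch (scenario(fixed, &unused)) {
    case 2:  return "section";
    case 1:  return "option";
    default: return "nothing";
    }
}

bool section_usable_after(bool fixed)
{
    bool usable;
    scenario(fixed, &usable);
    return usable;
}

int main(void)
{
    printf("buggy: second step freed: %s, section usable: %s\n",
           run_scenario(false), section_usable_after(false) ? "yes" : "no");
    printf("fixed: second step freed: %s, section usable: %s\n",
           run_scenario(true), section_usable_after(true) ? "yes" : "no");
    return 0;
}
```

With the flags left set, the second delete passes the "lookup complete" check even though the option pointer is NULL, and the section becomes the victim; with the flags cleared after the first delete, the second lookup finds no option and the empty-string set is ignored, which is the behaviour the report expects.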
olegio170:
The root cause of this bug is the same as for bug #3126:
https://bugs.openwrt.org/index.php?do=details&task_id=3126