diff options
author | Junling Zheng <zhengjunling@huawei.com> | 2015-06-07 07:52:19 +0000 |
---|---|---|
committer | Richard Purdie <richard.purdie@linuxfoundation.org> | 2015-06-11 23:59:14 +0100 |
commit | 47c4e763fb1bb6cdad229240e7a6996be1434135 (patch) | |
tree | 1a04798c1e3cf3db5a3585d318a00da9b08f34ff | |
parent | 7ab1ae677c5c2430acb879dee32a3bf313e61ab7 (diff) | |
download | poky-47c4e763fb1bb6cdad229240e7a6996be1434135.tar.gz |
busybox: fix double free error for ifconfig
This patch backports a commit from upstream to fix a potential double
free error when executing ifconfig circularly:
http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345.
Thanks to Chen Gang for reporting and analyzing this bug.
(From OE-Core rev: 66ec540dad77052bc2c1da3a87f875547600efad)
Signed-off-by: Junling Zheng <zhengjunling@huawei.com>
Signed-off-by: Chen Gang <cg.chen@huawei.com>
Signed-off-by: Ross Burton <ross.burton@intel.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
3 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch new file mode 100644 index 0000000000..2d729b1b05 --- /dev/null +++ b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch | |||
@@ -0,0 +1,67 @@ | |||
1 | From a97777889328157bb7d06ec618bad16712a9c345 Mon Sep 17 00:00:00 2001 | ||
2 | From: Denys Vlasenko <vda.linux@googlemail.com> | ||
3 | Date: Tue, 3 Feb 2015 12:11:30 +0100 | ||
4 | Subject: [PATCH] ifconfig: fix double free fatal error in INET_sprint | ||
5 | |||
6 | Derived from: | ||
7 | http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345. | ||
8 | |||
9 | While INET_sprint or INET6_sprint is called circularly by keeping | ||
10 | ifconfiging, sap->sa_family would be cleaned by other parallel processes | ||
11 | such as dhclient sometimes, and then there would be a double free error | ||
12 | like the following: | ||
13 | |||
14 | *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 *** | ||
15 | ======= Backtrace: ========= | ||
16 | /lib/libc.so.6(+0x6bc84)[0x40133c84] | ||
17 | /lib/libc.so.6(cfree+0x94)[0x40138684] | ||
18 | ifconfig[0x1c460] | ||
19 | ifconfig[0x1c6a0] | ||
20 | ifconfig[0x1ccf4] | ||
21 | ifconfig[0x187c8] | ||
22 | ifconfig[0xd544] | ||
23 | ifconfig[0xd5dc] | ||
24 | ifconfig[0xdca8] | ||
25 | /lib/libc.so.6(__libc_start_main+0x110)[0x400df258] | ||
26 | ======= Memory map: ======== | ||
27 | 00008000-0009c000 r-xp 00000000 1f:05 444328 /bin/busybox | ||
28 | 000a3000-000a4000 rw-p 00093000 1f:05 444328 /bin/busybox | ||
29 | |||
30 | This patch moved free() two lines down to address this problem. | ||
31 | |||
32 | Upstream-Status: Backport | ||
33 | |||
34 | Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com> | ||
35 | --- | ||
36 | networking/interface.c | 4 ++-- | ||
37 | 1 file changed, 2 insertions(+), 2 deletions(-) | ||
38 | |||
39 | diff --git a/networking/interface.c b/networking/interface.c | ||
40 | index bf7d2b1..b0572d0 100644 | ||
41 | --- a/networking/interface.c | ||
42 | +++ b/networking/interface.c | ||
43 | @@ -91,9 +91,9 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric) | ||
44 | { | ||
45 | static char *buff; /* defaults to NULL */ | ||
46 | |||
47 | - free(buff); | ||
48 | if (sap->sa_family == 0xFFFF || sap->sa_family == 0) | ||
49 | return "[NONE SET]"; | ||
50 | + free(buff); | ||
51 | buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00); | ||
52 | return buff; | ||
53 | } | ||
54 | @@ -173,9 +173,9 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric) | ||
55 | { | ||
56 | static char *buff; | ||
57 | |||
58 | - free(buff); | ||
59 | if (sap->sa_family == 0xFFFF || sap->sa_family == 0) | ||
60 | return "[NONE SET]"; | ||
61 | + free(buff); | ||
62 | buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric); | ||
63 | return buff; | ||
64 | } | ||
65 | -- | ||
66 | 1.8.3.4 | ||
67 | |||
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb index b1b90327dd..f7bf8e2544 100644 --- a/meta/recipes-core/busybox/busybox_1.23.2.bb +++ b/meta/recipes-core/busybox/busybox_1.23.2.bb | |||
@@ -30,6 +30,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \ | |||
30 | file://login-utilities.cfg \ | 30 | file://login-utilities.cfg \ |
31 | file://recognize_connmand.patch \ | 31 | file://recognize_connmand.patch \ |
32 | file://busybox-cross-menuconfig.patch \ | 32 | file://busybox-cross-menuconfig.patch \ |
33 | file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \ | ||
33 | " | 34 | " |
34 | 35 | ||
35 | SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73" | 36 | SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73" |
diff --git a/meta/recipes-core/busybox/busybox_git.bb b/meta/recipes-core/busybox/busybox_git.bb index cee5b9171d..675e56afd0 100644 --- a/meta/recipes-core/busybox/busybox_git.bb +++ b/meta/recipes-core/busybox/busybox_git.bb | |||
@@ -36,6 +36,7 @@ SRC_URI = "git://busybox.net/busybox.git \ | |||
36 | file://login-utilities.cfg \ | 36 | file://login-utilities.cfg \ |
37 | file://recognize_connmand.patch \ | 37 | file://recognize_connmand.patch \ |
38 | file://busybox-cross-menuconfig.patch \ | 38 | file://busybox-cross-menuconfig.patch \ |
39 | file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \ | ||
39 | " | 40 | " |
40 | 41 | ||
41 | EXTRA_OEMAKE += "V=1 ARCH=${TARGET_ARCH} CROSS_COMPILE=${TARGET_PREFIX} SKIP_STRIP=y" | 42 | EXTRA_OEMAKE += "V=1 ARCH=${TARGET_ARCH} CROSS_COMPILE=${TARGET_PREFIX} SKIP_STRIP=y" |