summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJunling Zheng <zhengjunling@huawei.com>2015-06-07 07:52:19 +0000
committerRichard Purdie <richard.purdie@linuxfoundation.org>2015-06-11 23:59:14 +0100
commit47c4e763fb1bb6cdad229240e7a6996be1434135 (patch)
tree1a04798c1e3cf3db5a3585d318a00da9b08f34ff
parent7ab1ae677c5c2430acb879dee32a3bf313e61ab7 (diff)
downloadpoky-47c4e763fb1bb6cdad229240e7a6996be1434135.tar.gz
busybox: fix double free error for ifconfig
This patch backports a commit from upstream to fix a potential double free error when executing ifconfig circularly: http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345. Thanks to Chen Gang for reporting and analyzing this bug. (From OE-Core rev: 66ec540dad77052bc2c1da3a87f875547600efad) Signed-off-by: Junling Zheng <zhengjunling@huawei.com> Signed-off-by: Chen Gang <cg.chen@huawei.com> Signed-off-by: Ross Burton <ross.burton@intel.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
-rw-r--r--meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch67
-rw-r--r--meta/recipes-core/busybox/busybox_1.23.2.bb1
-rw-r--r--meta/recipes-core/busybox/busybox_git.bb1
3 files changed, 69 insertions, 0 deletions
diff --git a/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch
new file mode 100644
index 0000000000..2d729b1b05
--- /dev/null
+++ b/meta/recipes-core/busybox/busybox/0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch
@@ -0,0 +1,67 @@
1From a97777889328157bb7d06ec618bad16712a9c345 Mon Sep 17 00:00:00 2001
2From: Denys Vlasenko <vda.linux@googlemail.com>
3Date: Tue, 3 Feb 2015 12:11:30 +0100
4Subject: [PATCH] ifconfig: fix double free fatal error in INET_sprint
5
6Derived from:
7http://git.busybox.net/busybox/commit/?id=a97777889328157bb7d06ec618bad16712a9c345.
8
9While INET_sprint or INET6_sprint is called circularly by keeping
10ifconfiging, sap->sa_family would be cleaned by other parallel processes
11such as dhclient sometimes, and then there would be a double free error
12like the following:
13
14 *** glibc detected *** ifconfig: double free or corruption (fasttop): 0x000a6008 ***
15 ======= Backtrace: =========
16 /lib/libc.so.6(+0x6bc84)[0x40133c84]
17 /lib/libc.so.6(cfree+0x94)[0x40138684]
18 ifconfig[0x1c460]
19 ifconfig[0x1c6a0]
20 ifconfig[0x1ccf4]
21 ifconfig[0x187c8]
22 ifconfig[0xd544]
23 ifconfig[0xd5dc]
24 ifconfig[0xdca8]
25 /lib/libc.so.6(__libc_start_main+0x110)[0x400df258]
26 ======= Memory map: ========
27 00008000-0009c000 r-xp 00000000 1f:05 444328 /bin/busybox
28 000a3000-000a4000 rw-p 00093000 1f:05 444328 /bin/busybox
29
30This patch moved free() two lines down to address this problem.
31
32Upstream-Status: Backport
33
34Signed-off-by: Denys Vlasenko <vda.linux@googlemail.com>
35---
36 networking/interface.c | 4 ++--
37 1 file changed, 2 insertions(+), 2 deletions(-)
38
39diff --git a/networking/interface.c b/networking/interface.c
40index bf7d2b1..b0572d0 100644
41--- a/networking/interface.c
42+++ b/networking/interface.c
43@@ -91,9 +91,9 @@ static const char* FAST_FUNC INET_sprint(struct sockaddr *sap, int numeric)
44 {
45 static char *buff; /* defaults to NULL */
46
47- free(buff);
48 if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
49 return "[NONE SET]";
50+ free(buff);
51 buff = INET_rresolve((struct sockaddr_in *) sap, numeric, 0xffffff00);
52 return buff;
53 }
54@@ -173,9 +173,9 @@ static const char* FAST_FUNC INET6_sprint(struct sockaddr *sap, int numeric)
55 {
56 static char *buff;
57
58- free(buff);
59 if (sap->sa_family == 0xFFFF || sap->sa_family == 0)
60 return "[NONE SET]";
61+ free(buff);
62 buff = INET6_rresolve((struct sockaddr_in6 *) sap, numeric);
63 return buff;
64 }
65--
661.8.3.4
67
diff --git a/meta/recipes-core/busybox/busybox_1.23.2.bb b/meta/recipes-core/busybox/busybox_1.23.2.bb
index b1b90327dd..f7bf8e2544 100644
--- a/meta/recipes-core/busybox/busybox_1.23.2.bb
+++ b/meta/recipes-core/busybox/busybox_1.23.2.bb
@@ -30,6 +30,7 @@ SRC_URI = "http://www.busybox.net/downloads/busybox-${PV}.tar.bz2;name=tarball \
30 file://login-utilities.cfg \ 30 file://login-utilities.cfg \
31 file://recognize_connmand.patch \ 31 file://recognize_connmand.patch \
32 file://busybox-cross-menuconfig.patch \ 32 file://busybox-cross-menuconfig.patch \
33 file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
33" 34"
34 35
35SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73" 36SRC_URI[tarball.md5sum] = "7925683d7dd105aabe9b6b618d48cc73"
diff --git a/meta/recipes-core/busybox/busybox_git.bb b/meta/recipes-core/busybox/busybox_git.bb
index cee5b9171d..675e56afd0 100644
--- a/meta/recipes-core/busybox/busybox_git.bb
+++ b/meta/recipes-core/busybox/busybox_git.bb
@@ -36,6 +36,7 @@ SRC_URI = "git://busybox.net/busybox.git \
36 file://login-utilities.cfg \ 36 file://login-utilities.cfg \
37 file://recognize_connmand.patch \ 37 file://recognize_connmand.patch \
38 file://busybox-cross-menuconfig.patch \ 38 file://busybox-cross-menuconfig.patch \
39 file://0001-ifconfig-fix-double-free-fatal-error-in-INET_sprint.patch \
39" 40"
40 41
41EXTRA_OEMAKE += "V=1 ARCH=${TARGET_ARCH} CROSS_COMPILE=${TARGET_PREFIX} SKIP_STRIP=y" 42EXTRA_OEMAKE += "V=1 ARCH=${TARGET_ARCH} CROSS_COMPILE=${TARGET_PREFIX} SKIP_STRIP=y"