libnl: Fix random segfaults due to memory corruption

This is a backport from upstream fixes a severe problem w.r.t memory management, where it would result in random segfaults in applications depending on libnl (From OE-Core rev: c3fb18aac0de49dc3113296699d95be298d98140) Signed-off-by: Khem Raj <raj.khem@gmail.com> Signed-off-by: Robert Yang <liezhi.yang@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Khem Raj <raj.khem@gmail.com> 2013-11-11 20:15:53 -0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2013-12-12 17:00:15 +0000
commit: 75cf26a02f72357533c42ceddbb24daa1d45185f (patch)
tree: 066877af7ded6ab74477bbe6145ad7dcca2459eb /meta
parent: ff80e69648d062a3ad2935536cb6683243f8a6c2 (diff)
download: poky-75cf26a02f72357533c42ceddbb24daa1d45185f.tar.gz
2 files changed, 44 insertions, 1 deletions
diff --git a/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
new file mode 100644
index 0000000000..6d2c8ff72d
--- /dev/null
+++ b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
@@ -0,0 +1,41 @@
+From 6f37b439af7e96104aadd8ec3ae8d3882df8d102 Mon Sep 17 00:00:00 2001
+From: Jiri Pirko <jiri@resnulli.us>
+Date: Wed, 21 Aug 2013 14:40:34 +0200
+Subject: [PATCH] fix double free caused by freeing link af_data in
+ rtnl_link_set_family()
+Introduced by commit 8026fe2e3a9089eff3f5a06ee6e3cc78d96334ed ("link:
+Free and realloc af specific data upon rtnl_link_set_family()")
+link->l_af_data[link->l_af_ops->ao_family] is freed here but not set to
+zero. That leads to double free made by link_free_data->do_foreach_af.
+Fix this by setting link->l_af_data[link->l_af_ops->ao_family] to zero
+rigth after free.
+Signed-off-by: Jiri Pirko <jiri@resnulli.us>
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+---
+ lib/route/link.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+diff --git a/lib/route/link.c b/lib/route/link.c
+index a73e1db..0bb90a0 100644
+--- a/lib/route/link.c
+++ b/lib/route/link.c
+@@ -1762,9 +1762,11 @@ void rtnl_link_set_family(struct rtnl_link *link, int family)
+        link->l_family = family;
+        link->ce_mask |= LINK_ATTR_FAMILY;
+ 
+-       if (link->l_af_ops)
+       if (link->l_af_ops) {
+                af_free(link, link->l_af_ops,
+                        link->l_af_data[link->l_af_ops->ao_family], NULL);
+               link->l_af_data[link->l_af_ops->ao_family] = NULL;
+       }
+ 
+        link->l_af_ops = af_lookup_and_alloc(link, family);
+ }
+-- 
+1.8.4
diff --git a/meta/recipes-support/libnl/libnl_3.2.22.bb b/meta/recipes-support/libnl/libnl_3.2.22.bb
index 30f85b2995..3c31b1ac86 100644
--- a/meta/recipes-support/libnl/libnl_3.2.22.bb
+++ b/meta/recipes-support/libnl/libnl_3.2.22.bb
@@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
 SRC_URI = "http://www.infradead.org/~tgr/${BPN}/files/${BP}.tar.gz \
           file://fix-pktloc_syntax_h-race.patch \
           file://fix-pc-file.patch \
-           file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch"
+           file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch \
+           file://0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch \
+          "
 SRC_URI[md5sum] = "2e1c889494d274aca24ce5f6a748e66e"
 SRC_URI[sha256sum] = "c7c5f267dfeae0c1a530bf96b71fb7c8dbbb07d54beef49b6712d8d6166f629b"
author	Khem Raj <raj.khem@gmail.com>	2013-11-11 20:15:53 -0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2013-12-12 17:00:15 +0000
commit	75cf26a02f72357533c42ceddbb24daa1d45185f (patch)
tree	066877af7ded6ab74477bbe6145ad7dcca2459eb /meta
parent	ff80e69648d062a3ad2935536cb6683243f8a6c2 (diff)
download	poky-75cf26a02f72357533c42ceddbb24daa1d45185f.tar.gz

diff --git a/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch new file mode 100644 index 0000000000..6d2c8ff72d --- /dev/null +++ b/meta/recipes-support/libnl/libnl/0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch
@@ -0,0 +1,41 @@
		1	From 6f37b439af7e96104aadd8ec3ae8d3882df8d102 Mon Sep 17 00:00:00 2001
		2	From: Jiri Pirko <jiri@resnulli.us>
		3	Date: Wed, 21 Aug 2013 14:40:34 +0200
		4	Subject: [PATCH] fix double free caused by freeing link af_data in
		5	rtnl_link_set_family()
		6
		7	Introduced by commit 8026fe2e3a9089eff3f5a06ee6e3cc78d96334ed ("link:
		8	Free and realloc af specific data upon rtnl_link_set_family()")
		9
		10	link->l_af_data[link->l_af_ops->ao_family] is freed here but not set to
		11	zero. That leads to double free made by link_free_data->do_foreach_af.
		12
		13	Fix this by setting link->l_af_data[link->l_af_ops->ao_family] to zero
		14	rigth after free.
		15
		16	Signed-off-by: Jiri Pirko <jiri@resnulli.us>
		17	Signed-off-by: Thomas Graf <tgraf@suug.ch>
		18	---
		19	lib/route/link.c \| 4 +++-
		20	1 file changed, 3 insertions(+), 1 deletion(-)
		21
		22	diff --git a/lib/route/link.c b/lib/route/link.c
		23	index a73e1db..0bb90a0 100644
		24	--- a/lib/route/link.c
		25	+++ b/lib/route/link.c
		26	@@ -1762,9 +1762,11 @@ void rtnl_link_set_family(struct rtnl_link *link, int family)
		27	link->l_family = family;
		28	link->ce_mask \|= LINK_ATTR_FAMILY;
		29
		30	- if (link->l_af_ops)
		31	+ if (link->l_af_ops) {
		32	af_free(link, link->l_af_ops,
		33	link->l_af_data[link->l_af_ops->ao_family], NULL);
		34	+ link->l_af_data[link->l_af_ops->ao_family] = NULL;
		35	+ }
		36
		37	link->l_af_ops = af_lookup_and_alloc(link, family);
		38	}
		39	--
		40	1.8.4
		41


diff --git a/meta/recipes-support/libnl/libnl_3.2.22.bb b/meta/recipes-support/libnl/libnl_3.2.22.bb index 30f85b2995..3c31b1ac86 100644 --- a/meta/recipes-support/libnl/libnl_3.2.22.bb +++ b/meta/recipes-support/libnl/libnl_3.2.22.bb
@@ -12,7 +12,9 @@ DEPENDS = "flex-native bison-native"
12	SRC_URI = "http://www.infradead.org/~tgr/${BPN}/files/${BP}.tar.gz \	12	SRC_URI = "http://www.infradead.org/~tgr/${BPN}/files/${BP}.tar.gz \
13	file://fix-pktloc_syntax_h-race.patch \	13	file://fix-pktloc_syntax_h-race.patch \
14	file://fix-pc-file.patch \	14	file://fix-pc-file.patch \
15	file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch"	15	file://fix-lib-cache_mngr.c-two-parentheses-bugs.patch \
		16	file://0001-fix-double-free-caused-by-freeing-link-af_data-in-rt.patch \
		17	"
16		18
17	SRC_URI[md5sum] = "2e1c889494d274aca24ce5f6a748e66e"	19	SRC_URI[md5sum] = "2e1c889494d274aca24ce5f6a748e66e"
18	SRC_URI[sha256sum] = "c7c5f267dfeae0c1a530bf96b71fb7c8dbbb07d54beef49b6712d8d6166f629b"	20	SRC_URI[sha256sum] = "c7c5f267dfeae0c1a530bf96b71fb7c8dbbb07d54beef49b6712d8d6166f629b"