pagekitec: add patch to fix use after free leading to segfault #24982
Conversation
| --- a/libpagekite/pkproto.c | ||
| +++ b/libpagekite/pkproto.c |
There was a problem hiding this comment.
This patch is part of upstream repository or it was sent to upstream?
There was a problem hiding this comment.
Not yet part of upstream, but I made a PR: pagekite/libpagekite#79
But as it is a total dealbreaker for pagekite remote maintainance when it hits (and it does for example on Rpi 3), I had to fix it for my builds immediately and independently of the upstream integration timeline, and decided sharing the openwrt level patch makes sense.
There was a problem hiding this comment.
Could you backport the patch from this url: https://patch-diff.githubusercontent.com/raw/pagekite/libpagekite/pull/79.patch ? I just added .patch to the URL and keep the patch as it is? I mean, it adds Git header to this current situation. The Git header includes important details like who created the patch, who does those changes, commit subject, commit description, etc?
There was a problem hiding this comment.
Hi @BKPepe, I just updated the PR so that the patch within does contain the git headers.
Originally I created the patch using quilt configured as recommended for the "preferred format", apparently this is out of sync with current recommended format. Of course it makes total sense to have the context in the patch itself and not only in the metapatch.
Observation: - programs using libpagekitec did crash with SIGSEGV on startup on RPi3,4 while having worked fine for years on RPi1+2 Explantation: - the final "judgement" test were done on pointers into the `copy` buffer freed on line 766 instead of on the safe copies of those strings in `kite` and `kite_r`. - this opened a very short race condition window, however the crash was caught happening while a tight loop (`pkb_start_blockers`) fired up 16 of those threads in rapid succession. So probably if the next thread got to allocate memory before the "judgements" tests, accessing the just freed `copy` would cause a segfault. Fix: - check the safe copies of the strings instead of pointers into freed `copy`. Signed-off-by: Lukas Zeller <luz@plan44.ch>
plan44
force-pushed
the
PR/pagekitec-fix-use-after-free
branch
from
ad5d77c
to
ed379e5
Compare
Maintainer: Karl Palsson karlp@tweak.net.au
Compile tested: bcm27xx, Rpi3, 22.03.7
Run tested: bcm27xx, Rpi3, 22.03.7
Observation:
Explantation:
copybuffer freed on line 766 instead of on the safe copies of those strings inkiteandkite_r.pkb_start_blockers) fired up 16 of those threads in rapid succession. So probably if the next thread got to allocate memory before the "judgements" tests, accessing the just freedcopywould cause a segfault.Fix:
copy.