Add upstream patch for an invalid read bug

2020-10-13 11:11:22 +02:00 · 2020-10-13 11:11:22 +02:00 · 511e6ce6d4
parent 1ab9d3859f
commit 511e6ce6d4
2 changed files with 45 additions and 1 deletions
--- a/0002-hooklib-Proper-freeing-of-backtrace.patch
+++ b/0002-hooklib-Proper-freeing-of-backtrace.patch
@ -0,0 +1,40 @@
+From 5fa7b1f84fb02ca5dcf50d27f4bc14563c1918f6 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Mat=C4=9Bj=20Grabovsk=C3=BD?= <mgrabovs@redhat.com>
+Date: Mon, 12 Oct 2020 19:14:03 +0200
+Subject: [PATCH] hooklib: Proper freeing of backtrace
+
+Improper bracing caused the bt variable to be freed every time in every
+iteration no matter what. This would then lead to an invalid (freed)
+pointer being returned by the function.
+
+The mistake was made in 1f2963b0 and reported by Jeff Law.
+---
+ src/lib/hooklib.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/lib/hooklib.c b/src/lib/hooklib.c
+index 56b77bc3..fc2a6a00 100644
+--- a/src/lib/hooklib.c
+++ b/src/lib/hooklib.c
+@@ -361,13 +361,17 @@ char *abrt_get_backtrace(struct dump_dir *dd, unsigned timeout_sec, const char *
+ 
+         bt_depth /= 2;
+         if (bt)
+        {
+             log_warning("Backtrace is too big (%u bytes), reducing depth to %u",
+                         (unsigned)strlen(bt), bt_depth);
+        }
+         else
+        {
+             /* (NB: in fact, current impl. of exec_vp() never returns NULL) */
+             log_warning("Failed to generate backtrace, reducing depth to %u",
+                         bt_depth);
+-            free(bt);
+            g_clear_pointer(&bt, free);
+        }
+ 
+         /* Replace -ex disassemble (which disasms entire function $pc points to)
+          * to a version which analyzes limited, small patch of code around $pc.
+-- 
+2.26.2
+
--- a/abrt.spec
+++ b/abrt.spec
@ -49,12 +49,13 @@
 Summary: Automatic bug detection and reporting tool
 Name: abrt
 Version: 2.14.4
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: GPLv2+
 URL: https://abrt.readthedocs.org/
 Source: https://github.com/abrt/%{name}/archive/%{version}/%{name}-%{version}.tar.gz

 Patch0: 0001-hooklib-Don-t-g_autofree-backtrace.patch
+Patch1: 0002-hooklib-Proper-freeing-of-backtrace.patch

 BuildRequires: git-core
 BuildRequires: %{dbus_devel}
@ -1010,6 +1011,9 @@ killall abrt-dbus >/dev/null 2>&1 || :
 %config(noreplace) %{_sysconfdir}/profile.d/abrt-console-notification.sh

 %changelog
+* Tue Oct 13 2020 Matěj Grabovský <mgrabovs@redhat.com> - 2.14.4-3
+- Add upstream patch for an invalid read bug
+
 * Thu Sep 24 2020 Matěj Grabovský <mgrabovs@redhat.com> - 2.14.4-2
 - Add fix for https://bugzilla.redhat.com/show_bug.cgi?id=1881745