diff --git a/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch b/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch
new file mode 100644
index 0000000..4370350
--- /dev/null
+++ b/0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch
@@ -0,0 +1,52 @@
+From 26e33b1984cce3549df170f58f8221201ad54cfd Mon Sep 17 00:00:00 2001
+From: Alexey Tikhonov
+Date: Tue, 7 Jan 2020 16:29:05 +0100
+Subject: [PATCH] util/sss_ptr_hash: fixed double free in
+ sss_ptr_hash_delete_cb()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Calling data->callback(value->ptr) in sss_ptr_hash_delete_cb() could lead
+to freeing of value->ptr and thus to destruction of value->spy that is
+attached to value->ptr.
+In turn sss_ptr_hash_spy_destructor() calls sss_ptr_hash_delete() ->
+hash_delete() -> sss_ptr_hash_delete_cb() again and in this recursive
+execution hash entry was actually deleted and value was freed.
+When stack was unwound back to "first" sss_ptr_hash_delete_cb() it tried
+to free value again => double free.
+
+To prevent this bug value and hence spy are now freed before execution of
+data->callback(value->ptr).
+
+Resolves: https://pagure.io/SSSD/sssd/issue/4135
+
+Reviewed-by: Pavel Březina
+---
+ src/util/sss_ptr_hash.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/src/util/sss_ptr_hash.c b/src/util/sss_ptr_hash.c
+index c7403ffa6..8f9762cb9 100644
+--- a/src/util/sss_ptr_hash.c
++++ b/src/util/sss_ptr_hash.c
+@@ -154,13 +154,13 @@ sss_ptr_hash_delete_cb(hash_entry_t *item,
+ callback_entry.value.type = HASH_VALUE_PTR;
+ callback_entry.value.ptr = value->ptr;
++ /* Free value, this also will disable spy */
++ talloc_free(value);
++
+ /* Switch to the input value and call custom callback. */
+ if (data->callback != NULL) {
+ data->callback(&callback_entry, deltype, data->pvt);
+ }
+-
+- /* Free value. */
+- talloc_free(value);
+ }
+
+ hash_table_t *sss_ptr_hash_create(TALLOC_CTX *mem_ctx,
+--
+2.20.1
+
diff --git a/sssd.spec b/sssd.spec
index ede046f..2ad3d15 100644
--- a/sssd.spec
+++ b/sssd.spec
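Review bot: After the moved `talloc_free(value)` the dhash entry itself (`item->value.ptr`) still points at the freed `struct sss_ptr_hash_value` for the whole duration of `data->callback()`, because — as the commit message's own recursion trace shows — the entry is only unlinked after the delete callback returns; a callback that looks up, deletes or iterates the same table would now hit freed memory where it previously triggered the double free. The hunk closes the double free but leaves that narrower use-after-free window open, and only the callback contract can close it, so it should be stated at the call site, e.g. replace the new comment with `/* Free value (and its spy) before the callback; the table entry still references the freed value until hash_delete() unlinks it, so the callback must not touch this table. */`. Whether `sss_ptr_hash_lookup()` validates the stored pointer before dereferencing it is not visible here and should be confirmed against that path. The enclosing `sss_ptr_hash_delete_cb()` begins before the hunk (its signature and the `callback_entry.key` assignment are outside this view).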
@@ -36,7 +36,7 @@
 Name: sssd
 Version: 2.2.3
-Release: 6%{?dist}
+Release: 7%{?dist}
 Summary: System Security Services Daemon
 License: GPLv3+
 URL: https://pagure.io/SSSD/sssd/
@@ -52,6 +52,7 @@ Patch0006: 0006-util-watchdog-fixed-watchdog-implementation.patch
 Patch0007: 0007-providers-krb5-got-rid-of-unused-code.patch
 Patch0008: 0008-data_provider_be-got-rid-of-duplicating-SIGTERM-hand.patch
 Patch0009: 0009-util-server-improved-debug-at-shutdown.patch
+Patch0010: 0010-util-sss_ptr_hash-fixed-double-free-in-sss_ptr_hash_.patch
 ### Downstream only patches ###
 Patch0502: 0502-SYSTEMD-Use-capabilities.patch
@@ -1080,6 +1081,9 @@ fi
 %{_libdir}/%{name}/modules/libwbclient.so
 %changelog
+* Wed Feb 26 2020 Michal Židek - 2.2.3-7
+- Resolves: upstream#4135 - util/sss_ptr_hash.c: potential double free in
+ `sss_ptr_hash_delete_cb()`
 * Wed Feb 26 2020 Michal Židek - 2.2.3-6
 - Resolves: upstream#4088 - server/be: SIGTERM handling is incorrect