summaryrefslogtreecommitdiffstats
path: root/src
diff options
context:
space:
mode:
authorFrantisek Sumsal <frantisek@sumsal.cz>2023-05-16 08:18:32 +0200
committerFrantisek Sumsal <frantisek@sumsal.cz>2023-05-16 11:27:10 +0200
commit825210d4e5d52655ff893d600da2d2c8e5c0c8e1 (patch)
tree98ce965eb0b3ed93dbd2e5ec7c4aeca33bef3c2d /src
parentnspawn: file system namespace -> mount namespace (diff)
downloadsystemd-825210d4e5d52655ff893d600da2d2c8e5c0c8e1.tar.xz
systemd-825210d4e5d52655ff893d600da2d2c8e5c0c8e1.zip
nspawn: avoid NULL pointer dereference
When merging the settings we take the pointer to the array of extra devices, but don't reset the array counter to zero. This later leads to a NULL pointer dereference, where device_node_array_free() attempts to loop over a NULL pointer: + systemd-nspawn --oci-bundle=/var/lib/machines/testsuite-13.oci-bundle.Npo ../src/nspawn/nspawn-settings.c:118:29: runtime error: member access within null pointer of type 'struct DeviceNode' #0 0x4b91ee in device_node_array_free ../src/nspawn/nspawn-settings.c:118 #1 0x4ba42a in settings_free ../src/nspawn/nspawn-settings.c:161 #2 0x410b79 in settings_freep ../src/nspawn/nspawn-settings.h:249 #3 0x446ce8 in load_oci_bundle ../src/nspawn/nspawn.c:4733 #4 0x44ff42 in run ../src/nspawn/nspawn.c:5476 #5 0x455296 in main ../src/nspawn/nspawn.c:5919 #6 0x7f0cb7a4a50f in __libc_start_call_main (/lib64/libc.so.6+0x2750f) #7 0x7f0cb7a4a5c8 in __libc_start_main@GLIBC_2.2.5 (/lib64/libc.so.6+0x275c8) #8 0x40d284 in _start (/usr/bin/systemd-nspawn+0x40d284) SUMMARY: UndefinedBehaviorSanitizer: undefined-behavior ../src/nspawn/nspawn-settings.c:118:29 in Also, add an appropriate assert to catch such issues in the future.
Diffstat (limited to 'src')
-rw-r--r--src/nspawn/nspawn-settings.c2
-rw-r--r--src/nspawn/nspawn.c1
2 files changed, 3 insertions, 0 deletions
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
index 7500eabd18..94a4c80ed6 100644
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -114,6 +114,8 @@ static void free_oci_hooks(OciHook *h, size_t n) {
void device_node_array_free(DeviceNode *node, size_t n) {
size_t i;
+ assert(node || n == 0);
+
for (i = 0; i < n; i++)
free(node[i].path);
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 49802d6fdf..5d49e05064 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -4651,6 +4651,7 @@ static int merge_settings(Settings *settings, const char *path) {
device_node_array_free(arg_extra_nodes, arg_n_extra_nodes);
arg_extra_nodes = TAKE_PTR(settings->extra_nodes);
arg_n_extra_nodes = settings->n_extra_nodes;
+ settings->n_extra_nodes = 0;
return 0;
}
generated by cgit v1.2.3 (git 2.39.1) at 2024-11-29 20:28:23 +0100