OpenWrt/LEDE Project

  • Status Unconfirmed
  • Percent Complete 0%
  • Task Type Bug Report
  • Category Base system
  • Assigned To No-one
  • Operating System All
  • Severity Low
  • Priority Very Low
  • Reported Version Trunk
  • Due in Version Undecided
  • Due Date Undecided
  • Private
Attached to Project: OpenWrt/LEDE Project
Opened by olegio170 - 23.12.2020

FS#3528 - rpcd may crash during list set

The root cause of this bug is the same as for bug #3126:
https://bugs.openwrt.org/index.php?do=details&task_id=3126

Description
It is possible to crash rpcd using the uci set method.
To trigger it, set a non-empty list option to an empty string and then perform any other operation on the same section,
for example changing the value of any other option.

The bug is not fixed on the latest version(s) of rpcd/uci.
Successfully reproduced on OpenWrt release 19.07 (VirtualBox).
The bug can be reproduced on any device since it is not hardware dependent.

Steps to reproduce
On a clean (freshly first-booted) OpenWrt 19.07 release, run:

ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}'

After that rpcd may crash.

Since the bug does not reproduce every time, you can run a command like the following in a loop until the crash occurs.

cp /rom/etc/config/firewall /etc/config/firewall && ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}' && ps | grep rpcd

Technical cause
When any value is set on a list option in UCI through rpcd, rpcd first deletes the list and then sets the provided value.
Since the provided value is an empty string, uci_set tries to delete it once more. As it is already deleted, this should be ignored.
However, because the flags in the uci_ptr were not cleared after the call to uci_delete, uci_set "thinks" the option still exists and tries to delete it.
Since the option pointer is NULL, uci_expand_ptr returns the pointer to the section instead of the option, so the local section representation is freed.
Any subsequent operation on the same section may then crash rpcd, because it runs into a use-after-free.

Proposed fix
Clear the uci_ptr flags for the list after the call to uci_delete in rpc_uci_merge_set.
Please see attached patch.

Also, consider clearing the ptr flags inside uci_delete itself, alongside setting the local section/option pointer to NULL.
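The following is an added, deliberately simplified model of the failure sequence described under "Technical cause" and of the fix proposed above; it is not libuci or rpcd code, and every struct and function name in it (model_ptr, model_lookup, model_delete, model_set, model_merge_set, model_scenario, the LOOKUP_COMPLETE flag) is invented for illustration. Instead of calling free(), it records which object the second delete would have freed, so it can be run safely and shows why a lookup flag that survives uci_delete turns a harmless repeated delete into freeing the section:

```c
#include <stdio.h>
#include <string.h>

/* Model of a "lookup resolved to an existing option" flag (hypothetical name). */
#define LOOKUP_COMPLETE 0x1

struct model_option  { const char *name; const char *value; int is_list; int alive; };
struct model_section { const char *name; struct model_option opt; int alive; };

/* Model of a uci_ptr: cached result of resolving section.option. */
struct model_ptr {
    struct model_section *s;
    struct model_option  *o;      /* NULL once the option has been deleted */
    const char           *option; /* option name the caller asked for */
    unsigned              flags;
};

enum freed_kind { FREED_NOTHING = 0, FREED_OPTION = 1, FREED_SECTION = 2 };

/* Resolve a (section, option) path and cache the result in ptr. */
static void model_lookup(struct model_section *s, const char *option, struct model_ptr *ptr)
{
    memset(ptr, 0, sizeof(*ptr));
    ptr->s = s;
    ptr->option = option;
    if (s->opt.alive && strcmp(s->opt.name, option) == 0) {
        ptr->o = &s->opt;
        ptr->flags |= LOOKUP_COMPLETE;   /* "the option exists" */
    }
}

/* Model of uci_expand_ptr: with no option pointer the target is the section itself. */
static enum freed_kind model_target(const struct model_ptr *ptr)
{
    return ptr->o ? FREED_OPTION : FREED_SECTION;
}

/* Model of uci_delete: "frees" whatever the pointer resolves to and drops the
 * option pointer, but, as in the bug, leaves ptr->flags untouched. */
static enum freed_kind model_delete(struct model_ptr *ptr)
{
    enum freed_kind k = model_target(ptr);
    if (k == FREED_OPTION)
        ptr->o->alive = 0;      /* stands in for freeing the option */
    else
        ptr->s->alive = 0;      /* stands in for freeing the section */
    ptr->o = NULL;
    return k;
}

/* Model of uci_set: an empty value means "remove the option", and the decision
 * is taken on the cached flag rather than on ptr->o. */
static enum freed_kind model_set(struct model_ptr *ptr, const char *value)
{
    if (value[0] == '\0') {
        if (ptr->flags & LOOKUP_COMPLETE)
            return model_delete(ptr);   /* trusts a possibly stale flag */
        return FREED_NOTHING;           /* nothing to remove */
    }
    if (ptr->o) {
        ptr->o->value = value;
    } else {
        ptr->s->opt.name = ptr->option;
        ptr->s->opt.value = value;
        ptr->s->opt.is_list = 0;
        ptr->s->opt.alive = 1;
    }
    return FREED_NOTHING;
}

/* Model of the rpcd merge step for a list option: drop the old list, then set
 * the new value. With fixed != 0 the cached lookup flag is invalidated in
 * between, which is the proposed fix. */
static enum freed_kind model_merge_set(struct model_section *s, const char *option,
                                       const char *value, int fixed)
{
    struct model_ptr ptr;
    model_lookup(s, option, &ptr);
    if (ptr.o && ptr.o->is_list) {
        model_delete(&ptr);                  /* intended delete of the list */
        if (fixed)
            ptr.flags &= ~LOOKUP_COMPLETE;   /* the pointer no longer names an option */
    }
    return model_set(&ptr, value);           /* second step: here the section dies when the flag is stale */
}

/* The scenario from the report: a non-empty list set to "" in one section.
 * Returns what the second delete freed; *section_alive reports the section's fate.
 * Section and list contents are constructed sample values. */
int model_scenario(int fixed, int *section_alive)
{
    struct model_section zone = { "cfg02dc81", { "network", "lan wan", 1, 1 }, 1 };
    enum freed_kind k = model_merge_set(&zone, "network", "", fixed);
    *section_alive = zone.alive;
    return (int)k;
}

int main(void)
{
    int alive;
    int k = model_scenario(0, &alive);
    printf("unfixed: freed=%d section_alive=%d (2 = section freed, later access is a use-after-free)\n", k, alive);
    k = model_scenario(1, &alive);
    printf("fixed:   freed=%d section_alive=%d\n", k, alive);
    return 0;
}
```

The model keeps only what matters for the bug: the deletion decision in the "set" step is made from a cached flag, not from the live option pointer, so any path that deletes the option without also invalidating the flag leaves the pointer describing an object that no longer exists. Clearing the flag at the point of deletion (the second suggestion above) closes that gap for every caller, not just rpc_uci_merge_set.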
