[FS#3528] rpcd may crash during list set (Attachment added)

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Wed Dec 23 11:03:09 EST 2020


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - olegio170 (olegio170) 

Attached to Project - OpenWrt/LEDE Project
Summary - rpcd may crash during list set
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - The root cause of this bug is the same as for bug #3126:
https://bugs.openwrt.org/index.php?do=details&task_id=3126

**Description**  
It is possible to crash rpcd using uci set method. 
To do so, set a non-empty list to an empty string and then perform any other operation on the same section.
For example, change the value of any other option.

The bug is not fixed in the latest version(s) of rpcd/uci.
Successfully reproduced on OpenWrt release 19.07 (VirtualBox).
The bug can be reproduced on any device since it is not hardware dependent.

**Steps to reproduce**  
On a clean (after firstboot) OpenWrt release 19.07, run:

ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}'
After that rpcd may crash.

Since the bug does not reproduce 100% of the time, you can run the following command in a loop to catch the crash:
cp /rom/etc/config/firewall /etc/config/firewall && ubus call uci set '{"config":"firewall","section":"cfg02dc81","type":"zone","values":{"network":"","name":"iptv"}}' && ps | grep rpcd

**Technical cause**  
If we set any value on a list in UCI via rpcd, it deletes the list first and then sets the provided value.
Since we provide an empty string, it tries to delete this section once more. As it is already deleted, this should be ignored.
However, because the flags in ptr were not cleared after the call to uci_delete, uci_set "thinks" that the option exists and tries to delete it.
Since the pointer to the option is null, uci_expand_ptr returns the pointer to the section instead of the option, so the local section representation is freed.
Any subsequent operation on the same section may crash rpcd, because we end up in a use-after-free situation.

**Proposed fix**  
Clear the uci_ptr flags for the list after the call to uci_delete in rpc_uci_merge_set.
Please see attached patch.

Also, consider clearing the ptr flags in uci_delete along with setting the pointer to the local representation of the section/option to null.
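A simplified C model of the interaction described under "Technical cause" and "Proposed fix", added here as an illustration; it is not rpcd or libuci code, and its structs and functions are reduced stand-ins named after the real ones (UCI_LOOKUP_COMPLETE, uci_expand_ptr, uci_delete, uci_set, rpc_uci_merge_set). It shows the stale flag turning the second delete into a section delete, and how clearing the flag after the first delete keeps the section intact.

```c
#include <stddef.h>

#define UCI_LOOKUP_COMPLETE 0x1   /* real flag name; the bit value is the model's */

struct section { int freed; int has_list; };  /* one section holding one list option */

struct uci_ptr {
    struct section *s;  /* section the lookup resolved to */
    int *o;             /* non-NULL while the option is believed to exist */
    void *last;         /* element a delete acts on, chosen by expand_ptr */
    unsigned flags;
    const char *value;
};

/* Stand-in for uci_expand_ptr: with no option pointer it falls back to the section. */
static void expand_ptr(struct uci_ptr *p) {
    p->last = p->o ? (void *)p->o : (void *)p->s;
}

/* Stand-in for uci_delete: removes whatever `last` points at and clears only the
 * matching pointer. The flags are deliberately left untouched, as the report describes. */
static void model_delete(struct uci_ptr *p) {
    expand_ptr(p);
    if (p->last == (void *)p->o) { p->s->has_list = 0; p->o = NULL; }
    else                         { p->s->freed = 1; p->s = NULL; }
}

/* Stand-in for uci_set with an empty value: delete only if the lookup found something. */
static void model_set(struct uci_ptr *p) {
    if (p->value[0] != '\0')
        return;                               /* non-empty values are not modelled */
    if (!(p->flags & UCI_LOOKUP_COMPLETE))
        return;                               /* nonexistent option: ignored */
    model_delete(p);                          /* stale flag: this now deletes the section */
}

/* Stand-in for the rpc_uci_merge_set path that overwrites a list option with a scalar.
 * Returns 1 if the section survived, 0 if it was freed (the use-after-free setup). */
int merge_set_list_option(const char *value, int clear_flags_after_delete) {
    struct section sec = { 0, 1 };
    int list_option = 1;
    struct uci_ptr p = { &sec, &list_option, NULL, UCI_LOOKUP_COMPLETE, value };
    model_delete(&p);                         /* the list is deleted first */
    if (clear_flags_after_delete)
        p.flags &= ~UCI_LOOKUP_COMPLETE;      /* the proposed fix */
    model_set(&p);
    return !sec.freed;
}
```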

One or more files have been attached.

More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=3528

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.
