[FS#4070] netifd: potential use-after-free bug?

OpenWrt Bugs openwrt-bugs at lists.openwrt.org
Thu Oct 7 18:15:16 PDT 2021


THIS IS AN AUTOMATED MESSAGE, DO NOT REPLY.

A new Flyspray task has been opened.  Details are below. 

User who did this - Chris Nisbet (ChrisNisbet01) 

Attached to Project - OpenWrt/LEDE Project
Summary - netifd: potential use-after-free bug?
Task Type - Bug Report
Category - Base system
Status - Unconfirmed
Assigned To - 
Operating System - All
Severity - Low
Priority - Very Low
Reported Version - Trunk
Due in Version - Undecided
Due Date - Undecided
Details - While investigating an issue with an older version of netifd I came upon what appears to be a use-after free bug in the latest version of netifd (commit id: 448ffc15) in interfaces.c::interface_proto_event_cb() when handling the IFPEV_DOWN event.

Within this case there is a call to interface_handle_config_change(iface)

	case IFPEV_DOWN:
		if (iface->state == IFS_DOWN)
			return;

		netifd_log_message(L_NOTICE, "Interface '%s' is now down\n", iface->name);
		mark_interface_down(iface);
		if (iface->main_dev.dev)
			device_release(&iface->main_dev);
		if (iface->l3_dev.dev)
			device_remove_user(&iface->l3_dev);
		interface_handle_config_change(iface);
		break;


, which will free 'iface' if iface->config_state == IFC_REMOVE.


	case IFC_REMOVE:
		interface_do_free(iface);
		return;


'iface' will be invalid if this happens.

However, after this call is made the code will drop to the bottom of interface_proto_event_cb() and call

	interface_write_resolv_conf(iface->jail);

with the potentially invalid 'iface' pointer.

I haven't investigated to see if it's actually possible for iface to be in the correct state to be freed when handling this event, but it certainly looks like it has the potential to be a bug. I thought it might be wise to alert somebody to this issue. If it's 'impossible' for iface to be freed at this point, perhaps it'd be worth at least adding a comment to that effect.
Regards



More information can be found at the following URL:
https://bugs.openwrt.org/index.php?do=details&task_id=4070

You are receiving this message because you have requested it from the Flyspray bugtracking system.  If you did not expect this message or don't want to receive mails in future, you can change your notification settings at the URL shown above.



More information about the openwrt-bugs mailing list