From 7691f5c4a87d5fbc0f48fa96bba70b4ab9b52c65 Mon Sep 17 00:00:00 2001 From: yangjiaqi Date: Thu, 25 Nov 2021 14:45:12 +0800 Subject: [PATCH 07/17] set-null-after-free --- src/cgroup_fuse.c | 26 +++++++++++++++++++++----- src/cgroups/cgfsng.c | 5 ++++- src/cgroups/cgroup_utils.c | 4 +++- src/lxcfs.c | 4 ++++ src/memory_utils.h | 4 +++- src/proc_loadavg.c | 5 ++++- 6 files changed, 39 insertions(+), 9 deletions(-) diff --git a/src/cgroup_fuse.c b/src/cgroup_fuse.c index 5c22fd1..b396bbc 100644 --- a/src/cgroup_fuse.c +++ b/src/cgroup_fuse.c @@ -179,7 +179,7 @@ static bool is_child_cgroup(const char *controller, const char *cgroup, static bool caller_may_see_dir(pid_t pid, const char *contrl, const char *cg) { bool answer = false; - char *c2, *task_cg; + char *c2 = NULL, *task_cg = NULL; size_t target_len, task_len; if (strcmp(cg, "/") == 0 || strcmp(cg, "./") == 0) @@ -221,6 +221,7 @@ static bool caller_may_see_dir(pid_t pid, const char *contrl, const char *cg) out: free(c2); + c2 = NULL; return answer; } @@ -260,8 +261,8 @@ static char *get_next_cgroup_dir(const char *taskcg, const char *querycg) static bool caller_is_in_ancestor(pid_t pid, const char *contrl, const char *cg, char **nextcg) { bool answer = false; - char *c2; - char *linecmp; + char *c2 = NULL; + char *linecmp = NULL; c2 = get_pid_cgroup_handle_named(pid, contrl); if (!c2) @@ -291,6 +292,7 @@ static bool caller_is_in_ancestor(pid_t pid, const char *contrl, const char *cg, out: free(c2); + c2 = NULL; return answer; } @@ -612,6 +614,7 @@ __lxcfs_fuse_ops int cg_getattr(const char *path, struct stat *sb) out: free(cgdir); + cgdir = NULL; return ret; } @@ -734,7 +737,9 @@ __lxcfs_fuse_ops int cg_mkdir(const char *path, mode_t mode) out: free(cgdir); + cgdir = NULL; free(next); + next = NULL; return ret; } @@ -869,7 +874,9 @@ __lxcfs_fuse_ops int cg_rmdir(const char *path) out: free(cgdir); + cgdir = NULL; free(next); + next = NULL; return ret; } 
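Review bot: The `c2 = NULL;` added after `free(c2);` at `out:` in caller_may_see_dir is a store to a local that goes out of scope on the next line (`return answer;`), so it cannot stop a later use-after-free or double free, and an optimising compiler is free to drop it. The part of this change that can matter is the `= NULL` initialiser on the declarations, which makes `free(c2)` safe if any path reaches `out:` before `c2` is assigned (those paths are outside the hunk). The same assign-then-return pattern is repeated at `out:` in caller_is_in_ancestor, cg_getattr, cg_mkdir, cg_rmdir, cg_chmod, cg_chown, cg_open, cg_read and cg_access, on the socketpair error path of do_read_pids, and at the end of main and refresh_load. Where clearing is wanted, the tree's own helper reads better than two statements, `free_disarm(c2);`, as free_string_list in memory_utils.h already does; whether that header is included in this file is not visible here.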
@@ -958,6 +965,7 @@ __lxcfs_fuse_ops int cg_chmod(const char *path, mode_t mode) out: free_key(k); free(cgdir); + cgdir = NULL; return ret; } @@ -1067,7 +1075,7 @@ __lxcfs_fuse_ops int cg_chown(const char *path, uid_t uid, gid_t gid) out: free_key(k); free(cgdir); - + cgdir = NULL; return ret; } @@ -1139,6 +1147,7 @@ __lxcfs_fuse_ops int cg_open(const char *path, struct fuse_file_info *fi) out: free(cgdir); + cgdir = NULL; return ret; } @@ -1280,6 +1289,7 @@ static bool do_read_pids(pid_t tpid, const char *contrl, const char *cg, if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sock) < 0) { perror("socketpair"); free(tmpdata); + tmpdata = NULL; return false; } @@ -1331,6 +1341,7 @@ next: out: free(tmpdata); + tmpdata = NULL; if (cpid != -1) wait_for_pid(cpid); if (sock[0] != -1) { @@ -1408,6 +1419,7 @@ __lxcfs_fuse_ops int cg_read(const char *path, char *buf, size_t size, out: free(data); + data = NULL; return ret; } @@ -1989,6 +2001,7 @@ __lxcfs_fuse_ops int cg_readdir(const char *path, void *buf, if (nextcg) { ret = DIR_FILLER(filler, buf, nextcg, NULL, 0); free(nextcg); + nextcg = NULL; if (ret != 0) { ret = -EIO; goto out; @@ -2024,8 +2037,10 @@ __lxcfs_fuse_ops int cg_readdir(const char *path, void *buf, out: free_keys(list); if (clist) { - for (i = 0; clist[i]; i++) + for (i = 0; clist[i]; i++) { free(clist[i]); + clist[i] = NULL; + } free(clist); } return ret; @@ -2095,5 +2110,6 @@ __lxcfs_fuse_ops int cg_access(const char *path, int mode) out: free(cgdir); + cgdir = NULL; return ret; } diff --git a/src/cgroups/cgfsng.c b/src/cgroups/cgfsng.c index 3eb4227..781923c 100644 --- a/src/cgroups/cgfsng.c +++ b/src/cgroups/cgfsng.c @@ -875,7 +875,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops) prune_init_scope(base_cgroup); if (type == CGROUP2_SUPER_MAGIC) { - char *cgv2_ctrl_path; + char *cgv2_ctrl_path = NULL; cgv2_ctrl_path = must_make_path(mountpoint, base_cgroup, "cgroup.controllers", 
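Review bot: In the `out:` block of cg_readdir, the added `clist[i] = NULL;` writes into an array that `free(clist);` releases immediately after the loop, so the cleared slots are never observable. The only pointer that outlives the loop is `clist`, and the function returns straight after freeing it. The loop can stay as the original single statement, `for (i = 0; clist[i]; i++) free(clist[i]);`, without losing any protection. The same element-clearing just before the container is freed appears in free_string_list (memory_utils.h) and in the `err_out:` loop of refresh_load (proc_loadavg.c). cg_readdir's body starts outside this hunk.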
@@ -883,6 +883,7 @@ static int cg_hybrid_init(struct cgroup_ops *ops) controller_list = cg_unified_get_controllers(cgv2_ctrl_path); free(cgv2_ctrl_path); + cgv2_ctrl_path = NULL; if (!controller_list) controller_list = cg_unified_make_empty_controller(); } @@ -897,7 +898,9 @@ static int cg_hybrid_init(struct cgroup_ops *ops) next: free_string_list(controller_list); free(mountpoint); + mountpoint = NULL; free(base_cgroup); + base_cgroup = NULL; } free_string_list(klist); diff --git a/src/cgroups/cgroup_utils.c b/src/cgroups/cgroup_utils.c index 1224971..d32a520 100644 --- a/src/cgroups/cgroup_utils.c +++ b/src/cgroups/cgroup_utils.c @@ -701,7 +701,7 @@ bool mkdir_p(const char *dir, mode_t mode) { const char *tmp = dir; const char *orig = dir; - char *makeme; + char *makeme = NULL; do { dir = tmp + strspn(tmp, "/"); @@ -713,9 +713,11 @@ bool mkdir_p(const char *dir, mode_t mode) lxcfs_error("Failed to create directory '%s': %s.\n", makeme, strerror(errno)); free(makeme); + makeme = NULL; return false; } free(makeme); + makeme = NULL; } while(tmp != dir); return true; diff --git a/src/lxcfs.c b/src/lxcfs.c index e24ebed..361ce71 100644 --- a/src/lxcfs.c +++ b/src/lxcfs.c @@ -1237,10 +1237,12 @@ int main(int argc, char *argv[]) if (append_comma_separate(&new_fuse_opts, token)) { lxcfs_error("Failed to copy fuse argument \"%s\"", token); free(dup); + dup = NULL; goto out; } } free(dup); + dup = NULL; } if (append_comma_separate(&new_fuse_opts, "allow_other,entry_timeout=0.5,attr_timeout=0.5")) { @@ -1306,7 +1308,9 @@ out: if (pidfile) unlink(pidfile); free(new_fuse_opts); + new_fuse_opts = NULL; free(opts); + opts = NULL; close_prot_errno_disarm(pidfile_fd); exit(ret); } diff --git a/src/memory_utils.h b/src/memory_utils.h index c689c8e..a7e4a58 100644 --- a/src/memory_utils.h +++ b/src/memory_utils.h 
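Review bot: At `next:` in cg_hybrid_init, `mountpoint` and `base_cgroup` are now cleared after being freed, but `controller_list` is not. free_string_list() takes `char **list` by value, so the `free_disarm(list)` inside it (memory_utils.h hunk) only affects the callee's copy and the caller's pointer still refers to freed memory. This block appears to close a loop body, so if `controller_list` is declared outside the loop or read before it is reassigned on the next pass (neither is visible here), it is stale. Adding `controller_list = NULL;` after the call would treat all three variables the same way. The enclosing loop starts outside the hunk.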
@@ -67,8 +67,10 @@ static inline void free_disarm_function(void *ptr) static inline void free_string_list(char **list) { if (list) { - for (int i = 0; list[i]; i++) + for (int i = 0; list[i]; i++) { free(list[i]); + list[i] = NULL; + } free_disarm(list); } } diff --git a/src/proc_loadavg.c b/src/proc_loadavg.c index 5f9bec7..c8daf35 100644 --- a/src/proc_loadavg.c +++ b/src/proc_loadavg.c @@ -436,10 +436,13 @@ static int refresh_load(struct load_node *p, const char *path) p->last_pid = last_pid; err_out: - for (; i > 0; i--) + for (; i > 0; i--) { free(idbuf[i - 1]); + idbuf[i - 1] = NULL; + } out: free(idbuf); + idbuf = NULL; return sum; } -- 2.27.0