From af53d7a178da3bf398fddb2ae3fffca63ed701bc Mon Sep 17 00:00:00 2001 From: guoshichao Date: Mon, 19 Jun 2023 17:52:39 +0800 Subject: [PATCH] libs/libc/aio/lio_listio: fix the heap use-after-free bug 1. the lio_sigsetup() method use a universal sighand instance across all aiocb instances, but inside the lio_sighandler() method, if one aiocb is handle finished, then this method will free the sighand instance that come along with current aiocb instance. thus when handle next aiocb instance, use-after-free crash will happen. in order to solve this problem, we make each aiocb instance have their own sighand instance 2. make the lio_listio implementation can pass the ltp/open_posix_testsuite/lio_listio testcases 3. the modification are referred to https://pubs.opengroup.org/onlinepubs/9699919799/functions/lio_listio.html Signed-off-by: guoshichao --- libs/libc/aio/lio_listio.c | 83 ++++++++++++++++++++------------------ 1 file changed, 44 insertions(+), 39 deletions(-) diff --git a/libs/libc/aio/lio_listio.c b/libs/libc/aio/lio_listio.c index ae1b2f4d13..d54e5e2526 100644 --- a/libs/libc/aio/lio_listio.c +++ b/libs/libc/aio/lio_listio.c @@ -215,55 +215,25 @@ static int lio_sigsetup(FAR struct aiocb * const *list, int nent, FAR struct sigevent *sig) { FAR struct aiocb *aiocbp; - FAR struct lio_sighand_s *sighand; + struct lio_sighand_s sighand; sigset_t set; struct sigaction act; int status; int i; - /* Allocate a structure to pass data to the signal handler */ - - sighand = lib_zalloc(sizeof(struct lio_sighand_s)); - if (!sighand) - { - ferr("ERROR: lib_zalloc failed\n"); - return -ENOMEM; - } - /* Initialize the allocated structure */ - sighand->list = list; - sighand->sig = *sig; - sighand->nent = nent; - sighand->pid = _SCHED_GETPID(); - - /* Save this structure as the private data attached to each aiocb */ - - for (i = 0; i < nent; i++) - { - /* Skip over NULL entries in the list */ - - aiocbp = list[i]; - if (aiocbp) - { - FAR void *priv = NULL; - - /* Check if I/O is pending for this entry */ - - if (aiocbp->aio_result == -EINPROGRESS) - { - priv = (FAR void *)sighand; - } - - aiocbp->aio_priv = priv; - } - } + memset(&sighand, 0, sizeof(struct lio_sighand_s)); + sighand.list = list; + sighand.sig = *sig; + sighand.nent = nent; + sighand.pid = _SCHED_GETPID(); /* Make sure that SIGPOLL is not blocked */ sigemptyset(&set); sigaddset(&set, SIGPOLL); - status = sigprocmask(SIG_UNBLOCK, &set, &sighand->oprocmask); + status = sigprocmask(SIG_UNBLOCK, &set, &sighand.oprocmask); if (status != OK) { int errcode = get_errno(); @@ -282,7 +252,7 @@ static int lio_sigsetup(FAR struct aiocb * const *list, int nent, sigfillset(&act.sa_mask); sigdelset(&act.sa_mask, SIGPOLL); - status = sigaction(SIGPOLL, &act, &sighand->oact); + status = sigaction(SIGPOLL, &act, &sighand.oact); if (status != OK) { int errcode = get_errno(); @@ -293,6 +263,36 @@ static int lio_sigsetup(FAR struct aiocb * const *list, int nent, return -errcode; } + /* Save this structure as the private data attached to each aiocb */ + + for (i = 0; i < nent; i++) + { + /* Skip over NULL entries in the list */ + + aiocbp = list[i]; + if (aiocbp) + { + FAR void *priv = NULL; + + /* Check if I/O is pending for this entry */ + + if (aiocbp->aio_result == -EINPROGRESS) + { + priv = lib_zalloc(sizeof(struct lio_sighand_s)); + if (!priv) + { + ferr("ERROR: lib_zalloc failed\n"); + return -ENOMEM; + } + + memcpy(priv, (FAR void *)&sighand, + sizeof(struct lio_sighand_s)); + } + + aiocbp->aio_priv = priv; + } + } + return OK; } @@ -517,7 +517,12 @@ int lio_listio(int mode, FAR struct aiocb * const list[], int nent, int ret; int i; - DEBUGASSERT(mode == LIO_WAIT || mode == LIO_NOWAIT); + if (mode != LIO_WAIT && mode != LIO_NOWAIT) + { + set_errno(EINVAL); + return ERROR; + } + DEBUGASSERT(list); nqueued = 0; /* No I/O operations yet queued */