From patchwork Wed Mar 11 19:08:29 2020
X-Patchwork-Submitter: Lev Stipakov
X-Patchwork-Id: 1039
From: Lev Stipakov
To: openvpn-devel@lists.sourceforge.net
Cc: Lev Stipakov
Date: Thu, 12 Mar 2020 08:08:29 +0200
Message-Id: <20200312060829.19468-1-lstipakov@gmail.com>
Subject: [Openvpn-devel] [PATCH] tun.c: fix "use after free" error

From: Lev Stipakov

Commit 509c45f has factored out code blocks of open_tun() into separate functions and introduced a "use after free" bug:

Variable "device_guid" is allocated inside tun_open_device() function and used outside of it. Allocation happens with local gc_arena, which is freed at the end of tun_open_device(), making further access to "device_guid" invalid.

Fix by ensuring that gc_arena scope covers all access to "device_guid".

Signed-off-by: Lev Stipakov
Acked-by: Simon Rozman
--- src/openvpn/tun.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/src/openvpn/tun.c b/src/openvpn/tun.c index 42193d97..c976055e 100644 --- a/src/openvpn/tun.c +++ b/src/openvpn/tun.c @@ -6226,12 +6226,11 @@ tun_try_open_device(struct tuntap *tt, const char *device_guid, const struct dev } static void -tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid) +tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_guid, struct gc_arena *gc) { - struct gc_arena gc = gc_new(); - const struct tap_reg *tap_reg = get_tap_reg(&gc); - const struct panel_reg *panel_reg = get_panel_reg(&gc); - const struct device_instance_id_interface *device_instance_id_interface = get_device_instance_id_interface(&gc); + const struct tap_reg *tap_reg = get_tap_reg(gc); + const struct panel_reg *panel_reg = get_panel_reg(gc); + const struct device_instance_id_interface *device_instance_id_interface = get_device_instance_id_interface(gc); char actual_buffer[256]; at_least_one_tap_win(tap_reg); 
@@ -6244,7 +6243,7 @@ tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_gui enum windows_driver_type windows_driver = WINDOWS_DRIVER_UNSPECIFIED; /* Get the device GUID for the device specified with --dev-node. */ - *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), &windows_driver, tap_reg, panel_reg, &gc); + *device_guid = get_device_guid(dev_node, actual_buffer, sizeof(actual_buffer), &windows_driver, tap_reg, panel_reg, gc); if (!*device_guid) { @@ -6276,7 +6275,7 @@ tun_open_device(struct tuntap *tt, const char *dev_node, const char **device_gui tap_reg, panel_reg, &windows_driver, - &gc); + gc); if (!*device_guid) { @@ -6304,8 +6303,6 @@ next: msg(M_INFO, "%s device [%s] opened", print_windows_driver(tt->windows_driver), tt->actual_name); tt->adapter_index = get_adapter_index(*device_guid); - - gc_free(&gc); } static void @@ -6411,13 +6408,16 @@ open_tun(const char *dev, const char *dev_type, const char *dev_node, struct tun msg(M_FATAL|M_NOPREFIX, "Unknown virtual device type: '%s'", dev); } - tun_open_device(tt, dev_node, &device_guid); + struct gc_arena gc = gc_new(); /* used also for device_guid allocation */ + tun_open_device(tt, dev_node, &device_guid, &gc); if (tt->windows_driver == WINDOWS_DRIVER_TAP_WINDOWS6) { tuntap_post_open(tt, device_guid); } + gc_free(&gc); + /*netcmd_semaphore_release ();*/ }
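
Review bot: the new `struct gc_arena *gc` parameter of tun_open_device() (first hunk, at -6226) carries a lifetime contract that is not documented anywhere in the hunk: `*device_guid` is now valid only until the caller frees `gc`. A short comment above the function saying that the returned GUID is allocated from the caller's arena and must not outlive it would keep a later refactor from reintroducing the same dangling pointer. The same hunk also moves `tap_reg`, `panel_reg` and `device_instance_id_interface` into the caller's arena, so those lists now stay allocated until open_tun() calls gc_free(); if that longer lifetime is not wanted, keep a local arena for the lists and use the passed-in `gc` only for the calls that produce `*device_guid`.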
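
Review bot: in the open_tun() hunk (at -6411), `struct gc_arena gc = gc_new();` is declared in the middle of the function body, after the `msg(M_FATAL|M_NOPREFIX, ...)` block, which makes the arena's scope easy to overlook. Declaring it with the other locals at the top of open_tun(), or wrapping the tun_open_device() / tuntap_post_open() / gc_free() sequence in its own block, would make the pairing of gc_new() and gc_free() explicit. After `gc_free(&gc);` the local `device_guid` still points at freed memory; the visible lines do not use it again, but setting it to NULL there, or noting in the comment that gc_free() must stay the last user, guards against code added below it later.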