From ed379e54cbbc4851196e708d70fea99295b11570 Mon Sep 17 00:00:00 2001
From: Lukas Zeller
Date: Tue, 17 Sep 2024 14:28:54 +0200
Subject: [PATCH] pagekitec: add patch to fix use after free

Observation:
- programs using libpagekitec did crash with SIGSEGV on startup on RPi3,4 while having worked fine for years on RPi1+2

Explantation:
- the final "judgement" test were done on pointers into the `copy` buffer freed on line 766 instead of on the safe copies of those strings in `kite` and `kite_r`.
- this opened a very short race condition window, however the crash was caught happening while a tight loop (`pkb_start_blockers`) fired up 16 of those threads in rapid succession. So probably if the next thread got to allocate memory before the "judgements" tests, accessing the just freed `copy` would cause a segfault.

Fix:
- check the safe copies of the strings instead of pointers into freed `copy`.

Signed-off-by: Lukas Zeller
---
 net/pagekitec/Makefile | 2 +-
 ...0003-fix-use-after-free-in-pkproto.c.patch | 45 +++++++++++++++++++
 2 files changed, 46 insertions(+), 1 deletion(-)
 create mode 100644 net/pagekitec/patches/0003-fix-use-after-free-in-pkproto.c.patch

diff --git a/net/pagekitec/Makefile b/net/pagekitec/Makefile
index 3da1782ef96b1c..795afdc320282d 100644
--- a/net/pagekitec/Makefile
+++ b/net/pagekitec/Makefile
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 PKG_NAME:=pagekitec
 PKG_REV:=0.91.201110
 PKG_VERSION:=$(PKG_REV)C
-PKG_RELEASE:=2
+PKG_RELEASE:=3
 PKG_LICENSE:=Apache-2.0
 PKG_SOURCE_SUBDIR:=$(PKG_NAME)-$(PKG_VERSION)
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.xz
diff --git a/net/pagekitec/patches/0003-fix-use-after-free-in-pkproto.c.patch b/net/pagekitec/patches/0003-fix-use-after-free-in-pkproto.c.patch
new file mode 100644
index 00000000000000..f1adab0e518490
--- /dev/null
+++ b/net/pagekitec/patches/0003-fix-use-after-free-in-pkproto.c.patch
@@ -0,0 +1,45 @@
+From ef75e4d5e517ed12d6057b2211d401fa1ce84f4a Mon Sep 17 00:00:00 2001
+From: Lukas Zeller
+Date: Tue, 17 Sep 2024 00:53:40 +0200
+Subject: [PATCH] pkproto.c: fix use-after-free that did cause pagekite to
+ SIGSEGV occasionally, with higher probability on faster/multicore systems
+
+Observation:
+- programs using libpagekitec did crash with SIGSEGV on startup on RPi3,4
+ while having worked fine for years on RPi1+2
+
+Explantation:
+- the final "judgement" test were done on pointers into the `copy` buffer
+ freed on line 766 instead of on the safe copies of those strings in `kite`
+ and `kite_r`.
+- this opened a very short race condition window, however the crash was
+ caught happening while a tight loop (`pkb_start_blockers`) fired up 16
+ of those threads in rapid succession.
+ So probably if the next thread got to allocate memory before the
+ "judgements" tests, accessing the just freed `copy` would cause a segfault.
+
+Fix:
+- check the safe copies of the strings instead of pointers into freed `copy`.
+
+Signed-off-by: Lukas Zeller
+---
+ libpagekite/pkproto.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/libpagekite/pkproto.c b/libpagekite/pkproto.c
+index 3d4ccd6..4ee7e0f 100644
+--- a/libpagekite/pkproto.c
++++ b/libpagekite/pkproto.c
+@@ -766,9 +766,9 @@ char *pk_parse_kite_request(
+ free(copy);
+
+ /* Pass judgement */
+- if ('\0' == *public_domain) return pk_err_null(ERR_PARSE_NO_KITENAME);
+- if ('\0' == *bsalt) return pk_err_null(ERR_PARSE_NO_BSALT);
+- if ('\0' == *fsalt) return pk_err_null(ERR_PARSE_NO_FSALT);
++ if ('\0' == *(kite->public_domain)) return pk_err_null(ERR_PARSE_NO_KITENAME);
++ if ('\0' == *(kite_r->bsalt)) return pk_err_null(ERR_PARSE_NO_BSALT);
++ if ('\0' == *(kite_r->fsalt)) return pk_err_null(ERR_PARSE_NO_FSALT);
+ return kite->public_domain;
+ }
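Review bot: The three rewritten judgement lines stop reading freed memory, but `public_domain`, `bsalt`, `fsalt` and `copy` itself still dangle into the buffer released by `free(copy)` on the first context line, so nothing prevents a later edit from reintroducing the exact same use-after-free; the enclosing `pk_parse_kite_request` starts well above the hunk and those locals are declared there. Assuming they are plain pointer locals, I would invalidate them right after the free, `copy = NULL;` and `public_domain = bsalt = fsalt = NULL;`, and state the rule in a comment above the judgement block: `/* copy is freed: only the fields already copied into kite / kite_r may be read from here on */`. The fix is also only equivalent to the old checks if every parse path above populates `kite->public_domain`, `kite_r->bsalt` and `kite_r->fsalt` with NUL-terminated strings before reaching this point, which the hunk does not show; if any path leaves them unset, the checks now test stale storage instead of the parsed tokens, and this is input parsed from the network, so it is worth confirming. Finally, the commit message describes a race condition, but what the patch fixes is a deterministic use-after-free whose symptom merely depends on allocator reuse timing; rewording it would stop the next reader from hunting for a locking bug.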