[lxc-devel] [lxc/master] start: set exit status in lxc_fini()

brauner on Github lxc-bot at linuxcontainers.org
Thu Mar 15 09:49:38 UTC 2018


From 3368f58d22ac7757a21d7de46aef0edb03c9ece5 Mon Sep 17 00:00:00 2001
From: Christian Brauner <christian.brauner at ubuntu.com>
Date: Thu, 15 Mar 2018 10:43:52 +0100
Subject: [PATCH] start: set exit status in lxc_fini()

Felix reported a use-after-free when setting the exit status:

 Breakpoint 1, lxc_free_handler (handler=handler@entry=0x62b2d0) at start.c:635
 635     {
 (gdb) bt
 #0  lxc_free_handler (handler=handler@entry=0x62b2d0) at start.c:635
 #1  0x00007ffff7b5e28a in lxc_fini (name=name@entry=0x60ae50 "ubuntu", handler=handler@entry=0x62b2d0) at start.c:1001
 #2  0x00007ffff7b5e866 in __lxc_start (name=name@entry=0x60ae50 "ubuntu", handler=handler@entry=0x62b2d0, ops=ops@entry=0x7ffff7dd5840 <execute_start_ops>, data=data@entry=0x7fffffffc7e0,
     lxcpath=lxcpath@entry=0x627ac0 "/home/fabecassis/.local/share/lxc", backgrounded=backgrounded@entry=false) at start.c:1931
 #3  0x00007ffff7b6035c in lxc_execute (name=0x60ae50 "ubuntu", argv=argv@entry=0x7fffffffe278, quiet=quiet@entry=1, handler=handler@entry=0x62b2d0, lxcpath=0x627ac0 "/home/fabecassis/.local/share/lxc",
     backgrounded=backgrounded@entry=false) at execute.c:131
 #4  0x00007ffff7ba2113 in do_lxcapi_start (c=c@entry=0x627cf0, useinit=useinit@entry=1, argv=argv@entry=0x7fffffffe278) at lxccontainer.c:1069
 #5  0x00007ffff7ba29ee in lxcapi_start (c=0x627cf0, useinit=1, argv=0x7fffffffe278) at lxccontainer.c:1105
 #6  0x0000000000402705 in main (argc=<optimized out>, argv=<optimized out>) at tools/lxc_execute.c:241

Fix this by setting c->error_num in lxc_fini() before we free the handler.

Closes #2218.

Reported-by: Felix Abecassis <fabecassis at nvidia.com>
Signed-off-by: Christian Brauner <christian.brauner at ubuntu.com>
---
 src/lxc/lxccontainer.c | 1 -
 src/lxc/start.c        | 1 +
 2 files changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c
index ede0be58f..dbf464070 100644
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1069,7 +1069,6 @@ static bool do_lxcapi_start(struct lxc_container *c, int useinit, char * const a
 		ret = lxc_execute(c->name, argv, 1, handler, c->config_path, daemonize);
 	else
 		ret = lxc_start(c->name, argv, handler, c->config_path, daemonize);
-	c->error_num = handler->exit_status;
 
 	if (conf->reboot == 1) {
 		INFO("Container requested reboot");
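Review bot: With the assignment after the lxc_execute()/lxc_start() call removed, c->error_num is written only by the single line added in __lxc_start(), and that line sits above the `out_fini:` label, so any goto to the label skips it and leaves c->error_num at whatever value it held before the call. Consider giving c->error_num a defined value before the call, or handing the exit status back through storage that does not live inside the handler, so do_lxcapi_start() has a valid status on every path and never has to read `handler` after the call returns.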
diff --git a/src/lxc/start.c b/src/lxc/start.c
index 4e2f8a433..97e01ace2 100644
--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -1920,6 +1920,7 @@ int __lxc_start(const char *name, struct lxc_handler *handler,
 
 	lxc_monitor_send_exit_code(name, status, handler->lxcpath);
 	lxc_error_set_and_log(handler->pid, status);
+	c->error_num = handler->exit_status;
 
 out_fini:
 	lxc_delete_network(handler);
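Review bot: `c` in the added `c->error_num = handler->exit_status;` does not appear to be in scope in __lxc_start(): the hunk header shows the function taking `name` and `handler`, and frame #2 of the backtrace in the commit message lists name, handler, ops, data, lxcpath and backgrounded, with no struct lxc_container among them. If that is the full parameter list this will not compile; one option is to pass a pointer to the caller's error_num (or otherwise make the container reachable from the handler) and store the status through it before the handler is freed. Separately, the subject and message say the status is set in lxc_fini(), while the line lands in __lxc_start() ahead of `out_fini:`, so either move the assignment or adjust the wording so the two agree.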

