[lxc-devel] [lxc/lxc] a3b4f3: fix handler use-after-free
GitHub
noreply at github.com
Thu Mar 15 15:52:42 UTC 2018
Branch: refs/heads/master
Home: https://github.com/lxc/lxc
Commit: a3b4f3d68054eb31b86a7192bfc8ffabba011bff
https://github.com/lxc/lxc/commit/a3b4f3d68054eb31b86a7192bfc8ffabba011bff
Author: Tycho Andersen <tycho at tycho.ws>
Date: 2018-03-15 (Thu, 15 Mar 2018)
Changed paths:
M src/lxc/execute.c
M src/lxc/lxc.h
M src/lxc/lxccontainer.c
M src/lxc/start.c
M src/lxc/start.h
Log Message:
-----------
fix handler use-after-free
The problem here is that __lxc_start frees the handler, so any use
afterwards is invalid. Since we don't have access to the actual struct
lxc_container object in __lxc_start, let's pass a pointer to error_num in
so it can be returned.
Unfortunately, I'm a little too paranoid to change the return type of
lxc_start, since it returns failure if some of the cleanup fails, which
may be useful in some cases. So let's keep this out of band.
Closes #2218
Closes #2219
Reported-by: Felix Abecassis <fabecassis at nvidia.com>
Signed-off-by: Tycho Andersen <tycho at tycho.ws>
Commit: 0e83121caad4c1e4edd117f2079f19d56edd4cc8
https://github.com/lxc/lxc/commit/0e83121caad4c1e4edd117f2079f19d56edd4cc8
Author: Christian Brauner <christian.brauner at ubuntu.com>
Date: 2018-03-15 (Thu, 15 Mar 2018)
Changed paths:
M src/lxc/execute.c
M src/lxc/lxc.h
M src/lxc/lxccontainer.c
M src/lxc/start.c
M src/lxc/start.h
Log Message:
-----------
Merge pull request #2221 from tych0/fix-use-after-free
fix handler use-after-free
Compare: https://github.com/lxc/lxc/compare/d61bda5fcb96...0e83121caad4
More information about the lxc-devel
mailing list