author | Daiki Ueno <dueno@redhat.com> | 2018-08-13 15:23:03 +0200 |
---|---|---|
committer | Daiki Ueno <ueno@gnu.org> | 2018-08-15 13:28:23 +0200 |
commit | 34416ed787d804e0d293e47f2d10dc62ddea407c (patch) | |
tree | ba61dd52b50dd745784469820e5c0a2f6215a237 /p11-kit | |
parent | 541d79cb651cfd3238b9aa41fce70208df8e9496 (diff) |
proxy: Avoid invalid memory access when unloading proxy module
When loading and unloading p11-kit-proxy.so with pkcs11-tool, it
accesses an already free'd memory area:
$ valgrind pkcs11-tool --module p11-kit-proxy.so -L
==25173== Invalid read of size 8
==25173== at 0x64BF493: p11_proxy_module_cleanup (proxy.c:1724)
==25173== by 0x64BD028: _p11_kit_fini (proxy-init.c:65)
==25173== by 0x401477C: _dl_close_worker (in /usr/lib64/ld-2.27.so)
==25173== by 0x4014E1D: _dl_close (in /usr/lib64/ld-2.27.so)
==25173== by 0x5E08C4E: _dl_catch_exception (in /usr/lib64/libc-2.27.so)
==25173== by 0x5E08CDE: _dl_catch_error (in /usr/lib64/libc-2.27.so)
==25173== by 0x58B1724: _dlerror_run (in /usr/lib64/libdl-2.27.so)
==25173== by 0x58B1113: dlclose (in /usr/lib64/libdl-2.27.so)
==25173== by 0x11E5A7: ??? (in /usr/bin/pkcs11-tool)
==25173== by 0x110023: ??? (in /usr/bin/pkcs11-tool)
==25173== by 0x5CF624A: (below main) (in /usr/lib64/libc-2.27.so)
==25173== Address 0x61231c8 is 552 bytes inside a block of size 584 free'd
==25173== at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==25173== by 0x6548492: p11_virtual_unwrap (virtual.c:2902)
==25173== by 0x64BF492: p11_proxy_module_cleanup (proxy.c:1723)
Diffstat (limited to 'p11-kit')
-rw-r--r-- | p11-kit/proxy.c | 17 |
1 files changed, 4 insertions, 13 deletions
diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 31b9bb2..b7fb63d 100644
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -1720,8 +1720,8 @@ p11_proxy_module_cleanup (void)
 for (; state != NULL; state = next) {
 next = state->next;
- p11_virtual_unwrap (state->wrapped);
 p11_kit_modules_release (state->loaded);
+ p11_virtual_unwrap (state->wrapped);
 }
 }
@@ -1731,16 +1731,6 @@ p11_proxy_module_check (CK_FUNCTION_LIST_PTR module)
 return (module->C_WaitForSlotEvent == module_C_WaitForSlotEvent);
 }
-static void
-proxy_module_free (p11_virtual *virt)
-{
- State *state = (State *)virt;
-
- p11_virtual_unwrap (state->wrapped);
- p11_kit_modules_release (state->loaded);
- free (state);
-}
-
 CK_RV
 p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
 CK_FUNCTION_LIST_PTR *modules)
@@ -1758,9 +1748,10 @@ p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
 p11_virtual_init (&state->virt, &proxy_functions, state, NULL);
 state->last_handle = FIRST_HANDLE;
 state->loaded = modules_dup (modules);
- state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)proxy_module_free);
+ state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)p11_virtual_uninit);
 if (state->wrapped == NULL) {
- proxy_module_free (&state->virt);
+ p11_kit_modules_release (state->loaded);
+ free (state);
 return CKR_GENERAL_ERROR;
 } |
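Review bot: Nothing visible in the `p11_proxy_module_cleanup` loop frees `state` itself once the destroyer changes. The removed `proxy_module_free` ended with `free (state);`, while the destroyer now registered in `p11_proxy_module_create` is `p11_virtual_uninit`, whose body is not shown on this page. If `p11_virtual_uninit` does not release the `State` allocation, every instance is leaked at unload; if some other path does release it, a `free (state);` added here later would become a double free. A comment in the loop along the lines of `/* state->loaded must be released before unwrap; State itself is freed by <owner> */` would pin the lifetime down, with the owner filled in from the real code. The function begins outside the hunk, so the declarations and the `all_instances` handling are not visible.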
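Review bot: The cast `(p11_destroyer)p11_virtual_uninit` in `p11_proxy_module_create` probably calls a function through a pointer type that differs from its declaration. Neither declaration is visible here, but `p11_destroyer` presumably takes `void *` while `p11_virtual_uninit` takes `p11_virtual *`. If so, the indirect call is undefined behaviour in ISO C, and builds hardened with indirect-call CFI checks will trap on it even though it works on common ABIs. A small adapter removes the cast: `static void proxy_virtual_uninit (void *data) { p11_virtual_uninit (data); }`, passed as the destroyer. The function body continues outside the hunk.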