From 97ed37c7d3ed8ae7d816284ae6128735cfaa816c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Petr=20P=C3=ADsa=C5=99?= <ppisar@redhat.com>
Date: Thu, 1 Aug 2024 15:49:21 +0200
Subject: [PATCH] Fix a use-after-free in EmitterEmail::notify()
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
When "dnf5 automatic" was configured to send e-mails via SMTP
("emit_via = email" in automatic.conf), it sometimes crashed:
#0 0x00007ff7fb955184 __memcpy_avx_unaligned_erms (libc.so.6 + 0x147184)
#1 0x00007ff7fb873bd4 fmemopen_read (libc.so.6 + 0x65bd4)
#2 0x00007ff7fb875813 _IO_file_underflow@@GLIBC_2.2.5 (libc.so.6 + 0x67813)
#3 0x00007ff7fb877e45 _IO_default_xsgetn (libc.so.6 + 0x69e45)
#4 0x00007ff7fb869a40 _IO_fread (libc.so.6 + 0x5ba40)
#5 0x00007ff7faceb1f7 cr_in_read (libcurl.so.4 + 0x541f7)
#6 0x00007ff7facf8608 cr_eob_read (libcurl.so.4 + 0x61608)
#7 0x00007ff7facf0f20 Curl_client_read (libcurl.so.4 + 0x59f20)
#8 0x00007ff7facf103d Curl_req_send_more (libcurl.so.4 + 0x5a03d)
#9 0x00007ff7fad068da Curl_readwrite (libcurl.so.4 + 0x6f8da)
#10 0x00007ff7face6258 multi_runsingle.lto_priv.0 (libcurl.so.4 + 0x4f258)
#11 0x00007ff7face8c64 curl_multi_perform (libcurl.so.4 + 0x51c64)
#12 0x00007ff7facbb8a3 curl_easy_perform (libcurl.so.4 + 0x248a3)
#13 0x00007ff7f9ee30ad _ZN4dnf512EmitterEmail6notifyEv (automatic_cmd_plugin.so + 0x170ad)
#14 0x00007ff7f9ed61f5 _ZN4dnf516AutomaticCommand3runEv (automatic_cmd_plugin.so + 0xa1f5)
#15 0x0000557b633d5f78 main (dnf5 + 0x39f78)
#16 0x00007ff7fb811248 __libc_start_call_main (libc.so.6 + 0x3248)
#17 0x00007ff7fb81130b __libc_start_main@@GLIBC_2.34 (libc.so.6 + 0x330b)
#18 0x0000557b633d88e5 _start (dnf5 + 0x3c8e5)
or sent an e-mail without a body and some headers (e.g. Subject):
From root@fedora-41.localdomain Thu Aug 1 14:49:36 2024
Return-Path: <root@fedora-41.localdomain>
X-Original-To: test
Delivered-To: test@fedora-41.localdomain
Received: from fedora-41 (localhost [IPv6:::1])
by fedora-41.localdomain (Postfix) with ESMTP id E5A1E51
for <test>; Thu, 01 Aug 2024 14:49:36 +0200 (CEST)
Message-Id: <20240801124936.E5A1E51@fedora-41.localdomain>
Date: Thu, 01 Aug 2024 14:49:36 +0200 (CEST)
From: root@fedora-41.localdomain
The cause was that a FILE * structure was registered to curl as CURLOPT_READDATA
and freed before curl_easy_perform() processed it.
This patch fixes it.
Resolves: https://bugzilla.redhat.com/show_bug.cgi?id=2298385
Signed-off-by: Petr Písař <ppisar@redhat.com>
---
dnf5-plugins/automatic_plugin/emitters.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dnf5-plugins/automatic_plugin/emitters.cpp b/dnf5-plugins/automatic_plugin/emitters.cpp
index 987070e4..6af0aca9 100644
--- a/dnf5-plugins/automatic_plugin/emitters.cpp
+++ b/dnf5-plugins/automatic_plugin/emitters.cpp
@@ -218,11 +218,11 @@ void EmitterEmail::notify() {
FILE * payload_file = fmemopen(payload.data(), payload.size(), "r");
curl_easy_setopt(curl, CURLOPT_READDATA, payload_file);
- fclose(payload_file);
curl_easy_setopt(curl, CURLOPT_UPLOAD, 1L);
res = curl_easy_perform(curl);
+ fclose(payload_file);
if (res != CURLE_OK) {
std::cerr << "libcurl error while sending e-mail: " << curl_easy_strerror(res) << std::endl;
}
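Review bot: fmemopen() can return NULL, and payload_file is used unchecked at the top of this hunk, first as CURLOPT_READDATA and then, after the move, in fclose(payload_file) following curl_easy_perform(); passing a null pointer to fclose() is undefined behaviour. Suggest testing payload_file right after fmemopen() and reporting an error instead of starting the transfer when it is null. Because the defect was an ordering mistake in a manually managed lifetime, consider holding the stream in a std::unique_ptr<FILE, decltype(&fclose)> declared before the curl_easy_setopt() calls, so it is closed at scope exit and cannot end up ahead of curl_easy_perform() again. A one-line comment stating that the stream must stay open until curl_easy_perform() returns would also help the next reader.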
--
2.45.2