Fix double-free in NewModuleFromBufferArgs
#327
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
In aquasecurity@0238ec3 the freeing of C strings was changed to use defers. This can cause a double-free, which in the best case it will produce a crash. The reason why this happens is that the memory address at `defer` time is captured for later execution. If `KConfigFilePath` is less than 3, it was being freed and set to NULL. Once the defer executes on function return, the same address we already freed will be passed again. We observed this while upgrading libbpfgo in Parca Agent (parca-dev/parca-agent#1599). Test Plan ========= Verified it's a double free with ASAN ``` ================================================================= ==171270==ERROR: AddressSanitizer: attempting double-free on 0x602000000010 in thread T14: #0 0x4d6e68 in __interceptor_free.part.0 asan_malloc_linux.cpp.o aquasecurity#1 0x3004be2 in _cgo_38fdf0a0bedf_Cfunc_free (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x3004be2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 0x602000000010 is located 0 bytes inside of 1-byte region [0x602000000010,0x602000000011) freed by thread T14 here: #0 0x4d6e68 in __interceptor_free.part.0 asan_malloc_linux.cpp.o aquasecurity#1 0x3004be2 in _cgo_38fdf0a0bedf_Cfunc_free (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x3004be2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 previously allocated by thread T14 here: #0 0x4d7e37 in __interceptor_malloc (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x4d7e37) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#1 0x2ff3ff2 in _cgo_38fdf0a0bedf_Cfunc__Cmalloc (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x2ff3ff2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 ``` And that there are no issues with this patch applied, both while running the Agent with and without ASAN as well as while running the cpu profiling integration tests which exercise this code path. Signed-off-by: Francisco Javier Honduvilla Coto <javierhonduco@gmail.com>
|
Awesome. Thanks for reporting this! Will merge shortly. |
|
Thanks, Rafael! Would you mind cutting a release? 🙏 |
|
Awesome, @javierhonduco thanks for this PR. Since github is having issues right now, I'm going to review this here.
Shouldn't we let the
This can be freeing a null pointer when |
I think that should work too!
Good catch! I had a slightly different change before and when updating I forgot to check this case |
In aquasecurity@0238ec3 the freeing of C strings was changed to use defers. This can cause a double-free, which in the best case it will produce a crash. The reason why this happens is that the memory address at `defer` time is captured for later execution. If `KConfigFilePath` is less than 3, it was being freed and set to NULL. Once the defer executes on function return, the same address we already freed will be passed again. We observed this while upgrading libbpfgo in Parca Agent (parca-dev/parca-agent#1599). Test Plan ========= Verified it's a double free with ASAN ``` ================================================================= ==171270==ERROR: AddressSanitizer: attempting double-free on 0x602000000010 in thread T14: #0 0x4d6e68 in __interceptor_free.part.0 asan_malloc_linux.cpp.o aquasecurity#1 0x3004be2 in _cgo_38fdf0a0bedf_Cfunc_free (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x3004be2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 0x602000000010 is located 0 bytes inside of 1-byte region [0x602000000010,0x602000000011) freed by thread T14 here: #0 0x4d6e68 in __interceptor_free.part.0 asan_malloc_linux.cpp.o aquasecurity#1 0x3004be2 in _cgo_38fdf0a0bedf_Cfunc_free (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x3004be2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 previously allocated by thread T14 here: #0 0x4d7e37 in __interceptor_malloc (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x4d7e37) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#1 0x2ff3ff2 in _cgo_38fdf0a0bedf_Cfunc__Cmalloc (/home/javierhonduco/code/parca-agent/dist/parca-agent+0x2ff3ff2) (BuildId: aebc1e250e9da366a49de9206c528fb67b730e0b) aquasecurity#2 0x58bac3 in runtime.asmcgocall.abi0 runtime/asm_amd64.s:848 ``` And that there are no issues with this patch applied, both while running the Agent with and without ASAN as well as while running the cpu profiling integration tests which exercise this code path. Signed-off-by: Francisco Javier Honduvilla Coto <javierhonduco@gmail.com>
javierhonduco
force-pushed
the
fix-double-free-new-module
branch
from
6d77c03 to
6f33a81
Compare
|
@geyslan and @yanivagman should we cut a libbpfgo release with this fix, bump tracee to include it, and release tracee afterwards ? Cutting a release of libbpfgo for @javierhonduco seems a nice thing to do. |
👍🏼 fix week. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In
0238ec3 the freeing of C strings was changed to use defers. This can cause a double-free, which in the best case it will produce a crash. The reason why this happens is that the memory address at
defertime is captured for later execution. IfKConfigFilePathis less than 3, it was being freed and set to NULL. Once the defer executes on function return, the same address we already freed will be passed again.We observed this while upgrading libbpfgo in Parca Agent (parca-dev/parca-agent#1599).
Test Plan
Verified it's a double free with ASAN
And that there are no issues with this patch applied, both while running the Agent with and without ASAN as well as while running the cpu profiling integration tests which exercise this code path.