
Paste number 147900: guix-daemon use-after-free fix
Pasted by: civodul
When:6 years, 6 months ago
diff --git a/nix/libstore/build.cc b/nix/libstore/build.cc
index f38cd29..80785ef 100644
--- a/nix/libstore/build.cc
+++ b/nix/libstore/build.cc
@@ -2138,7 +2138,7 @@ void DerivationGoal::initChild()
         const char * * envArr = strings2CharPtrs(envStrs);
 
         Path program = drv.builder.c_str();
-        std::vector<const char *> args; /* careful with c_str()! */
+        Strings args;
         string user; /* must be here for its c_str()! */
 
         /* If we are running in `build-users' mode, then switch to the
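Review bot: The `/* careful with c_str()! */` warning is dropped along with the old declaration, but the reason the new `Strings args;` must own its strings (their c_str() pointers are handed to execve() later in the function) is now undocumented, while the sibling `string user; /* must be here for its c_str()! */` keeps that style. Suggest `Strings args; /* owns the argv strings; their c_str() is taken right before execve() */`. initChild() starts before this hunk.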
@@ -2168,14 +2168,13 @@ void DerivationGoal::initChild()
         string builderBasename = baseNameOf(drv.builder);
         args.push_back(builderBasename.c_str());
         foreach (Strings::iterator, i, drv.args)
-            args.push_back(rewriteHashes(*i, rewritesToTmp).c_str());
-        args.push_back(0);
+            args.push_back(rewriteHashes(*i, rewritesToTmp));
 
         restoreSIGPIPE();
 
         /* Execute the program.  This should not return. */
         inSetup = false;
-        execve(program.c_str(), (char * *) &args[0], (char * *) envArr);
+        execve(program.c_str(), (char * *) strings2CharPtrs(args), (char * *) envArr);
 
         throw SysError(format("executing `%1%'") % drv.builder);
 
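Review bot: The new call `execve(program.c_str(), (char * *) strings2CharPtrs(args), (char * *) envArr);` removes the explicit `args.push_back(0)` terminator, so argv is null-terminated only if strings2CharPtrs() appends a trailing null pointer itself; the same helper already builds envArr for this call, which suggests it does, but that contract is not visible in the hunk and should be confirmed and recorded, e.g. `/* strings2CharPtrs() appends the terminating NULL that execve() requires. */` above the call. Holding std::string values in `args` is what fixes the use-after-free: the pointers produced by strings2CharPtrs() now stay valid until execve() instead of dangling from destroyed temporaries. The array strings2CharPtrs() returns is never released here; that is harmless because execve() does not return on success and the failure path throws in the child, but a one-line comment saying so would prevent a future "leak fix" from freeing it too early. initChild() continues beyond this hunk.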

Annotations for this paste:

Annotation number 1: original Valgrind report
Pasted by: civodul
When:6 years, 6 months ago
==7071== Syscall param execve(argv[i]) points to unaddressable byte(s)
==7071==    at 0x5D1A1C7: execve (in /gnu/store/hy2hi0zj5hrqkmkhpdxf04c9bcnlnsf9-glibc-2.21/lib/libc-2.21.so)
==7071==    by 0x445C23: nix::DerivationGoal::initChild() (build.cc:2180)
==7071==    by 0x44E425: nix::DerivationGoal::startBuilder() (build.cc:1961)
==7071==    by 0x44F75A: nix::DerivationGoal::tryToBuild() (build.cc:1326)
==7071==    by 0x451091: nix::Worker::run(std::set<std::shared_ptr<nix::Goal>, std::less<std::shared_ptr<nix::Goal> >, std::allocator<std::shared_ptr<nix::Goal> > > const&) (build.cc:3121)
==7071==    by 0x4519F4: nix::LocalStore::buildPaths(std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, nix::BuildMode) (build.cc:3310)
==7071==    by 0x409C96: performOp (nix-daemon.cc:462)
==7071==    by 0x409C96: processConnection(bool) (nix-daemon.cc:730)
==7071==    by 0x40C8AA: daemonLoop() (nix-daemon.cc:904)
==7071==    by 0x40D43B: run(std::__cxx11::list<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >) (nix-daemon.cc:929)
==7071==    by 0x407403: main (guix-daemon.cc:345)
==7071==  Address 0x6721430 is 0 bytes inside a block of size 74 free'd
==7071==    at 0x4C28001: operator delete(void*) (in /gnu/store/jljnjcwvhs8klg6h7zrb2217rgskm51g-valgrind-3.10.1/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==7071==    by 0x445B68: deallocate (new_allocator.h:110)
==7071==    by 0x445B68: deallocate (alloc_traits.h:386)
==7071==    by 0x445B68: _M_destroy (basic_string.h:185)
==7071==    by 0x445B68: _M_dispose (basic_string.h:180)
==7071==    by 0x445B68: ~basic_string (basic_string.h:541)
==7071==    by 0x445B68: nix::DerivationGoal::initChild() (build.cc:2172)
==7071==    by 0x44E425: nix::DerivationGoal::startBuilder() (build.cc:1961)
==7071==    by 0x44F75A: nix::DerivationGoal::tryToBuild() (build.cc:1326)
==7071==    by 0x451091: nix::Worker::run(std::set<std::shared_ptr<nix::Goal>, std::less<std::shared_ptr<nix::Goal> >, std::allocator<std::shared_ptr<nix::Goal> > > const&) (build.cc:3121)
==7071==    by 0x4519F4: nix::LocalStore::buildPaths(std::set<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::less<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > > const&, nix::BuildMode) (build.cc:3310)
==7071==    by 0x409C96: performOp (nix-daemon.cc:462)
==7071==    by 0x409C96: processConnection(bool) (nix-daemon.cc:730)
==7071==    by 0x40C8AA: daemonLoop() (nix-daemon.cc:904)
==7071==    by 0x40D43B: run(std::__cxx11::list<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> >, std::allocator<std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > > >) (nix-daemon.cc:929)
==7071==    by 0x407403: main (guix-daemon.cc:345)
