View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0001404SOGoSOPEpublic2011-08-01 14:422011-12-07 20:06
Reporterbuzzdee Assigned Toludovic  
PrioritynormalSeveritycrashReproducibilityalways
Status closedResolutionfixed 
Product Version1.3.8 
Fixed in Version1.3.11 
Summary0001404: fix use after free resulting in segfault triggered by OGo
Description

In the OGo Web Interface, creating an appointment with Show companies checkbox active, and resulting in more than one name for a search, leads to a segfault:

The backtrace and OGo bug report can be found here:
https://sourceforge.net/apps/mantisbt/opengroupware/view.php?id=5

As it turned out, the array is accessed after it is already freed.

Additional Information

Attached patch retains the return values in WOKeyPathAssociation.m and then later releases it in WORepetition, after its use.

This now makes OGo very happy ;)

However, there may be more paths through the code, which may also now also get this retained return value, and don't release it after use??

TagsNo tags attached.

Activities

2011-08-01 14:42

 

fix-use-after-free-in-OGo-webinterface.diff (1,390 bytes)    
$OpenBSD$

release the object later, when it is really not in use anymore, fix for bug 5

--- sope-appserver/NGObjWeb/DynamicElements/WORepetition.m.orig	Mon Aug  1 16:27:43 2011
+++ sope-appserver/NGObjWeb/DynamicElements/WORepetition.m	Mon Aug  1 16:28:05 2011
@@ -840,7 +840,7 @@ _sapplyIndex(_WOSimpleRepetition *self, WOComponent *s
     WOResponse_AddCString(_response, "<!-- repetition with no contents -->");
   }
 #endif
-  
+  [array release];
   [pool release];
   
 #if DEBUG
$OpenBSD$

Fix use after free in OGo Webinterface, see bug: 5

--- sope-appserver/NGObjWeb/Associations/WOKeyPathAssociation.m.orig	Tue Nov  2 15:12:12 2010
+++ sope-appserver/NGObjWeb/Associations/WOKeyPathAssociation.m	Mon Aug  1 16:20:07 2011
@@ -727,7 +727,7 @@ _getValueN(WOKeyPathAssociation *self, unsigned _count
 
   //NSLog(@"object %@ for keyPath %@", object, [self keyPath]);
 
-  return object;
+  return [object retain];
 }
 
 static inline id _getValue(WOKeyPathAssociation *self, id root) {
@@ -742,8 +742,8 @@ static id _getOneValue(WOKeyPathAssociation *self, id 
   retValue = _getComponentValue(self, root, info);
 
   return (info->type == WOKeyType_method)
-    ? _objectify(info->retType, &retValue)
-    : retValue.object;
+    ? [_objectify(info->retType, &retValue) retain]
+    : [retValue.object retain];
 }
 
 static inline void _getSetSelName(register unsigned char *buf,
fix-use-after-free-in-OGo-webinterface.diff (1,390 bytes)   
buzzdee

buzzdee

2011-10-05 09:52

reporter   ~0002864

Could someone look into this patch here?
ludovic

ludovic

2011-10-05 13:38

reporter   ~0002869

I don't really like those changes. It's normally the responsability of the caller to retain the object. Methods should generally return "autoreleased" objects.
buzzdee

buzzdee

2011-10-05 14:02

reporter   ~0002870

Thanks for looking into it, also for the other two.

I'll need to look into it again, will report back, but may take a while, need to prepare a setup where I can test again...

2011-12-06 13:15

 

patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m (769 bytes)    
$OpenBSD$

retain the array, to fix a use after free
see http://www.sogo.nu/bugs/view.php?id=1404

--- sope-appserver/NGObjWeb/DynamicElements/WORepetition.m.orig	Tue Dec  6 13:52:00 2011
+++ sope-appserver/NGObjWeb/DynamicElements/WORepetition.m	Tue Dec  6 13:53:35 2011
@@ -787,9 +787,9 @@ _sapplyIndex(_WOSimpleRepetition *self, WOComponent *s
   pool       = [[NSAutoreleasePool alloc] init];
   
   sComponent = [_ctx component];
-  array      = [self->list valueInContext:_ctx];
+  array      = [[self->list valueInContext:_ctx] retain];
   aCount     = [array count];
-  
+
   if (aCount > 0) {
     unsigned cnt;
 
@@ -841,6 +841,7 @@ _sapplyIndex(_WOSimpleRepetition *self, WOComponent *s
   }
 #endif
   
+  [array release];
   [pool release];
   
 #if DEBUG
patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m (769 bytes)   
buzzdee

buzzdee

2011-12-06 13:17

reporter   ~0003119

This new patch retains the array in the caller, and releases it at the end.

Hope this is better now and can get included in the next SOPE release.
buzzdee

buzzdee

2011-12-06 13:31

reporter   ~0003121

I was chasing another bug, and found, its a similar problem with the array, in a different method.

Updated patch fixes now fixes both problems for me.

2011-12-06 13:31

 

patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m-new (1,369 bytes)    
$OpenBSD$

retain the array, to fix a use after free
see http://www.sogo.nu/bugs/view.php?id=1404

--- sope-appserver/NGObjWeb/DynamicElements/WORepetition.m.orig	Tue Dec  6 13:52:00 2011
+++ sope-appserver/NGObjWeb/DynamicElements/WORepetition.m	Tue Dec  6 14:23:17 2011
@@ -479,7 +479,7 @@ _applyIndex(_WOComplexRepetition *self, WOComponent *s
 
   doRender   = ![_ctx isRenderingDisabled];
   sComponent = [_ctx component];
-  array      = [self->list valueInContext:_ctx];
+  array      = [[self->list valueInContext:_ctx] retain];
   aCount     = [array count];
   startIdx   = [self->startIndex unsignedIntValueInComponent:sComponent];
 
@@ -581,7 +581,7 @@ _applyIndex(_WOComplexRepetition *self, WOComponent *s
       WOResponse_AddCString(_response, "<!-- repetition with no contents -->");
   }
 #endif
-  
+  [array release];
   [pool release];
   
 #if DEBUG
@@ -787,9 +787,9 @@ _sapplyIndex(_WOSimpleRepetition *self, WOComponent *s
   pool       = [[NSAutoreleasePool alloc] init];
   
   sComponent = [_ctx component];
-  array      = [self->list valueInContext:_ctx];
+  array      = [[self->list valueInContext:_ctx] retain];
   aCount     = [array count];
-  
+
   if (aCount > 0) {
     unsigned cnt;
 
@@ -841,6 +841,7 @@ _sapplyIndex(_WOSimpleRepetition *self, WOComponent *s
   }
 #endif
   
+  [array release];
   [pool release];
   
 #if DEBUG
patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m-new (1,369 bytes)   
buzzdee

buzzdee

2011-12-07 07:41

reporter   ~0003129

since I just read on the mailing list, OSGo 1.3.11 will be release very shortly, could this be considered for inclusion?
We'd want to release a rc1 of ogo 5.5 maybe even before christmas, and it would greatly help to get rid of those two bugs with this patch.

thanks,
Sebastian
ludovic

ludovic

2011-12-07 20:06

reporter   ~0003133

Fixed push, thanks!

See: http://mtn.inverse.ca/revision/diff/7ebce8df2ddbe7d6cbc534f7c1e7d64ebbc73a72/with/1f44a0d5895a6e34af5e973ae98a48b118eb7cd8

Issue History

Date Modified Username Field Change
2011-08-01 14:42 buzzdee New Issue
2011-08-01 14:42 buzzdee File Added: fix-use-after-free-in-OGo-webinterface.diff
2011-10-05 09:52 buzzdee Note Added: 0002864
2011-10-05 13:38 ludovic Note Added: 0002869
2011-10-05 14:02 buzzdee Note Added: 0002870
2011-12-06 13:15 buzzdee File Added: patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m
2011-12-06 13:17 buzzdee Note Added: 0003119
2011-12-06 13:31 buzzdee Note Added: 0003121
2011-12-06 13:31 buzzdee File Added: patch-sope-appserver_NGObjWeb_DynamicElements_WORepetition_m-new
2011-12-07 07:41 buzzdee Note Added: 0003129
2011-12-07 20:06 ludovic Note Added: 0003133
2011-12-07 20:06 ludovic Status new => resolved
2011-12-07 20:06 ludovic Fixed in Version => 1.3.11
2011-12-07 20:06 ludovic Resolution open => fixed
2011-12-07 20:06 ludovic Assigned To => ludovic
2011-12-07 20:06 ludovic Status resolved => closed