Skip to content

Commit

Permalink
Fix double-free in crun exec
Browse files Browse the repository at this point in the history
The process struct cleanup in crun_command_exec was doubly freeing the
process->user pointer, which was previously freed by the container struct
cleanup in libcrun_container_exec_with_options.

Signed-off-by: Brandon Duffany <brandon@buildbuddy.io>
  • Loading branch information
bduffany committed Sep 2, 2024
1 parent 7dba7fc commit f72483a
Showing 1 changed file with 25 additions and 1 deletion.
26 changes: 25 additions & 1 deletion src/libcrun/container.c
Original file line number Diff line number Diff line change
Expand Up @@ -537,6 +537,30 @@ make_container (runtime_spec_schema_config_schema *container_def, const char *pa
return container;
}

runtime_spec_schema_config_schema_process_user *
process_user_dup (const runtime_spec_schema_config_schema_process_user *const src)
{
runtime_spec_schema_config_schema_process_user *const dst = xmalloc0 (sizeof (runtime_spec_schema_config_schema_process_user));

dst->uid = src->uid;
dst->uid_present = src->uid_present;
dst->gid = src->gid;
dst->gid_present = src->gid_present;
dst->umask = src->umask;
dst->umask_present = src->umask_present;

if (src->additional_gids)
{
const size_t additional_gids_size = src->additional_gids_len * sizeof (gid_t);
dst->additional_gids = xmalloc (additional_gids_size);
memcpy (dst->additional_gids, src->additional_gids, additional_gids_size);
}

dst->username = xstrdup (src->username);

return dst;
}

libcrun_container_t *
libcrun_container_load_from_memory (const char *json, libcrun_error_t *err)
{
Expand Down Expand Up @@ -3620,7 +3644,7 @@ libcrun_container_exec_with_options (libcrun_context_t *context, const char *id,
process->apparmor_profile = xstrdup (container->container_def->process->apparmor_profile);

if (process->user == NULL && container->container_def->process->user)
process->user = container->container_def->process->user;
process->user = process_user_dup (container->container_def->process->user);
}

ret = initialize_security (process, err);
Expand Down

0 comments on commit f72483a

Please sign in to comment.