[v2.0.14] Possible use after free (src/daemon/modules/image/oci/registry/registry.c:671)

Status: Completed
Type: Defect
Created on
2022-06-02 13:42

[Title / Description]
We are testing iSulad by combining fault injection with fuzzing, hoping to find memory-corruption defects in error-handling code.
This issue may be a potential use-after-free bug.

Our fault injection forces the error-handling code in a specific context to run, for example malloc returning NULL (out of memory), open returning -1 (the file was suddenly moved), fork returning -1 (the system-wide process limit was reached), and so on, and observes whether the program handles such situations correctly. Without our fault-injection environment it is therefore hard to reproduce, so I analyse the relevant code below (please get in touch if further information is needed).

// in src/daemon/modules/image/oci/registry/registry.c:671
 671 static int create_image(pull_descriptor *desc, char *image_id, bool *reuse)
 672 {

         // the variable img inside storage_img_create() is added to the global map and may then be freed
         // on the failure path, but it is never removed from the map
 699     ret = storage_img_create(image_id, top_layer_id, NULL, &opts);
 700     if (ret != 0) {
             // storage_get_img_top_layer() searches that img out of the global map: use after free
 701         pre_top_layer = storage_get_img_top_layer(image_id);

 735     return ret;
 736 }
// storage_img_create() -> image_store_create()
// in src/daemon/modules/image/oci/storage/image_store/image_store.c:781
 781 char *image_store_create(...)
 783 {

 832     img = new_image(im, g_image_store->dir);
         // image_store_append_image() fails, analysed below
 840     if (image_store_append_image(dst_id, searchable_digest, img) != 0) {

 842         ret = -1;
 843         goto out;
 844     }

 857 out:
 858     if (ret != 0) {
             // freed here
 863         free_image_t(img);
 864         img = NULL;
 865     }

 868     return dst_id;
 869 }


 733 static int image_store_append_image(...)
 734 {

 739     item = util_smart_calloc_s(sizeof(struct linked_list), 1);

 744     linked_list_add_elem(item, img);
 745     linked_list_add_tail(&g_image_store->images_list, item);
 746     g_image_store->images_list_len++;

         // successfully inserted into the map
 748     if (!map_insert(g_image_store->byid, (void *)id, (void *)img)) {
 752     }
         // append_image_according_to_digest() fails, goto out.
 754     if (append_image_according_to_digest(g_image_store->bydigest, searchable_digest, img) != 0) {
 756         ret = -1;
 757         goto out;
 758     }

 773 out:
 774     if (ret != 0) {
             // item is freed and unlinked from the list, but img is not removed from the map
 775         linked_list_del(item);
 776         free(item);
 777     }
 778     return ret;
 779 }
// storage_get_img_top_layer() -> image_store_top_layer()
// in src/daemon/modules/image/oci/storage/image_store/image_store.c:1875
1875 char *image_store_top_layer(const char *id)
1876 {
         // lookup a freed img, use after free
1895     img = lookup(id);

1901     top_layer = util_strdup_s(img->simage->layer);

1903 out:
1904     image_ref_dec(img);
1905     image_store_unlock();
1906     return top_layer;
1907 }

[Environment information]
Hardware information:
1) Intel, x86_64

Software information:

Ubuntu 20.04
iSulad v2.0.14
If there is a special network setup, please provide a network topology diagram

[Expected result]
No memory-corruption bug should occur

[Attachments]

==89896==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000438950 at pc 0x55920149676b bp 0x7effc4d0b620 sp 0x7effc4d0b618
READ of size 8 at 0x603000438950 thread T13 (grpcpp_sync_ser)
#0 0x55920149676a in atomic_int_inc /home/r1/isulad/iSulad/src/utils/cutils/util_atomic.h:82:13
#1 0x55920149666d in image_ref_inc /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:123:5
#2 0x55920145de91 in lookup /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:470:5
#3 0x55920146e3fe in image_store_top_layer /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:1895:11
#4 0x5592014454ac in storage_get_img_top_layer /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:898:12
#5 0x5592015f8b0e in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:701:25
#6 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11

0x603000438950 is located 16 bytes inside of 24-byte region [0x603000438940,0x603000438958)
freed by thread T13 (grpcpp_sync_ser) here:
#0 0x559200352322 in free (/home/r1/isulad/iSulad/build/src/isulad+0x77c322)
#1 0x559201496d50 in free_image_t /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:152:5
#2 0x5592014598ae in image_store_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:863:9
#3 0x55920143f622 in storage_img_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:350:16
#4 0x5592015f8aad in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:699:11
#5 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11

previously allocated by thread T13 (grpcpp_sync_ser) here:
#0 0x559200352702 in calloc (/home/r1/isulad/iSulad/build/src/isulad+0x77c702)
#1 0x7effd2bafd5f in util_smart_calloc_s /home/r1/isulad/iSulad/src/utils/cutils/utils.c:269:12
#2 0x559201497676 in create_empty_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:33:25
#3 0x5592014963e5 in new_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_type.c:105:11
#4 0x559201459338 in image_store_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/image_store/image_store.c:832:11
#5 0x55920143f622 in storage_img_create /home/r1/isulad/iSulad/src/daemon/modules/image/oci/storage/storage.c:350:16
#6 0x5592015f8aad in create_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:699:11
#7 0x5592015d7475 in register_image /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:875:11
#8 0x5592015d2ecb in registry_pull /home/r1/isulad/iSulad/src/daemon/modules/image/oci/registry/registry.c:2047:15
#9 0x5592015a8be9 in pull_image 
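The failure-path pattern reported above (an object inserted into a global map, freed on an error path without being taken out of the map, and later handed back by a lookup) as an added example that is not iSulad's code. It is a constructed toy image store with a byid map and a fault-injection switch for the digest step; the buggy append leaves the map entry behind when that step fails, the fixed append removes it, and a driver injects the failure and counts the map slots that still exist after the image has been freed. All names here (image_store, append_image_buggy, append_image_fixed, stale_entries_after_failed_create) and the layer value are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of an image store (example code, not iSulad's):
 * the global byid "map" is a fixed array of (id, pointer) slots. */
#define MAX_IMAGES 8
#define ID_LEN 64

typedef struct { char *id; char *top_layer; } image_t;

typedef struct {
    char id[ID_LEN + 1];  /* key copied in; empty string marks a free slot */
    image_t *img;         /* value; ownership stays with the creating function */
} map_entry;

typedef struct {
    map_entry byid[MAX_IMAGES];
    bool fail_digest_insert; /* fault-injection switch for the digest step */
} image_store;

static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

static void free_image_t(image_t *img)
{
    if (img == NULL) return;
    free(img->id);
    free(img->top_layer);
    free(img);
}

static image_t *new_image(const char *id, const char *top_layer)
{
    image_t *img = calloc(1, sizeof(*img));
    if (img == NULL) return NULL;
    img->id = dup_str(id);
    img->top_layer = dup_str(top_layer);
    if (img->id == NULL || img->top_layer == NULL) { free_image_t(img); return NULL; }
    return img;
}

static bool map_insert(image_store *s, const char *id, image_t *img)
{
    for (int i = 0; i < MAX_IMAGES; i++) {
        if (s->byid[i].id[0] == '\0') {
            strncpy(s->byid[i].id, id, ID_LEN);
            s->byid[i].id[ID_LEN] = '\0';
            s->byid[i].img = img;
            return true;
        }
    }
    return false;
}

static void map_remove(image_store *s, const char *id)
{
    for (int i = 0; i < MAX_IMAGES; i++) {
        if (strcmp(s->byid[i].id, id) == 0) { s->byid[i].id[0] = '\0'; s->byid[i].img = NULL; }
    }
}

/* Occupied byid slots; after a failed create this must be 0. */
static int map_count(const image_store *s)
{
    int n = 0;
    for (int i = 0; i < MAX_IMAGES; i++) n += (s->byid[i].id[0] != '\0');
    return n;
}

/* Stand-in for the digest step: fails when fault injection is switched on. */
static int append_by_digest(const image_store *s) { return s->fail_digest_insert ? -1 : 0; }

typedef int (*append_fn)(image_store *, image_t *);

/* Buggy shape: the digest step fails after map_insert succeeded and the
 * error path leaves the byid entry pointing at an image the caller will free. */
static int append_image_buggy(image_store *s, image_t *img)
{
    if (!map_insert(s, img->id, img)) return -1;
    if (append_by_digest(s) != 0) return -1; /* missing: map_remove(s, img->id) */
    return 0;
}

/* Fixed shape: every step that succeeded before the failure is undone, so
 * nothing in the store references img once the caller frees it. */
static int append_image_fixed(image_store *s, image_t *img)
{
    if (!map_insert(s, img->id, img)) return -1;
    if (append_by_digest(s) != 0) { map_remove(s, img->id); return -1; }
    return 0;
}

/* Mirrors the create path: the image is freed when append fails. */
static int image_store_create(image_store *s, const char *id, append_fn append)
{
    image_t *img = new_image(id, "sha256:CONSTRUCTED_TOP_LAYER"); /* constructed value */
    if (img == NULL) return -1;
    if (append(s, img) != 0) {
        free_image_t(img); /* any byid slot still holding img now dangles */
        return -1;
    }
    return 0;
}

/* Inject the digest failure and count the map slots that survive the free.
 * A non-zero count is exactly the state a later lookup(id) would read through. */
static int stale_entries_after_failed_create(append_fn append)
{
    image_store s;
    memset(&s, 0, sizeof(s));
    s.fail_digest_insert = true;
    if (image_store_create(&s, "0123abcd", append) == 0) return -1; /* injection did not fire */
    return map_count(&s);
}

int main(void)
{
    printf("buggy append: %d stale byid entries\n", stale_entries_after_failed_create(append_image_buggy));
    printf("fixed append: %d stale byid entries\n", stale_entries_after_failed_create(append_image_fixed));
    return 0;
}
```

The driver never dereferences the stale slot; it only counts it, which is enough to show the state that lookup() in the report walks into. The general rule the fixed variant follows is that an error path must undo every registration that succeeded before the failing step, in reverse order, before control returns to the owner that frees the object.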

Comments (2)

easylu_xkt created the defect

Hi xkt95, welcome to the openEuler Community.
I'm the Bot here serving you. You can find the instructions on how to interact with me at Here.
If you have any questions, please contact the SIG: iSulad, and any of the maintainers: @haomintsai , @lifeng_isula , @haozi007 , @jingxiaolu , @JingWoo

openeuler-ci-bot added the sig/iSulad label
easylu_xkt edited the description
easylu_xkt edited the title

Thanks, we will fix it as soon as possible. Alternatively, you are welcome to submit a PR with a fix.

haozi007 changed the task status from To do to In progress
zhangxiaoyu changed the task status from In progress to Completed via openeuler/iSulad Pull Request !1455
