From: David Bremner
To: Austin Ray, notmuch@notmuchmail.org
Cc: David Bremner
Subject: [PATCH 2/5] lib/open: fix potential double-free, ensure *database=NULL on error
Date: Sat, 23 Oct 2021 06:24:48 -0300
Message-Id: <20211023092451.1403141-3-david@tethera.net>
In-Reply-To: <20211023092451.1403141-1-david@tethera.net>
References: <20211023042225.xt36nzpsukqs6kid@athena> <20211023092451.1403141-1-david@tethera.net>

During refactoring for 0.32, the code that set notmuch=NULL on various errors was moved into _finish_open. This meant that the code which relied on that to set *database to NULL on error was no longer correct. It also introduced a potential double free, since the notmuch struct was deallocated inside _finish_open (via n_d_destroy).

In this commit we revert to "allocator frees", and leave any cleanup to the caller of _finish_open. This allows us to get back the behaviour of setting *database to NULL with a small change. Other callers of _finish_open will need to free notmuch on errors.

--- lib/open.cc | 13 +++++-------- test/T590-libconfig.sh | 2 -- 2 files changed, 5 insertions(+), 10 deletions(-) diff --git a/lib/open.cc b/lib/open.cc index 8a835e98..77f01f72 100644 --- a/lib/open.cc +++ b/lib/open.cc
@@ -396,8 +396,6 @@ _finish_open (notmuch_database_t *notmuch, " has a newer database format version (%u) than supported by this\n" " version of notmuch (%u).\n", database_path, version, NOTMUCH_DATABASE_VERSION)); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_FILE_ERROR; goto DONE; } @@ -414,8 +412,6 @@ _finish_open (notmuch_database_t *notmuch, " requires features (%s)\n" " not supported by this version of notmuch.\n", database_path, incompat_features)); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_FILE_ERROR; goto DONE; } @@ -489,8 +485,6 @@ _finish_open (notmuch_database_t *notmuch, } catch (const Xapian::Error &error) { IGNORE_RESULT (asprintf (&message, "A Xapian exception occurred opening database: %s\n", error.get_msg ().c_str ())); - notmuch_database_destroy (notmuch); - notmuch = NULL; status = NOTMUCH_STATUS_XAPIAN_EXCEPTION; } DONE: @@ -559,10 +553,13 @@ notmuch_database_open_with_config (const char *database_path, free (message); } + if (status && notmuch) { + notmuch_database_destroy (notmuch); + notmuch = NULL; + } + if (database) *database = notmuch; - else - talloc_free (notmuch); if (notmuch) notmuch->open = true; diff --git a/test/T590-libconfig.sh b/test/T590-libconfig.sh index d2ea4a2b..ca70642c 100755 --- a/test/T590-libconfig.sh +++ b/test/T590-libconfig.sh @@ -850,7 +850,6 @@ EOF test_expect_equal_file EXPECTED OUTPUT test_begin_subtest "open: database set to null on missing config" -test_subtest_known_broken test_C ${MAIL_DIR} "/nonexistent" < int main (int argc, char **argv) { @@ -871,7 +870,6 @@ EOF test_expect_equal_file EXPECTED OUTPUT test_begin_subtest "open: database set to null on missing config (env)" -test_subtest_known_broken old_NOTMUCH_CONFIG=${NOTMUCH_CONFIG} NOTMUCH_CONFIG="/nonexistent" test_C ${MAIL_DIR} <
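
Review bot: the three error paths in _finish_open (the newer-database-version branch, the incompatible-features branch, and the Xapian::Error catch block) now return with notmuch still allocated, but nothing at the function records that cleanup belongs to the caller. Within this patch only notmuch_database_open_with_config gains the matching destroy, and the commit message itself says other callers still need it. Add a comment above _finish_open stating that it never frees notmuch on error, and either update the remaining callers here or name the patch in the series that does, so those paths do not leak the handle in between.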
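
Review bot: in the notmuch_database_open_with_config hunk, removing `else talloc_free (notmuch);` leaves the success case with database == NULL holding a live handle that is never returned or released; it only gets `notmuch->open = true` before the function ends. Dropping the old branch is right, since it freed notmuch and then fell through to the `if (notmuch)` dereference, but the replacement should still release the handle, for example by extending the new guard to `if ((status || ! database) && notmuch)` so the destroy and `notmuch = NULL` also run when there is no out-pointer. The return value of notmuch_database_destroy is discarded in the new block; if that is intentional so the original status is preserved, a short comment would make it clear.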
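
Review bot: the two subtests in test/T590-libconfig.sh that lose test_subtest_known_broken are both titled "database set to null on missing config", so the re-enabled coverage is for the missing-config case only. The branches this patch actually edits in _finish_open (newer database version, unsupported features, Xapian exception) have no subtest in the visible hunks. Consider adding one that forces one of those errors and checks that *database is NULL afterwards, since that is where the double free described in the commit message would show up.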