
pkproto.c: fix use-after-free that did cause pagekite to SIGSEGV

Open plan44 opened this issue 1 year ago • 1 comment

  • occasionally, with higher probability on faster/multicore systems
  • like: never crashed in years on RPi B+, crashed 95% of all startup attempts on Rpi3 or Rpi4

plan44, Sep 16 '24 22:09

Some more context:

Observation:

  • programs using libpagekitec did crash with SIGSEGV on startup on RPi3,4 while having worked fine for years on RPi1+2

Explanation:

  • the final "judgement" tests were done on pointers into the copy buffer freed on line 766 instead of on the safe copies of those strings in kite and kite_r.
  • this opened a very short race condition window, however the crash was caught happening while a tight loop (pkb_start_blockers) fired up 16 of those threads in rapid succession. So probably if the next thread got to allocate memory before the "judgements" tests, accessing the just freed copy would cause a segfault.

Fix:

  • check the safe copies of the strings instead of pointers into copy.

plan44, Sep 17 '24 09:09
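A minimal C reconstruction of the pattern described in the comments above, added here as an illustration; it is not libpagekite's pkproto.c code, and the record type, field layout and function names are hypothetical. Fields are tokenised out of a temporary copy, the copy is freed, and the final validity checks must read the safe copies rather than the token pointers that still point into the freed buffer.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical parsed record: safe copies of each field (not libpagekite's struct). */
typedef struct { char proto[16]; char kite[64]; char secret[64]; } kite_fields;

/* Tokenise "proto:kite:secret" from a private copy of `line` into `out`.
 * On return, *p_proto and *p_kite still point INTO the freed copy: anything
 * that dereferences them afterwards is a use-after-free. */
void split_into_copies(const char *line, kite_fields *out,
                       const char **p_proto, const char **p_kite)
{
    memset(out, 0, sizeof *out);
    *p_proto = *p_kite = NULL;
    char *copy = strdup(line);               /* temporary working buffer */
    if (!copy) return;
    char *save = NULL;
    *p_proto = strtok_r(copy, ":", &save);
    *p_kite  = *p_proto ? strtok_r(NULL, ":", &save) : NULL;
    const char *p_secret = *p_kite ? strtok_r(NULL, ":", &save) : NULL;
    snprintf(out->proto,  sizeof out->proto,  "%s", *p_proto ? *p_proto : "");
    snprintf(out->kite,   sizeof out->kite,   "%s", *p_kite  ? *p_kite  : "");
    snprintf(out->secret, sizeof out->secret, "%s", p_secret ? p_secret : "");
    free(copy);                              /* p_proto / p_kite now dangle */
}

/* Buggy shape (the kind of check the PR replaced): the final checks read the
 * dangling pointers. Only run this under -fsanitize=address, which reports
 * the heap-use-after-free; on a busy multithreaded process the freed block
 * may already be reused, which is what makes the crash timing-dependent. */
int kite_is_valid_unsafe(const char *line, kite_fields *out)
{
    const char *p_proto, *p_kite;
    split_into_copies(line, out, &p_proto, &p_kite);
    return p_proto && p_kite && p_proto[0] != '\0' && p_kite[0] != '\0';
}

/* Fixed shape: the same checks on the safe copies held in `out`. */
int kite_is_valid(const char *line, kite_fields *out)
{
    const char *p_proto, *p_kite;
    split_into_copies(line, out, &p_proto, &p_kite);
    return out->proto[0] != '\0' && out->kite[0] != '\0';
}

int main(void)
{
    kite_fields f;
    printf("%d\n", kite_is_valid("http:foo.pagekite.me:secret", &f)); /* 1 */
    return 0;
}
```

Building with `-fsanitize=address` and calling kite_is_valid_unsafe() is the quickest way to confirm the dangling read, which an unsanitised build may or may not turn into a SIGSEGV.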