Ubuntu
net-snmp package

Merge ~ahasenack/ubuntu/+source/net-snmp:focal-snmp-double-free-2012926 into ubuntu/+source/net-snmp:ubuntu/focal-devel

  1. Git
  2. lp:~ahasenack/ubuntu/+source/net-snmp
  3. focal-snmp-double-free-2012926
  4. Merge into ubuntu/focal-devel
Proposed by Andreas Hasenack
Status: Merged
Approved by: git-ubuntu bot
Approved revision: not available
Merged at revision: c9c7d7288ea02d39599a07ae48565d6da1d9530f
Proposed branch: ~ahasenack/ubuntu/+source/net-snmp:focal-snmp-double-free-2012926
Merge into: ubuntu/+source/net-snmp:ubuntu/focal-devel
Diff against target: 207 lines (+167/-0)
6 files modified
debian/changelog (+14/-0)
debian/patches/double-free-agentx_got_response.patch (+36/-0)
debian/patches/double-free-delegated-cache.patch (+33/-0)
debian/patches/double-free-failed-transport.patch (+40/-0)
debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch (+40/-0)
debian/patches/series (+4/-0)
Reviewer Review Type Date Requested Status
git-ubuntu bot Approve
Sergio Durigan Junior (community) Approve
Canonical Server Reporter Pending
Review via email: mp+445445@code.launchpad.net

Description of the change

Multiple double free fixes for net-snmp in focal.

The easiest and most reliable way to reproduce the snmpd crash was to use a custom agentx subagent in python and inject an artificial delay just over the snmpd agentx timeout of 1s.

Testing instructions are in the bug.

PPA: https://launchpad.net/~ahasenack/+archive/ubuntu/net-snmp-double-free/

The DEP8 test is trivial/superficial, I ran it once but didn't bother in keeping it up-to-date with my PPA iterations.

To post a comment you must log in.
Revision history for this message
Sergio Durigan Junior (sergiodj) wrote :

Thanks, Andreas.

Package builds fine. dep8 is too superficial to be considered useful here, as you said. I verified each patch, did some investigation to make sure that they are minimally correct, and everything seems OK. As you said, there are other commits fixing double frees in the repository, but they're unrelated to agentx.

A small comment about the PPA: you did not enable all architectures there. I really think it's useful to at least make sure nothing strange happens when building on other arches, especially if it's an SRU like this one.

So, in a nutshell: LGTM assuming that the package builds fine on all supported architectures. +1

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Agreed wrt ppa, enabled the remaining arches and triggered a rebuild.

Revision history for this message
git-ubuntu bot (git-ubuntu-bot) wrote :

Approvers: ahasenack, sergiodj
Uploaders: ahasenack, sergiodj
MP auto-approved

review: Approve
Revision history for this message
Andreas Hasenack (ahasenack) wrote :

Builds in other arches are green, (superficial) tests are also green. Uploading:

Uploading net-snmp_5.8+dfsg-2ubuntu2.8.dsc
Uploading net-snmp_5.8+dfsg-2ubuntu2.8.debian.tar.xz
Uploading net-snmp_5.8+dfsg-2ubuntu2.8_source.buildinfo
Uploading net-snmp_5.8+dfsg-2ubuntu2.8_source.changes

Preview Diff

[H/L] Next/Prev Comment, [J/K] Next/Prev File, [N/P] Next/Prev Hunk
1diff --git a/debian/changelog b/debian/changelog
2index f02c42c..8640dcd 100644
3--- a/debian/changelog
4+++ b/debian/changelog
5@@ -1,3 +1,17 @@
6+net-snmp (5.8+dfsg-2ubuntu2.8) focal; urgency=medium
7+
8+ * Fix multiple double free() bugs (LP: #2012926):
9+ - d/p/double-free-agentx_got_response.patch: fix double free of
10+ delegated cache in agentx_got_response()
11+ - d/p/double-free-failed-transport.patch: fix use-after-free in
12+ agentx when the transport fails
13+ - d/p/double-free-delegated-cache.patch: fix double free in the
14+ delegated cache
15+ - d/p/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch: fix
16+ double free when NETSNMP_CALLBACK_OP_RESEND is set to the callback
17+
18+ -- Andreas Hasenack <andreas@canonical.com> Fri, 16 Jun 2023 17:04:58 -0300
19+
20 net-snmp (5.8+dfsg-2ubuntu2.7) focal; urgency=medium
21
22 * Fix snmptrapd reconnection issue after hitting MySQL wait_timeout
23diff --git a/debian/patches/double-free-agentx_got_response.patch b/debian/patches/double-free-agentx_got_response.patch
24new file mode 100644
25index 0000000..4ec5005
26--- /dev/null
27+++ b/debian/patches/double-free-agentx_got_response.patch
28@@ -0,0 +1,36 @@
29+commit 33f8e2e1d63ad5932ade885ffbff379cab1e50bd
30+Author: Shogo Matsumoto <shogo.matsumoto@jp.fujitsu.com>
31+Date: Tue May 7 09:41:13 2019 +0900
32+
33+ agent/mibgroup/agentx: Fix double free of delegated cache in agentx_got_response()
34+
35+ If snmpd receives a response from subagent immediately after the agentx
36+ session closed, agentx_got_response() frees delegated cache twice.
37+
38+ This patch changes return value of "response too late on session"
39+ in agentx_got_response function to make the caller of this function
40+ remove the request in order to prevent double free.
41+
42+ See also https://sourceforge.net/p/net-snmp/patches/1392/.
43+
44+ Signed-off-by: Shogo Matsumoto <shogo.matsumoto@jp.fujitsu.com>
45+ [ bvanassche: added patch tracker URL ]
46+
47+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/33f8e2e1d63ad5932ade885ffbff379cab1e50bd
48+Bug: https://sourceforge.net/p/net-snmp/bugs/2943/
49+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926
50+Applied-Upstream: v5.8.1.pre1
51+Last-Update: 2023-06-16
52+diff --git a/agent/mibgroup/agentx/master.c b/agent/mibgroup/agentx/master.c
53+index b7a51dfef1..93d562122c 100644
54+--- a/agent/mibgroup/agentx/master.c
55++++ b/agent/mibgroup/agentx/master.c
56+@@ -221,7 +221,7 @@ agentx_got_response(int operation,
57+ /* response is too late, free the cache */
58+ if (magic)
59+ netsnmp_free_delegated_cache((netsnmp_delegated_cache*) magic);
60+- return 0;
61++ return 1;
62+ }
63+ requests = cache->requests;
64+
65diff --git a/debian/patches/double-free-delegated-cache.patch b/debian/patches/double-free-delegated-cache.patch
66new file mode 100644
67index 0000000..00595a7
68--- /dev/null
69+++ b/debian/patches/double-free-delegated-cache.patch
70@@ -0,0 +1,33 @@
71+commit f3e80746fde826cf4665fb959bda78cce061c883
72+Author: Bart Van Assche <bvanassche@acm.org>
73+Date: Mon Aug 5 20:15:37 2019 -0700
74+
75+ AgentX: Fix a use-after-free
76+
77+ When calling snmp_async_send(), the callback function is called whether or
78+ not sending succeeds. Since the agentx_got_response() callback function
79+ frees the cache unconditionally, calling netsnmp_free_delegated_cache()
80+ explicitly after snmp_async_send() is wrong.
81+
82+ See also https://sourceforge.net/p/net-snmp/bugs/2943/.
83+
84+ Fixes: f9304c83f762 ("CHANGES: PATCH 1633670: fixed snmpd crashing when an AgentX subagent disconnect in the middle of processing of a request.") # v5.8.
85+
86+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/f3e80746fde826cf4665fb959bda78cce061c883
87+Bug: https://sourceforge.net/p/net-snmp/bugs/2943/
88+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926
89+Applied-Upstream: v5.8.1.pre1
90+Last-Update: 2023-06-16
91+diff --git a/agent/mibgroup/agentx/master.c b/agent/mibgroup/agentx/master.c
92+index e3ff8aecb3..a9c29da783 100644
93+--- a/agent/mibgroup/agentx/master.c
94++++ b/agent/mibgroup/agentx/master.c
95+@@ -616,8 +616,6 @@ agentx_master_handler(netsnmp_mib_handler *handler,
96+ result = snmp_async_send(ax_session, pdu, agentx_got_response, cb_data);
97+ if (result == 0) {
98+ snmp_free_pdu(pdu);
99+- if (cb_data)
100+- netsnmp_free_delegated_cache((netsnmp_delegated_cache*) cb_data);
101+ }
102+
103+ return SNMP_ERR_NOERROR;
104diff --git a/debian/patches/double-free-failed-transport.patch b/debian/patches/double-free-failed-transport.patch
105new file mode 100644
106index 0000000..0804963
107--- /dev/null
108+++ b/debian/patches/double-free-failed-transport.patch
109@@ -0,0 +1,40 @@
110+commit d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
111+Author: Bart Van Assche <bvanassche@acm.org>
112+Date: Thu May 16 13:48:03 2019 +0200
113+
114+ AgentX: Fix two use-after-free issues
115+
116+ snmp_add_full() frees the transport if it fails. This was detected by Coverity.
117+
118+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/d73ebccfe45be49f70ab0a3f5dd298db78c99f6d
119+Bug: https://sourceforge.net/p/net-snmp/bugs/2943/
120+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926
121+Applied-Upstream: v5.8.1.pre1
122+Last-Update: 2023-06-16
123+diff --git a/agent/mibgroup/agentx/master.c b/agent/mibgroup/agentx/master.c
124+index 93d562122c..e3ff8aecb3 100644
125+--- a/agent/mibgroup/agentx/master.c
126++++ b/agent/mibgroup/agentx/master.c
127+@@ -185,6 +185,9 @@ real_init_master(void)
128+ session =
129+ snmp_add_full(&sess, t, NULL, agentx_parse, NULL, NULL,
130+ agentx_realloc_build, agentx_check_packet, NULL);
131++ /* snmp_add_full() frees 't' upon failure. */
132++ if (!session)
133++ t = NULL;
134+ }
135+ if (session == NULL) {
136+ netsnmp_transport_free(t);
137+diff --git a/agent/mibgroup/agentx/subagent.c b/agent/mibgroup/agentx/subagent.c
138+index cf0bf62cf7..c11f56dd46 100644
139+--- a/agent/mibgroup/agentx/subagent.c
140++++ b/agent/mibgroup/agentx/subagent.c
141+@@ -870,6 +870,8 @@ subagent_open_master_session(void)
142+ agentx_realloc_build, agentx_check_packet, NULL);
143+
144+ if (main_session == NULL) {
145++ /* snmp_add_full() frees 't' upon failure. */
146++ t = NULL;
147+ if (!netsnmp_ds_get_boolean(NETSNMP_DS_APPLICATION_ID,
148+ NETSNMP_DS_AGENT_NO_CONNECTION_WARNINGS)) {
149+ char buf[1024];
150diff --git a/debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch b/debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch
151new file mode 100644
152index 0000000..212ad26
153--- /dev/null
154+++ b/debian/patches/double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch
155@@ -0,0 +1,40 @@
156+commit 7f88b06bf0f4140bc03cabacd35eaeffdf21d722
157+Author: Anders Wallin <wallinux@gmail.com>
158+Date: Sun Apr 7 18:31:16 2019 -0400
159+
160+ agentx/master: Return when NETSNMP_CALLBACK_OP_RESEND is set to the callback
161+
162+ snmpd is terminated abnormally due to the double free for the
163+ request cache after the request is resend.
164+
165+ That is because the callback for NETSNMP_CALLBACK_OP_RESEND isn't
166+ cared and the cache is freed wrongly.
167+
168+ Let's just return if NETSNMP_CALLBACK_OP_RESEND is set on the
169+ callback.
170+
171+ Fixes: b7b50bbac ("snmp_send callback updates")
172+
173+ Signed-off-by: Anders Wallin <wallinux@gmail.com>
174+
175+Origin: upstream, https://github.com/net-snmp/net-snmp/commit/7f88b06bf0f4140bc03cabacd35eaeffdf21d722
176+Bug: https://sourceforge.net/p/net-snmp/bugs/2943/
177+Bug-Ubuntu: https://bugs.launchpad.net/ubuntu/+source/net-snmp/+bug/2012926
178+Applied-Upstream: v5.8.1.pre1
179+Last-Update: 2023-06-16
180+diff --git a/agent/mibgroup/agentx/master.c b/agent/mibgroup/agentx/master.c
181+index 99c4123ed3..b7a51dfef1 100644
182+--- a/agent/mibgroup/agentx/master.c
183++++ b/agent/mibgroup/agentx/master.c
184+@@ -280,6 +280,11 @@ agentx_got_response(int operation,
185+ netsnmp_free_delegated_cache(cache);
186+ return 0;
187+
188++ case NETSNMP_CALLBACK_OP_RESEND:
189++ DEBUGMSGTL(("agentx/master", "resend on session %8p req=0x%x\n",
190++ session, (unsigned)reqid));
191++ return 0;
192++
193+ case NETSNMP_CALLBACK_OP_RECEIVED_MESSAGE:
194+ /*
195+ * This session is alive
196diff --git a/debian/patches/series b/debian/patches/series
197index f4992f8..80ccd38 100644
198--- a/debian/patches/series
199+++ b/debian/patches/series
200@@ -53,3 +53,7 @@ CVE-2022-4479x-2.patch
201 CVE-2022-4479x-3.patch
202 snmptrapd-mysql-reconnection-after-hitting-wait_timeout.patch
203 snmptrapd-mysql-fix-build-error.patch
204+double-free-agentx_got_response.patch
205+double-free-failed-transport.patch
206+double-free-delegated-cache.patch
207+double-free-when-NETSNMP_CALLBACK_OP_RESEND-is-set.patch

Subscribers

People subscribed via source and target branches