machine: fix use-after-free in Rename() DBus method

Fixes a bug introduced by 1ddb263d21099ae42195c2bc382bdf72a7f24f82.

Note, this requires the previous two commits, and cannot backport without them.

Note, before the previous commit, the use-after-free could be triggered
only by Rename() DBus method, and could not by RenameImage(), as we did not
cache Image object when RenameImage() method is called. And machinectl
always uses RenameImage(). Hence, the issue could be triggered only when
Rename() DBus method is explicitly called by e.g. busctl.

With the previous commit, the Image object passed to the function is
always cached. Hence, the issue could be triggered even with machinectl
command, and this fix is important.

diff --git a/src/machine/image-dbus.c b/src/machine/image-dbus.c
index 801ecd419a1a4f21c8b9fe5adafd2a9c3a003c9d..d8068cdfcd4c992b84509b5ccb3fa9639c2e6a93 100644 (file)
--- a/src/machine/image-dbus.c
+++ b/src/machine/image-dbus.c
@@ -127,9 +127,17 @@ int bus_image_method_rename(
         if (r == 0)
                 return 1; /* Will call us back */
 
+        /* The image is cached with its name, hence it is necessary to remove from the cache before renaming. */
+        assert_se(hashmap_remove_value(m->image_cache, image->name, image));
+
         r = image_rename(image, new_name);
-        if (r < 0)
+        if (r < 0) {
+                image_unref(image);
                 return r;
+        }
+
+        /* Then save the object again in the cache. */
+        assert_se(hashmap_put(m->image_cache, image->name, image) > 0);
 
         return sd_bus_reply_method_return(message, NULL);
 }