BUG/MEDIUM: hlua/cli: fix cli applet UAF in hlua_applet_wakeup()

Recent commit e5e36ce09 ("BUG/MEDIUM: hlua/cli: Fix lua CLI commands
to work with applet's buffers") revealed a bug in hlua cli applet handling

Indeed, playing with Willy's lua tetris script on the cli, a segfault
would be encountered when forcefully closing the session by sending a
CTRL+C on the terminal.

In fact the crash was caused by a UAF: while the cli applet was already
freed, the lua task responsible for waking it up would still point to it.
Thus hlua_applet_wakeup() could be called even if the applet didn't exist
anymore.

To fix the issue, in hlua_cli_io_release_fct() we must also free the hlua
task linked to the applet, like we already do for
hlua_applet_tcp_release() and hlua_applet_http_release().

While this bug exists on stable versions (where it should be backported
too for precaution), it only seems to be triggered starting with 3.0.

diff --git a/src/hlua.c b/src/hlua.c
index 6d5074e2c49a4866247a14c8a71d638cbf8bdb3f..b9fee5f3c6d04239785e4338fcf626d60b283659 100644 (file)
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -11880,6 +11880,8 @@ static void hlua_cli_io_release_fct(struct appctx *appctx)
 {
        struct hlua_cli_ctx *ctx = appctx->svcctx;
 
+       task_destroy(ctx->task);
+       ctx->task = NULL;
        hlua_ctx_destroy(ctx->hlua);
        ctx->hlua = NULL;
 }