From: Aurelien DARRAGON
Date: Mon, 4 Mar 2024 08:39:58 +0000 (+0100)
Subject: BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load
X-Git-Tag: v3.0-dev5~35
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=957852409177efb36171f718ffef2be0fd919588;p=thirdparty%2Fhaproxy.git

BUG/MINOR: hlua: fix possible crash in hlua_filter_new() under load

hlua_filter_new() handles memory allocation errors by jumping to the "end:" cleanup label in case of errors. Such errors may happen when the system is heavily loaded for instance.

In hlua_filter_new(), we try to allocate two hlua contexts in a row before checking if one of them failed (in which case we jump to the cleanup part of the function), and only then we initialize them both.

If a memory allocation failure happens for only one out of the two flt_ctx->hlua[] contexts pair, we still jump to the cleanup part. It means that the hlua context that was successfully allocated and wasn't initialized yet will be passed to hlua_ctx_destroy(), resulting in invalid reads in the cleanup function, which may ultimately cause the process to crash.

To fix the issue: we make sure flt_ctx hlua contexts are initialized right after they are allocated, that is before any error handling condition that may force the cleanup.

This bug was discovered when trying to reproduce GH #2467 with haproxy started with "-dMfail" argument.

It should be backported up to 2.6.
---

diff --git a/src/hlua.c b/src/hlua.c
index fa0461186a..6c7a879134 100644
--- a/src/hlua.c
+++ b/src/hlua.c
@@ -11848,16 +11848,18 @@ static int hlua_filter_new(struct stream *s, struct filter *filter) ret = 0; goto end; } - flt_ctx->hlua[0] = pool_alloc(pool_head_hlua); - flt_ctx->hlua[1] = pool_alloc(pool_head_hlua); + + if ((flt_ctx->hlua[0] = pool_alloc(pool_head_hlua))) + HLUA_INIT(flt_ctx->hlua[0]); + if ((flt_ctx->hlua[1] = pool_alloc(pool_head_hlua))) + HLUA_INIT(flt_ctx->hlua[1]); if (!flt_ctx->hlua[0] || !flt_ctx->hlua[1]) { SEND_ERR(s->be, "Lua filter '%s': can't initialize filter Lua context.\n", conf->reg->name); ret = 0; goto end; } - HLUA_INIT(flt_ctx->hlua[0]); - HLUA_INIT(flt_ctx->hlua[1]); + if (!hlua_ctx_init(flt_ctx->hlua[0], reg_flt_to_stack_id(conf->reg), s->task) || !hlua_ctx_init(flt_ctx->hlua[1], reg_flt_to_stack_id(conf->reg), s->task)) { SEND_ERR(s->be, "Lua filter '%s': can't initialize filter Lua context.\n",
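Review bot: the `end:` cleanup this relies on is outside the hunk, and after the change a context that has had HLUA_INIT() but not hlua_ctx_init() can still reach it: when one pool_alloc(pool_head_hlua) fails the other context is HLUA_INIT()'d only, and when hlua_ctx_init(flt_ctx->hlua[0], ...) fails, flt_ctx->hlua[1] has not been hlua_ctx_init()'d either, so the fix rests on hlua_ctx_destroy() being safe on an HLUA_INIT()-only context. That matches what the commit message says, but a one-line comment above the two new `if ((flt_ctx->hlua[N] = pool_alloc(pool_head_hlua)))` lines explaining that the init must stay glued to the allocation would keep a later refactor from reintroducing the gap. Minor: the SEND_ERR in the `if (!flt_ctx->hlua[0] || !flt_ctx->hlua[1])` branch still reads "can't initialize filter Lua context" for what is an allocation failure, the same text as the hlua_ctx_init() branch right below it; a distinct message would make -dMfail reports easier to tell apart.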
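Added example, not HAProxy code: a small C model of the allocate/initialise/cleanup ordering described in the commit message, driven by a fault-injecting allocator in the spirit of the -dMfail run that found the bug. `struct ctx`, `pool_alloc_ctx()`, `ctx_init()`, `ctx_destroy()`, `filter_new_buggy()` and `filter_new_fixed()` are hypothetical stand-ins for the hlua pool, HLUA_INIT() and hlua_ctx_destroy(); instead of crashing, the model's destroy reports when it is handed a context that was allocated but never initialised, so the pre-fix and post-fix orderings can be compared under the same injected failure.

```c
/* Added example, not HAProxy code. Hypothetical names throughout; the
 * failure-injecting allocator mimics what -dMfail does to pool_alloc(). */
#include <stdlib.h>
#include <string.h>

#define CTX_MAGIC 0x48554c41u   /* set by ctx_init(), the analogue of HLUA_INIT() */

struct ctx {
    unsigned magic;             /* CTX_MAGIC once initialised, stale garbage otherwise */
    void    *resource;          /* freed by ctx_destroy(); only meaningful after ctx_init() */
};

/* Fault injection: the fail_at-th call (1-based) to pool_alloc_ctx() returns NULL; 0 = never. */
static int alloc_calls;
static int fail_at;

static struct ctx *pool_alloc_ctx(void)
{
    struct ctx *c;

    alloc_calls++;
    if (fail_at && alloc_calls == fail_at)
        return NULL;
    c = malloc(sizeof(*c));
    if (c)
        memset(c, 0xA5, sizeof(*c)); /* recycled pool entry: contents are stale, not zero */
    return c;
}

/* Cheap init that makes the object safe to hand to ctx_destroy(). */
static void ctx_init(struct ctx *c)
{
    c->magic = CTX_MAGIC;
    c->resource = NULL;
}

/* Analogue of hlua_ctx_destroy(): 0 for NULL or an initialised context, -1 when
 * given an uninitialised one (the real code would read a stale pointer here). */
static int ctx_destroy(struct ctx *c)
{
    if (!c)
        return 0;
    if (c->magic != CTX_MAGIC) {
        free(c);                /* never touch c->resource: it is garbage */
        return -1;
    }
    free(c->resource);
    free(c);
    return 0;
}

/* Pre-fix ordering: allocate both, check both, then initialise both.
 * Returns how many uninitialised contexts reached the cleanup label. */
static int filter_new_buggy(int inject_fail_at)
{
    struct ctx *h[2] = { NULL, NULL };
    int bad = 0;

    alloc_calls = 0;
    fail_at = inject_fail_at;
    h[0] = pool_alloc_ctx();
    h[1] = pool_alloc_ctx();
    if (!h[0] || !h[1])
        goto end;               /* the surviving context is still uninitialised */
    ctx_init(h[0]);
    ctx_init(h[1]);
end:
    bad += ctx_destroy(h[0]) < 0;
    bad += ctx_destroy(h[1]) < 0;
    return bad;
}

/* Post-fix ordering: initialise each context as soon as it is allocated, so
 * whatever reaches `end:` is either NULL or safe to destroy. */
static int filter_new_fixed(int inject_fail_at)
{
    struct ctx *h[2] = { NULL, NULL };
    int bad = 0;

    alloc_calls = 0;
    fail_at = inject_fail_at;
    if ((h[0] = pool_alloc_ctx()))
        ctx_init(h[0]);
    if ((h[1] = pool_alloc_ctx()))
        ctx_init(h[1]);
    if (!h[0] || !h[1])
        goto end;
    /* the heavier per-stream setup (hlua_ctx_init() in haproxy) would follow here */
end:
    bad += ctx_destroy(h[0]) < 0;
    bad += ctx_destroy(h[1]) < 0;
    return bad;
}

int main(void)
{
    /* Fail the second allocation only: the buggy ordering destroys an
     * uninitialised h[0]; the fixed ordering destroys nothing unsafe. */
    return (filter_new_buggy(2) == 1 && filter_new_fixed(2) == 0) ? 0 : 1;
}
```

Running the two orderings through every injection point (no failure, first allocation, second allocation) is what a -dMfail style test does at scale; the model only flags the unsafe destroy instead of faulting, which is what makes the comparison assertable.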