From: Kai Lüke Date: Fri, 24 Apr 2026 16:49:09 +0000 (+0900) Subject: machine-register: don't unref borrowed varlink reply X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F41813%2Fhead;p=thirdparty%2Fsystemd.git machine-register: don't unref borrowed varlink reply ASAN showed a use-after-free error for systemd-vmspawn's machine_register call because the reply got accessed and freed again through _cleanup. The same problem exists in two verb_machine_control_one/unregister_machine. Fix these call sites to not set up _cleanup. --- diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c index e8a30a89592..ae5473aa99d 100644 --- a/src/machine/machinectl.c +++ b/src/machine/machinectl.c @@ -1242,7 +1242,7 @@ static int verb_machine_control_one(const char *machine_name, const char *method if (r < 0) return log_error_errno(r, "Failed to connect to machine control socket: %m"); - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_call(vl, method, /* parameters= */ NULL, &reply, &error_id); if (r < 0) diff --git a/src/shared/machine-register.c b/src/shared/machine-register.c index a161d1b0508..9637793fe54 100644 --- a/src/shared/machine-register.c +++ b/src/shared/machine-register.c @@ -170,8 +170,7 @@ int register_machine( } if (r < 0) return log_debug_errno(r, "Failed to connect to machined on %s: %m", strna(p)); - - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_callbo( vl, @@ -306,7 +305,7 @@ int unregister_machine(sd_bus *bus, const char *machine_name, RuntimeScope scope if (r >= 0) r = sd_varlink_connect_address(&vl, p); if (r >= 0) { - _cleanup_(sd_json_variant_unrefp) sd_json_variant *reply = NULL; + sd_json_variant *reply = NULL; const char *error_id = NULL; r = sd_varlink_callbo( vl,