From: Luca Boccassi <bluca@debian.org>
Date: Thu, 19 Oct 2023 11:24:19 +0000 (+0100)
Subject: executor: fix double free of MountOptions
X-Git-Tag: v255-rc1~202
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9dc6a6af28d93f7bf5e0c07cccb34d41bb265b32;p=thirdparty%2Fsystemd.git

executor: fix double free of MountOptions

This list is owned by ExecContext, which is cleaned up when sd-executor
fails, but it is also cleaned up when namespace setup exits, so we get
a double free.

Fixes https://github.com/systemd/systemd/issues/29610

Follow-up for bb5232b6a3
---

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 273eb962b53..7161ac64060 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -97,7 +97,7 @@ typedef struct MountEntry {
         char *options_malloc;
         unsigned long flags;      /* Mount flags used by EMPTY_DIR and TMPFS. Do not include MS_RDONLY here, but please use read_only. */
         unsigned n_followed;
-        LIST_HEAD(MountOptions, image_options);
+        LIST_HEAD(MountOptions, image_options_const);
 } MountEntry;
 
 typedef struct MountList {
@@ -327,7 +327,6 @@ static void mount_entry_done(MountEntry *p) {
         p->unprefixed_path_malloc = mfree(p->unprefixed_path_malloc);
         p->source_malloc = mfree(p->source_malloc);
         p->options_malloc = mfree(p->options_malloc);
-        p->image_options = mount_options_free_all(p->image_options);
 }
 
 static void mount_list_done(MountList *ml) {
@@ -445,7 +444,7 @@ static int append_mount_images(MountList *ml, const MountImage *mount_images, si
                         .path_const = m->destination,
                         .mode = MOUNT_IMAGES,
                         .source_const = m->source,
-                        .image_options = m->mount_options,
+                        .image_options_const = m->mount_options,
                         .ignore = m->ignore_enoent,
                 };
         }
@@ -523,7 +522,7 @@ static int append_extensions(
 
                 *me = (MountEntry) {
                         .path_malloc = TAKE_PTR(mount_point),
-                        .image_options = m->mount_options,
+                        .image_options_const = m->mount_options,
                         .ignore = m->ignore_enoent,
                         .source_const = m->source,
                         .mode = EXTENSION_IMAGES,
@@ -1350,7 +1349,7 @@ static int mount_image(
                         /* src_fd= */ -1,
                         mount_entry_source(m),
                         mount_entry_path(m),
-                        m->image_options,
+                        m->image_options_const,
                         image_policy,
                         host_os_release_id,
                         host_os_release_version_id,