Bug 2005790

Summary: Backport upstream PR #20670
Product: Red Hat Enterprise Linux 8
Reporter: Michal Sekletar <msekleta>
Component: systemd
Assignee: Michal Sekletar <msekleta>
Status: CLOSED DUPLICATE
QA Contact: Frantisek Sumsal <fsumsal>
Severity: medium
Priority: unspecified
Version: 8.4
CC: dtardon, systemd-maint-list
Target Milestone: rc
Keywords: Bugfix, Reproducer, Triaged
Target Release: ---
Flags: pm-rhel: mirror+
Hardware: All
OS: Linux
Last Closed: 2022-06-01 08:25:03 UTC
Type: Bug
Attachments: Reproducer (flags: none)

Description Michal Sekletar 2021-09-20 07:45:36 UTC
Description of problem:
We should backport the fix addressed in #20670 in order to prevent potential use-after-free bugs.


Version-Release number of selected component (if applicable):
systemd-239-45.el8

How reproducible:
unknown

Steps to Reproduce:
1. There are no clear steps to trigger this issue in the systemd (as in service manager) context, but it should be possible to write a synthetic reproducer in C that would use the sd-event APIs in a way that triggers the bug.

Actual results:
Use after free of sd-event object.

Expected results:
The reference count for sd-event is not dropped to 0 by a user-provided callback and the main sd-event loop object is not freed prematurely.

Additional info:
https://github.com/systemd/systemd/pull/20670

Comment 2 Michal Sekletar 2021-09-20 08:56:35 UTC
Created attachment 1824565
Reproducer

This short C program demonstrates the problem. Compile it and run it under valgrind to see the errors reported when run against an unpatched version of libsystemd.

gcc -ggdb3 -O0 -o bz2005790 bz2005790.c -lsystemd
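
The expected behaviour stated in the description (a user-provided callback cannot drop the loop's reference count to 0 while the loop is still dispatching), shown on a toy refcounted loop. This is an added example, not the attached reproducer and not libsystemd code; every type and function name in it is hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Toy refcounted event loop. A model for illustration, NOT libsystemd code;
 * every name here is hypothetical. */
typedef struct loop loop;
struct loop {
    unsigned n_ref;
    void (*cb)(loop *l);   /* user-provided handler */
    int dispatched;        /* bookkeeping the loop updates after the handler */
};
static int freed_count;    /* instrumentation: number of loops freed so far */

static loop *loop_new(void (*cb)(loop *)) {
    loop *l = calloc(1, sizeof *l);
    if (l) { l->n_ref = 1; l->cb = cb; }
    return l;
}
static loop *loop_ref(loop *l) { l->n_ref++; return l; }
static loop *loop_unref(loop *l) {
    if (l && --l->n_ref == 0) { freed_count++; free(l); }
    return NULL;
}

/* Handler that drops the caller's only reference from inside the callback. */
static void drop_last_ref(loop *l) { loop_unref(l); }

/* Dispatch one event. The loop pins itself first, so the handler cannot take
 * n_ref to 0. Without the loop_ref() line, the l->dispatched update below
 * would write to freed memory (valgrind reports it as an invalid write). */
static int loop_dispatch(loop *l) {
    int freed_before = freed_count;
    loop_ref(l);                              /* pin for the whole dispatch */
    l->cb(l);                                 /* may drop the user's reference */
    int alive = (freed_count == freed_before);
    int n = alive ? ++l->dispatched : -1;     /* touched only while pinned */
    loop_unref(l);                            /* unpin; the last ref frees here */
    return n;
}

/* Returns the dispatch count, or -1 if the handler managed to free the loop. */
int demo_handler_drops_ref(void) {
    loop *l = loop_new(drop_last_ref);
    return l ? loop_dispatch(l) : -1;
}

int main(void) {
    int r = demo_handler_drops_ref();
    printf("dispatch=%d freed=%d\n", r, freed_count);
    return 0;
}
```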