proxy: Avoid invalid memory access when unloading proxy module

When loading and unloading p11-kit-proxy.so with pkcs11-tool, it
accesses already free'd memory area:

$ valgrind pkcs11-tool --module p11-kit-proxy.so -L
==25173== Invalid read of size 8
==25173==    at 0x64BF493: p11_proxy_module_cleanup (proxy.c:1724)
==25173==    by 0x64BD028: _p11_kit_fini (proxy-init.c:65)
==25173==    by 0x401477C: _dl_close_worker (in /usr/lib64/ld-2.27.so)
==25173==    by 0x4014E1D: _dl_close (in /usr/lib64/ld-2.27.so)
==25173==    by 0x5E08C4E: _dl_catch_exception (in /usr/lib64/libc-2.27.so)
==25173==    by 0x5E08CDE: _dl_catch_error (in /usr/lib64/libc-2.27.so)
==25173==    by 0x58B1724: _dlerror_run (in /usr/lib64/libdl-2.27.so)
==25173==    by 0x58B1113: dlclose (in /usr/lib64/libdl-2.27.so)
==25173==    by 0x11E5A7: ??? (in /usr/bin/pkcs11-tool)
==25173==    by 0x110023: ??? (in /usr/bin/pkcs11-tool)
==25173==    by 0x5CF624A: (below main) (in /usr/lib64/libc-2.27.so)
==25173==  Address 0x61231c8 is 552 bytes inside a block of size 584 free'd
==25173==    at 0x4C2FDAC: free (vg_replace_malloc.c:530)
==25173==    by 0x6548492: p11_virtual_unwrap (virtual.c:2902)
==25173==    by 0x64BF492: p11_proxy_module_cleanup (proxy.c:1723)

diff --git a/p11-kit/proxy.c b/p11-kit/proxy.c
index 31b9bb22c15dc69952b2d658a3bfdcb283a95c28..b7fb63d9cac5f45be58196423ce37e73ffafa6dc 100644 (file)
--- a/p11-kit/proxy.c
+++ b/p11-kit/proxy.c
@@ -1720,8 +1720,8 @@ p11_proxy_module_cleanup (void)
 
        for (; state != NULL; state = next) {
                next = state->next;
-               p11_virtual_unwrap (state->wrapped);
                p11_kit_modules_release (state->loaded);
+               p11_virtual_unwrap (state->wrapped);
        }
 }
 
@@ -1731,16 +1731,6 @@ p11_proxy_module_check (CK_FUNCTION_LIST_PTR module)
        return (module->C_WaitForSlotEvent == module_C_WaitForSlotEvent);
 }
 
-static void
-proxy_module_free (p11_virtual *virt)
-{
-       State *state = (State *)virt;
-
-       p11_virtual_unwrap (state->wrapped);
-       p11_kit_modules_release (state->loaded);
-       free (state);
-}
-
 CK_RV
 p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
                         CK_FUNCTION_LIST_PTR *modules)
@@ -1758,9 +1748,10 @@ p11_proxy_module_create (CK_FUNCTION_LIST_PTR *module,
        p11_virtual_init (&state->virt, &proxy_functions, state, NULL);
        state->last_handle = FIRST_HANDLE;
        state->loaded = modules_dup (modules);
-       state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)proxy_module_free);
+       state->wrapped = p11_virtual_wrap (&state->virt, (p11_destroyer)p11_virtual_uninit);
        if (state->wrapped == NULL) {
-               proxy_module_free (&state->virt);
+               p11_kit_modules_release (state->loaded);
+               free (state);
                return CKR_GENERAL_ERROR;
        }