fix possible access memory after free

For tasks created by clone_VM, they share the memory with parent,
so when parent frees the stack, children may still access to this
stack. so don't free stack when children is still using the stack.

Signed-off-by: Gao feng <[email protected]>

Author: gao-feng

src/exec.c

@@ -430,7 +430,6 @@ static int hyper_do_exec_cmd(void *data)
 
 		if (hyper_get_type(pipe[0], &type) < 0 || type != READY) {
 			fprintf(stderr, "hyper init doesn't get execcmd ready message\n");
-			hyper_send_type(arg->pipe[1], ERROR);
 			goto out;
 		}
 
@@ -461,13 +460,14 @@ static int hyper_do_exec_cmd(void *data)
 
 	ret = 0;
 exit:
+	close(pipe[0]);
+	close(pipe[1]);
 	hyper_send_type(pipe[1], ERROR);
 	_exit(ret);
-
 out:
-	hyper_send_type(arg->pipe[1], ret ? ERROR : READY);
 	close(pipe[0]);
 	close(pipe[1]);
+	hyper_send_type(arg->pipe[1], ret ? ERROR : READY);
 	_exit(ret);
 }
 
@@ -534,7 +534,6 @@ int hyper_exec_cmd(char *json, int length)
 
 	pid = clone(hyper_do_exec_cmd, stack + stacksize, CLONE_VM| CLONE_FILES| SIGCHLD, &arg);
 	fprintf(stdout, "do_exec_cmd pid %d\n", pid);
-	free(stack);
 	if (pid < 0) {
 		perror("clone hyper_do_exec_cmd failed");
 		goto close_tty;
@@ -550,6 +549,7 @@ int hyper_exec_cmd(char *json, int length)
 out:
 	close(arg.pipe[0]);
 	close(arg.pipe[1]);
+	free(stack);
 	return ret;
 close_tty:
 	close(exec->ptyfd);

src/init.c

@@ -402,13 +402,14 @@ static int hyper_container_stage0(void *data)
 
 	ret = hyper_start_container(c, utsns, ipcns, pod);
 out:
+	close(pidns);
+	close(utsns);
+	close(ipcns);
+
 	if (hyper_send_type(arg->ctl_pipe[1], ret ? ERROR : READY) < 0) {
 		fprintf(stderr, "container init send ready message failed\n");
 	}
 
-	close(pidns);
-	close(utsns);
-	close(ipcns);
 	/* hyper_container_stage0 shares fd table with init, let init closes pipe. */
 	//close(arg->ctl_pipe[0]);
 	//close(arg->ctl_pipe[1]);
@@ -440,7 +441,6 @@ int hyper_start_container_stage0(struct hyper_container *c, struct hyper_pod *po
 	}
 
 	pid = clone(hyper_container_stage0, stack + stacksize, CLONE_VM| CLONE_FILES| SIGCHLD, &arg);
-	free(stack);
 	if (pid < 0) {
 		perror("enter container pid ns failed");
 		goto out;
@@ -464,6 +464,8 @@ int hyper_start_container_stage0(struct hyper_container *c, struct hyper_pod *po
 out:
 	close(arg.ctl_pipe[0]);
 	close(arg.ctl_pipe[1]);
+
+	free(stack);
 	return ret;
 }
 
@@ -916,7 +918,7 @@ static int hyper_do_cmd_read_file(void *data)
 	ret = 0;
 err:
 	hyper_send_type(arg->pipe[1], ret ? ERROR : READY);
-	return ret;
+	_exit(ret);
 }
 
 static int hyper_cmd_read_file(char *json, int length, uint32_t *datalen, uint8_t **data)
@@ -967,7 +969,6 @@ static int hyper_cmd_read_file(char *json, int length, uint32_t *datalen, uint8_
 	}
 
 	pid = clone(hyper_do_cmd_read_file, stack + stacksize, CLONE_VM| SIGCHLD, &arg);
-	free(stack);
 	if (pid < 0) {
 		perror("fail to fork writter process");
 		goto out;
@@ -984,6 +985,7 @@ static int hyper_cmd_read_file(char *json, int length, uint32_t *datalen, uint8_
 	close(arg.pipe[1]);
 	free(reader.id);
 	free(reader.file);
+	free(stack);
 
 	return ret;
 }