From 8bc76acc7c3665897a1b7e14574b379664f058d2 Mon Sep 17 00:00:00 2001
From: Robert Hensing
Date: Sun, 29 Aug 2021 18:55:38 +0200
Subject: [PATCH 1/2] Move vCallFlake into EvalState

This fixes a use-after-free bug:

1. s = new EvalState();
2. callFlake()
3. static vCallFlake now references s
4. delete s;
5. s2 = new EvalState();
6. callFlake()
7. static vCallFlake still references s
8. crash

Nix 2.3 did not have a problem with recreating EvalState.
---
 src/libexpr/eval.hh | 1 +
 src/libexpr/flake/flake.cc | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh
index 6f3474854..22b0a584b 100644
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -100,6 +100,7 @@ public:
     /* Store used to build stuff. */
     const ref buildStore;
 
+    RootValue vCallFlake = nullptr;
 
 private:
     SrcToStore srcToStore;
diff --git a/src/libexpr/flake/flake.cc b/src/libexpr/flake/flake.cc
index 9e00ff188..ee345bdbc 100644
--- a/src/libexpr/flake/flake.cc
+++ b/src/libexpr/flake/flake.cc
@@ -663,16 +663,14 @@ void callFlake(EvalState & state,
     mkString(*vRootSubdir, lockedFlake.flake.lockedRef.subdir);
 
-    static RootValue vCallFlake = nullptr;
-
-    if (!vCallFlake) {
-        vCallFlake = allocRootValue(state.allocValue());
+    if (!state.vCallFlake) {
+        state.vCallFlake = allocRootValue(state.allocValue());
         state.eval(state.parseExprFromString(
             #include "call-flake.nix.gen.hh"
-            , "/"), **vCallFlake);
+            , "/"), **state.vCallFlake);
     }
 
-    state.callFunction(**vCallFlake, *vLocks, *vTmp1, noPos);
+    state.callFunction(**state.vCallFlake, *vLocks, *vTmp1, noPos);
     state.callFunction(*vTmp1, *vRootSrc, *vTmp2, noPos);
     state.callFunction(*vTmp2, *vRootSubdir, vRes, noPos);
 }
 
From 8656b130ea6defe6a7ef04b564ff391caa64a450 Mon Sep 17 00:00:00 2001
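Review bot: `RootValue vCallFlake = nullptr;` is added to the `public:` section of EvalState with no comment saying what it caches or why it has to live on the evaluator; the same applies to `vImportedDrvToDerivation` in the eval.hh hunk of the second patch. The whole point of the move is the lifetime tie described in the commit message, so that belongs next to the member, e.g. `/* Lazily evaluated call-flake.nix function, cached per EvalState so it cannot outlive the evaluator (see callFlake in flake.cc). */`. Making the slots private would be tidier, but since callFlake and import are free functions in other translation units the public member is defensible; the comment is the minimum.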
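Review bot: The diffstat touches only eval.hh and flake.cc, so the eight-step reproduction in the commit message (create EvalState, callFlake, delete, recreate, callFlake) is not pinned by a regression test; a test that constructs two EvalState objects in sequence and calls callFlake on each would keep a function-local static from being reintroduced. Separately, `state.vCallFlake = allocRootValue(state.allocValue());` is stored before `state.eval(...)` has populated it, so if parsing or evaluating the embedded call-flake.nix throws, the member stays non-null and the next call skips initialisation and hands an unevaluated Value to `callFunction`; evaluating into a local first (`auto fun = allocRootValue(state.allocValue());`, eval into `**fun`, then `state.vCallFlake = fun;`) closes that window. The same ordering appears in the primops.cc hunk of the second patch. callFlake's body begins above this hunk.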
From: Robert Hensing
Date: Sun, 29 Aug 2021 19:31:52 +0200
Subject: [PATCH 2/2] Fix use after free with vImportedDrvToDerivation

---
 src/libexpr/eval.hh | 1 +
 src/libexpr/primops.cc | 11 +++++------
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/libexpr/eval.hh b/src/libexpr/eval.hh
index 22b0a584b..03dcfcf21 100644
--- a/src/libexpr/eval.hh
+++ b/src/libexpr/eval.hh
@@ -101,6 +101,7 @@ public:
     const ref buildStore;
 
     RootValue vCallFlake = nullptr;
+    RootValue vImportedDrvToDerivation = nullptr;
 
 private:
     SrcToStore srcToStore;
diff --git a/src/libexpr/primops.cc b/src/libexpr/primops.cc
index bfe41c9fa..0a4bce1d7 100644
--- a/src/libexpr/primops.cc
+++ b/src/libexpr/primops.cc
@@ -160,16 +160,15 @@ static void import(EvalState & state, const Pos & pos, Value & vPath, Value * vS
         }
         w.attrs->sort();
 
-        static RootValue fun;
-        if (!fun) {
-            fun = allocRootValue(state.allocValue());
+        if (!state.vImportedDrvToDerivation) {
+            state.vImportedDrvToDerivation = allocRootValue(state.allocValue());
             state.eval(state.parseExprFromString(
                 #include "imported-drv-to-derivation.nix.gen.hh"
-                , "/"), **fun);
+                , "/"), **state.vImportedDrvToDerivation);
         }
 
-        state.forceFunction(**fun, pos);
-        mkApp(v, **fun, w);
+        state.forceFunction(**state.vImportedDrvToDerivation, pos);
+        mkApp(v, **state.vImportedDrvToDerivation, w);
         state.forceAttrs(v, pos);
     }
 
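Review bot: The lazily-initialised RootValue member pattern now appears twice in identical shape, here and in callFlake in flake.cc, differing only in the member and the generated `.nix.gen.hh` string; two hand-maintained copies invite drift if the initialisation ever needs to change (for instance to evaluate before storing the slot). A small helper on EvalState along the lines of `Value & evalCached(RootValue & slot, const std::string & src)` that does the alloc/parse/eval once would reduce both call sites to a single line and keep any later hardening in one place. import's body begins above this hunk.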