From 869e74f46e1f176a3d68cc143158d830eb8580c8 Mon Sep 17 00:00:00 2001
From: Krzysztof Jackiewicz
Date: Mon, 17 Jun 2019 12:18:06 +0200
Subject: [PATCH] Fix uses after free starring c_str()

Change-Id: I94af1d2e129c23c1538076cb135a2c36fc1bab16
---
 server/engine/encryption/dmcrypt-engine.cpp | 3 ++-
 server/engine/encryption/ecryptfs-engine.cpp | 5 +++--
 server/external-encryption.cpp | 10 +++-------
 server/internal-encryption.cpp | 10 +++-------
 server/progress-bar.cpp | 20 ++++++++++++++++++--
 server/progress-bar.h | 6 +++---
 server/secure-erase.cpp | 5 +----
 server/server.cpp | 3 ++-
 8 files changed, 35 insertions(+), 27 deletions(-)

diff --git a/server/engine/encryption/dmcrypt-engine.cpp b/server/engine/encryption/dmcrypt-engine.cpp
index 358dbe7..f95dc67 100644
--- a/server/engine/encryption/dmcrypt-engine.cpp
+++ b/server/engine/encryption/dmcrypt-engine.cpp
@@ -157,11 +157,12 @@ const std::string createCryptoBlkDev(const std::string &realBlkDev,
 // Store cryptParams
 size_t cryptParamsSize = DM_MAX_BUFFER_SIZE - (cryptParams - dmBuf);
+ std::string keyHex = convertToHex(key);
 int ret = snprintf(cryptParams, cryptParamsSize, "%s %s 0 %s 0", cryptoTypeName.c_str(),
- convertToHex(key).c_str(),
+ keyHex.c_str(),
 realBlkDev.c_str());
 if (ret < 0) {
 throw runtime::Exception("snprintf() failed");
diff --git a/server/engine/encryption/ecryptfs-engine.cpp b/server/engine/encryption/ecryptfs-engine.cpp
index 18f3ba9..66ff753 100644
--- a/server/engine/encryption/ecryptfs-engine.cpp
+++ b/server/engine/encryption/ecryptfs-engine.cpp
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2015-2019 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
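Review bot: In the createCryptoBlkDev hunk of dmcrypt-engine.cpp, the new local `keyHex` holds a hex copy of the encryption key until the function returns, whereas the temporary it replaces was destroyed at the end of the snprintf statement. A temporary's c_str() stays valid until the end of the full expression, so the old call was most likely a static-analysis finding rather than a real use after free, and the change lengthens the time key material sits in memory. I would wipe the string right after the snprintf call, e.g. `explicit_bzero(&keyHex[0], keyHex.size());`, or confine it to a tight inner scope. Separately, the visible check `if (ret < 0)` does not catch truncation; `if (ret < 0 || (size_t)ret >= cryptParamsSize)` would, unless that is already handled below the hunk, which ends inside the function.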
@@ -286,8 +286,9 @@ void ecryptfsMount(const std::string &source, const std::string &destination, co
 for (int i = key.size(); i < ECRYPTFS_SIGNATURE_SIZE / 2; i++) {
 signature << (unsigned int) 0;
 }
+ std::string signatureStr = signature.str();
 ::memcpy((char *)payload.token.password.signature,
- signature.str().c_str(), ECRYPTFS_SIGNATURE_SIZE);
+ signatureStr.c_str(), ECRYPTFS_SIGNATURE_SIZE);
 if (KernelKeyRing::search(KEY_SPEC_USER_KEYRING, ECRYPTFS_AUTH_TOKEN_TYPE, (char *)payload.token.password.signature, 0) < 0) {
diff --git a/server/external-encryption.cpp b/server/external-encryption.cpp
index a58dd23..ccae537 100644
--- a/server/external-encryption.cpp
+++ b/server/external-encryption.cpp
@@ -204,13 +204,9 @@ ExternalEncryptionServer::ExternalEncryptionServer(ServerContext &srv,
 server.createNotification("ExternalEncryptionServer::mount");
- engine.reset(new EXTERNAL_ENGINE(
- EXTERNAL_PATH, EXTERNAL_PATH,
- ProgressBar([](unsigned v) {
- ::vconf_set_str(VCONFKEY_SDE_ENCRYPT_PROGRESS,
- std::to_string(v).c_str());
- })
- ));
+ engine.reset(new EXTERNAL_ENGINE(EXTERNAL_PATH,
+ EXTERNAL_PATH,
+ ProgressBar(VCONFKEY_SDE_ENCRYPT_PROGRESS)));
 externalAddEventReceiver();
 }
diff --git a/server/internal-encryption.cpp b/server/internal-encryption.cpp
index 901396a..20449e5 100644
--- a/server/internal-encryption.cpp
+++ b/server/internal-encryption.cpp
@@ -461,13 +461,9 @@ InternalEncryptionServer::InternalEncryptionServer(ServerContext& srv,
 }
 }
- engine.reset(new INTERNAL_ENGINE(
- source, INTERNAL_PATH,
- ProgressBar([](unsigned v) {
- ::vconf_set_str(VCONFKEY_ODE_ENCRYPT_PROGRESS,
- std::to_string(v).c_str());
- })
- ));
+ engine.reset(new INTERNAL_ENGINE(source,
+ INTERNAL_PATH,
+ ProgressBar(VCONFKEY_ODE_ENCRYPT_PROGRESS)));
 try {
 dbus::Connection &systemDBus = dbus::Connection::getSystem();
diff --git a/server/progress-bar.cpp b/server/progress-bar.cpp
index cc9ea47..ea5aa89 100644
--- a/server/progress-bar.cpp
+++ b/server/progress-bar.cpp
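Review bot: In the ecryptfsMount hunk of ecryptfs-engine.cpp, the memcpy still reads a fixed `ECRYPTFS_SIGNATURE_SIZE` bytes from `signatureStr` without checking that the string is that long. The padding loop above writes `(unsigned int) 0` once per missing byte, which may emit one character rather than two depending on stream formatting set outside the hunk, so a short key could leave the string shorter than the copy length and the read would run past its buffer. Now that the string has a name, a guard before the copy is cheap: `if (signatureStr.size() < ECRYPTFS_SIGNATURE_SIZE) throw runtime::Exception("signature too short");` (or whatever error path this file normally uses). The function starts and ends outside the hunk, so the stream setup cannot be confirmed from here.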
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -15,15 +15,31 @@
 */
 #include "progress-bar.h"
+#include
+#include
+#include "logger.h"
 namespace ode {
 ProgressBar::ProgressBar(UpdateFunc const &updater)
- : updater(updater), updateValue(0)
+ : updater(updater)
 {
 updater(0);
 }
+ProgressBar::ProgressBar(const char *vconfKey)
+{
+ assert(vconfKey != NULL);
+
+ updater = [vconfKey](unsigned v) {
+ std::string vStr = std::to_string(v);
+ int ret = ::vconf_set_str(vconfKey, vStr.c_str());
+ if (ret != 0)
+ ERROR(SINK, "vconf_set_str() failed with " << ret);
+ };
+ updater(0);
+}
+
 ProgressBar::~ProgressBar()
 {
 }
diff --git a/server/progress-bar.h b/server/progress-bar.h
index e28778a..716b827 100644
--- a/server/progress-bar.h
+++ b/server/progress-bar.h
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2017 Samsung Electronics Co., Ltd All Rights Reserved
+ * Copyright (c) 2017-2019 Samsung Electronics Co., Ltd All Rights Reserved
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -29,6 +29,7 @@ public:
 ProgressBar() = delete;
 explicit ProgressBar(UpdateFunc const &updater);
+ explicit ProgressBar(const char *vconfKey);
 ~ProgressBar();
 void update(unsigned value);
@@ -40,10 +41,9 @@ public:
 private:
 UpdateFunc updater;
- unsigned updateValue;
+ unsigned updateValue = 0;
 };
-
 template
 void ProgressBar::update(T count, T totalCount)
 {
diff --git a/server/secure-erase.cpp b/server/secure-erase.cpp
index 94a34f8..099b5d8 100644
--- a/server/secure-erase.cpp
+++ b/server/secure-erase.cpp
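Review bot: The new `ProgressBar(const char *vconfKey)` constructor in progress-bar.cpp captures the raw pointer in the stored `updater` lambda, so the object is only safe while the key's storage outlives it and every copy of it. The three call sites in this commit pass `VCONFKEY_*` macros, presumably string literals, but a caller passing `someString.c_str()` would reintroduce the dangling-pointer problem this commit sets out to remove. Copying the key lifts the constraint: `std::string key(vconfKey);` followed by `updater = [key](unsigned v) { ... ::vconf_set_str(key.c_str(), vStr.c_str()); ... };`. Also, `assert(vconfKey != NULL)` disappears in NDEBUG builds, so a null key would reach vconf_set_str() in release; throwing instead keeps the check. If the pointer capture stays, the declaration in progress-bar.h should carry a comment such as `// vconfKey must have static storage duration`.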
@@ -54,10 +54,7 @@ SecureEraseServer::SecureEraseServer(ServerContext &srv) :
 {
 server.expose(this, PRIVILEGE_PLATFORM, (int)(SecureEraseServer::clean)(std::string));
- engine.reset(new ERASE_ENGINE(ProgressBar([](unsigned v) {
- ::vconf_set_str(VCONFKEY_ODE_ERASE_PROGRESS, std::to_string(v).c_str());
- }))
- );
+ engine.reset(new ERASE_ENGINE(ProgressBar(VCONFKEY_ODE_ERASE_PROGRESS)));
 }
 SecureEraseServer::~SecureEraseServer()
diff --git a/server/server.cpp b/server/server.cpp
index 521e6f3..47a881f 100644
--- a/server/server.cpp
+++ b/server/server.cpp
@@ -147,8 +147,9 @@ bool ServerContext::checkPeerPrivilege(const rmi::Credentials& cred, const std::
 return false;
 }
+ std::string uid = std::to_string(cred.uid);
 if (::cynara_check(p_cynara, cred.security.c_str(), "",
- std::to_string(cred.uid).c_str(),
+ uid.c_str(),
 privilege.c_str()) != CYNARA_API_ACCESS_ALLOWED) {
 ::cynara_finish(p_cynara);
 ERROR(SINK, "Access denied: " + cred.security + " : " + privilege);
--
2.34.1
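Review bot: In the checkPeerPrivilege hunk of server.cpp, every result other than `CYNARA_API_ACCESS_ALLOWED` is logged as "Access denied", so a cynara error cannot be told apart from a policy denial in the log, and the line omits the peer uid. Failing closed is the right behaviour; for auditing I would keep the return value in a local and include the now-named `uid`, e.g. `ERROR(SINK, "Access denied: " + cred.security + " : " + privilege + " uid " + uid);`. `uid` can also be declared `const std::string`. The function begins and ends outside the hunk.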