From c6facd0358ae61849786dbbc0f4f5a07a25cb6f1 Mon Sep 17 00:00:00 2001 From: ShiruRen Date: Fri, 25 Jan 2019 15:01:55 -0800 Subject: Fix a nil pointer dereference bug in Container.Destroy() In Container.Destroy(), we call c.stop() before calling executeHooksBestEffort(), therefore, when we call executeHooksBestEffort(c.Spec.Hooks.Poststop, c.State()) to execute the poststop hook, it results in a nil pointer dereference since it reads c.Sandbox.Pid in c.State() after the sandbox has been destroyed. To fix this bug, we can change container's status to "stopped" before executing the poststop hook. Signed-off-by: ShiruRen Change-Id: I4d835e430066fab7e599e188f945291adfc521ef PiperOrigin-RevId: 230975505 --- runsc/container/container.go | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'runsc/container') diff --git a/runsc/container/container.go b/runsc/container/container.go index 6d88dff7f..1b410c63a 100644 --- a/runsc/container/container.go +++ b/runsc/container/container.go @@ -674,6 +674,8 @@ func (c *Container) Destroy() error { errs = append(errs, err.Error()) } + c.changeStatus(Stopped) + // "If any poststop hook fails, the runtime MUST log a warning, but the // remaining hooks and lifecycle continue as if the hook had succeeded" -OCI spec. // Based on the OCI, "The post-stop hooks MUST be called after the container is @@ -686,8 +688,6 @@ func (c *Container) Destroy() error { executeHooksBestEffort(c.Spec.Hooks.Poststop, c.State()) } - c.changeStatus(Stopped) - if len(errs) == 0 { return nil } -- cgit v1.2.3