[LU-6505] __proc_cpt_table use after free - Whamcloud Community JIRA

Details

Type: Bug
Resolution: Fixed
Priority: Minor
Fix Version/s: Lustre 2.8.0
Affects Version/s: None
Labels:
None

Severity:
3
Rank (Obsolete):
9223372036854775807

Description

smatch highlighted this interesting bit in __proc_cpt_table:

        while (1) {
                LIBCFS_ALLOC(buf, len);
                if (buf == NULL)
                        return -ENOMEM;

                rc = cfs_cpt_table_print(cfs_cpt_table, buf, len);
                if (rc >= 0)
                        break;

                LIBCFS_FREE(buf, len);
                if (rc == -EFBIG) {
                        len <<= 1;
                        continue;
                }
                goto out;
        }
...
 out:
        if (buf != NULL)
                LIBCFS_FREE(buf, len);

This is a pretty obvious double free, so we need to move the free near EFBIG into the if branch.

Attachments

Activity

People

Assignee:: WC Triage

Reporter:: Oleg Drokin

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 27/Apr/15 2:43 AM

Updated:: 29/Dec/15 9:53 PM

Resolved:: 07/Jul/15 12:33 AM