[#LU-6505] __proc_cpt_table use after free

[LU-6505] __proc_cpt_table use after free Created: 27/Apr/15 Updated: 29/Dec/15 Resolved: 07/Jul/15
Status:	Resolved
Project:	Lustre
Component/s:	None
Affects Version/s:	None
Fix Version/s:	Lustre 2.8.0

Type:

Bug

Priority:

Minor

Reporter:

Oleg Drokin

Assignee:

WC Triage

Resolution:

Fixed

Votes:

Labels:

None

Issue Links:

Related

Severity:

Rank (Obsolete):

9223372036854775807

Description

smatch highlighted this interesting bit in __proc_cpt_table:

        while (1) {
                LIBCFS_ALLOC(buf, len);
                if (buf == NULL)
                        return -ENOMEM;

                rc = cfs_cpt_table_print(cfs_cpt_table, buf, len);
                if (rc >= 0)
                        break;

                LIBCFS_FREE(buf, len);
                if (rc == -EFBIG) {
                        len <<= 1;
                        continue;
                }
                goto out;
        }
...
 out:
        if (buf != NULL)
                LIBCFS_FREE(buf, len);

This is a pretty obvious double free, so we need to move the free near EFBIG into the if branch.

Comments

Comment by Gerrit Updater [ 27/Apr/15 ]

Oleg Drokin (oleg.drokin@intel.com) uploaded a new patch: http://review.whamcloud.com/14602
Subject: ~~LU-6505~~ libcfs: Use after free in __proc_cpt_table
Project: fs/lustre-release
Branch: master
Current Patch Set: 1
Commit: 032b535e506dcd9ec0805fbe73f2722551b3f0b4

Comment by Gerrit Updater [ 20/May/15 ]

Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14602/
Subject: ~~LU-6505~~ libcfs: Use after free in __proc_cpt_table
Project: fs/lustre-release
Branch: master
Current Patch Set:
Commit: deb66c9831e82f75f7ce6e78d6db23353b64a490

Generated at Sat Feb 10 02:00:48 UTC 2024 using Jira 9.4.14#940014-sha1:734e6822bbf0d45eff9af51f82432957f73aa32c.

[LU-6505] __proc_cpt_table use after free Created: 27/Apr/15 Updated: 29/Dec/15 Resolved: 07/Jul/15