[LU-6505] __proc_cpt_table use after free Created: 27/Apr/15 Updated: 29/Dec/15 Resolved: 07/Jul/15 |
|
| Status: | Resolved |
| Project: | Lustre |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | Lustre 2.8.0 |
| Type: | Bug | Priority: | Minor |
| Reporter: | Oleg Drokin | Assignee: | WC Triage |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | None |
| Issue Links: |
|
| Severity: | 3 |
| Rank (Obsolete): | 9223372036854775807 |
| Description |
|
smatch highlighted this interesting bit in __proc_cpt_table:

    while (1) {
        LIBCFS_ALLOC(buf, len);
        if (buf == NULL)
            return -ENOMEM;
        rc = cfs_cpt_table_print(cfs_cpt_table, buf, len);
        if (rc >= 0)
            break;
        LIBCFS_FREE(buf, len);
        if (rc == -EFBIG) {
            len <<= 1;
            continue;
        }
        goto out;
    }
    ...
    out:
        if (buf != NULL)
            LIBCFS_FREE(buf, len);

This is a pretty obvious double free, so we need to move the free near EFBIG into the if branch. |
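The following is an added example, not code from the issue or from Lustre, that reproduces the retry loop in user space so the double free described above can be observed and the proposed fix checked. cfs_cpt_table_print is replaced by a constructed stand-in (fake_table_print) that returns -EFBIG until the buffer is large enough and -EINVAL when asked to fail, and LIBCFS_ALLOC/LIBCFS_FREE are replaced by a constructed tracking allocator (tracked_alloc/tracked_free) that, like LIBCFS_FREE, does not clear the caller's pointer and counts a second free of the same address instead of passing it to free(). read_table() runs the loop either as quoted in the issue (fixed == 0) or with the free moved into the -EFBIG branch (fixed == 1); the table text and all function names are assumptions made for this example.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for cfs_cpt_table_print(): copies a fixed table
 * text into buf and returns its length, -EFBIG when len is too small, or
 * -EINVAL when asked to fail (this drives the "goto out" path). */
static const char table_text[] = "0\t: 0 1 2 3\n1\t: 4 5 6 7\n";

static int fake_table_print(char *buf, int len, int force_err)
{
	int need = (int)strlen(table_text) + 1;

	if (force_err)
		return -EINVAL;
	if (len < need)
		return -EFBIG;
	memcpy(buf, table_text, (size_t)need);
	return need - 1;
}

/* Constructed tracking allocator standing in for LIBCFS_ALLOC/LIBCFS_FREE.
 * Like LIBCFS_FREE it does not clear the caller's pointer, so a second free
 * of the same address reaches it; that is counted rather than passed to
 * free(). The loop under test holds at most one buffer, so one slot suffices. */
static uintptr_t live;		/* address of the one outstanding block, or 0 */
static int double_frees;

static void *tracked_alloc(size_t n)
{
	void *p = calloc(1, n);

	if (p != NULL)
		live = (uintptr_t)p;
	return p;
}

static void tracked_free(void *p)
{
	if (live != 0 && (uintptr_t)p == live) {
		live = 0;
		free(p);
		return;
	}
	double_frees++;		/* address not live: this is a double free */
}

static int double_free_count(void) { return double_frees; }
static int live_count(void) { return live != 0; }
static void reset_tracking(void) { live = 0; double_frees = 0; }

/* The loop from the issue. With fixed == 0 buf is freed before the error
 * branch, so a non-EFBIG error reaches out: with buf pointing at freed
 * memory and frees it again. With fixed == 1 the free sits inside the
 * -EFBIG branch, as the issue proposes, so out: sees a live buffer. */
static int read_table(int force_err, int fixed)
{
	char *buf = NULL;
	int len = 8, rc;

	while (1) {
		buf = tracked_alloc((size_t)len);
		if (buf == NULL)
			return -ENOMEM;
		rc = fake_table_print(buf, len, force_err);
		if (rc >= 0)
			break;
		if (!fixed)
			tracked_free(buf);	/* original: freed unconditionally */
		if (rc == -EFBIG) {
			if (fixed)
				tracked_free(buf);	/* fix: free only when retrying */
			len <<= 1;
			continue;
		}
		goto out;
	}
	/* the real function copies buf to user space here */
out:
	if (buf != NULL)
		tracked_free(buf);	/* second free on the unfixed error path */
	return rc;
}

int main(void)
{
	reset_tracking();
	printf("original, error path: rc=%d double frees=%d\n",
	       read_table(1, 0), double_free_count());
	reset_tracking();
	printf("fixed, error path: rc=%d double frees=%d live=%d\n",
	       read_table(1, 1), double_free_count(), live_count());
	return 0;
}
```

On the success path both variants behave the same: the buffer grows 8, 16, 32 until the text fits, each too-small buffer is freed exactly once, and the final buffer is freed at out:. The difference only shows on a non-EFBIG error, where the original loop frees the buffer in the loop and then again at out:; with a real allocator that is the double free smatch flagged.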
| Comments |
| Comment by Gerrit Updater [ 27/Apr/15 ] |
|
Oleg Drokin (oleg.drokin@intel.com) uploaded a new patch: http://review.whamcloud.com/14602 |
| Comment by Gerrit Updater [ 20/May/15 ] |
|
Oleg Drokin (oleg.drokin@intel.com) merged in patch http://review.whamcloud.com/14602/ |