[PATCH]: vfs_glusterfs: Use after free.
Jeremy Allison
jra at samba.org
Sat Mar 5 04:55:02 UTC 2016
On Fri, Mar 04, 2016 at 06:18:27PM -0500, Ira Cooper wrote:
> This is a pure crash bug as far as I can see, but one that needs to be
> fixed.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774
>
> Patch is enclosed.
>
> I'll provide backports as soon as a final version is accepted.
OK, took me a lot of staring to understand,
but I finally did :-).
LGTM. Pushed.
> From 42e3d35883a78eebf4c765a83d6dc87758595730 Mon Sep 17 00:00:00 2001
> From: Ira Cooper <ira at samba.org>
> Date: Fri, 4 Mar 2016 18:00:07 -0500
> Subject: [PATCH] vfs_glusterfs: Fix use after free in AIO callback.
>
> The wrapper->state pointer is not getting NULLed during free
> allowing use of freed memory, causing a crash.
>
> Thanks to Red Hat for discovering this issue.
>
> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774
>
> Signed-off-by: Ira Cooper <ira at samba.org>
> Reviewed-by: Poornima G <pgurusid at redhat.com>
> Tested-by: Christopher Blum <cblum at redhat.com>
> ---
> source3/modules/vfs_glusterfs.c | 15 +++++++--------
> 1 file changed, 7 insertions(+), 8 deletions(-)
>
> diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c
> index c98e480..2008342 100644
> --- a/source3/modules/vfs_glusterfs.c
> +++ b/source3/modules/vfs_glusterfs.c
> @@ -507,7 +507,9 @@ struct glusterfs_aio_state {
>
> static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap)
> {
> - wrap->state->cancelled = true;
> + if (wrap->state != NULL) {
> + wrap->state->cancelled = true;
> + }
>
> return 0;
> }
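Review bot: the NULL check in aio_wrapper_destructor only helps if every release of wrap->state also resets the field, which is what `TALLOC_FREE(wrapper->state)` in the vfs_gluster_recv hunk below does; a free through a local copy would leave the field non-NULL and this check would hand the stale pointer straight to `wrap->state->cancelled = true`. Worth a one-line comment above the `if` stating that wrap->state must only ever be released with TALLOC_FREE on the field itself, so the invariant survives the next refactor.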
> @@ -744,7 +746,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct
> static ssize_t vfs_gluster_recv(struct tevent_req *req,
> struct vfs_aio_state *vfs_aio_state)
> {
> - struct glusterfs_aio_state *state = NULL;
> struct glusterfs_aio_wrapper *wrapper = NULL;
> int ret = 0;
>
> @@ -754,9 +755,7 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
> return -1;
> }
>
> - state = wrapper->state;
> -
> - if (state == NULL) {
> + if (wrapper->state == NULL) {
> return -1;
> }
>
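Review bot: with the field read directly, `if (wrapper->state == NULL) return -1;` now also covers a second vfs_gluster_recv on the same req after the field has been TALLOC_FREEd, where the old code would have read the stale local. The early return leaves vfs_aio_state untouched and sets no errno, so a caller sees a bare -1; if the VFS recv contract expects errno on failure, set it before returning.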
> @@ -764,12 +763,12 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req,
> return -1;
> }
>
> - *vfs_aio_state = state->vfs_aio_state;
> - ret = state->ret;
> + *vfs_aio_state = wrapper->state->vfs_aio_state;
> + ret = wrapper->state->ret;
>
> /* Clean up the state, it is in a NULL context. */
>
> - TALLOC_FREE(state);
> + TALLOC_FREE(wrapper->state);
>
> return ret;
> }
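Review bot: the comment above the free ("Clean up the state, it is in a NULL context.") should record why the free goes through the field: TALLOC_FREE NULLs the expression it is handed, so the old `TALLOC_FREE(state)` NULLed only the local copy and left wrapper->state pointing at freed memory, which the destructor then wrote to via `wrap->state->cancelled = true`. `TALLOC_FREE(wrapper->state)` NULLs the field itself, and the destructor's new NULL check only works because of that; without a comment someone will reintroduce a local and silently undo the fix.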
> --
> 2.5.0
>
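The mechanism the commit message describes, as an added example that is not Samba's code: a plain-malloc stand-in for the wrapper/state pair, with a FREE_AND_NULL macro that behaves like TALLOC_FREE (free, then NULL the expression it was given). The struct and function names are illustrative, not the vfs_glusterfs identifiers. It shows that freeing through a local copy NULLs only the copy and leaves the owner's field dangling, while freeing through the field itself NULLs the field, so the patched destructor and the NULL check in recv then behave safely.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stdbool.h>

/*
 * Added example, not Samba code. FREE_AND_NULL mirrors what talloc's
 * TALLOC_FREE does: free the object and set the *expression passed in*
 * to NULL. aio_state / aio_wrapper are stand-ins for the
 * glusterfs_aio_* structs in the patch.
 */
#define FREE_AND_NULL(p) do { free(p); (p) = NULL; } while (0)

struct aio_state   { bool cancelled; int ret; };
struct aio_wrapper { struct aio_state *state; };

static struct aio_wrapper *wrapper_new(int ret)
{
    struct aio_wrapper *w = calloc(1, sizeof(*w));
    w->state = calloc(1, sizeof(*w->state));
    w->state->ret = ret;
    return w;
}

/* Destructor in its patched shape: tolerates a wrapper whose state is gone. */
static int wrapper_destructor(struct aio_wrapper *wrap)
{
    if (wrap->state != NULL) {
        wrap->state->cancelled = true;
    }
    return 0;
}

/* Pre-fix shape of recv: copy the pointer to a local and free through the
 * local. Only the local is NULLed; w->state still holds the old address.
 * Returns 1 when the wrapper is left dangling (it is). */
static int recv_buggy(struct aio_wrapper *w)
{
    struct aio_state *state = w->state;
    int ret = state->ret;
    FREE_AND_NULL(state);
    (void)ret;
    return w->state != NULL;
}

/* Post-fix shape: free through the owning field so the field is NULLed.
 * A second recv then hits the NULL check and returns -1 instead of
 * touching freed memory. */
static int recv_fixed(struct aio_wrapper *w)
{
    if (w->state == NULL) {
        return -1;
    }
    int ret = w->state->ret;
    FREE_AND_NULL(w->state);
    return ret;
}

/* Returns 1 if the buggy recv leaves the wrapper with a stale state pointer.
 * The destructor is deliberately NOT run here: on this wrapper it would be
 * the use-after-free the patch fixes. */
int buggy_leaves_dangling(void)
{
    struct aio_wrapper *w = wrapper_new(7);
    int dangling = recv_buggy(w);
    free(w);
    return dangling;
}

/* Full patched lifecycle: recv, a second recv, then the destructor.
 * Returns 1 when the first recv yields the stored result, the second
 * reports -1, and the destructor finds state NULL and writes nothing. */
int patched_lifecycle_ok(void)
{
    struct aio_wrapper *w = wrapper_new(42);
    int first  = recv_fixed(w);
    int second = recv_fixed(w);
    int d      = wrapper_destructor(w);
    int ok = (first == 42 && second == -1 && d == 0 && w->state == NULL);
    free(w);
    return ok;
}

int main(void)
{
    printf("buggy recv leaves wrapper->state dangling: %d\n",
           buggy_leaves_dangling());
    printf("patched lifecycle ok: %d\n", patched_lifecycle_ok());
    return 0;
}
```

The first function reproduces the shape of the old vfs_gluster_recv without running the destructor on the dangling wrapper, since that dereference is the crash; the second runs the patched sequence end to end. Under AddressSanitizer, adding a `wrapper_destructor(w)` call inside buggy_leaves_dangling() after recv_buggy() reports the write to freed memory directly.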
More information about the samba-technical mailing list