The Samba-Bugzilla – Attachment 11902 Details for Bug 11774: Use after free in vfs_glusterfs AIO code.
[patch] patch for 4.2, 4.3 and 4.4.
0001-vfs_glusterfs-Fix-use-after-free-in-AIO-callback.patch (text/plain), 1.94 KB, created by Ira Cooper on 2016-03-07 22:57:42 UTC
>From cf7c4b7c4f1eecd168c39466755e4434dd8e24e6 Mon Sep 17 00:00:00 2001 >From: Ira Cooper <ira@samba.org> >Date: Fri, 4 Mar 2016 08:01:25 -0500 >Subject: [PATCH] vfs_glusterfs: Fix use after free in AIO callback. > >The wrapper->state pointer is not getting NULLed during free >allowing us to do a use after free. > >Thanks to Red Hat for discovering this issue. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=11774 > >Signed-off-by: Ira Copper <ira@samba.org> >Reviewed-by: Poornima G <pgurusid@redhat.com> >Tested-by: Christopher Blum <cblum@redhat.com> >Reviewed-by: Jeremy Allison <jra@samba.org> >--- > source3/modules/vfs_glusterfs.c | 17 ++++++++--------- > 1 file changed, 8 insertions(+), 9 deletions(-) > >diff --git a/source3/modules/vfs_glusterfs.c b/source3/modules/vfs_glusterfs.c >index 427b985..84530a8 100644 >--- a/source3/modules/vfs_glusterfs.c >+++ b/source3/modules/vfs_glusterfs.c >@@ -503,7 +503,9 @@ struct glusterfs_aio_state { > > static int aio_wrapper_destructor(struct glusterfs_aio_wrapper *wrap) > { >- wrap->state->cancelled = true; >+ if (wrap->state != NULL) { >+ wrap->state->cancelled = true; >+ } > > return 0; > } >@@ -736,7 +738,6 @@ static struct tevent_req *vfs_gluster_pwrite_send(struct vfs_handle_struct > > static ssize_t vfs_gluster_recv(struct tevent_req *req, int *err) > { >- struct glusterfs_aio_state *state = NULL; > struct glusterfs_aio_wrapper *wrapper = NULL; > int ret = 0; 
> >@@ -746,24 +747,22 @@ static ssize_t vfs_gluster_recv(struct tevent_req *req, int *err) > return -1; > } > >- state = wrapper->state; >- >- if (state == NULL) { >+ if (wrapper->state == NULL) { > return -1; > } > > if (tevent_req_is_unix_error(req, err)) { > return -1; > } >- if (state->ret == -1) { >- *err = state->err; >+ if (wrapper->state->ret == -1) { >+ *err = wrapper->state->err; > } > >- ret = state->ret; >+ ret = wrapper->state->ret; > > /* Clean up the state, it is in a NULL context. */ > >- TALLOC_FREE(state); >+ TALLOC_FREE(wrapper->state); > > return ret; > } >-- >2.5.0 >
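Review bot: in aio_wrapper_destructor, the new `wrap->state != NULL` check carries no comment saying when state can legitimately be NULL. From the visible lines the only cause is vfs_gluster_recv running `TALLOC_FREE(wrapper->state)` before the wrapper itself is destroyed; a one-line comment above the check naming that ordering would keep a later reader from treating the check as dead code and removing it.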
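Review bot: in vfs_gluster_recv, the fix depends on `TALLOC_FREE(wrapper->state)` clearing the wrapper's own pointer instead of a local copy, but the comment above it still only says the state is in a NULL context. Extend that comment to say the free must go through wrapper->state so the destructor's NULL check sees the cleared pointer, otherwise a later cleanup that reintroduces a local `state` variable brings the dangling pointer back. Separately, the `tevent_req_is_unix_error(req, err)` early return exits before the TALLOC_FREE, so it is worth stating in a comment who releases the state on that path.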
Flags: jra: review+, obnox: review+