From: PanBian <bianpan2016@163.com>
To: Ilya Dryomov <idryomov@gmail.com>
Cc: "Yan, Zheng" <zyan@redhat.com>, Sage Weil <sage@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Ceph Development <ceph-devel@vger.kernel.org>,
netdev <netdev@vger.kernel.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH V2] libceph: fix use after free
Date: Wed, 28 Nov 2018 08:22:57 +0800
Message-ID: <20181128002257.GA38329@bp>
In-Reply-To: <CAOi1vP8Ff9HLF_v93RwyW4LwQ5jYPWPaZhqBgx9FsxmXH6M4AQ@mail.gmail.com>
On Tue, Nov 27, 2018 at 11:17:26AM +0100, Ilya Dryomov wrote:
> On Tue, Nov 27, 2018 at 10:22 AM Pan Bian <bianpan2016@163.com> wrote:
> >
> > The function ceph_monc_handle_map calls kfree(old) to free the old
> > monitor map, old points to monc->monmap. However, after that, it reads
> > monc->monmap->epoch and passes it to __ceph_monc_got_map. This will
> > result in a use-after-free bug. The patch moves the free operation after
> > the call to __ceph_monc_got_map.
> >
> > Fixes: 82dcabad750 ("libceph: revamp subs code, switch to SUBSCRIBE2 protocol")
> >
> > Signed-off-by: Pan Bian <bianpan2016@163.com>
> > ---
> > V2: correct the format of the tag Fixes
> > ---
> > net/ceph/mon_client.c | 3 ++-
> > 1 file changed, 2 insertions(+), 1 deletion(-)
> >
> > diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
> > index 18deb3d..05ef5aa 100644
> > --- a/net/ceph/mon_client.c
> > +++ b/net/ceph/mon_client.c
> > @@ -478,9 +478,10 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc,
> > }
> >
> > client->monc.monmap = monmap;
>
> monc->monmap is assigned here. It's not obvious, but monc->monmap and
> client->monc.monmap is the same pointer.
>
> > - kfree(old);
> >
> > __ceph_monc_got_map(monc, CEPH_SUB_MONMAP, monc->monmap->epoch);
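Review bot: The use-after-free this hunk sets out to fix is not present in the quoted context. `old` holds the previous map, `client->monc.monmap = monmap;` two lines above the removed `kfree(old);` installs the newly decoded map in that same slot, and `monc->monmap->epoch` on the following line therefore dereferences the new map, not the freed one; moving the kfree() after `__ceph_monc_got_map()` does not change which object is read. Note also that the quoted excerpt shows only the `-` line, while the diffstat reports 2 insertions and 1 deletion, so the matching `+ kfree(old);` and its final position are not visible here and cannot be checked from this quote.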
>
> ceph_monmap_decode() returns the new map, kfree() frees the old map.
> I don't see a use-after-free here.
Got it. Thank you!
Pan
>
> Thanks,
>
> Ilya
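The ordering Ilya describes (install the new map, free the old one, then read the epoch through the pointer that now holds the new map) is easiest to trace in a cut-down model. The following is an added example, not libceph code: the structs, field names and the decode/got-map stand-ins are simplified assumptions chosen to mirror the lines in the quoted hunk, and the second function shows the read-through-the-freed-pointer ordering the patch description assumed, so the two can be compared under -fsanitize=address.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not libceph code: a model of the pointer swap in
 * ceph_monc_handle_map(). Struct and field names are simplified
 * assumptions, not the kernel definitions.
 */
struct monmap_model {
    uint32_t epoch;
};

struct mon_client_model {
    struct monmap_model *monmap;   /* stands in for monc->monmap */
    uint32_t got_epoch;            /* last epoch handed to got_map() */
};

/* Stand-in for ceph_monmap_decode(): returns a freshly allocated map. */
static struct monmap_model *decode_monmap(uint32_t epoch)
{
    struct monmap_model *m = malloc(sizeof(*m));
    if (!m)
        return NULL;
    m->epoch = epoch;
    return m;
}

/* Stand-in for __ceph_monc_got_map(): records the epoch it was given. */
static void got_map(struct mon_client_model *monc, uint32_t epoch)
{
    monc->got_epoch = epoch;
}

/*
 * Same ordering as the unpatched kernel code: remember the old pointer,
 * install the new map, free the old one, then read the epoch through
 * monc->monmap, which already points at the new map. Returns the epoch
 * that reached got_map().
 */
uint32_t handle_map_ok(struct mon_client_model *monc, uint32_t new_epoch)
{
    struct monmap_model *old = monc->monmap;
    struct monmap_model *monmap = decode_monmap(new_epoch);
    if (!monmap)
        return monc->monmap ? monc->monmap->epoch : 0;

    monc->monmap = monmap;   /* same slot as client->monc.monmap in libceph */
    free(old);               /* frees only the previous map */

    got_map(monc, monc->monmap->epoch);  /* dereferences the new map */
    return monc->got_epoch;
}

/*
 * The ordering the patch description assumed: the epoch is read through
 * the pointer that was just freed. This IS a use-after-free and exists only
 * for comparison under ASan; nothing below calls it.
 */
uint32_t handle_map_uaf(struct mon_client_model *monc, uint32_t new_epoch)
{
    struct monmap_model *old = monc->monmap;
    struct monmap_model *monmap = decode_monmap(new_epoch);
    if (!monmap)
        return 0;

    monc->monmap = monmap;
    free(old);

    got_map(monc, old->epoch);  /* ASan reports heap-use-after-free here */
    return monc->got_epoch;
}

/*
 * Start from a constructed map with epoch `initial`, apply one update to
 * `next` through handle_map_ok(), and return the epoch got_map() saw.
 */
uint32_t model_epoch_after(uint32_t initial, uint32_t next)
{
    struct mon_client_model monc;
    memset(&monc, 0, sizeof(monc));
    monc.monmap = decode_monmap(initial);
    if (!monc.monmap)
        return 0;

    uint32_t seen = handle_map_ok(&monc, next);
    free(monc.monmap);
    return seen;
}
```

Build with `cc -g -fsanitize=address` and call handle_map_ok() from a small main() to confirm it is clean; swapping in handle_map_uaf() produces the heap-use-after-free report that the original patch description expected, which is the difference between reading through `monc->monmap` and reading through `old`.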
Thread overview:
2018-11-27 9:21 [PATCH V2] libceph: fix use after free Pan Bian
2018-11-27 10:17 ` Ilya Dryomov
2018-11-28 0:22 ` PanBian [this message]