From: Bill O'Donnell <bodonnel@redhat.com>
To: Bill O'Donnell <bodonnel@redhat.com>
Cc: Eric Sandeen <sandeen@sandeen.net>,
linux-xfs@vger.kernel.org, cem@kernel.org, djwong@kernel.org
Subject: Re: [PATCH] xfsdump: prevent use-after-free in fstab_commit()
Date: Thu, 29 Aug 2024 15:34:01 -0500
Message-ID: <ZtDbOSVV8k__YxMx@redhat.com>
In-Reply-To: <ZtDQTKc336_Y_FcD@redhat.com>
On Thu, Aug 29, 2024 at 02:47:24PM -0500, Bill O'Donnell wrote:
> On Thu, Aug 29, 2024 at 02:35:27PM -0500, Eric Sandeen wrote:
> > On 8/29/24 12:59 PM, Bill O'Donnell wrote:
> > > Fix potential use-after-free of list pointer in fstab_commit().
> > > Use a copy of the pointer when calling invidx_commit().
> >
> > I'm not sure how (or even if) the use-after-free happens - xfsdump is so hard
> > to read - but ...
> >
> > > Coverity CID 1498039.
> > >
> > > Signed-off-by: Bill O'Donnell <bodonnel@redhat.com>
> > > ---
> > > invutil/fstab.c | 9 +++++++--
> > > 1 file changed, 7 insertions(+), 2 deletions(-)
> > >
> > > diff --git a/invutil/fstab.c b/invutil/fstab.c
> > > index 88d849e..fe2b1f9 100644
> > > --- a/invutil/fstab.c
> > > +++ b/invutil/fstab.c
> > > @@ -66,6 +66,7 @@ fstab_commit(WINDOW *win, node_t *current, node_t *list)
> > > data_t *d;
> > > invt_fstab_t *fstabentry;
> > > int fstabentry_idx;
> > > + node_t *list_cpy = list;
> > >
> > > n = current;
> > > if(n == NULL || n->data == NULL)
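Review bot: the initializer in `node_t *list_cpy = list;` is dead, since both loops further down re-assign `list_cpy = list` before every use; more importantly, a second variable holding the same address is still the same address, so nothing in this hunk keeps `invidx_commit()` from freeing the list that `list` points to. If the goal is to keep the list alive across the loop, decide which function owns and frees it instead of adding an alias.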
> > > @@ -77,8 +78,10 @@ fstab_commit(WINDOW *win, node_t *current, node_t *list)
> > >
> > > if(d->deleted == BOOL_TRUE && d->imported == BOOL_FALSE) {
> > > for(i = 0; i < d->nbr_children; i++) {
> > > - invidx_commit(win, d->children[i], list);
> > > + list_cpy = list;
> >
> > this copies the memory address stored in "list" into your new pointer var "list_cpy"
> >
> > > + invidx_commit(win, d->children[i], list_cpy);
> >
> > If invidx_commit() frees the 2nd argument, it frees the memory address pointed
> > to by both list and list_cpy.
> >
> > Storing the same memory address in 2 pointer variables does not prevent that memory
> > from being freed.
> >
> > > }
> > > + free(list_cpy);
> >
> > and then this would double-free that same memory address.
>
> I see that now. This code is indeed difficult to grok.
>
> Perhaps (if this is a legitimate finding of use-after-free), instead of having the memory
> freed in invidx_commit(), it should instead be freed once in fstab_commit() after the iterations
> of the for-loops in that function. I'll have a look at that possibility.
i.e., removing what Coverity tags as the culprit (node_free(list_del(dst_n))) from
invidx_commit(), and adding free(list) following the for-loop iteration in fstab_commit() may be
a better solution.
>
>
> >
> >
> > > mark_all_children_commited(current);
> > >
> > > fstabentry_idx = (int)(((long)fstabentry - (long)fstab_file[fidx].mapaddr - sizeof(invt_counter_t)) / sizeof(invt_fstab_t));
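Review bot: `free(list_cpy)` after the loop is either a double free or the wrong deallocator. If `invidx_commit()` frees its third argument, which is the premise of the use-after-free in the commit message, that address is already gone when `free(list_cpy)` runs; if it does not, `list` is a `node_t *` handed in by the caller and should be torn down through the list's own routine (the follow-up mentions `node_free(list_del(...))`) rather than a bare `free()`. The `list_cpy = list;` inside the loop is a no-op on every iteration, and because `list_cpy` is initialised to `list` at declaration the `free()` also runs when `d->nbr_children` is 0. Suggest dropping the alias and the `free()` and settling ownership once: either `invidx_commit()` frees and the caller never touches `list` again, or the caller frees once after the loop; either way the Coverity path for CID 1498039 belongs in the commit message so reviewers can see where the stale read is.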
> > > @@ -101,8 +104,10 @@ fstab_commit(WINDOW *win, node_t *current, node_t *list)
> > > invt_fstab_t *dest;
> > >
> > > for(i = 0; i < d->nbr_children; i++) {
> > > - invidx_commit(win, d->children[i], list);
> > > + list_cpy = list;
> > > + invidx_commit(win, d->children[i], list_cpy);
> > > }
> > > + free(list_cpy);
> > > mark_all_children_commited(current);
> > >
> > > if(find_matching_fstab(0, fstabentry) >= 0) {
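Review bot: this branch repeats the alias-and-free pattern of the first hunk, including the no-op `list_cpy = list;` inside the loop and the unconditional `free(list_cpy)` after it, so it carries the same double-free exposure if `invidx_commit()` already frees the list. Whatever ownership rule is chosen has to be applied identically in both branches, and since `list` is a parameter of `fstab_commit()`, its callers need to know that the function now consumes it; factoring the loop into one helper would keep the two sites from drifting.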
> >
>
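Eric's two points above (two variables holding one address give no protection, and freeing through the second variable is a double free) and the alternative Bill floats (free once in the caller after the loop) as an added, instrumented C example. This is not code from the patch or from xfsdump: `node_t`, `list_release()`, `fstab_commit_aliased()` and `fstab_commit_owner()` are assumed stand-ins, nodes come from a static pool, and "releases" are recorded in a flag rather than done with `free()` so that reads after release and double releases can be counted instead of triggering undefined behaviour.

```c
#include <stddef.h>
#include <stdio.h>

/* Assumed stand-ins for xfsdump's node_t / invidx_commit(); not the project's
 * code. Nodes live in a static pool and a release only sets a flag, so
 * "use after release" and "double release" are observable, not UB. */
typedef struct node {
    struct node *next;
    int released;            /* instrumentation: 1 once released */
} node_t;

typedef struct {
    int releases;            /* calls to list_release() */
    int double_releases;     /* release of an already-released list */
    int use_after_release;   /* nodes read after their release */
} stats_t;

enum { POOL_SIZE = 8 };
static node_t pool[POOL_SIZE];

/* Build a fresh n-node singly linked list from the pool. */
static node_t *make_list(int n)
{
    if (n > POOL_SIZE) n = POOL_SIZE;
    for (int i = 0; i < n; i++) {
        pool[i].next = (i + 1 < n) ? &pool[i + 1] : NULL;
        pool[i].released = 0;
    }
    return n > 0 ? &pool[0] : NULL;
}

/* Walk the list the way a consumer of 'list' would; counts stale reads. */
static int list_len(node_t *list, stats_t *st)
{
    int len = 0;
    for (node_t *n = list; n != NULL; n = n->next) {
        if (n->released)
            st->use_after_release++;
        len++;
    }
    return len;
}

/* Release every node. Releasing an already-released list is recorded as a
 * double release and otherwise ignored (a real free() would corrupt the heap). */
static void list_release(node_t *list, stats_t *st)
{
    st->releases++;
    if (list == NULL)
        return;
    if (list->released) {
        st->double_releases++;
        return;
    }
    for (node_t *n = list; n != NULL; n = n->next)
        n->released = 1;
}

/* Pattern A: the callee frees the list it was handed (the shape Bill reports
 * Coverity flagging inside invidx_commit()). */
static void commit_child_callee_frees(node_t *list, stats_t *st)
{
    list_len(list, st);          /* the callee's own use of the list */
    list_release(list, st);      /* ...then it frees the caller's list */
}

/* The posted patch's shape: alias 'list', loop over children, free the alias. */
static stats_t fstab_commit_aliased(int nbr_children, node_t *list)
{
    stats_t st = {0, 0, 0};
    node_t *list_cpy = list;
    for (int i = 0; i < nbr_children; i++) {
        list_cpy = list;                          /* same address as 'list' */
        commit_child_callee_frees(list_cpy, &st); /* frees it on every pass */
    }
    list_release(list_cpy, &st);                  /* same address, freed again */
    return st;
}

/* Pattern B: single owner. The callee only borrows; the caller releases
 * exactly once after the last use (the alternative Bill proposes). */
static void commit_child_borrows(node_t *list, stats_t *st)
{
    list_len(list, st);
}

static stats_t fstab_commit_owner(int nbr_children, node_t *list)
{
    stats_t st = {0, 0, 0};
    for (int i = 0; i < nbr_children; i++)
        commit_child_borrows(list, &st);
    list_release(list, &st);
    return st;
}

int main(void)
{
    stats_t a = fstab_commit_aliased(2, make_list(3));
    stats_t b = fstab_commit_owner(2, make_list(3));
    printf("aliased: releases=%d double=%d use-after-release=%d\n",
           a.releases, a.double_releases, a.use_after_release);
    printf("owner:   releases=%d double=%d use-after-release=%d\n",
           b.releases, b.double_releases, b.use_after_release);
    return 0;
}
```

With two children and a three-node list, the aliased shape records three stale node reads on the second iteration and two double releases (one inside the loop, one from the trailing `free`), while the single-owner shape records one release and no stale reads. Under a real allocator the first shape is exactly what AddressSanitizer would report as heap-use-after-free followed by double-free; the second is what a "caller frees once after the loop" rewrite of `fstab_commit()` would look like.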
Thread overview: 8+ messages
2024-08-29 17:59 [PATCH] xfsdump: prevent use-after-free in fstab_commit() Bill O'Donnell
2024-08-29 19:35 ` Eric Sandeen
2024-08-29 19:47 ` Bill O'Donnell
2024-08-29 20:34 ` Bill O'Donnell [this message]
2024-08-29 21:56 ` Eric Sandeen
2024-08-29 22:48 ` Bill O'Donnell
[not found] ` <SA1PR10MB758637A0D3EE774C9DF5B94489972@SA1PR10MB7586.namprd10.prod.outlook.com>
2024-08-30 15:56 ` [External] : " Eric Sandeen
2024-08-30 15:48 ` Bill O'Donnell