From: Benjamin Marzinski <bmarzins@redhat.com>
To: Christophe Varoqui <christophe.varoqui@opensvc.com>
Cc: device-mapper development <dm-devel@redhat.com>,
Chongyun Wu <wucy11@chinatelecom.cn>,
Martin Wilck <Martin.Wilck@suse.com>
Subject: [dm-devel] [PATCH 1/2] libmultipath: fix use-after-free in uev_add_path
Date: Mon, 8 Feb 2021 23:19:26 -0600 [thread overview]
Message-ID: <1612847967-8813-2-git-send-email-bmarzins@redhat.com> (raw)
In-Reply-To: <1612847967-8813-1-git-send-email-bmarzins@redhat.com>
if ev_remove_path() returns success the path has very likely been
deleted. However, if pathinfo() returned something besides PATHINFO_OK,
but ev_remove_path() succeeded, uev_add_path() was still accessing the
the path afterwards, which would likely cause a use-after-free error.
Insted, uev_add_path() should only continue to access the path if
ev_remove_path() didn't succeed.
Signed-off-by: Benjamin Marzinski <bmarzins@redhat.com>
---
multipathd/main.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/multipathd/main.c b/multipathd/main.c
index 425492a9..19679848 100644
--- a/multipathd/main.c
+++ b/multipathd/main.c
@@ -890,13 +890,7 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map)
*/
pp->mpp = prev_mpp;
ret = ev_remove_path(pp, vecs, true);
- if (r == PATHINFO_OK && !ret)
- /*
- * Path successfully freed, move on to
- * "new path" code path below
- */
- pp = NULL;
- else {
+ if (ret != 0) {
/*
* Failure in ev_remove_path will keep
* path in pathvec in INIT_REMOVED state
@@ -907,7 +901,12 @@ uev_add_path (struct uevent *uev, struct vectors * vecs, int need_do_map)
dm_fail_path(pp->mpp->alias, pp->dev_t);
condlog(1, "%s: failed to re-add path still mapped in %s",
pp->dev, pp->mpp->alias);
- }
+ } else if (r == PATHINFO_OK)
+ /*
+ * Path successfully freed, move on to
+ * "new path" code path below
+ */
+ pp = NULL;
} else if (r == PATHINFO_SKIPPED) {
condlog(3, "%s: remove blacklisted path",
uev->kernel);
--
2.17.2
--
dm-devel mailing list
dm-devel@redhat.com
https://www.redhat.com/mailman/listinfo/dm-devel
next prev parent reply other threads:[~2021-02-09 5:19 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-09 5:19 [dm-devel] [PATCH 0/2] Handle remapped LUNs better Benjamin Marzinski
2021-02-09 5:19 ` Benjamin Marzinski [this message]
2021-02-09 20:57 ` [dm-devel] [PATCH 1/2] libmultipath: fix use-after-free in uev_add_path Martin Wilck
2021-02-09 5:19 ` [dm-devel] [PATCH 2/2] multipathd: add recheck_wwid_time option to verify the path wwid Benjamin Marzinski
2021-02-09 22:19 ` Martin Wilck
2021-02-10 18:09 ` Benjamin Block
2021-02-10 19:57 ` Martin Wilck
2021-02-11 11:25 ` Benjamin Block
2021-02-11 4:48 ` Benjamin Marzinski
2021-02-11 12:14 ` Martin Wilck
2021-02-18 3:22 ` Chongyun Wu
2021-02-19 10:46 ` Martin Wilck
2021-02-27 6:02 ` Benjamin Marzinski
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1612847967-8813-2-git-send-email-bmarzins@redhat.com \
--to=bmarzins@redhat.com \
--cc=Martin.Wilck@suse.com \
--cc=christophe.varoqui@opensvc.com \
--cc=dm-devel@redhat.com \
--cc=wucy11@chinatelecom.cn \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).