From: Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
To: <linux-btrfs@vger.kernel.org>
Cc: Adam Buchbinder <abuchbinder@google.com>, <dave@jikos.cz>
Subject: [PATCH] Avoid double-free of fs_devices->list.
Date: Tue, 24 Jun 2014 16:30:21 +0900
Message-ID: <53A9290D.6090202@jp.fujitsu.com>

I found the following patch is insufficient.
===============================================================================
commit 6e6b32ddf58db54f714d0f263c2589f4859e8b5e
Author: Adam Buchbinder <abuchbinder@google.com>
Date: Fri Jun 13 16:43:56 2014 -0700
btrfs-progs: Fix a use-after-free in the volumes code.
===============================================================================
"btrfs filesystem show <dev>" with this patch causes segmentation fault
if "<dev>" is a not-mounted Btrfs filesystem.
===============================================================================
# ./btrfs filesystem show /dev/sdd1
Label: none uuid: <cut here>
Total devices 1 FS bytes used 112.00KiB
devid 1 size 59.12GiB used 2.04GiB path /dev/sdd1
Segmentation fault (core dumped)
===============================================================================
It's due to double-free of fs_devices->list as follows.
===============================================================================
cmd_show
  -> list_del(&fs_devices->list)        # 1st one.
  -> btrfs_close_devices(fs_devices)
     -> list_del(&fs_devices->list)     # <- 2nd one introduced at 6e6b32dd.
                                        Double-free happens here.
===============================================================================
The first list_del() can safely be removed because fs_devices->list will be
deleted by the second one soon.
Signed-off-by: Satoru Takeuchi <takeuchi_satoru@jp.fujitsu.com>
Cc: Adam Buchbinder <abuchbinder@google.com>
---
cmds-filesystem.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/cmds-filesystem.c b/cmds-filesystem.c
index b1ba508..14cb6e0 100644
--- a/cmds-filesystem.c
+++ b/cmds-filesystem.c
@@ -716,7 +716,6 @@ devs_only:
while (!list_empty(all_uuids)) {
fs_devices = list_entry(all_uuids->next,
struct btrfs_fs_devices, list);
- list_del(&fs_devices->list);
btrfs_close_devices(fs_devices);
}
out:
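Review bot: the `while (!list_empty(all_uuids))` loop in this hunk now terminates only because btrfs_close_devices() unlinks fs_devices->list itself (the list_del that the commit message says was introduced at 6e6b32dd), and nothing at the call site says so. Please add a short comment above `btrfs_close_devices(fs_devices);` stating that the callee removes the entry from all_uuids. Without it, a later change that drops or skips that list_del in btrfs_close_devices() would leave this loop fetching the same, already closed entry from all_uuids->next again.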
--
1.9.3
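
The call chain in the commit message, as an added example that is not part of the original patch or of btrfs-progs: a simplified kernel-style list in which a second unlink of the same entry is detected instead of dereferencing stale pointers. The names `list_del_checked`, `close_devices`, `drain` and the `POISON` value are assumptions made for this sketch.

```c
#include <stdlib.h>

/* Simplified model of a kernel-style list; not btrfs-progs' list.h. */
struct list_head { struct list_head *next, *prev; };
#define POISON ((struct list_head *)0x100)   /* constructed marker value */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static int list_empty(const struct list_head *h) { return h->next == h; }
static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}
/* Returns -1 on a second unlink instead of following poisoned pointers. */
static int list_del_checked(struct list_head *e)
{
    if (e->next == POISON || e->prev == POISON)
        return -1;
    e->prev->next = e->next;
    e->next->prev = e->prev;
    e->next = e->prev = POISON;
    return 0;
}

struct fs_devices { struct list_head list; };  /* hypothetical stand-in */

/* Models the callee after 6e6b32dd: it unlinks the entry itself. */
static int close_devices(struct fs_devices *d)
{
    int rc = list_del_checked(&d->list);
    free(d);
    return rc;
}

/* caller_unlinks=1 is the pre-patch cmd_show loop, 0 the patched one.
 * Returns how many second unlinks were caught while draining n entries. */
static int drain(int n, int caller_unlinks)
{
    struct list_head all;
    int caught = 0;
    list_init(&all);
    for (int i = 0; i < n; i++) {
        struct fs_devices *d = malloc(sizeof(*d));
        if (!d) abort();
        list_add(&d->list, &all);
    }
    while (!list_empty(&all)) {
        struct fs_devices *d = (struct fs_devices *)all.next; /* list is the first member */
        if (caller_unlinks) list_del_checked(&d->list);
        if (close_devices(d) != 0) caught++;
    }
    return caught;
}

int main(void) { return drain(3, 0); }
```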