mdadm/0092-isuper-intel.c-fix-double-free-in-load_imsm_mpb.patch


Accepting request 1137473 from home:colyli:branches:Base:System

- Update mdadm to latest upstream state upto commit 582945c2d3bb. (jsc#PED-7542)
  1) The testing changes are not included here.
  2) Code clean up, and more helper routines added for Manage.c, Monitor.c, mdadm.c, ReadMe.c, super-intel.c, super0.c, super1.c, Create.c, Incremental.c and so on.
  3) Man page update for mdadm.8.in.
  4) Several memory leak and double free fixes.
  5) Check /etc/initrd-release for whether systemd running on an initrd.
- Manage: Block unsafe member failing
  0062-Manage-Block-unsafe-member-failing.patch
- Mdmonitor: Split alert() into separate functions
  0063-Mdmonitor-Split-alert-into-separate-functions.patch
- Monitor: block if monitor modes are combined.
  0064-Monitor-block-if-monitor-modes-are-combined.patch
- Update mdadm Monitor manual.
  0065-Update-mdadm-Monitor-manual.patch
- mdadm: create ident_init()
  0066-mdadm-create-ident_init.patch
- mdadm: Add option validation for --update-subarray
  0067-mdadm-Add-option-validation-for-update-subarray.patch
- Fix --update-subarray on active volume
  0068-Fix-update-subarray-on-active-volume.patch
- Add code specific update options to enum.
  0069-Add-code-specific-update-options-to-enum.patch
- super-ddf: Remove update_super_ddf.
  0070-super-ddf-Remove-update_super_ddf.patch
- super0: refactor the code for enum
  0071-super0-refactor-the-code-for-enum.patch
- super1: refactor the code for enum

OBS-URL: https://build.opensuse.org/request/show/1137473
OBS-URL: https://build.opensuse.org/package/show/Base:System/mdadm?expand=0&rev=231
2024-01-11 01:49:23 +01:00
From 50cd06b484bb99bfacdd4f9d2f8ee5e52bfc7bd3 Mon Sep 17 00:00:00 2001
From: Wu Guanghao <wuguanghao3@huawei.com>
Date: Sat, 4 Mar 2023 00:21:33 +0800
Subject: [PATCH] isuper-intel.c: fix double free in load_imsm_mpb()
In load_imsm_mpb() there is a potential double free issue on super->buf.
The first location to free super->buf is from get_super_block() <==
load_and_parse_mpb() <== load_imsm_mpb():
4514 if (posix_memalign(&super->migr_rec_buf, MAX_SECTOR_SIZE,
4515 MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
4516 pr_err("could not allocate migr_rec buffer\n");
4517 free(super->buf);
4518 return 2;
4519 }
If the above error condition happens, super->buf is freed and value 2
is returned to get_super_block() eventually. Then in the following code
block inside load_imsm_mpb(),
5289 error:
5290 if (!err) {
5291 s->next = *super_list;
5292 *super_list = s;
5293 } else {
5294 if (s)
5295 free_imsm(s);
5296 close_fd(&dfd);
5297 }
at line 5295 when free_imsm() is called, super->buf is freed again from
the call chain free_imsm() <== __free_imsm(), in the following code block,
4651 if (super->buf) {
4652 free(super->buf);
4653 super->buf = NULL;
4654 }
This patch sets super->buf to NULL after line 4517 in load_imsm_mpb()
to avoid the potential double free().
(Coly Li helps to re-compose the commit log)
Signed-off-by: Wu Guanghao <wuguanghao3@huawei.com>
Reviewed-by: Mariusz Tkaczyk <mariusz.tkaczyk@linux.intel.com>
Acked-by: Coly Li <colyli@suse.de>
Signed-off-by: Jes Sorensen <jes@trained-monkey.org>
---
super-intel.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/super-intel.c b/super-intel.c
index 89fac62..4a3da84 100644
--- a/super-intel.c
+++ b/super-intel.c
@@ -4515,6 +4515,7 @@ static int load_imsm_mpb(int fd, struct intel_super *super, char *devname)
MIGR_REC_BUF_SECTORS*MAX_SECTOR_SIZE) != 0) {
pr_err("could not allocate migr_rec buffer\n");
free(super->buf);
+ super->buf = NULL;
return 2;
}
super->clean_migration_record_by_mdmon = 0;
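Review bot: the added `+ super->buf = NULL;` directly after `free(super->buf);` is the right fix for this error path, because __free_imsm() (quoted in the commit log) frees super->buf whenever it is non-NULL and the caller routes the `return 2` into free_imsm(). Since that cleanup contract is "whoever frees buf must also clear it", it is worth a quick audit that any other early-return path in load_imsm_mpb() that frees super->buf follows the same two-line pattern; the hunk only shows this one site. A brief comment on the NULL assignment (e.g. "cleared so free_imsm() does not free it again") would make the reason survive future refactoring.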
--
2.35.3
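As an added illustration of the ownership rule the patch restores (this is example code written for this page, not mdadm's own code), the following C program models the two pieces that interact in the commit message: a loader whose error path frees a metadata buffer, and a generic cleanup that frees the same buffer whenever the pointer is non-NULL. The names struct demo_super, demo_load_mpb(), demo_free_super() and demo_error_path_is_safe() are hypothetical stand-ins for intel_super, load_imsm_mpb(), __free_imsm() and the calling code; the allocation failure is injected with a flag rather than by exhausting memory.

```c
/* Added example, not from the mdadm patch: models the free-then-clear
 * ownership pattern that the one-line fix relies on. All names below are
 * hypothetical stand-ins for the mdadm functions named in the lead-in. */
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DEMO_SECTOR 512

struct demo_super {
    void *buf;          /* metadata block, owned by this struct */
    void *migr_rec_buf; /* migration record, owned by this struct */
};

/* Fault injection: when non-zero, the migration-record allocation fails,
 * which is exactly the error path the patch touches. */
static int demo_fail_migr_alloc = 0;

static int demo_alloc_aligned(void **p, size_t size, int force_fail)
{
    if (force_fail) {
        *p = NULL;
        return ENOMEM;
    }
    return posix_memalign(p, DEMO_SECTOR, size);
}

/* Error path mirrors the fixed load_imsm_mpb(): when the second buffer
 * cannot be allocated, the first one is released AND the pointer is
 * cleared, so a later generic cleanup cannot free it a second time. */
static int demo_load_mpb(struct demo_super *super)
{
    if (demo_alloc_aligned(&super->buf, DEMO_SECTOR, 0) != 0)
        return 1;
    memset(super->buf, 0, DEMO_SECTOR);

    if (demo_alloc_aligned(&super->migr_rec_buf, DEMO_SECTOR,
                           demo_fail_migr_alloc) != 0) {
        fprintf(stderr, "could not allocate migr_rec buffer\n");
        free(super->buf);
        super->buf = NULL; /* the one-line fix: ownership is now gone */
        return 2;
    }
    return 0;
}

/* Generic cleanup in the spirit of __free_imsm(): frees whatever is still
 * owned. Because free(NULL) is a no-op and every pointer is cleared after
 * release, calling this any number of times is safe. */
static void demo_free_super(struct demo_super *super)
{
    free(super->buf);
    super->buf = NULL;
    free(super->migr_rec_buf);
    super->migr_rec_buf = NULL;
}

/* Drives the failing path and checks that the struct is left in a state
 * that the generic cleanup can handle. Returns 1 when safe, 0 otherwise. */
int demo_error_path_is_safe(void)
{
    struct demo_super s = { NULL, NULL };
    demo_fail_migr_alloc = 1;
    int rc = demo_load_mpb(&s);
    demo_fail_migr_alloc = 0;
    if (rc != 2)
        return 0;
    if (s.buf != NULL) /* without the fix this would be a dangling pointer */
        return 0;
    demo_free_super(&s); /* corresponds to free_imsm() in the error branch */
    demo_free_super(&s); /* still safe: cleanup is idempotent */
    return 1;
}

/* The normal path: both buffers allocated, then released once. */
int demo_success_path_rc(void)
{
    struct demo_super s = { NULL, NULL };
    int rc = demo_load_mpb(&s);
    demo_free_super(&s);
    return rc;
}

int main(void)
{
    printf("error path safe: %d\n", demo_error_path_is_safe());
    printf("success path rc: %d\n", demo_success_path_rc());
    return 0;
}
```

Running the program under a sanitizer (for example building with -fsanitize=address) is the practical way to confirm the property: with the `super->buf = NULL;` line removed, demo_error_path_is_safe() would trip a double-free report in demo_free_super() instead of returning 1.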