From 26778d88f7d9d9d55f1761904c5c2d5ebf5e68c634ade3e18bdda497adcea523 Mon Sep 17 00:00:00 2001
From: Mark Post
Date: Tue, 3 May 2022 18:31:04 +0000
Subject: [PATCH] Accepting request 974769 from home:markkp:branches:Base:System

- Added s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
  for bsc#1199128. zgetdump --info may lead to a core dump when
  issued for the device node (not a partition) right after
  installing multi-volume dump tool (without taking actual dump).

OBS-URL: https://build.opensuse.org/request/show/974769
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=135
---
 ...dump-fix-segfault-due-to-double-free.patch | 70 +++++++++++++++++++
 s390-tools.changes                            |  8 +++
 s390-tools.spec                               |  3 +-
 3 files changed, 80 insertions(+), 1 deletion(-)
 create mode 100644 s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch

diff --git a/s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch b/s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
new file mode 100644
index 0000000..137a151
--- /dev/null
+++ b/s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
@@ -0,0 +1,70 @@ +Subject: [PATCH] [BZ 197814] zdump/dfi: Fix segfault due to double free +From: Mikhail Zaslonko + +Description: zdump: segfault on zgetdump -i for multi-volume dump +Symptom: zgetdump --info may lead to the core dump when issued for + the device node (not a partition) right after installing + multi-volume dump tool (without taking actual dump). +Problem: Double free condition occurs on zg_close() call at the end of + the while loop in dfi_init() in scope of zgetdump processing. +Solution: Do not call zg_close() at the end of open_dump() function during + multi-volume dump initialization. +Reproduction: 1) Install multi-volume dump tool + 2) Run zgetdump -i using the device node of one of the dump + volumes as a parameter without taking actual dump. +Upstream-ID: c4e4b926b471da9c488a6468e6bd966512d1d14c +Problem-ID: 197814 + +Upstream-Description: + + zdump/dfi: Fix segfault due to double free + + The problem can happen when dfi_s390mv_init_gen() returns with an error + code to dfi_init() in dfi.c. + Double free condition occurs on zg_close() call at the end of the + while loop in dfi_init() if zg_close() has already been called for the + same file handle at the end of open_dump() function in scope of + dfi_s390mv_init_gen() processing. + This global file handle is not closed during init() call for any + other dump formats. Since it is not reopened/reused after open_dump() call + during multi-volume dump initialization, we should not close it at all. + + The problem can be reproduced in the following steps: + + 1) Install multi-volume dump tool + + # zipl -M mvdump.conf + Dump target: 2 partitions with a total size of 4732 MB. + Warning: All information on the following partitions will be lost! + /dev/dasdb2 + /dev/dasdb3 + Do you want to continue creating multi-volume dump partitions (y/n)?y + Done. + + 2) Run zgetdump -i using device (not partition) as a parameter without + taking actual dump. 
+ + # zgetdump -i /dev/dasdb + free(): double free detected in tcache 2 + Aborted (core dumped) + + Signed-off-by: Mikhail Zaslonko + Reviewed-by: Alexander Egorenkov + Signed-off-by: Jan Hoeppner + + +Signed-off-by: Mikhail Zaslonko +--- + zdump/dfi_s390mv.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/zdump/dfi_s390mv.c ++++ b/zdump/dfi_s390mv.c +@@ -556,7 +556,6 @@ static int open_dump(void) + } + if (mv_dumper_read() != 0) + return -ENODEV; +- zg_close(g.fh); + return 0; + } + diff --git a/s390-tools.changes b/s390-tools.changes index 1aaca9f..3d91c8e 100644 --- a/s390-tools.changes +++ b/s390-tools.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Tue May 3 18:10:58 UTC 2022 - Mark Post + +- Added s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch + for bsc#1199128. zgetdump --info may lead to a core dump when + issued for the device node (not a partition) right after + installing multi-volume dump tool (without taking actual dump). + ------------------------------------------------------------------- Thu Apr 14 13:57:12 UTC 2022 - Mark Post diff --git a/s390-tools.spec b/s390-tools.spec index 3e5af80..c13283a 100644 --- a/s390-tools.spec +++ b/s390-tools.spec @@ -1,7 +1,7 @@ # # spec file for package s390-tools # -# Copyright (c) 2021-2022 SUSE LLC +# Copyright (c) 2001-2022 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -100,6 +100,7 @@ Patch004: s390-tools-sles15sp4-zdev-Fix-path-resolution-for-multi-mount-po Patch005: s390-tools-sles15sp4-01-genprotimg-remove-DigiCert-root-CA-pinning.patch Patch006: s390-tools-sles15sp4-02-genprotimg-check_hostkeydoc-relax-default-issuer-che.patch Patch007: s390-tools-sles15sp4-libseckey-Fix-re-enciphering-of-EP11-secure-key.patch +Patch008: s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch # SUSE patches Patch900: s390-tools-sles12-zipl_boot_msg.patch
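Review bot: in the zdump/dfi_s390mv.c hunk, dropping `zg_close(g.fh);` leaves nothing in open_dump() recording that g.fh is owned and closed by the caller (the end-of-loop zg_close() in dfi_init() the description refers to), so the close is easy to reintroduce the next time someone reads the function in isolation; a one-line comment above `return 0;`, e.g. `/* g.fh stays open: dfi_init() closes it */`, would fix that. Note that the `return -ENODEV;` path two lines earlier never closed the handle either, so after this change both return paths of open_dump() leave g.fh to the caller, which is consistent. A more robust guard against this class of bug would be a close routine that takes the handle's address and NULLs it so a repeated call is a no-op, but that is a wider change than this minimal fix and fine to leave for a follow-up.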
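Review bot: the first s390-tools.spec hunk changes the copyright range from `2021-2022` to `2001-2022`, which is unrelated to the double-free fix and is not mentioned in the s390-tools.changes entry added in this request; either drop it from this submission or add a line to the changelog entry saying the copyright line was corrected.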
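Review bot: the second s390-tools.spec hunk only adds the `Patch008:` declaration; if this spec applies patches with explicit `%patch` lines in %prep rather than via %autosetup or %autopatch, the matching `%patch008 -p1` is not in this diff and the patch would be declared but never applied. Worth confirming before accepting, because a declared-but-unapplied patch builds cleanly and leaves the segfault in place.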
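The double free the upstream description explains, a helper closing a global handle that its caller also closes at the end of its loop, as an added C example that is not s390-tools code: `zg_open`/`zg_close`, `open_dump_before`/`open_dump_after` and `dfi_init_like` are illustrative stand-ins for the real functions, the device path is a constructed string and nothing is actually opened, and `zg_close` is instrumented to report a second close instead of freeing twice, since the real glibc behaviour is the abort shown in the reproduction.

```c
/*
 * Added example, not s390-tools code. Models the ownership bug fixed in
 * zdump/dfi_s390mv.c: a format driver's open_dump() closed a global handle
 * that the caller's loop closes again. All names below are stand-ins.
 */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define FH_LIVE 0x4C495645u
#define FH_DEAD 0x44454144u

struct zg_fh {
    unsigned magic;
    char *path;
};

/* Global handle shared between the format driver and its caller, like g.fh. */
static struct { struct zg_fh *fh; } g;
static int releases; /* instrumentation: real releases in the current run */

static struct zg_fh *zg_open(const char *path)
{
    struct zg_fh *fh = calloc(1, sizeof(*fh));
    size_t n = strlen(path) + 1;

    if (!fh)
        return NULL;
    fh->path = malloc(n);
    if (!fh->path) {
        free(fh);
        return NULL;
    }
    memcpy(fh->path, path, n);
    fh->magic = FH_LIVE;
    return fh;
}

/*
 * Instrumented close. A second free() of the same block is undefined
 * behaviour (glibc aborts with "free(): double free detected in tcache 2");
 * here the block is kept and marked DEAD so a second call is observable.
 */
static int zg_close(struct zg_fh *fh)
{
    if (!fh)
        return 0;
    if (fh->magic != FH_LIVE)
        return -1; /* double close: a double free in the real code */
    fh->magic = FH_DEAD;
    free(fh->path);
    fh->path = NULL;
    releases++;
    return 0;
}

/* 'Before' shape of open_dump(): closes a handle it does not own. */
static int open_dump_before(int read_ok)
{
    if (!read_ok)
        return -ENODEV; /* early return leaves the handle open */
    zg_close(g.fh);     /* the line the patch removes */
    return 0;
}

/* 'After' shape: ownership of g.fh stays with the caller on every path. */
static int open_dump_after(int read_ok)
{
    if (!read_ok)
        return -ENODEV;
    return 0;
}

/*
 * Caller loop in the shape of dfi_init(): probe one format, then close the
 * handle at the end of the iteration whether or not the probe matched
 * (no dump was taken, so it does not). Returns zg_close()'s result:
 * 0 for a single close, -1 when the handle had already been closed.
 */
static int dfi_init_like(int (*open_dump)(int), int read_ok)
{
    int close_rc;

    releases = 0;
    g.fh = zg_open("/dev/dasdb"); /* constructed path; nothing is opened */
    if (!g.fh)
        return -ENOMEM;
    (void)open_dump(read_ok);    /* format did not match: fall through */
    close_rc = zg_close(g.fh);   /* end-of-loop close owned by the caller */
    free(g.fh);                  /* release the instrumented block itself */
    g.fh = NULL;
    return close_rc;
}

/* Number of real releases in the last dfi_init_like() run. */
static int zg_releases(void)
{
    return releases;
}

int main(void)
{
    printf("before, read ok: %d\n", dfi_init_like(open_dump_before, 1));
    printf("after,  read ok: %d\n", dfi_init_like(open_dump_after, 1));
    return 0;
}
```

The buggy driver only trips when `mv_dumper_read()` succeeds, which is why the reproduction needs a freshly installed multi-volume dump tool: the volume headers read fine, open_dump() closes the handle and returns 0, a later check fails because no dump was taken, and the caller closes the same handle again.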