s390-tools/s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
Mark Post 26778d88f7 Accepting request 974769 from home:markkp:branches:Base:System
- Added s390-tools-sles15sp4-zdump-fix-segfault-due-to-double-free.patch
  for bsc#1199128. zgetdump --info may lead to a core dump when
  issued for the device node (not a partition) right after
  installing multi-volume dump tool (without taking actual dump).

OBS-URL: https://build.opensuse.org/request/show/974769
OBS-URL: https://build.opensuse.org/package/show/Base:System/s390-tools?expand=0&rev=135
2022-05-03 18:31:04 +00:00


Subject: [PATCH] [BZ 197814] zdump/dfi: Fix segfault due to double free
From: Mikhail Zaslonko <zaslonko@linux.ibm.com>
Description: zdump: segfault on zgetdump -i for multi-volume dump
Symptom: zgetdump --info may lead to a core dump when issued for
the device node (not a partition) right after installing the
multi-volume dump tool (without taking an actual dump).
Problem: A double free condition occurs on the zg_close() call at the end of
the while loop in dfi_init() in the scope of zgetdump processing.
Solution: Do not call zg_close() at the end of the open_dump() function during
multi-volume dump initialization.
Reproduction: 1) Install the multi-volume dump tool
2) Run zgetdump -i using the device node of one of the dump
volumes as a parameter without taking an actual dump.
Upstream-ID: c4e4b926b471da9c488a6468e6bd966512d1d14c
Problem-ID: 197814
Upstream-Description:
zdump/dfi: Fix segfault due to double free
The problem can happen when dfi_s390mv_init_gen() returns with an error
code to dfi_init() in dfi.c.
A double free condition occurs on the zg_close() call at the end of the
while loop in dfi_init() if zg_close() has already been called for the
same file handle at the end of the open_dump() function in the scope of
dfi_s390mv_init_gen() processing.
This global file handle is not closed during the init() call for any
other dump format. Since it is not reopened or reused after the open_dump() call
during multi-volume dump initialization, we should not close it at all.
The problem can be reproduced in the following steps:
1) Install multi-volume dump tool
# zipl -M mvdump.conf
Dump target: 2 partitions with a total size of 4732 MB.
Warning: All information on the following partitions will be lost!
/dev/dasdb2
/dev/dasdb3
Do you want to continue creating multi-volume dump partitions (y/n)?y
Done.
2) Run zgetdump -i using the device (not a partition) as a parameter without
taking an actual dump.
# zgetdump -i /dev/dasdb
free(): double free detected in tcache 2
Aborted (core dumped)
Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
Reviewed-by: Alexander Egorenkov <egorenar@linux.ibm.com>
Signed-off-by: Jan Hoeppner <hoeppner@linux.ibm.com>
Signed-off-by: Mikhail Zaslonko <zaslonko@linux.ibm.com>
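The ownership mistake described above, as an added example that is not s390-tools code: a constructed model of the dfi_init() loop, dfi_s390mv_init_gen() and open_dump() with an instrumented zg_close() that counts a second close of the same handle instead of corrupting the heap. The handle type, the single-format loop shape and the failure point inside dfi_s390mv_init_gen() are assumptions made for the model.

```c
#include <errno.h>
#include <string.h>
/* Constructed stand-in for the zg file handle; no real I/O happens here. */
struct zg_fh { int fd; int closed; };
static struct zg_fh handle_storage;
static struct { struct zg_fh *fh; } g;   /* global handle, like g.fh in zdump */
static int double_close_count;           /* how often a handle was closed twice */

static struct zg_fh *zg_open(const char *path)
{
    handle_storage.fd = (int)strlen(path);   /* any non-negative value will do */
    handle_storage.closed = 0;
    return &handle_storage;
}

/* Instrumented close: a second close is counted instead of corrupting the heap. */
static void zg_close(struct zg_fh *fh)
{
    if (fh->closed)
        double_close_count++;
    fh->closed = 1;
}

/* Model of open_dump(): mv_dumper_read() succeeds, then the pre-patch version
 * closes a handle it does not own (the line the patch removes). */
static int open_dump(int close_on_exit)
{
    if (close_on_exit)
        zg_close(g.fh);
    return 0;
}
/* Assumed shape of dfi_s390mv_init_gen(): open_dump() succeeds but a later
 * check fails (whole device, no dump taken), so an error goes back to dfi_init(). */
static int dfi_s390mv_init_gen(int close_on_exit)
{
    int rc = open_dump(close_on_exit);
    return rc ? rc : -ENODEV;
}

/* Assumed shape of the dfi_init() loop body: dfi_init() owns g.fh and closes it
 * once after a failed format probe. Returns the number of double closes seen. */
int dfi_init_double_closes(const char *path, int close_on_exit)
{
    double_close_count = 0;
    g.fh = zg_open(path);
    if (dfi_s390mv_init_gen(close_on_exit) != 0)
        zg_close(g.fh);   /* the close at the end of the dfi_init() while loop */
    return double_close_count;
}
```

Calling `dfi_init_double_closes("/dev/dasdb", 1)` models the pre-patch code and reports one double close; with the second argument 0 (the patched open_dump()) it reports none.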
---
zdump/dfi_s390mv.c | 1 -
1 file changed, 1 deletion(-)
--- a/zdump/dfi_s390mv.c
+++ b/zdump/dfi_s390mv.c
@@ -556,7 +556,6 @@ static int open_dump(void)
}
if (mv_dumper_read() != 0)
return -ENODEV;
- zg_close(g.fh);
return 0;
}
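Review bot: with `zg_close(g.fh);` removed, every exit path of open_dump() now leaves the global handle open for the caller, which the description identifies as the dfi_init() loop; a short comment before `return 0;` stating that g.fh is intentionally left open for dfi_init() to close would keep the close from being reintroduced later. The `return -ENODEV;` path two lines above already left the handle open, so the function's two exits are now consistent.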