Bugzilla – Attachment 364153 Details for
Bug 603620
mkfs.btrfs fails on 3 TB partition
[patch]
btrfsprogs: Fix use after free in close_ctree
btrfsprogs-fix-use-after-free (text/plain), 1.33 KB, created by
Jeff Mahoney
on 2010-05-24 13:58:50 UTC
>From: Jeff Mahoney <jeffm@suse.com> >Subject: btrfsprogs: Fix use after free in close_ctree >References: bnc#603620 > > After the roots are closed, root is freed. Yet close_ctree continues > to use it. It works generally because no new memory is allocated in > the interim, but with glibc malloc perturbing enabled, it crashes > every time. This is because root->fs_info points to garbage. > > This patch uses the already-cached fs_info variable for the rest of > the accesses and fixes the crash. > > >Signed-off-by: Jeff Mahoney <jeffm@suse.com> >--- > disk-io.c | 10 +++++----- > 1 file changed, 5 insertions(+), 5 deletions(-) > >--- a/disk-io.c >+++ b/disk-io.c >@@ -971,13 +971,13 @@ int close_ctree(struct btrfs_root *root) > if (fs_info->csum_root->node) > free_extent_buffer(fs_info->csum_root->node); > >- if (root->fs_info->log_root_tree) { >- if (root->fs_info->log_root_tree->node) >- free_extent_buffer(root->fs_info->log_root_tree->node); >- free(root->fs_info->log_root_tree); >+ if (fs_info->log_root_tree) { >+ if (fs_info->log_root_tree->node) >+ free_extent_buffer(fs_info->log_root_tree->node); >+ free(fs_info->log_root_tree); > } > >- close_all_devices(root->fs_info); >+ close_all_devices(fs_info); > extent_io_tree_cleanup(&fs_info->extent_cache); > extent_io_tree_cleanup(&fs_info->free_space_cache); > extent_io_tree_cleanup(&fs_info->block_group_cache);
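Review bot: in the hunk at disk-io.c line 971, `root` stays in scope as the function parameter after the point where the description says it has been freed, and nothing in the changed lines marks that boundary, so a later edit can reintroduce `root->fs_info` here with no compile-time signal. Consider a short comment above `if (fs_info->log_root_tree) {` stating that `root` must not be dereferenced from this point on and that the cached `fs_info` is the pointer to use. The hunk covers only the log_root_tree block and the `close_all_devices()` call, so it is worth confirming that no other `root->` dereference remains in the part of close_ctree that runs after the roots are closed but falls outside these lines. Since the description says the crash reproduces every time with glibc malloc perturbing enabled, running the tools under that setting is a cheap way to catch a regression of this kind.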