FreeBSD Mail Archives

Date:      Tue, 1 Nov 2022 20:33:47 GMT
From:      Mark Johnston <markj@FreeBSD.org>
To:        src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
Subject:   git: 8838c650cb59 - releng/13.1 - Fix use-after-free in btree code
Message-ID:  <202211012033.2A1KXltY026424@gitrepo.freebsd.org>

next in thread | raw e-mail | index | archive | help

The branch releng/13.1 has been updated by markj:

URL: https://cgit.FreeBSD.org/src/commit/?id=8838c650cb59a1fc998e9f47424c53e030f457b9

commit 8838c650cb59a1fc998e9f47424c53e030f457b9
Author:     Richard Yao <richard.yao@alumni.stonybrook.edu>
AuthorDate: 2022-09-12 18:22:15 +0000
Commit:     Mark Johnston <markj@FreeBSD.org>
CommitDate: 2022-11-01 18:03:25 +0000

    Fix use-after-free in btree code
    
    Coverty static analysis found these.
    
    Reviewed-by: Alexander Motin <mav@FreeBSD.org>
    Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov>
    Reviewed-by: Neal Gompa <ngompa@datto.com>
    Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu>
    Closes #10989
    Closes #13861
    
    Approved by:    so
    Security:       FreeBSD-EN-22:21.zfs
    
    (cherry picked from commit 8131a96544fd19411c23424af85140e91e41c001)
---
 sys/contrib/openzfs/module/zfs/btree.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/sys/contrib/openzfs/module/zfs/btree.c b/sys/contrib/openzfs/module/zfs/btree.c
index 57b9dbbb2b50..77cb2543e93d 100644
--- a/sys/contrib/openzfs/module/zfs/btree.c
+++ b/sys/contrib/openzfs/module/zfs/btree.c
@@ -1536,8 +1536,8 @@ zfs_btree_remove_from_node(zfs_btree_t *tree, zfs_btree_core_t *node,
 	zfs_btree_poison_node_at(tree, keep_hdr, keep_hdr->bth_count);
 
 	new_rm_hdr->bth_count = 0;
-	zfs_btree_node_destroy(tree, new_rm_hdr);
 	zfs_btree_remove_from_node(tree, parent, new_rm_hdr);
+	zfs_btree_node_destroy(tree, new_rm_hdr);
 }
 
 /* Remove the element at the specific location. */
@@ -1769,6 +1769,7 @@ zfs_btree_remove_idx(zfs_btree_t *tree, zfs_btree_index_t *where)
 	zfs_btree_node_destroy(tree, rm_hdr);
 	/* Remove the emptied node from the parent. */
 	zfs_btree_remove_from_node(tree, parent, rm_hdr);
+	zfs_btree_node_destroy(tree, rm_hdr);
 	zfs_btree_verify(tree);
 }

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202211012033.2A1KXltY026424>

Header And Logo

Peripheral Links

Site Navigation

Header And Logo

Peripheral Links

Search

Site Navigation