Date:      Sun, 14 Jan 2018 17:48:20 +0000
From:      bugzilla-noreply@freebsd.org
To:        freebsd-bugs@FreeBSD.org
Subject:   [Bug 225162] Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable
Message-ID:  <bug-225162-8@https.bugs.freebsd.org/bugzilla/>

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225162

            Bug ID: 225162
           Summary: Source file zfs_acl.c, function zfs_aclset_common
                    contains a use after end of the lifetime of a local
                    variable
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: msl0000023508@gmail.com

Created attachment 189714
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=189714&action=edit
Patch

Source file
https://svnweb.freebsd.org/base/head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c
(latest version r323491 at this time), line 1220, in function zfs_aclset_common,
has a local variable definition "zfs_acl_phys_t acl_phys;". At line 1297, the
pointer to this variable (&acl_phys) is stored into the array "bulk"; the
current code block, and with it the lifetime of "acl_phys", ends after this, but
"bulk" is still used at line 1314.

This code results in undefined behavior, meaning this bug may not be generally
noticeable. In my test, clang 3.4.1 on FreeBSD 10.3 amd64 does not trigger
wrong behavior; however gcc 4.7, 4.8 and 4.9 at any optimization level (except
"-O0") produce buggy behavior, which shows to the user as:

[WHR@kmod-test /testpool]$ mkdir 35
[WHR@kmod-test /testpool]$ cd 35
-bash: cd: 35: Permission denied

because the ACL fails to be stored.

The attached patch will fix this bug by moving the definition of "acl_phys" to
the top block of the function, so that its lifetime covers the whole function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
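The shape of the bug the report describes, and the shape of the fix it proposes, reduced to a stand-alone C file. This is an added example, not code from zfs_acl.c or from the attached patch: acl_phys_stub_t, bulk_attr_t, bulk_commit, aclset_buggy and aclset_fixed are simplified stand-ins with made-up layouts, chosen only to reproduce the pattern of a block-scoped local whose address is stored in an array that is consumed after the block closes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for zfs_acl_phys_t (hypothetical layout, not the ZFS one). */
typedef struct {
    uint64_t acl_extern_obj;
    uint64_t acl_size;
    uint64_t acl_version;
    uint64_t acl_count;
} acl_phys_stub_t;

/* Stand-in for a bulk-attribute descriptor: it carries a pointer to
 * caller-owned storage, which is exactly why the lifetime matters. */
typedef struct {
    const void *data;
    size_t      len;
} bulk_attr_t;

/* Stand-in for the store step that the report places at line 1314: it reads
 * every attribute out of the memory its descriptor points at. */
static size_t bulk_commit(const bulk_attr_t *bulk, size_t n, unsigned char *out)
{
    size_t off = 0;
    for (size_t i = 0; i < n; i++) {
        memcpy(out + off, bulk[i].data, bulk[i].len);
        off += bulk[i].len;
    }
    return off;
}

/* Buggy shape, as in the report: acl_phys is declared inside the block that
 * fills it, its address goes into bulk[], the block ends, and bulk[] is
 * committed afterwards. Reading through bulk[1].data at that point is
 * undefined behaviour: at -O0 the stack slot usually still holds the values,
 * with optimisation the compiler is free to reuse it (the gcc case above). */
static size_t aclset_buggy(uint64_t mode, uint64_t count, unsigned char *out)
{
    bulk_attr_t bulk[2];
    size_t n = 0;

    bulk[n].data = &mode;                 /* parameter: lives for the whole call */
    bulk[n].len  = sizeof(mode);
    n++;

    if (count > 0) {
        acl_phys_stub_t acl_phys = {0};   /* lifetime ends at the closing brace */
        acl_phys.acl_version = 1;
        acl_phys.acl_count   = count;
        acl_phys.acl_size    = count * 8;
        bulk[n].data = &acl_phys;         /* pointer escapes the block */
        bulk[n].len  = sizeof(acl_phys);
        n++;
    }                                     /* acl_phys is dead from here on */

    return bulk_commit(bulk, n, out);     /* but bulk[1].data still points at it */
}

/* Fixed shape, following the approach the attached patch takes: the
 * declaration is hoisted to the top block of the function, so the object
 * lives at least as long as the bulk[] array that refers to it. */
static size_t aclset_fixed(uint64_t mode, uint64_t count, unsigned char *out)
{
    acl_phys_stub_t acl_phys = {0};       /* valid until the function returns */
    bulk_attr_t bulk[2];
    size_t n = 0;

    bulk[n].data = &mode;
    bulk[n].len  = sizeof(mode);
    n++;

    if (count > 0) {
        acl_phys.acl_version = 1;
        acl_phys.acl_count   = count;
        acl_phys.acl_size    = count * 8;
        bulk[n].data = &acl_phys;
        bulk[n].len  = sizeof(acl_phys);
        n++;
    }

    return bulk_commit(bulk, n, out);
}

/* Runs the fixed path end to end and returns the acl_count that actually
 * reached the committed buffer (UINT64_MAX if nothing was committed). */
static uint64_t fixed_roundtrip(uint64_t count)
{
    unsigned char buf[sizeof(uint64_t) + sizeof(acl_phys_stub_t)];
    acl_phys_stub_t phys;

    if (aclset_fixed(0755, count, buf) != sizeof(buf))
        return UINT64_MAX;
    memcpy(&phys, buf + sizeof(uint64_t), sizeof(phys));
    return phys.acl_count;
}

int main(void)
{
    unsigned char buf[64];
    printf("fixed: committed acl_count = %llu\n",
           (unsigned long long)fixed_roundtrip(3));
    /* Under AddressSanitizer this call is reported as stack-use-after-scope. */
    aclset_buggy(0755, 3, buf);
    return 0;
}
```

The practical check for this class of bug is to build with `-fsanitize=address`, which flags the read in bulk_commit as a stack-use-after-scope regardless of optimisation level, rather than relying on a particular compiler leaving the dead stack slot intact, which is why clang happened to mask the bug in the report.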