Date: Sun, 14 Jan 2018 17:48:20 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 225162] Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable Message-ID: <bug-225162-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225162

Bug ID: 225162
Summary: Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable
Product: Base System
Version: CURRENT
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: msl0000023508@gmail.com

Created attachment 189714
--> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=189714&action=edit
Patch

Source file https://svnweb.freebsd.org/base/head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c (latest version r323491 at this time), line 1220, in function zfs_aclset_common, has a local variable definition "zfs_acl_phys_t acl_phys;". At line 1297, the pointer to this variable (&acl_phys) is stored into the array "bulk"; the current code block, and with it the lifetime of "acl_phys", ends after this, but "bulk" is still used at line 1314.

This code results in undefined behavior, meaning this bug may not be generally noticeable. In my test, clang 3.4.1 on FreeBSD 10.3 amd64 does not trigger wrong behavior; however, gcc 4.7, 4.8 and 4.9 at any optimization level (except "-O0") will result in buggy behavior, which shows to the user as:

[WHR@kmod-test /testpool]$ mkdir 35
[WHR@kmod-test /testpool]$ cd 35
-bash: cd: 35: Permission denied

because the ACL failed to store.

The attached patch will fix this bug by moving the definition of "acl_phys" to the top block of the function, so that its lifetime covers the whole function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
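Added illustration, not part of the bug report or of the FreeBSD source: a self-contained C model of the pattern the reporter describes and of the fix the patch applies. The types acl_phys_t, bulk_attr_t and sa_store_t, and the functions bulk_update, aclset_buggy and aclset_fixed, are simplified hypothetical stand-ins for zfs_acl_phys_t, the sa_bulk_attr_t "bulk" array and the SA update path; the counts and lengths are constructed test values. aclset_buggy keeps the reported shape (address of a block-scoped local parked in bulk[], dereferenced after the block closes) and is defined but never called, because reading through that pointer is undefined behaviour and no assertion can be made about it; aclset_fixed hoists the local to function scope as the patch does.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-ins for zfs_acl_phys_t / sa_bulk_attr_t; not the real
 * sys/cddl definitions. Layout matters only for the decode helper below. */
typedef struct {
    uint64_t zap_acl_extern_obj;
    uint32_t zap_acl_count;
    uint16_t zap_acl_version;
    uint16_t zap_acl_pad;
} acl_phys_t;

typedef struct {
    const void *data;   /* address of the attribute value */
    size_t      size;   /* length of the value in bytes */
} bulk_attr_t;

/* Toy attribute store standing in for the SA layer's on-disk update. */
typedef struct {
    unsigned char buf[64];
    size_t len;
} sa_store_t;

/* Consumes the bulk array by copying every value out of memory. In the
 * report this is the step that runs after the inner block has closed. */
void bulk_update(sa_store_t *store, const bulk_attr_t *bulk, int n)
{
    store->len = 0;
    for (int i = 0; i < n; i++) {
        memcpy(store->buf + store->len, bulk[i].data, bulk[i].size);
        store->len += bulk[i].size;
    }
}

/* BUGGY: same shape as the reported code. acl_phys exists only inside the
 * if-block, yet its address is stored in bulk[] and read after the block.
 * Undefined behaviour: one compiler may leave the stack slot intact, another
 * may reuse it once the object is dead. Defined for comparison, never run. */
size_t aclset_buggy(sa_store_t *store, int version, uint32_t count)
{
    bulk_attr_t bulk[2];
    int nbulk = 0;
    uint64_t extern_obj = 0;

    if (version == 0) {
        acl_phys_t acl_phys;                  /* lifetime ends at the '}' */
        memset(&acl_phys, 0, sizeof acl_phys);
        acl_phys.zap_acl_count = count;
        bulk[nbulk].data = &acl_phys;         /* pointer outlives the object */
        bulk[nbulk].size = sizeof acl_phys;
        nbulk++;
    }
    bulk[nbulk].data = &extern_obj;
    bulk[nbulk].size = sizeof extern_obj;
    nbulk++;
    bulk_update(store, bulk, nbulk);          /* reads the dead acl_phys */
    return store->len;
}

/* FIXED: the patch's approach. acl_phys is declared at function scope, so it
 * is alive for as long as bulk[] can refer to it. */
size_t aclset_fixed(sa_store_t *store, int version, uint32_t count)
{
    bulk_attr_t bulk[2];
    int nbulk = 0;
    uint64_t extern_obj = 0;
    acl_phys_t acl_phys;                      /* lives until return */

    memset(&acl_phys, 0, sizeof acl_phys);
    if (version == 0) {
        acl_phys.zap_acl_count = count;
        bulk[nbulk].data = &acl_phys;
        bulk[nbulk].size = sizeof acl_phys;
        nbulk++;
    }
    bulk[nbulk].data = &extern_obj;
    bulk[nbulk].size = sizeof extern_obj;
    nbulk++;
    bulk_update(store, bulk, nbulk);
    return store->len;
}

/* Check helpers: run the fixed path and decode what reached the store. */
size_t fixed_stored_len(int version, uint32_t count)
{
    sa_store_t st;
    return aclset_fixed(&st, version, count);
}

uint32_t fixed_roundtrip_count(uint32_t count)
{
    sa_store_t st;
    uint32_t got;
    aclset_fixed(&st, 0, count);
    memcpy(&got, st.buf + offsetof(acl_phys_t, zap_acl_count), sizeof got);
    return got;
}

int main(void)
{
    printf("fixed path stored %zu bytes, acl count %u\n",
           fixed_stored_len(0, 35), fixed_roundtrip_count(35));
    return 0;
}
```

The fix is deliberately a scope change rather than a copy: the bulk array holds pointers, not values, so any object it references has to outlive the call that consumes it. When auditing similar code, follow every address taken with "&" into a container and confirm the container is not used past the closing brace of the block that owns the object; sanitizers such as AddressSanitizer's use-after-scope detection (-fsanitize=address with stack-use-after-scope) catch this class at runtime where the compiler happens to hide it.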
