Date: Thu, 20 Sep 2018 12:00:08 +0000
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 231510] use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)
Message-ID: <bug-231510-227@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231510

            Bug ID: 231510
           Summary: use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs@FreeBSD.org
          Reporter: yangx92@hotmail.com

There is a use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)

313 static void
314 g_raid_tr_iodone_raid0(struct g_raid_tr_object *tr,
315     struct g_raid_subdisk *sd,struct bio *bp)
316 {
317 	struct bio *pbp;
318
319 	pbp = bp->bio_parent;
320 	if (pbp->bio_error == 0)
321 		pbp->bio_error = bp->bio_error;
322 	g_destroy_bio(bp);
323 	pbp->bio_inbed++;
324 	if (pbp->bio_children == pbp->bio_inbed) {
325 		pbp->bio_completed = pbp->bio_length;
326 		g_raid_iodone(pbp, bp->bio_error);
327 	}
328 }

bp is destroyed in line 322, while it is used in line 326 again.

The proposed patch should be like below.

pbp->bio_inbed++; if (pbp->bio_children =3D=3D pbp->bio_inbed) { pbp->bio_completed =3D pbp->bio_length; - g_raid_iodone(pbp, bp->bio_error); + g_raid_iodone(pbp, pbp->bio_error); } }

-- 
You are receiving this mail because:
You are the assignee for the bug.
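
Review bot: The replaced argument in the g_raid_iodone() call does not carry the same value as before when an earlier child request failed: pbp->bio_error holds the first non-zero child error recorded at lines 320-321, whereas the old argument was the error of whichever child completed last. Passing the parent's accumulated error looks like the right value to report, and it avoids reading bp after g_destroy_bio(bp) at line 322, but the commit message should say that the reported error changes as well as the freed-memory read going away. The excerpt also has no file or @@ headers, so it should be attached to the bug as a unified diff against sys/geom/raid/tr_raid0.c so that it can be applied directly.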