Date: Sun, 14 Jan 2018 17:49:05 +0000
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 225162] Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable
Message-ID: <bug-225162-8-Nc8LLKg4Cy@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-225162-8@https.bugs.freebsd.org/bugzilla/>
References: <bug-225162-8@https.bugs.freebsd.org/bugzilla/>
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225162

--- Comment #1 from WHR <msl0000023508@gmail.com> ---

Source file https://svnweb.freebsd.org/base/head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c (latest version r323491 at this time), line 1220, in function zfs_aclset_common, has a local variable definition "zfs_acl_phys_t acl_phys;". At line 1297, the pointer to this variable (&acl_phys) is stored into the array "bulk"; the current code block and the lifetime of "acl_phys" end after this, but "bulk" is still used at line 1314.

This code results in undefined behavior, meaning this bug may not be generally noticeable. In my test, clang 3.4.1 on FreeBSD 10.3 amd64 won't trigger wrong behavior; however, gcc 4.7, 4.8 and 4.9 at any optimization level (except "-O0") will result in buggy behavior, which shows to the user as:

[WHR@kmod-test /testpool]$ mkdir 35
[WHR@kmod-test /testpool]$ cd 35
-bash: cd: 35: Permission denied

because the ACL fails to be stored.

The attached patch will fix this bug by moving the definition of "acl_phys" to the top block of the function, thus its lifetime will cover the whole function.

-- 
You are receiving this mail because:
You are the assignee for the bug.
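The lifetime problem the comment describes, modelled as an added example (not code from the bug report, the attached patch or FreeBSD's zfs_acl.c) with hypothetical stand-in types and names (acl_phys_t, bulk_attr_t, commit_bulk, non_sa); the buggy shape and the hoisted-declaration fix sit side by side:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical stand-ins for the zfs_acl_phys_t / bulk attribute shapes. */
typedef struct { uint64_t z_acl_extern_obj, z_acl_size, z_acl_count; } acl_phys_t;
typedef struct { const void *data; size_t len; } bulk_attr_t;

/* Stand-in for the update call that reads every bulk[] entry at the end
 * (sums the 64-bit words so the check is endianness-independent). */
static uint64_t commit_bulk(const bulk_attr_t *bulk, int count) {
    uint64_t sum = 0, word;
    for (int i = 0; i < count; i++)
        for (size_t off = 0; off + sizeof word <= bulk[i].len; off += sizeof word) {
            memcpy(&word, (const uint8_t *)bulk[i].data + off, sizeof word);
            sum += word;
        }
    return sum;
}

/* Buggy shape: acl_phys is declared inside the inner block, but the pointer
 * stored in bulk[] outlives that block, so commit_bulk() reads a dead object.
 * That is undefined behaviour, which is why the symptom depends on the compiler. */
uint64_t aclset_buggy(int non_sa, uint64_t acl_size) {
    bulk_attr_t bulk[2]; int count = 0;
    uint64_t mode = 0755;
    bulk[count++] = (bulk_attr_t){ &mode, sizeof mode };
    if (non_sa) {
        acl_phys_t acl_phys = { 0, acl_size, 1 };   /* lifetime ends at the '}' */
        bulk[count++] = (bulk_attr_t){ &acl_phys, sizeof acl_phys };
    }
    return commit_bulk(bulk, count);   /* use after end of acl_phys lifetime */
}

/* Fixed shape (what the attached patch does): hoist acl_phys to function
 * scope so it stays alive until commit_bulk() has consumed bulk[]. */
uint64_t aclset_fixed(int non_sa, uint64_t acl_size) {
    bulk_attr_t bulk[2]; int count = 0;
    uint64_t mode = 0755;
    acl_phys_t acl_phys;                /* now lives for the whole function */
    bulk[count++] = (bulk_attr_t){ &mode, sizeof mode };
    if (non_sa) {
        acl_phys = (acl_phys_t){ 0, acl_size, 1 };
        bulk[count++] = (bulk_attr_t){ &acl_phys, sizeof acl_phys };
    }
    return commit_bulk(bulk, count);
}
```

Building aclset_buggy with clang's AddressSanitizer (-fsanitize=address) reports the read in commit_bulk as a stack-use-after-scope, which is a cheap way to catch this class of bug before it reaches a compiler that happens to reuse the dead slot.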