Date: Sun, 14 Jan 2018 17:49:05 +0000 From: bugzilla-noreply@freebsd.org To: freebsd-bugs@FreeBSD.org Subject: [Bug 225162] Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable Message-ID: <bug-225162-8-Nc8LLKg4Cy@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-225162-8@https.bugs.freebsd.org/bugzilla/> References: <bug-225162-8@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=225162 --- Comment #1 from WHR <msl0000023508@gmail.com> --- Source file https://svnweb.freebsd.org/base/head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c (latest version r323491 at this time), line 1220, in function zfs_aclset_common have a local variable definition "zfs_acl_phys_t acl_phys;". At line 1297, the pointer to this variable (&acl_phys) is stored into the array "bulk"; then the current code block and the lifetime of "acl_phys" is ended after this, but "bulk" is still got used at line 1314. This code resulted in undefined behavior, meaning this bug may not be generally noticeable. In my test, the clang 3.4.1 on FreeBSD 10.3 amd64 won't trigger wrong behavior; however gcc 4.7 4.8 4.9 at any optimization level (except "-O0") will resulting a buggy behavior which showing to the user as: [WHR@kmod-test /testpool]$ mkdir 35 [WHR@kmod-test /testpool]$ cd 35 -bash: cd: 35: Permission denied Due the ACL is failed to store. The attached patch will fix this bug by moving the definition of "acl_phys" to the top block of the function, thus its lifetime will cover the whole function. -- You are receiving this mail because: You are the assignee for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-225162-8-Nc8LLKg4Cy>