From owner-svn-src-head@FreeBSD.ORG Tue Mar 10 21:08:59 2015
Message-Id: <201503102108.t2AL8xnM044555@svn.freebsd.org>
From: Mark Johnston
Date: Tue, 10 Mar 2015 21:08:59 +0000 (UTC)
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r279864 - head/cddl/contrib/opensolaris/common/ctf

Author: markj
Date: Tue Mar 10 21:08:58 2015
New Revision: 279864

URL: https://svnweb.freebsd.org/changeset/base/279864

Log:
  CTF containers use the ctf_dtoldid field as a threshold type index which
  indicates the range of type indices which have been committed to the
  container by ctf_update(). However, the top bit of the dtd_type field is
  not part of the type index; rather, it is a flag used to indicate that the
  corresponding CTF container is a parent. This is why the maximum CTF type
  index is 2^15 - 1 rather than 2^16 - 1. Therefore, this flag must be
  masked off (using the CTF_TYPE_TO_INDEX macro) when comparing a type index
  with the ctf_dtoldid field of a container.

  This bug was causing libctf to erroneously free committed type definitions
  in ctf_discard(). libdtrace holds some references to such types, resulting
  in a use-after-free.

  MFC after:	2 weeks
  Sponsored by:	EMC / Isilon Storage Division

Modified:
  head/cddl/contrib/opensolaris/common/ctf/ctf_create.c

Modified: head/cddl/contrib/opensolaris/common/ctf/ctf_create.c
==============================================================================
--- head/cddl/contrib/opensolaris/common/ctf/ctf_create.c	Tue Mar 10 21:05:17 2015	(r279863)
+++ head/cddl/contrib/opensolaris/common/ctf/ctf_create.c	Tue Mar 10 21:08:58 2015	(r279864)
@@ -584,7 +584,7 @@ ctf_discard(ctf_file_t *fp) for (dtd = ctf_list_prev(&fp->ctf_dtdefs); dtd != NULL; dtd = ntd) { ntd = ctf_list_prev(dtd); - if (dtd->dtd_type <= fp->ctf_dtoldid) + if (CTF_TYPE_TO_INDEX(dtd->dtd_type) <= fp->ctf_dtoldid) continue; /* skip types that have been committed */ ctf_dtd_delete(fp, dtd); @@ -1328,7 +1328,7 @@ ctf_add_type(ctf_file_t *dst_fp, ctf_fil */ if (dst_type == CTF_ERR && name[0] != '\0') { for (dtd = ctf_list_prev(&dst_fp->ctf_dtdefs); dtd != NULL && - dtd->dtd_type > dst_fp->ctf_dtoldid; + CTF_TYPE_TO_INDEX(dtd->dtd_type) > dst_fp->ctf_dtoldid; dtd = ctf_list_prev(dtd)) { if (CTF_INFO_KIND(dtd->dtd_data.ctt_info) == kind && dtd->dtd_name != NULL &&
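Review bot: In the ctf_discard() hunk the masked comparison `CTF_TYPE_TO_INDEX(dtd->dtd_type) <= fp->ctf_dtoldid` is only correct if ctf_dtoldid is itself stored as a bare index without the flag bit, as the log says ctf_update() does; worth confirming no other writer of ctf_dtoldid stores a flagged id, and worth extending the trailing comment `/* skip types that have been committed */` to say that dtd_type carries the flag bit and only the index is compared, since the unmasked form reads naturally and that is how the bug got in.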
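Review bot: The loop bound `CTF_TYPE_TO_INDEX(dtd->dtd_type) > dst_fp->ctf_dtoldid` in ctf_add_type() is the second site with the same unmasked comparison, so a grep for any remaining direct comparison of dtd_type against ctf_dtoldid in libctf would be worth doing before the MFC; a comment on the ctf_dtoldid field itself stating that it holds a bare index rather than a type id would help keep the pattern from recurring.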
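The masking problem the log describes, as an added example that is not part of the commit or of libctf: a small model of the ctf_discard() loop before and after the fix. The CTF_MAX_PTYPE, CTF_CHILD_FLAG and CTF_TYPE_TO_INDEX values and the dtd structure are simplified stand-ins assumed here, following the 15-bit index layout the log states; the function reports how many already-committed types the loop would free.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the CTF id layout the log describes: 16-bit id,
 * top bit flags a child container, index is the low 15 bits (max 2^15 - 1). */
#define CTF_MAX_PTYPE          0x7fff
#define CTF_CHILD_FLAG         0x8000
#define CTF_TYPE_TO_INDEX(id)  ((id) & CTF_MAX_PTYPE)

struct dtd {
	uint16_t dtd_type;   /* full id; carries CTF_CHILD_FLAG in a child */
	int      committed;  /* set by the stand-in for ctf_update() */
};

/* Build a container with 4 dynamic types, commit the first 3 (so the
 * ctf_dtoldid threshold is 3, a bare index), then run the ctf_discard()
 * loop with the pre-r279864 (masked == 0) or fixed (masked == 1) test.
 * Returns how many *committed* types would be freed: > 0 is the UAF. */
int
committed_types_freed(int child, int masked)
{
	struct dtd defs[4];
	uint16_t dtoldid = 0;
	int freed = 0;
	for (size_t i = 0; i < 4; i++) {
		uint16_t idx = (uint16_t)(i + 1);
		defs[i].dtd_type = child ? (idx | CTF_CHILD_FLAG) : idx;
		defs[i].committed = (i < 3);
		if (defs[i].committed)
			dtoldid = idx;      /* ctf_update(): last committed index */
	}
	for (size_t i = 0; i < 4; i++) {
		uint16_t cmp = masked ? CTF_TYPE_TO_INDEX(defs[i].dtd_type)
		    : defs[i].dtd_type;
		if (cmp <= dtoldid)
			continue;           /* skip types that have been committed */
		if (defs[i].committed)
			freed++;            /* freed while libdtrace may still hold it */
	}
	return freed;
}

int
main(void)
{
	printf("child, old: %d  child, fixed: %d  parent, old: %d\n",
	    committed_types_freed(1, 0), committed_types_freed(1, 1),
	    committed_types_freed(0, 0));
	return 0;
}
```

Only a child container (flag bit set) trips the old comparison, which is why the bug surfaced through libdtrace's child containers rather than in every CTF consumer.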