[prev in list] [next in list] [prev in thread] [next in thread] 

List:       hurd-bug
Subject:    Re: [PATCH 1/1] procfs: Fix use-after-free
From:       Samuel Thibault <samuel.thibault () gnu ! org>
Date:       2021-05-24 15:55:48
Message-ID: 20210524155548.tjyzy2ruwafz53pu () begin
[Download RAW message or body]

Applied, thanks!

Sergey Bugaev, le lun. 24 mai 2021 18:43:40 +0300, a ecrit:
> Fix several issues with reference counting in
> rootdir_make_translated_node ():
> 
> * Grab an additional reference while still holding the lock.
> 
> * Give the node an additional reference for being pointed to
> by the ops.
> 
> * Reference the existing node if we find it on the second try,
> not only if we find it on the first try.
> 
> * Dereference, not just clean, the created node if it turns out
> to be unneeded.
> 
> Fixes a crash with the following backtrace:
> 
> #2  0x010855c8 in __assert_fail_backtrace (
> assertion=0x1051148 "! (r.hard == 1 && r.weak == 0) || !\"refcount detected \
> use-after-free!\"", file=0x1050cec "../../libshouldbeinlibc/refcount.h", line=170, \
> function=0x1051220 <__PRETTY_FUNCTION__.3> "refcounts_ref") at \
> ../../libshouldbeinlibc/assert-backtrace.c:64 #3  0x01050358 in refcounts_ref \
> (result=0x0, ref=0x15009a0) at ../../libshouldbeinlibc/refcount.h:170 #4  \
> netfs_nref (np=0x15008f0) at ../../libnetfs/nref.c:26 #5  0x0804c9f4 in \
> rootdir_make_translated_node (dir_hook=0x10001990, entry_hook=0x8055180 \
> <__compound_literal.8>) at ../../procfs/rootdir.c:674
> #6  0x0804ace3 in procfs_dir_lookup (hook=0x10001c10, name=0x2857efc "mounts", \
> np=0x2855d68) at ../../procfs/procfs_dir.c:88 #7  0x0804a410 in procfs_lookup \
> (np=0x10001c40, name=0x2857efc "mounts", npp=0x2855d68) at \
> ../../procfs/procfs.c:185 #8  0x0804cae5 in dircat_lookup (hook=0x10001d50, \
> name=0x2857efc "mounts", np=0x2855d68) at ../../procfs/dircat.c:76 #9  0x0804a410 \
> in procfs_lookup (np=0x10001d80, name=0x2857efc "mounts", npp=0x2855d68) at \
> ../../procfs/procfs.c:185 #10 0x0804a96f in netfs_attempt_lookup (user=0x1401c60, \
> dir=0x10001d80, name=0x2857efc "mounts", np=0x2855d68) at ../../procfs/netfs.c:212
> #11 0x0103fd5b in netfs_S_dir_lookup (dircred=<optimized out>, filename=<optimized \
> out>, flags=<optimized out>, mode=<optimized out>, do_retry=<optimized out>, \
> retry_name=<optimized out>, retry_port=<optimized out>, retry_port_type=<optimized \
>                 out>) at ../../libnetfs/dir-lookup.c:175
> ---
> procfs/rootdir.c | 10 +++++-----
> 1 file changed, 5 insertions(+), 5 deletions(-)
> 
> diff --git a/procfs/rootdir.c b/procfs/rootdir.c
> index 9f860a91..0e7c05c0 100644
> --- a/procfs/rootdir.c
> +++ b/procfs/rootdir.c
> @@ -667,13 +667,12 @@ rootdir_make_translated_node (void *dir_hook, const void \
> *entry_hook) 
> pthread_spin_lock (&rootdir_translated_node_lock);
> np = *ops->npp;
> +  if (np != NULL)
> +    netfs_nref (np);
> pthread_spin_unlock (&rootdir_translated_node_lock);
> 
> if (np != NULL)
> -    {
> -      netfs_nref (np);
> -      return np;
> -    }
> +    return np;
> 
> np = procfs_make_node (entry_hook, (void *) entry_hook);
> if (np == NULL)
> @@ -686,11 +685,12 @@ rootdir_make_translated_node (void *dir_hook, const void \
> *entry_hook) prev = *ops->npp;
> if (*ops->npp == NULL)
> *ops->npp = np;
> +  netfs_nref (*ops->npp);
> pthread_spin_unlock (&rootdir_translated_node_lock);
> 
> if (prev != NULL)
> {
> -      procfs_cleanup (np);
> +      netfs_nrele (np);
> np = prev;
> }
> 
> -- 
> 2.31.1
> 
> 

-- 
Samuel
<D> I hated the Mighty Mouse in the Apple Store every time I played with it. I hated \
the Mighty Mouse at work whenever I set up a Mac for somebody. <D> I decided to give \
it one last chance when I set up my new Mac <D> And golly, I like it at home.
<D> Maybe mine is defective in a way that makes it good.


[prev in list] [next in list] [prev in thread] [next in thread]