There is a use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c):

313 static void
314 g_raid_tr_iodone_raid0(struct g_raid_tr_object *tr,
315     struct g_raid_subdisk *sd, struct bio *bp)
316 {
317         struct bio *pbp;
318 
319         pbp = bp->bio_parent;
320         if (pbp->bio_error == 0)
321                 pbp->bio_error = bp->bio_error;
322         g_destroy_bio(bp);
323         pbp->bio_inbed++;
324         if (pbp->bio_children == pbp->bio_inbed) {
325                 pbp->bio_completed = pbp->bio_length;
326                 g_raid_iodone(pbp, bp->bio_error);
327         }
328 }

bp is destroyed at line 322, but it is used again at line 326. The proposed patch should be like below.

         pbp->bio_inbed++;
         if (pbp->bio_children == pbp->bio_inbed) {
                 pbp->bio_completed = pbp->bio_length;
-                g_raid_iodone(pbp, bp->bio_error);
+                g_raid_iodone(pbp, pbp->bio_error);
         }
 }
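Review bot: the `+` line's switch to `pbp->bio_error` is the right fix, since `g_destroy_bio(bp)` at line 322 frees `bp` before the read at line 326, but it also changes what gets reported: the original passed the last-completing child's error, whereas `pbp->bio_error` (set at lines 320-321 only while still zero) holds the first error seen across all children. Reporting the first error is the more useful value, so this is an improvement rather than a regression, but it deserves a sentence in the commit log. Note also that the hunk as posted has no `@@` header, so it has to be applied by hand rather than with patch(1).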
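An added userland model of the completion path above, written for this report and not taken from FreeBSD: the struct is a constructed subset of struct bio, model_iodone() stands in for g_raid_iodone(), and child_done_fixed() shows the corrected ordering, where the child's error is folded into the parent before the child is freed and the final report reads pbp->bio_error, so the parent ends up reporting the first error seen across its children.

```c
#include <stdlib.h>

/* Constructed subset of struct bio: the fields the completion path touches,
 * plus two bookkeeping fields to observe what "iodone" was told. */
struct bio {
    struct bio *bio_parent;
    int bio_error, bio_children, bio_inbed;
    long bio_length, bio_completed;
    int done_error, done_calls;   /* constructed: what/how often iodone was told */
};

/* Stand-in for g_raid_iodone(): just records the reported error. */
static void model_iodone(struct bio *pbp, int error)
{
    pbp->done_error = error;
    pbp->done_calls++;
}

/* Child completion with the fix applied: the child's error is folded into the
 * parent first, the child is freed, and nothing reads bp afterwards. */
static void child_done_fixed(struct bio *bp)
{
    struct bio *pbp = bp->bio_parent;
    if (pbp->bio_error == 0)            /* parent keeps the first error seen */
        pbp->bio_error = bp->bio_error;
    free(bp);                           /* bp is dead from here on */
    pbp->bio_inbed++;
    if (pbp->bio_children == pbp->bio_inbed) {
        pbp->bio_completed = pbp->bio_length;
        model_iodone(pbp, pbp->bio_error);  /* read from pbp, never bp */
    }
}

/* Complete n children of one parent in order with the given errors; returns the
 * error the parent reported and, via calls_out, how many times it completed. */
int run_parent(const int *child_errors, int n, int *calls_out)
{
    struct bio parent = { .bio_children = n, .bio_length = 4096 };
    for (int i = 0; i < n; i++) {
        struct bio *bp = calloc(1, sizeof *bp);
        if (bp == NULL)
            abort();
        bp->bio_parent = &parent;
        bp->bio_error = child_errors[i];
        child_done_fixed(bp);
    }
    if (calls_out != NULL)
        *calls_out = parent.done_calls;
    return parent.done_error;
}
```

With child errors {0, 5, 0} the parent reports 5, which the original code (reading the last child's bp->bio_error after the free) would not have produced even if the read had happened to return stale memory intact.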
A commit references this bug:

Author: mav
Date: Mon Sep 24 16:58:56 UTC 2018
New revision: 338913
URL: https://svnweb.freebsd.org/changeset/base/338913

Log:
  Fix use-after-free in RAID0 error reporting of GEOM_RAID.

  PR:           231510
  Submitted by: yangx92@hotmail.com
  Approved by:  re (gjb)
  MFC after:    1 week

Changes:
  head/sys/geom/raid/tr_raid0.c
Committed. Thank you for your report.