Summary: | [patch] use-after-free bug in pipe_dtor() | ||||||
---|---|---|---|---|---|---|---|
Product: | Base System | Reporter: | luke.tw | ||||
Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||
Status: | Closed FIXED | ||||||
Severity: | Affects Some People | CC: | op | ||||
Priority: | --- | ||||||
Version: | CURRENT | ||||||
Hardware: | Any | ||||||
OS: | Any | ||||||
Attachments: |
|
Hi! We (HardenedBSD) included the patch in our master tree: https://github.com/HardenedBSD/hardenedBSD/commit/18a1157f5916ba09ae4ad5796068e46078c97104 A commit references this bug: Author: kib Date: Tue Feb 3 10:29:41 UTC 2015 New revision: 278145 URL: https://svnweb.freebsd.org/changeset/base/278145 Log: Fix use after free in pipe_dtor(). PIPE_NAMED flag must be tested before pipeclose() is called, since for !PIPE_NAMED case, when peer is already closed, the pipe pair memory is freed. Submitted by: luke.tw@gmail.com PR: 197246 Tested by: pho MFC after: 3 days Changes: head/sys/kern/sys_pipe.c Committed as 278145. |
Created attachment 152442 [details] patch for pipd_dtor() There is a use-after-free bug in pipe_dtor(). This will result in kernel panic when memguard is enabled. * free pipeclose(dpipe) -> uma_zfree(pipe_zone, cpipe->pipe_pair); * use if (dpipe->pipe_state & PIPE_NAMED) { I attach a patch to fix this bug.