| Summary: | VOP_REMOVE call is invoked with invalid cn_nameptr | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Base System | Reporter: | root | ||||||
| Component: | kern | Assignee: | freebsd-bugs (Nobody) <bugs> | ||||||
| Status: | New --- | ||||||||
| Severity: | Affects Only Me | Keywords: | patch | ||||||
| Priority: | --- | ||||||||
| Version: | 10.3-RELEASE | ||||||||
| Hardware: | Any | ||||||||
| OS: | Any | ||||||||
| Attachments: |
|
||||||||
Created attachment 178441 [details]
patch
It seems kern_rmdirat has the same problem. Updated attached patch.
|
Created attachment 178439 [details] patch In kern_unlinkat, VOP_REMOVE is invoked with invalid cn_nameptr, which was freed by iname. Since the memory region at cn_nameptr is already freed while VOP_REMOVE, uma_zalloc with namei_zone may return a block overwrapping cn_nameptr. Adding SAVENAME flag to NDINIT_ATRIGHTS(iname call) solves this problem.