Bug 215705

Summary:

VOP_REMOVE call is invoked with invalid cn_nameptr

Product:

Base System

Reporter:

root

Component:

kern

Assignee:

freebsd-bugs (Nobody) <bugs>

Status:

Closed Unable to Reproduce

Severity:

Affects Only Me

Priority:

---

Version:

10.3-RELEASE

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
patch	none
patch	none

Description root 2017-01-02 00:43:46 UTC

Created attachment 178439 [details]
patch

In kern_unlinkat, VOP_REMOVE is invoked with invalid cn_nameptr, which was freed by iname.
Since the memory region at cn_nameptr is already freed while VOP_REMOVE, uma_zalloc with namei_zone may return a block overwrapping cn_nameptr.

Adding SAVENAME flag to NDINIT_ATRIGHTS(iname call) solves this problem.

Comment 1 root 2017-01-02 04:00:50 UTC

Created attachment 178441 [details]
patch

It seems kern_rmdirat has the same problem. Updated attached patch.

Comment 2 Mark Linimon freebsd_committer

2024-09-28 00:13:19 UTC

^Triage: clear the now obsolete 'patch' keyword.

To submitter: is this aging PR still relevant?

Comment 3 root 2024-09-28 13:11:47 UTC

Thanks.
Since I don't have reproducing environment now, closing as "Unable to Reproduce".