Bug 197246 - [patch] use-after-free bug in pipe_dtor()
Summary: [patch] use-after-free bug in pipe_dtor()
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
Importance: --- Affects Some People
Assignee: freebsd-bugs (Nobody)
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2015-02-01 17:23 UTC by luke.tw
Modified: 2015-03-10 01:58 UTC
CC: 1 user

See Also:


Attachments
patch for pipe_dtor() (573 bytes, patch)
2015-02-01 17:23 UTC, luke.tw

Description luke.tw 2015-02-01 17:23:08 UTC
Created attachment 152442
patch for pipe_dtor()

There is a use-after-free bug in pipe_dtor(). This will result in a kernel panic when memguard is enabled.

* free
  pipeclose(dpipe)
  -> uma_zfree(pipe_zone, cpipe->pipe_pair);

* use
  if (dpipe->pipe_state & PIPE_NAMED) {


I attach a patch to fix this bug.
Comment 1 Oliver Pinter freebsd_committer 2015-02-01 21:10:28 UTC
Hi!

We (HardenedBSD) included the patch in our master tree: https://github.com/HardenedBSD/hardenedBSD/commit/18a1157f5916ba09ae4ad5796068e46078c97104
Comment 2 commit-hook freebsd_committer 2015-02-03 10:30:24 UTC
A commit references this bug:

Author: kib
Date: Tue Feb  3 10:29:41 UTC 2015
New revision: 278145
URL: https://svnweb.freebsd.org/changeset/base/278145

Log:
  Fix use after free in pipe_dtor().  PIPE_NAMED flag must be tested
  before pipeclose() is called, since for !PIPE_NAMED case, when peer is
  already closed, the pipe pair memory is freed.

  Submitted by:	luke.tw@gmail.com
  PR:	197246
  Tested by:	pho
  MFC after:	3 days

Changes:
  head/sys/kern/sys_pipe.c
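As an added illustration (neither the reporter's patch nor FreeBSD's sys_pipe.c), the following C model reproduces the ordering problem described in the report and in the r278145 log: one pipe pair shared by both ends, a pipeclose() that returns the pair to the zone once both ends of an anonymous pipe are finalized, a destructor that reads PIPE_NAMED after that free, and the corrected destructor that samples the flag before closing. The struct layout, the PIPE_* values, the quarantining allocator and the freed-pair check are simplifications assumed for the model; they stand in for UMA and MemGuard and are not the kernel's own code.

```c
/*
 * Model of the pipe_dtor()/pipeclose() ordering bug from PR 197246.
 * Added example code, not FreeBSD's sys_pipe.c: the names mirror the
 * kernel, but structures, allocator and the MemGuard-like check are
 * assumptions made for this model.
 */
#include <stdbool.h>
#include <stdlib.h>

#define PIPE_NAMED      0x1000  /* fifo: both ends are torn down together */
#define PIPE_ACTIVE     1       /* pipe_present: end is open */
#define PIPE_FINALIZED  2       /* pipe_present: end is fully closed */

struct pipe {
	int pipe_state;
	int pipe_present;
	struct pipe *pipe_peer;
	struct pipepair *pipe_pair;
};

/* Both ends live inside the pair, so freeing the pair frees dpipe too. */
struct pipepair {
	struct pipe pp_rpipe;
	struct pipe pp_wpipe;
	bool pp_freed;          /* stands in for MemGuard's unmapped page */
};

static int uaf_detected;    /* reads that hit a freed pair */

static struct pipepair *
pipepair_alloc(int state)
{
	struct pipepair *pp = calloc(1, sizeof(*pp));

	if (pp == NULL)
		abort();
	pp->pp_rpipe.pipe_peer = &pp->pp_wpipe;
	pp->pp_wpipe.pipe_peer = &pp->pp_rpipe;
	pp->pp_rpipe.pipe_pair = pp->pp_wpipe.pipe_pair = pp;
	pp->pp_rpipe.pipe_present = pp->pp_wpipe.pipe_present = PIPE_ACTIVE;
	pp->pp_rpipe.pipe_state = pp->pp_wpipe.pipe_state = state;
	return (pp);
}

/* uma_zfree() stand-in: quarantine rather than release, so a later
 * access is detected deterministically instead of being undefined. */
static void
pipepair_free(struct pipepair *pp)
{
	pp->pp_freed = true;
}

/* Every pipe_state read goes through this guard (the "memguard" role). */
static int
pipe_state_read(struct pipe *cpipe)
{
	if (cpipe->pipe_pair->pp_freed)
		uaf_detected++;
	return (cpipe->pipe_state);
}

/* pipeclose() model: finalize this end; when the peer of an anonymous
 * pipe is already finalized, the pair memory goes back to the zone. */
static void
pipeclose(struct pipe *cpipe)
{
	struct pipe *ppipe = cpipe->pipe_peer;

	cpipe->pipe_present = PIPE_FINALIZED;
	if (ppipe->pipe_present == PIPE_FINALIZED &&
	    (cpipe->pipe_state & PIPE_NAMED) == 0)
		pipepair_free(cpipe->pipe_pair);
}

/* Pre-r278145 ordering: the flag is read after pipeclose() may have
 * freed the pair that dpipe is embedded in. */
static void
pipe_dtor_buggy(struct pipe *dpipe)
{
	pipeclose(dpipe);
	if (pipe_state_read(dpipe) & PIPE_NAMED)   /* use after free */
		pipeclose(dpipe->pipe_peer);
}

/* r278145 ordering: sample PIPE_NAMED while dpipe is still valid. */
static void
pipe_dtor_fixed(struct pipe *dpipe)
{
	struct pipe *peer;

	peer = (pipe_state_read(dpipe) & PIPE_NAMED) != 0 ?
	    dpipe->pipe_peer : NULL;
	pipeclose(dpipe);
	if (peer != NULL)
		pipeclose(peer);
}

/* Trigger from the PR: peer end closes first, then the destructor runs
 * on the remaining end.  Returns how many reads touched freed memory. */
static int
run_scenario(void (*dtor)(struct pipe *), int state)
{
	struct pipepair *pp = pipepair_alloc(state);
	int before = uaf_detected;
	int hits;

	pipeclose(&pp->pp_wpipe);
	dtor(&pp->pp_rpipe);
	hits = uaf_detected - before;
	free(pp);
	return (hits);
}

int
main(void)
{
	return (run_scenario(pipe_dtor_buggy, 0) == 1 &&
	    run_scenario(pipe_dtor_fixed, 0) == 0) ? 0 : 1;
}
```

The anonymous-pipe case is the one that matters: with PIPE_NAMED clear, the second close frees the pair, so any field read through dpipe afterwards is a read of freed memory. A fifo (PIPE_NAMED set) never frees the pair in pipeclose() here, which is why the original ordering only failed for !PIPE_NAMED with the peer already gone.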
Comment 3 Mark Linimon freebsd_committer freebsd_triage 2015-03-10 01:58:37 UTC
Committed as 278145.