Bug 215705 - VOP_REMOVE call is invoked with invalid cn_nameptr
Summary: VOP_REMOVE call is invoked with invalid cn_nameptr
Status: New
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: 10.3-RELEASE
Hardware: Any Any
Importance: --- Affects Only Me
Assignee: FreeBSD bugs mailing list
Keywords: patch
Reported: 2017-01-02 00:43 UTC by root
Modified: 2017-01-04 20:19 UTC

Attachments
patch (830 bytes, application/x-download)
2017-01-02 00:43 UTC, root
patch (1.31 KB, patch)
2017-01-02 04:00 UTC, root

Description root 2017-01-02 00:43:46 UTC
Created attachment 178439
patch

In kern_unlinkat, VOP_REMOVE is invoked with an invalid cn_nameptr, which was freed by namei.
Since the memory region at cn_nameptr is already freed during VOP_REMOVE, uma_zalloc with namei_zone may return a block overlapping cn_nameptr.

Adding the SAVENAME flag to NDINIT_ATRIGHTS (namei call) solves this problem.
Comment 1 root 2017-01-02 04:00:50 UTC
Created attachment 178441
patch

It seems kern_rmdirat has the same problem. Updated attached patch.
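
A user-space C model of the buffer lifetime problem described in this report, added here as an illustration; it is not the attached patch and not FreeBSD source. `model_lookup`, `zone_alloc`, `M_SAVENAME` and the other names are hypothetical stand-ins for namei, the namei_zone allocator and the SAVENAME flag.

```c
#include <stdio.h>
#include <string.h>
/* User-space model only; every name here is hypothetical, not FreeBSD source. */
#define M_SAVENAME 0x1          /* stands in for SAVENAME */
#define M_HASBUF   0x2          /* caller still owns the path buffer */
#define NSLOT 2
#define PATHLEN 64

/* Tiny zone that hands back the first free slot, standing in for namei_zone. */
static char slot[NSLOT][PATHLEN];
static int in_use[NSLOT];
static char *zone_alloc(void) {
    for (int i = 0; i < NSLOT; i++)
        if (!in_use[i]) { in_use[i] = 1; return slot[i]; }
    return NULL;
}
static void zone_free(char *p) {
    for (int i = 0; i < NSLOT; i++)
        if (p == slot[i]) in_use[i] = 0;
}

struct model_cn { int flags; char *pnbuf; char *nameptr; };
/* Copy the path, point nameptr at the last component, and release the
 * buffer on return unless the caller asked to keep it. */
static int model_lookup(struct model_cn *cn, const char *path, int flags) {
    if (strlen(path) >= PATHLEN || (cn->pnbuf = zone_alloc()) == NULL)
        return -1;
    strcpy(cn->pnbuf, path);
    char *s = strrchr(cn->pnbuf, '/');
    cn->nameptr = s ? s + 1 : cn->pnbuf;
    cn->flags = flags | ((flags & M_SAVENAME) ? M_HASBUF : 0);
    if (!(cn->flags & M_HASBUF)) zone_free(cn->pnbuf);  /* nameptr is now stale */
    return 0;
}

/* Returns 1 if the name the remove step would see is still "victim" after
 * another lookup has run, 0 if the slot was reused, -1 on setup failure. */
static int name_survives(int flags) {
    struct model_cn a, b;
    memset(in_use, 0, sizeof in_use);
    if (model_lookup(&a, "/tmp/victim", flags) != 0) return -1;
    if (model_lookup(&b, "/etc/otherfile", 0) != 0) return -1;
    int ok = strcmp(a.nameptr, "victim") == 0;  /* static storage: read is defined */
    if (a.flags & M_HASBUF) zone_free(a.pnbuf); /* caller's own cleanup */
    return ok;
}

int main(void) {
    printf("no flag: %d, flag set: %d\n", name_survives(0), name_survives(M_SAVENAME));
    return 0;
}
```

In the model the stale pointer reads another lookup's path component once the slot is reused; keeping the buffer until the caller is done removes the overlap.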