215705 – VOP_REMOVE call is invoked with invalid cn_nameptr

Bug 215705 - VOP_REMOVE call is invoked with invalid cn_nameptr

Summary: VOP_REMOVE call is invoked with invalid cn_nameptr

Status:	New

Alias:	None

Product:	Base System
Classification:	Unclassified
Component:	kern (show other bugs)
Version:	10.3-RELEASE
Hardware:	Any Any

Importance:	--- Affects Only Me
Assignee:	freebsd-bugs (Nobody)

URL:
Keywords:	patch

Depends on:
Blocks:

Reported:	2017-01-02 00:43 UTC by root
Modified:	2017-01-04 20:19 UTC (History)
CC List:	0 users

See Also:

Attachments
patch (830 bytes, application/x-download) 2017-01-02 00:43 UTC, root	no flags	Details
patch (1.31 KB, patch) 2017-01-02 04:00 UTC, root	no flags	Details \| Diff
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description root 2017-01-02 00:43:46 UTC

Created attachment 178439 [details]
patch

In kern_unlinkat, VOP_REMOVE is invoked with invalid cn_nameptr, which was freed by iname.
Since the memory region at cn_nameptr is already freed while VOP_REMOVE, uma_zalloc with namei_zone may return a block overwrapping cn_nameptr.

Adding SAVENAME flag to NDINIT_ATRIGHTS(iname call) solves this problem.

Comment 1 root 2017-01-02 04:00:50 UTC

Created attachment 178441 [details]
patch

It seems kern_rmdirat has the same problem. Updated attached patch.