Bug 231510 - use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern
Version: CURRENT
Hardware: Any Any
: --- Affects Only Me
Assignee: freebsd-bugs (Nobody)
URL:
Keywords: patch
Depends on:
Blocks:
 
Reported: 2018-09-20 12:00 UTC by Young
Modified: 2018-09-24 16:59 UTC

See Also:


Description Young 2018-09-20 12:00:08 UTC
There is a use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)

313 static void
314 g_raid_tr_iodone_raid0(struct g_raid_tr_object *tr,
315     struct g_raid_subdisk *sd, struct bio *bp)
316 {
317         struct bio *pbp;
318 
319         pbp = bp->bio_parent;
320         if (pbp->bio_error == 0)
321                 pbp->bio_error = bp->bio_error;
322         g_destroy_bio(bp);
323         pbp->bio_inbed++;
324         if (pbp->bio_children == pbp->bio_inbed) {
325                 pbp->bio_completed = pbp->bio_length;
326                 g_raid_iodone(pbp, bp->bio_error);
327         }
328 }

bp is destroyed in line 322, while it is used in line 326 again.

The proposed patch should be like below.

        pbp->bio_inbed++;
        if (pbp->bio_children == pbp->bio_inbed) {
                pbp->bio_completed = pbp->bio_length;
-               g_raid_iodone(pbp, bp->bio_error);
+               g_raid_iodone(pbp, pbp->bio_error);
        }
 }
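Review bot: the one-line change removes the read of the freed bp, but it also changes which error is reported, and that deserves a sentence in the commit message. Before, g_raid_iodone() received the error of the last child to complete (read from the already-destroyed bp); with `g_raid_iodone(pbp, pbp->bio_error);` it receives the first non-zero child error, because the `if (pbp->bio_error == 0)` test earlier in the function only records the first failure. First-error-wins is the sensible semantics for a striped parent request, so the change looks right. If the last child's error were wanted instead, the alternative would be to copy bp->bio_error into a local before g_destroy_bio(bp) and pass that. Note also that the hunk as pasted has no `@@` header and omits the `g_destroy_bio(bp);` context line, so it reads as a snippet rather than a diff that patch(1) can apply.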
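The completion-accounting pattern from the report, as an added example that is not code from the report or from FreeBSD: it models a parent request with three striped children using a constructed stand-in for struct bio (only the fields the handler touches; the real layout is not assumed) and stand-in functions named destroy_bio() and raid_iodone() in place of g_destroy_bio() and g_raid_iodone(). The handler has the proposed fix applied, so the child's error is folded into the parent before the child is freed and nothing dereferences bp afterwards; the scenario shows that the parent completes only when all children are in, and that the error it reports is the first non-zero child error.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed stand-in for struct bio with only the fields that the RAID0
 * completion path in the report touches (assumption, not the real layout). */
struct bio {
	struct bio *bio_parent;
	int bio_error;
	int bio_children;
	int bio_inbed;
	long bio_length;
	long bio_completed;
	int done;        /* set by the raid_iodone stand-in */
	int done_error;  /* error value handed to it */
};

static struct bio *
bio_new(struct bio *parent, long length)
{
	struct bio *bp = calloc(1, sizeof(*bp));

	if (bp == NULL)
		abort();
	bp->bio_parent = parent;
	bp->bio_length = length;
	if (parent != NULL)
		parent->bio_children++;
	return (bp);
}

/* Stand-in for g_destroy_bio(): the child is gone after this call. */
static void
destroy_bio(struct bio *bp)
{
	free(bp);
}

/* Stand-in for g_raid_iodone(): records the completion on the parent. */
static void
raid_iodone(struct bio *pbp, int error)
{
	pbp->done = 1;
	pbp->done_error = error;
}

/* Completion handler with the proposed fix applied: the child's error is
 * folded into the parent first, and only the parent is read after the
 * child has been destroyed. */
static void
iodone_raid0_fixed(struct bio *bp)
{
	struct bio *pbp = bp->bio_parent;

	if (pbp->bio_error == 0)
		pbp->bio_error = bp->bio_error;   /* first failure wins */
	destroy_bio(bp);                          /* bp is dangling from here */
	pbp->bio_inbed++;
	if (pbp->bio_children == pbp->bio_inbed) {
		pbp->bio_completed = pbp->bio_length;
		raid_iodone(pbp, pbp->bio_error);  /* was bp->bio_error */
	}
}

/* Three children of one parent complete in order; the second fails with
 * EIO and the third with ENXIO. Returns the error handed to raid_iodone
 * (-1 if the parent never completed) and flags completion before all
 * children were in through *completed_early. */
int
run_scenario(int *completed_early)
{
	struct bio *pbp = bio_new(NULL, 3 * 4096);
	struct bio *child[3];
	int errs[3] = { 0, EIO, ENXIO };   /* constructed sample outcomes */
	int i, result;

	*completed_early = 0;
	for (i = 0; i < 3; i++)
		child[i] = bio_new(pbp, 4096);
	for (i = 0; i < 3; i++) {
		child[i]->bio_error = errs[i];
		iodone_raid0_fixed(child[i]);
		if (i < 2 && pbp->done)
			*completed_early = 1;
	}
	result = pbp->done ? pbp->done_error : -1;
	free(pbp);
	return (result);
}

int
main(void)
{
	int early;
	int err = run_scenario(&early);

	printf("reported error %d (EIO is %d), completed early: %d\n",
	    err, EIO, early);
	return ((err == EIO && !early) ? 0 : 1);
}
```

Building with `-fsanitize=address` and switching the argument of raid_iodone() back to `bp->bio_error` reproduces the report's defect as a heap-use-after-free diagnostic on the line after destroy_bio(), which is the check worth keeping in a regression build for this code path.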
Comment 1 commit-hook freebsd_committer freebsd_triage 2018-09-24 16:59:11 UTC
A commit references this bug:

Author: mav
Date: Mon Sep 24 16:58:56 UTC 2018
New revision: 338913
URL: https://svnweb.freebsd.org/changeset/base/338913

Log:
  Fix use-after-free in RAID0 error reporting of GEOM_RAID.

  PR:		231510
  Submitted by:	yangx92@hotmail.com
  Approved by:	re (gjb)
  MFC after:	1 week

Changes:
  head/sys/geom/raid/tr_raid0.c
Comment 2 Alexander Motin freebsd_committer freebsd_triage 2018-09-24 16:59:47 UTC
Committed.  Thank you for your report.