[Bug 231510] use-after-free vulnerability in function g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)

bugzilla-noreply at freebsd.org
Thu Sep 20 12:00:11 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=231510

            Bug ID: 231510
           Summary: use-after-free vulnerability in function
                    g_raid_tr_iodone_raid0 (sys/geom/raid/tr_raid0.c)
           Product: Base System
           Version: CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: bugs at FreeBSD.org
          Reporter: yangx92 at hotmail.com

There is a use-after-free vulnerability in function g_raid_tr_iodone_raid0
(sys/geom/raid/tr_raid0.c)

313 static void
314 g_raid_tr_iodone_raid0(struct g_raid_tr_object *tr,
315     struct g_raid_subdisk *sd,struct bio *bp)
316 {
317         struct bio *pbp;
318 
319         pbp = bp->bio_parent;
320         if (pbp->bio_error == 0)
321                 pbp->bio_error = bp->bio_error;
322         g_destroy_bio(bp);
323         pbp->bio_inbed++;
324         if (pbp->bio_children == pbp->bio_inbed) {
325                 pbp->bio_completed = pbp->bio_length;
326                 g_raid_iodone(pbp, bp->bio_error);
327         }
328 }

bp is destroyed in line 322, while it is used again in line 326.

The proposed patch should be like below.

        pbp->bio_inbed++;
        if (pbp->bio_children == pbp->bio_inbed) {
                pbp->bio_completed = pbp->bio_length;
-               g_raid_iodone(pbp, bp->bio_error);
+               g_raid_iodone(pbp, pbp->bio_error);
        }
 }
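Review bot: The `-`/`+` change is the right fix: after `g_destroy_bio(bp)` at line 322 the only valid source for the completion status is the parent, and `pbp->bio_error` already holds the first non-zero child error recorded at lines 320-321, so the parent is completed with the aggregate rather than with whichever child happened to finish last (which the original line 326 would have reported even if `bp` were still valid). Two things before this can land: the snippet has no file header or `@@` hunk header, so it cannot be applied with patch(1) against sys/geom/raid/tr_raid0.c, and the other `g_raid_tr_iodone_*` paths under sys/geom/raid/ are worth a quick look for the same destroy-then-read ordering.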
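As an added example (not FreeBSD code and not the reporter's patch), the following userland model replays the completion path with the proposed fix applied. `struct bio` here is a stand-in carrying only the fields the report's function touches, and `g_destroy_bio()`/`g_raid_iodone()` are replaced by `free()` and a recorder, all assumptions for the sake of running offline. It demonstrates the second consequence of reading `pbp->bio_error` instead of the freed `bp->bio_error`: a parent request whose first stripe failed is completed with that error even when the last child to finish succeeded.

```c
/*
 * Added example, not FreeBSD code: a userland model of the GEOM RAID0
 * completion path from the bug report, with the proposed fix applied.
 * Field names mirror the report (bio_parent, bio_error, bio_inbed,
 * bio_children), but this struct is a simplified stand-in, not the
 * kernel's struct bio.
 */
#include <stdlib.h>
#include <errno.h>

struct bio {
    struct bio *bio_parent;
    int         bio_error;     /* first non-zero error seen among children */
    int         bio_children;  /* number of child bios issued */
    int         bio_inbed;     /* number of child bios completed so far */
    long        bio_length;
    long        bio_completed;
};

/* Records what the stand-in g_raid_iodone() was handed. */
struct iodone_record {
    int calls;
    int error;
};

static struct iodone_record last;

/* Stand-in for g_raid_iodone(): remember the parent's completion error. */
static void model_iodone(struct bio *pbp, int error)
{
    (void)pbp;
    last.calls++;
    last.error = error;
}

/* Stand-in for g_destroy_bio(): after this call bp must not be touched. */
static void model_destroy_bio(struct bio *bp)
{
    free(bp);
}

/*
 * The report's function with the proposed fix: every read of bp happens
 * before model_destroy_bio(bp), and the completion status comes from the
 * parent's accumulated bio_error, not from the freed child.
 */
static void iodone_raid0_fixed(struct bio *bp)
{
    struct bio *pbp = bp->bio_parent;

    if (pbp->bio_error == 0)
        pbp->bio_error = bp->bio_error;
    model_destroy_bio(bp);
    pbp->bio_inbed++;
    if (pbp->bio_children == pbp->bio_inbed) {
        pbp->bio_completed = pbp->bio_length;
        model_iodone(pbp, pbp->bio_error);
    }
}

/*
 * Drive one parent request split across n children, where child i
 * completes with errors[i] (constructed input, not a captured trace).
 * Returns the error the parent was completed with, or -1 if the parent
 * was not completed exactly once.
 */
int run_parent(const int *errors, int n)
{
    struct bio parent = { .bio_children = n, .bio_length = 4096L * n };
    int i;

    last.calls = 0;
    last.error = -1;
    for (i = 0; i < n; i++) {
        struct bio *child = calloc(1, sizeof(*child));
        if (child == NULL)
            return -1;
        child->bio_parent = &parent;
        child->bio_error = errors[i];
        child->bio_length = 4096;
        iodone_raid0_fixed(child);   /* child is freed inside */
    }
    return last.calls == 1 ? last.error : -1;
}

int main(void)
{
    int all_ok[3] = { 0, 0, 0 };
    int first_fails[3] = { EIO, 0, 0 };

    /* Parent completes with 0 when all stripes succeed, EIO when the
     * first stripe failed even though the last child finished cleanly. */
    return (run_parent(all_ok, 3) == 0 &&
            run_parent(first_fails, 3) == EIO) ? 0 : 1;
}
```

With the report's original line 326 (setting the freed memory aside), the `first_fails` case would have handed the parent the last child's error, 0, and reported a failed stripe as success; the fixed ordering reports EIO.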
