author | Niels de Vos <ndevos@redhat.com> | 2015-11-19 16:20:40 +0100 |
---|---|---|
committer | Raghavendra Bhat <raghavendra@redhat.com> | 2015-11-24 22:38:47 -0800 |
commit | 5d264dbcb7cd08337105417014dccc8fda6f169a (patch) | |
tree | 2878b9cc56861f6fc253a6e7e64c58161883da54 | |
parent | 73527a122ceb50c47812f4d3f50faf0172697d6f (diff) |
protocol/client: prevent use-after-free of frame->root  (v3.6.7)
A regression failure generated a coredump on the glusterfs-client side:
(gdb) f 0
#0 0x00007fba6cd76432 in client_submit_request (this=0x7fba68006fc0,
req=0x7fba6579aa70, frame=0x7fba5c0058cc,
prog=0x7fba6cfb53c0 <clnt3_3_fop_prog>, procnum=41,
cbkfn=0x7fba6cd9206d <client3_3_release_cbk>,
iobref=0x0, rsphdr=0x0, rsphdr_count=0,
rsp_payload=0x0, rsp_payload_count=0, rsp_iobref=0x0,
xdrproc=0x7fba79801075 <xdr_gfs3_release_req>) at
/home/jenkins/root/workspace/rackspace-regression-2GB-triggered/xlators/protocol/client/src/client.c:324
324 frame->root->ngrps = ngroups;
(gdb) l
319 gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
320 }
321
322 if (!conf->send_gids) {
323 /* restore previous values */
324 frame->root->ngrps = ngroups;
325 if (ngroups <= SMALL_GROUP_COUNT)
326 frame->root->groups_small[0] = gid;
327 }
328
(gdb) p *frame->root
Cannot access memory at address 0x64185df000000000
After looking at this in more detail, the flow is like this:
client_submit_request()
|
'- rpc_clnt_submit() // on line 314
|
'- cbkfn() // = client3_3_release_cbk
|
:- STACK_DESTROY (frame->root);
.----'
.----'
|
:- frame->root->ngrps = ngroups; // on line 324
'
So, there is a use-after-free, and it is not needed to restore the
previous groups in frame->root.
Cherry picked from commit dc3aa7524e4974f9d02465e2e5dd6ed9b6d319e1:
> Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2
> BUG: 1281285 (was incorrect in original patch)
> Signed-off-by: Niels de Vos <ndevos@redhat.com>
> Reviewed-on: http://review.gluster.org/12575
> Reviewed-by: Dan Lambright <dlambrig@redhat.com>
> Tested-by: NetBSD Build System <jenkins@build.gluster.org>
> Reviewed-by: Jeff Darcy <jdarcy@redhat.com>
Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2
BUG: 1283690
Signed-off-by: Niels de Vos <ndevos@redhat.com>
Reviewed-on: http://review.gluster.org/12665
Tested-by: Gluster Build System <jenkins@build.gluster.com>
Reviewed-by: Dan Lambright <dlambrig@redhat.com>
Reviewed-by: Raghavendra Bhat <raghavendra@redhat.com>
-rw-r--r-- | xlators/protocol/client/src/client.c | 16 |
1 files changed, 2 insertions, 14 deletions
diff --git a/xlators/protocol/client/src/client.c b/xlators/protocol/client/src/client.c
index 25565925a5d..ac0e65fedc6 100644
--- a/xlators/protocol/client/src/client.c
+++ b/xlators/protocol/client/src/client.c
@@ -158,8 +158,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 struct iobref *new_iobref = NULL;
 ssize_t xdr_size = 0;
 struct rpc_req rpcreq = {0, };
- uint64_t ngroups = 0;
- uint64_t gid = 0;
 
 GF_VALIDATE_OR_GOTO ("client", this, out);
 GF_VALIDATE_OR_GOTO (this->name, prog, out);
@@ -228,14 +226,11 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 
 /* do not send all groups if they are resolved server-side */
 if (!conf->send_gids) {
- /* copy some values for restoring later */
- ngroups = frame->root->ngrps;
- frame->root->ngrps = 1;
- if (ngroups <= SMALL_GROUP_COUNT) {
- gid = frame->root->groups_small[0];
+ if (frame->root->ngrps <= SMALL_GROUP_COUNT) {
 frame->root->groups_small[0] = frame->root->gid;
 frame->root->groups = frame->root->groups_small;
 }
+ frame->root->ngrps = 1;
 }
 
 /* Send the msg */
@@ -247,13 +242,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 gf_log (this->name, GF_LOG_DEBUG, "rpc_clnt_submit failed");
 }
 
- if (!conf->send_gids) {
- /* restore previous values */
- frame->root->ngrps = ngroups;
- if (ngroups <= SMALL_GROUP_COUNT)
- frame->root->groups_small[0] = gid;
- }
-
 ret = 0;
 
 if (new_iobref) |
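Review bot: The reason frame->root is now mutated permanently in the `if (!conf->send_gids)` block of the second hunk is not recorded in the code, so the lifetime constraint that caused this coredump is only visible in the commit message; a later change could reintroduce the restore that the third hunk removes. I would add a comment above the block such as `/* Not restored after rpc_clnt_submit(): the callback may STACK_DESTROY the frame, so frame->root must not be touched once the request is submitted. */` and a matching one-liner at the removed restore site in the third hunk, where `ret = 0;` now follows the failure branch directly. The new code keeps the pre-existing split between the small and large group arrays: when `ngrps > SMALL_GROUP_COUNT` only `ngrps` is set to 1 while `groups` still points at the large array, so what is sent as the single group appears to be `groups[0]` rather than `gid` - worth confirming that the large-array layout guarantees those are the same, since the diff does not show it. Because the frame is also not restored on the `rpc_clnt_submit failed` path, any caller that inspects `frame->root->ngrps` or `groups_small[0]` after a failed submit would now see the collapsed values; that path starts outside the hunk, so I can only flag it. client_submit_request begins before the first hunk and continues after the last.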