From 71953970a23150594d2a7b1f91b783fa41867fd6 Mon Sep 17 00:00:00 2001 From: Niels de Vos Date: Wed, 18 Nov 2015 12:16:59 +0100 Subject: protocol/client: prevent use-after-free of frame->root A regression failure generated a coredump on the glusterfs-client side: (gdb) f 0 #0 0x00007fba6cd76432 in client_submit_request (this=0x7fba68006fc0, req=0x7fba6579aa70, frame=0x7fba5c0058cc, prog=0x7fba6cfb53c0 , procnum=41, cbkfn=0x7fba6cd9206d , iobref=0x0, rsphdr=0x0, rsphdr_count=0, rsp_payload=0x0, rsp_payload_count=0, rsp_iobref=0x0, xdrproc=0x7fba79801075 ) at /home/jenkins/root/workspace/rackspace-regression-2GB-triggered/xlators/protocol/client/src/client.c:324 324 frame->root->ngrps = ngroups; (gdb) l 319 gf_msg_debug (this->name, 0, "rpc_clnt_submit failed"); 320 } 321 322 if (!conf->send_gids) { 323 /* restore previous values */ 324 frame->root->ngrps = ngroups; 325 if (ngroups <= SMALL_GROUP_COUNT) 326 frame->root->groups_small[0] = gid; 327 } 328 (gdb) p *frame->root Cannot access memory at address 0x64185df000000000 After looking at this in more detail, the flow is like this: client_submit_request() | '- rpc_clnt_submit() // on line 314 | '- cbkfn() // = client3_3_release_cbk | :- STACK_DESTROY (frame->root); .----' .----' | :- frame->root->ngrps = ngroups; // on line 324 ' So, there is a use-after-free, and it is not needed to restore the previous groups in frame->root. Cherry picked from commit dc3aa7524e4974f9d02465e2e5dd6ed9b6d319e1: > Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2 > BUG: 1281285 (was incorrect in original patch) > Signed-off-by: Niels de Vos > Reviewed-on: http://review.gluster.org/12575 > Reviewed-by: Dan Lambright > Tested-by: NetBSD Build System > Reviewed-by: Jeff Darcy Change-Id: I9e7d712183692ed92cfc2f75cd3c2781a9db20e2 BUG: 1283138 
Signed-off-by: Niels de Vos Reviewed-on: http://review.gluster.org/12639 Tested-by: Gluster Build System Tested-by: NetBSD Build System Reviewed-by: Dan Lambright Reviewed-by: Vijay Bellur
---
 xlators/protocol/client/src/client.c | 16 ++--------------
 1 file changed, 2 insertions(+), 14 deletions(-)
(limited to 'xlators/protocol/client/src')
diff --git a/xlators/protocol/client/src/client.c b/xlators/protocol/client/src/client.c
index ccb26dd76aa..2e9fb4cb8a7 100644
--- a/xlators/protocol/client/src/client.c
+++ b/xlators/protocol/client/src/client.c
@@ -229,8 +229,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 struct iobref *new_iobref = NULL;
 ssize_t xdr_size = 0;
 struct rpc_req rpcreq = {0, };
- uint64_t ngroups = 0;
- uint64_t gid = 0;
 GF_VALIDATE_OR_GOTO ("client", this, out);
 GF_VALIDATE_OR_GOTO (this->name, prog, out);
@@ -301,14 +299,11 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 /* do not send all groups if they are resolved server-side */
 if (!conf->send_gids) {
- /* copy some values for restoring later */
- ngroups = frame->root->ngrps;
- frame->root->ngrps = 1;
- if (ngroups <= SMALL_GROUP_COUNT) {
- gid = frame->root->groups_small[0];
+ if (frame->root->ngrps <= SMALL_GROUP_COUNT) {
 frame->root->groups_small[0] = frame->root->gid;
 frame->root->groups = frame->root->groups_small;
 }
+ frame->root->ngrps = 1;
 }
 /* Send the msg */
@@ -320,13 +315,6 @@ client_submit_request (xlator_t *this, void *req, call_frame_t *frame,
 gf_msg_debug (this->name, 0, "rpc_clnt_submit failed");
 }
- if (!conf->send_gids) {
- /* restore previous values */
- frame->root->ngrps = ngroups;
- if (ngroups <= SMALL_GROUP_COUNT)
- frame->root->groups_small[0] = gid;
- }
-
 ret = 0;
 if (new_iobref)
-- cgit
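Review bot: The `!conf->send_gids` branch in the second hunk now leaves `frame->root->ngrps` and `groups_small[0]` permanently overwritten, and nothing in the code says why the restore that used to follow `rpc_clnt_submit()` was dropped, so a future reader may reinstate it and reintroduce the use-after-free this commit fixes. Suggest a comment at the top of the branch: `/* frame->root is deliberately not restored after submission: the callback run from rpc_clnt_submit() may STACK_DESTROY the frame, so frame->root must not be touched once the request is sent */`. Separately, when `ngrps` exceeds `SMALL_GROUP_COUNT` the branch sets `ngrps = 1` but leaves `frame->root->groups` pointing at the large list, so the single group sent is `groups[0]` rather than `gid`; this was the behaviour before the change too, so it may be intended, but it is worth confirming since the client-side group list is what the server receives. client_submit_request's body begins and continues outside these hunks.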