https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=215705
Bug ID: 215705
Summary: VOP_REMOVE call with invalid cn_nameptr
Product: Base System
Version: 10.3-RELEASE
Hardware: Any
OS: Any
Status: New
Severity: Affects Only Me
Priority: ---
Component: kern
Assignee: freebsd-bugs@FreeBSD.org
Reporter: r...@linkage.white-void.net

Created attachment 178439
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=178439&action=edit
patch

In kern_unlinkat, VOP_REMOVE is invoked with an invalid cn_nameptr, which was freed by namei. Since the memory region at cn_nameptr is already freed during VOP_REMOVE, uma_zalloc with namei_zone may return a block overlapping cn_nameptr.

Adding the SAVENAME flag to NDINIT_ATRIGHTS (namei call) solves this problem.
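
The buffer reuse described in the report, as a user-space C model added here (not FreeBSD source and not the attached patch). Assumptions: a two-buffer LIFO pool stands in for namei_zone, and MODEL_SAVENAME, model_lookup and model_remove_check are hypothetical names; a second lookup is assumed to allocate from the zone before the name is consumed.

```c
#include <stdio.h>
#include <string.h>

#define NAMELEN 32
#define MODEL_SAVENAME 0x1      /* hypothetical stand-in for SAVENAME */

/* Two-buffer LIFO pool standing in for namei_zone (constructed model). */
static char pool[2][NAMELEN];
static char *freelist[2] = { pool[1], pool[0] };
static int nfree = 2;

static char *zone_alloc(void) { return nfree ? freelist[--nfree] : NULL; }
static void zone_free(char *p) { freelist[nfree++] = p; }

struct model_cn { char *cn_nameptr; int saved; };

/* Model lookup: copy the path into a zone buffer and, unless the caller
 * asked to keep the name, release the buffer before returning. */
static void model_lookup(struct model_cn *cn, const char *path, int flags)
{
    char *buf = zone_alloc();   /* never NULL here: at most 2 live buffers */
    strncpy(buf, path, NAMELEN - 1);
    buf[NAMELEN - 1] = '\0';
    cn->cn_nameptr = buf;
    cn->saved = (flags & MODEL_SAVENAME) != 0;
    if (!cn->saved)
        zone_free(buf);         /* cn_nameptr now refers to a free buffer */
}

/* Model remove path: a second lookup uses the zone before the name is
 * consumed. Returns 1 if cn_nameptr still holds the requested name. */
static int model_remove_check(const char *path, int flags)
{
    struct model_cn cn, other;
    model_lookup(&cn, path, flags);
    model_lookup(&other, "other-file", MODEL_SAVENAME);
    int intact = strcmp(cn.cn_nameptr, path) == 0;
    zone_free(other.cn_nameptr);
    if (cn.saved)
        zone_free(cn.cn_nameptr);
    return intact;
}

int main(void)
{
    printf("without flag: name intact = %d\n", model_remove_check("victim", 0));
    printf("with flag:    name intact = %d\n", model_remove_check("victim", MODEL_SAVENAME));
    return 0;
}
```

Without the flag, the second lookup receives the same buffer and the name read through cn_nameptr is no longer the one that was looked up; with the flag, the buffer stays owned until the caller releases it.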