[CRIU] [PATCH 3/8] cgroups: fix use_after_free issue

Andrey Vagin avagin at openvz.org
Fri Oct 31 07:50:45 PDT 2014


list_for_each_entry_safe() should be used if we are going to delete
something from a list.

CID 73383 (#1 of 1): Read from pointer after free (USE_AFTER_FREE)
4. deref_after_free: Dereferencing freed pointer prop.

Cc: Tycho Andersen <tycho.andersen at canonical.com>
Signed-off-by: Andrey Vagin <avagin at openvz.org>
---
 cgroup.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/cgroup.c b/cgroup.c
index a4ea474..fb5c8ac 100644
--- a/cgroup.c
+++ b/cgroup.c
@@ -366,9 +366,10 @@ static void free_cgroup_prop(struct cgroup_prop *prop)
 
 static void free_all_cgroup_props(struct cgroup_dir *ncd)
 {
-	struct cgroup_prop *prop;
+	struct cgroup_prop *prop, *t;
 
-	list_for_each_entry(prop, &ncd->properties, list) {
+	list_for_each_entry_safe(prop, t, &ncd->properties, list) {
+		list_del(&prop->list);
 		free_cgroup_prop(prop);
 	}
 
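Review bot: the added list_del(&prop->list) in the loop body of free_all_cgroup_props() is a second change that the commit message does not mention. The message only covers the switch to list_for_each_entry_safe(), which is what fixes the reported read of prop after free_cgroup_prop(prop) when the iterator advances. Please add a line saying that each entry is now unlinked before it is freed, so &ncd->properties is left as an empty list instead of pointing at freed entries. Minor style point: the cursor name t in "struct cgroup_prop *prop, *t;" is terse, and something like tmp or next would make its role as the saved next entry clearer.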
-- 
1.9.3


