[CRIU] [PATCH] cg: props -- Handle use after free on error path in cgp_handle_props caller
Cyrill Gorcunov
gorcunov at openvz.org
Tue May 17 11:51:31 PDT 2016
| *** CID 161427: Memory - corruptions (USE_AFTER_FREE)
| /criu/cgroup-props.c: 352 in cgp_parse_stream()
| 346
| 347 ret = 0;
| 348 out:
| 349 return ret;
| 350
| 351 err_parse:
| >>> CID 161427: Memory - corruptions (USE_AFTER_FREE)
| >>> Calling "cgp_free" frees pointer "cgp_entry" which has already been freed.
| 352 cgp_free(cgp_entry);
| 353 ret = -EINVAL;
| 354 goto out;
| 355 }
| 356
| 357 static int cgp_parse_file(char *path)
Signed-off-by: Cyrill Gorcunov <gorcunov at openvz.org>
---
criu/cgroup-props.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/criu/cgroup-props.c b/criu/cgroup-props.c
index 0111ee50f931..b056427bc9b9 100644
--- a/criu/cgroup-props.c
+++ b/criu/cgroup-props.c
@@ -81,24 +81,26 @@ static int cgp_merge_props(cgp_list_entry_t *d, cgp_list_entry_t *s)
return 0;
}
-static int cgp_handle_props(cgp_list_entry_t *p, int strategy)
+static int cgp_handle_props(cgp_list_entry_t **p, int strategy)
{
+ cgp_list_entry_t *s = *p;
cgp_list_entry_t *t;
list_for_each_entry(t, &cgp_list, list) {
- if (strcmp(t->cgp.name, p->cgp.name))
+ if (strcmp(t->cgp.name, s->cgp.name))
continue;
pr_debug("%s \"%s\" controller properties\n",
strategy == CGP_MERGE ?
"Merging" : "Replacing",
- p->cgp.name);
+ s->cgp.name);
if (strategy == CGP_MERGE) {
int ret;
- ret = cgp_merge_props(t, p);
- cgp_free(p);
+ ret = cgp_merge_props(t, s);
+ cgp_free(s);
+ *p = NULL;
return ret;
} else if (strategy == CGP_REPLACE) {
/*
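Review bot: The ownership contract of the new `cgp_list_entry_t **p` parameter is not written down, and the CGP_REPLACE branch that begins at the `/*` on the last line of this hunk is outside the visible lines; if that branch links `s` into `cgp_list` or frees it, it needs the same `*p = NULL;` that the merge branch and the new-controller branch (next hunk) now set, otherwise the caller's `err_parse` path still frees a pointer it no longer owns. A header comment above the signature would make the contract checkable at every exit: `/* Takes ownership of *p: whenever the entry is freed or linked into cgp_list, *p is set to NULL so the caller must not free it. */`. In the merge branch `*p = NULL` is set even when `cgp_merge_props` failed, which is correct because `s` is freed on that path. cgp_handle_props's body continues past the end of this hunk.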
@@ -114,7 +116,8 @@ static int cgp_handle_props(cgp_list_entry_t *p, int strategy)
/*
* New controller, simply add it.
*/
- list_add(&p->list, &cgp_list);
+ list_add(&s->list, &cgp_list);
+ *p = NULL;
return 0;
}
@@ -338,7 +341,7 @@ static int cgp_parse_stream(char *stream, size_t len)
goto err_parse;
}
- if (cgp_handle_props(cgp_entry, strategy))
+ if (cgp_handle_props(&cgp_entry, strategy))
goto err_parse;
cgp_entry = NULL;
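Review bot: The `cgp_entry = NULL;` after the call is redundant if every success path in `cgp_handle_props` now clears `*p`, and as written it suggests the callee does not; if that is the case, drop it or replace it with `/* cgp_handle_props owns cgp_entry now and has already cleared it */` so the two sites do not drift apart. After a failed merge `cgp_entry` is NULL when `err_parse` reaches `cgp_free(cgp_entry)`, which presumes `cgp_free(NULL)` is a no-op; that cannot be confirmed from this hunk and is worth a one-line comment at the label. cgp_parse_stream's body starts and ends outside the hunk.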
--
2.5.5