[CRIU] [PATCH] files-reg: fix use-after-free in open_remap_ghost()

Cyrill Gorcunov gorcunov at gmail.com
Mon Jan 30 07:48:42 PST 2017


On Mon, Jan 30, 2017 at 06:18:13PM +0300, Andrey Ryabinin wrote:
> Ghost file entry is used right after it has been freed:
> 	ERROR: AddressSanitizer: heap-use-after-free on address 0x60700000dc50
> 	READ of size 4 at 0x60700000dc50 thread T0
> 	    #0 0x46e819 in open_remap_ghost criu/files-reg.c:312
> 	    #1 0x46e819 in prepare_one_remap criu/files-reg.c:461
> 	    #2 0x46e819 in prepare_remaps criu/files-reg.c:507
> 	    #3 0x45af00 in root_prepare_shared criu/cr-restore.c:235
> 	    #4 0x45af00 in restore_task_with_children criu/cr-restore.c:1421
> 	    #5 0x7efc71e85f0c in clone (/lib64/libc.so.6+0xe7f0c)
> 
> 	0x60700000dc50 is located 32 bytes inside of 80-byte region [0x60700000dc30,0x60700000dc80)
> 	freed by thread T0 here:
> 	    #0 0x7efc7305184a in __interceptor_free (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x9884a)
> 	    #1 0x46e4df in open_remap_ghost criu/files-reg.c:309
> 	    #2 0x46e4df in prepare_one_remap criu/files-reg.c:461
> 	    #3 0x46e4df in prepare_remaps criu/files-reg.c:507
> 
> 	previously allocated by thread T0 here:
> 	    #0 0x7efc73051b82 in malloc (/usr/lib/gcc/x86_64-pc-linux-gnu/5.4.0/libasan.so.2+0x98b82)
> 	    #1 0x7efc7277a8ea in protobuf_c_message_unpack (/usr/lib64/libprotobuf-c.so.1+0x48ea)
> 	    #2 0xd528232002838017  (<unknown module>)
> 
> Just move freeing after the last 'gfe' usage to fix this.
> 
> Fixes: d0097b2db03a ("files: Support ghost directories restore")
> Signed-off-by: Andrey Ryabinin <aryabinin at virtuozzo.com>
Acked-by: Cyrill Gorcunov <gorcunov at openvz.org>
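The ordering bug the report describes, as an added illustration that is not CRIU's code: a heap-allocated entry (standing in for the unpacked GhostFileEntry message) is consumed, and the fix is to copy out what is still needed before the free, then clear the pointer. The struct fields, the unpack helper and the assumption that the 4-byte read at files-reg.c:312 is a mode field are all constructed for this example; the thread does not show the real code.

```c
#include <stdlib.h>
#include <sys/stat.h>

/* Constructed stand-in for the unpacked protobuf message; the real
 * GhostFileEntry has a different, larger field set. */
struct ghost_file_entry {
    unsigned int uid;
    unsigned int gid;
    unsigned int mode;
    unsigned int dev;
    unsigned int ino;
};

/* What the restorer keeps once the entry has been consumed. */
struct ghost_file {
    unsigned int uid, gid, mode, dev, ino;
    int is_dir;
};

/* Stand-in for protobuf_c_message_unpack(): the entry lives on the heap. */
struct ghost_file_entry *unpack_gfe(unsigned int uid, unsigned int gid,
                                    unsigned int mode, unsigned int dev,
                                    unsigned int ino)
{
    struct ghost_file_entry *gfe = malloc(sizeof(*gfe));
    if (!gfe)
        return NULL;
    gfe->uid = uid; gfe->gid = gid; gfe->mode = mode;
    gfe->dev = dev; gfe->ino = ino;
    return gfe;
}

/* Buggy ordering from the ASan report (kept as a comment so it never runs):
 *     free(gfe);                        // frees at files-reg.c:309
 *     gf->is_dir = S_ISDIR(gfe->mode);  // 4-byte read at :312 -> UAF
 * Which field the real code reads at :312 is not shown; 'mode' is assumed. */

/* Fixed ordering: copy out every field still needed, free after the last
 * use, and clear the caller's pointer so nothing dangles. */
int open_remap_ghost_fixed(struct ghost_file *gf, struct ghost_file_entry **pgfe)
{
    struct ghost_file_entry *gfe = *pgfe;
    if (!gfe)
        return -1;
    gf->uid = gfe->uid; gf->gid = gfe->gid; gf->mode = gfe->mode;
    gf->dev = gfe->dev; gf->ino = gfe->ino;
    gf->is_dir = S_ISDIR(gfe->mode) ? 1 : 0; /* last use of gfe */
    free(gfe);                               /* now safe to release */
    *pgfe = NULL;                            /* no dangling pointer */
    return 0;
}
```

Building with `-fsanitize=address` is what surfaced the original ordering bug; the same flag on this file stays silent because the read now precedes the free.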
