rpms / ostree

Clone
Source Code
GIT

Blame libmount-unref.patch

el6 f18 f19 f20 f21 f22 f23 f24 f25 f26 f27 f28 f29 f30 f31 f32 f33 f34 f35 f36 f37 f38 f39 f40 main pr/delete-libexec pr/disable-http2 rawhide
  1.   f24
  2.   libmount-unref.patch
Blob History Raw
Colin Walters 1708966 
From 4c3ef23b59c870281a75424c74ec0b6b5a4ae5e8 Mon Sep 17 00:00:00 2001
Colin Walters 1708966 
From: Colin Walters <walters@verbum.org>
Colin Walters 1708966 
Date: Thu, 23 Feb 2017 09:40:17 -0500
Colin Walters 1708966 
Subject: [PATCH] deploy: Correctly use libmount unref() calls rather than
Colin Walters 1708966 
 free()
Colin Walters 1708966
Colin Walters 1708966 
We saw a random ostree SEGV start popping up in our CI environment:
Colin Walters 1708966 
https://github.com/projectatomic/rpm-ostree/pull/641#issuecomment-281870424
Colin Walters 1708966
Colin Walters 1708966 
Looking at this code more and comparing it to what util-linux does, I noticed we
Colin Walters 1708966 
had a write-after-free, since `mnt_unref_table()` will invoke
Colin Walters 1708966 
`mnt_unref_cache()` on its cache, and that function does:
Colin Walters 1708966
Colin Walters 1708966 
```
Colin Walters 1708966 
	if (cache) {
Colin Walters 1708966 
		cache->rfcount--;
Colin Walters 1708966 
```
Colin Walters 1708966
Colin Walters 1708966 
unconditionally.
Colin Walters 1708966
Colin Walters 1708966 
Fix this by using `unref()`.
Colin Walters 1708966 
---
Colin Walters 1708966 
 src/libostree/ostree-sysroot-deploy.c | 4 ++--
Colin Walters 1708966 
 1 file changed, 2 insertions(+), 2 deletions(-)
Colin Walters 1708966
Colin Walters 1708966 
diff --git a/src/libostree/ostree-sysroot-deploy.c b/src/libostree/ostree-sysroot-deploy.c
Colin Walters 1708966 
index cb5a461..5a3f6d8 100644
Colin Walters 1708966 
--- a/src/libostree/ostree-sysroot-deploy.c
Colin Walters 1708966 
+++ b/src/libostree/ostree-sysroot-deploy.c
Colin Walters 1708966 
@@ -1692,8 +1692,8 @@ is_ro_mount (const char *path)
Colin Walters 1708966
Colin Walters 1708966 
   fs = mnt_table_find_target(tb, path, MNT_ITER_BACKWARD);
Colin Walters 1708966 
   is_mount = fs && mnt_fs_get_target (fs);
Colin Walters 1708966 
-  mnt_free_cache (cache);
Colin Walters 1708966 
-  mnt_free_table (tb);
Colin Walters 1708966 
+  mnt_unref_cache (cache);
Colin Walters 1708966 
+  mnt_unref_table (tb);
Colin Walters 1708966
Colin Walters 1708966 
   if (!is_mount)
Colin Walters 1708966 
     return FALSE;
Colin Walters 1708966 
--
Colin Walters 1708966 
2.9.3
Colin Walters 1708966
Powered by Pagure 5.13.3
DocumentationFile an IssueAbout this InstanceSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.