From: Philippe Mathieu-Daudé
Subject: Re: [PATCH-for-5.0] tools/virtiofsd/passthrough_ll: Fix double close()
Date: Sat, 21 Mar 2020 13:17:41 +0100
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0

On 3/21/20 1:06 PM, Philippe Mathieu-Daudé wrote:
On success, the fdopendir() call closes fd. Later on the error path we try to close an already-closed fd. This can lead to use-after-free. Fix by only closing the fd if the fdopendir() call failed.

Cc: address@hidden
Fixes: 7c6b66027 (Import passthrough_ll from libfuse fuse-3.8.0)

libfuse is correct, the bug was introduced in commit b39bce121b, so:

Fixes: b39bce121b (add dirp_map to hide lo_dirp pointers)

Reported-by: Coverity (CID 1421933 USE_AFTER_FREE) Suggested-by: Peter Maydell <address@hidden> Signed-off-by: Philippe Mathieu-Daudé <address@hidden> --- tools/virtiofsd/passthrough_ll.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tools/virtiofsd/passthrough_ll.c b/tools/virtiofsd/passthrough_ll.c index 4f259aac70..4c35c95b25 100644 --- a/tools/virtiofsd/passthrough_ll.c +++ b/tools/virtiofsd/passthrough_ll.c @@ -1520,8 +1520,7 @@ out_err: if (d) { if (d->dp) { closedir(d->dp); - } - if (fd != -1) { + } else if (fd != -1) { close(fd); } free(d);
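
Review bot: the new `else if (fd != -1)` branch under out_err relies on d->dp being non-NULL exactly when fdopendir() has taken over fd, and nothing in the code states that ownership rule. A one-line comment above closedir(d->dp) saying that closedir() also releases the underlying descriptor would keep a later cleanup from reintroducing the separate close(fd). The close(fd) also remains nested under `if (d)`, so it is worth confirming that no path reaches out_err with d NULL and fd still open, since that case would now leak the descriptor silently.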
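
The double close described in the commit message above, as an added C example that is not part of the original mail or of QEMU. The helper names and the open() that stands in for a concurrent thread are constructed for the demonstration.

```c
#define _POSIX_C_SOURCE 200809L
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if fd names an open descriptor in this process, else 0. */
static int fd_is_open(int fd)
{
    return fcntl(fd, F_GETFD) != -1 || errno != EBADF;
}

/*
 * Error-path cleanup after a successful fdopendir().
 * patched == 0: closedir(), then close(fd) as well (the double close).
 * patched != 0: close(fd) is skipped because the DIR stream owned fd.
 * The open() between the two steps stands in for another thread that is
 * handed the recycled descriptor number (constructed for this demo).
 * Returns 1 if that unrelated descriptor survives, 0 if not, -1 on error.
 */
static int cleanup_keeps_victim(int patched)
{
    int fd = open(".", O_RDONLY | O_DIRECTORY);
    if (fd == -1) return -1;
    DIR *dp = fdopendir(fd);            /* on success the stream owns fd */
    if (dp == NULL) {
        close(fd);                      /* failure: fd is still ours */
        return -1;
    }
    closedir(dp);                       /* also closes fd */
    int victim = open(".", O_RDONLY);   /* the "other thread" */
    if (victim != -1 && victim != fd) { /* force reuse of the same number */
        int v = dup2(victim, fd);
        close(victim);
        victim = v;
    }
    if (victim == -1) return -1;
    if (!patched) close(fd);            /* stale close hits the victim */
    int alive = fd_is_open(victim);
    if (alive) close(victim);
    return alive;
}

int main(void)
{
    printf("pre-patch: victim survives = %d\n", cleanup_keeps_victim(0));
    printf("patched:   victim survives = %d\n", cleanup_keeps_victim(1));
    return 0;
}
```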