git: 8838c650cb59 - releng/13.1 - Fix use-after-free in btree code
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 01 Nov 2022 20:33:47 UTC
The branch releng/13.1 has been updated by markj: URL: https://cgit.FreeBSD.org/src/commit/?id=8838c650cb59a1fc998e9f47424c53e030f457b9 commit 8838c650cb59a1fc998e9f47424c53e030f457b9 Author: Richard Yao <richard.yao@alumni.stonybrook.edu> AuthorDate: 2022-09-12 18:22:15 +0000 Commit: Mark Johnston <markj@FreeBSD.org> CommitDate: 2022-11-01 18:03:25 +0000 Fix use-after-free in btree code Coverty static analysis found these. Reviewed-by: Alexander Motin <mav@FreeBSD.org> Reviewed-by: Brian Behlendorf <behlendorf1@llnl.gov> Reviewed-by: Neal Gompa <ngompa@datto.com> Signed-off-by: Richard Yao <richard.yao@alumni.stonybrook.edu> Closes #10989 Closes #13861 Approved by: so Security: FreeBSD-EN-22:21.zfs (cherry picked from commit 8131a96544fd19411c23424af85140e91e41c001) --- sys/contrib/openzfs/module/zfs/btree.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/sys/contrib/openzfs/module/zfs/btree.c b/sys/contrib/openzfs/module/zfs/btree.c index 57b9dbbb2b50..77cb2543e93d 100644 --- a/sys/contrib/openzfs/module/zfs/btree.c +++ b/sys/contrib/openzfs/module/zfs/btree.c @@ -1536,8 +1536,8 @@ zfs_btree_remove_from_node(zfs_btree_t *tree, zfs_btree_core_t *node, zfs_btree_poison_node_at(tree, keep_hdr, keep_hdr->bth_count); new_rm_hdr->bth_count = 0; - zfs_btree_node_destroy(tree, new_rm_hdr); zfs_btree_remove_from_node(tree, parent, new_rm_hdr); + zfs_btree_node_destroy(tree, new_rm_hdr); } /* Remove the element at the specific location. */ @@ -1769,6 +1769,7 @@ zfs_btree_remove_idx(zfs_btree_t *tree, zfs_btree_index_t *where) zfs_btree_node_destroy(tree, rm_hdr); /* Remove the emptied node from the parent. */ zfs_btree_remove_from_node(tree, parent, rm_hdr); + zfs_btree_node_destroy(tree, rm_hdr); zfs_btree_verify(tree); }