From: Ilya Dryomov
Date: Tue, 27 Nov 2018 11:17:26 +0100
Subject: Re: [PATCH V2] libceph: fix use after free
To: bianpan2016@163.com
Cc: "Yan, Zheng", Sage Weil, "David S. Miller", Ceph Development, netdev, linux-kernel@vger.kernel.org
In-Reply-To: <1543310472-31861-1-git-send-email-bianpan2016@163.com>

On Tue, Nov 27, 2018 at 10:22 AM Pan Bian wrote:
>
> The function ceph_monc_handle_map calls kfree(old) to free the old
> monitor map; old points to monc->monmap. However, after that, it reads
> monc->monmap->epoch and passes it to __ceph_monc_got_map. This will
> result in a use-after-free bug. The patch moves the free operation after
> the call to __ceph_monc_got_map.
>
> Fixes: 82dcabad750 ("libceph: revamp subs code, switch to SUBSCRIBE2 protocol")
>
> Signed-off-by: Pan Bian
> ---
> V2: correct the format of the tag Fixes
> ---
> net/ceph/mon_client.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/ceph/mon_client.c b/net/ceph/mon_client.c
> index 18deb3d..05ef5aa 100644
> --- a/net/ceph/mon_client.c
> +++ b/net/ceph/mon_client.c
> @@ -478,9 +478,10 @@ static void ceph_monc_handle_map(struct ceph_mon_client *monc, > } > > client->monc.monmap = monmap; monc->monmap is assigned here. It's not obvious, but monc->monmap and client->monc.monmap is the same pointer. > - kfree(old); > > __ceph_monc_got_map(monc, CEPH_SUB_MONMAP, monc->monmap->epoch); ceph_monmap_decode() returns the new map, kfree() frees the old map. I don't see a use-after-free here. Thanks, Ilya
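Review bot: the use-after-free this hunk claims to fix is not supported by the visible context, so removing `kfree(old)` at this point is unjustified as described. The line `client->monc.monmap = monmap;` immediately above installs the newly decoded map in the very pointer that `monc->monmap->epoch` reads (monc->monmap and client->monc.monmap are the same pointer), so `__ceph_monc_got_map()` dereferences the new map while `kfree(old)` frees the previous one; nothing in the hunk touches `old` after the free. Either the commit message should point to a concrete path where `old` still aliases `monc->monmap` at that call, or the patch should be dropped together with its `Fixes:` tag, which currently records a fix for a bug the hunk does not demonstrate. Note also that the diffstat advertises 2 insertions but no `+` line appears in the hunk as shown, so the relocated `kfree(old)` cannot be reviewed here.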