Bug #14696
Closed
nvmeadm command dumps core when libumem.so is used
% Done: 100%
Difficulty: Bite-size
Description
    # env LD_PRELOAD=libumem.so nvmeadm list
    nvme1: model: SAMSUNG MZVPV128HDGM-00000, serial: S1XVNYAGA00640, FW rev: BXW7300Q, NVMe v1.1
      nvme1/1 (c1t1d0): Size = 122104 MB, Capacity = 122104 MB, Used = 121511 MB
    Abort (core dumped)
The culprit is this code in nvme_dskname():
    path = di_dim_path_dev(dim, di_driver_name(child),
        di_instance(child), "c");

    /*
     * Error out if we didn't get a path, or if it's too short for
     * the following operations to be safe.
     */
    if (path == NULL || strlen(path) < 2)
        goto fail;

    /* Chop off 's0' and get everything past the last '/' */
    path[strlen(path) - 2] = '\0';
    path = strrchr(path, '/');
    if (path == NULL)
        goto fail;
    path++;
When nvme_process() returns, it frees 'path', but 'path' points in the middle of the chunk of memory that was allocated by di_dim_path_dev().
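One way to avoid freeing an interior pointer in this pattern, as an added example (not the code from the committed fix and not part of the original report): keep the pointer the allocator returned, copy the trimmed name into its own allocation, and free only the original. `fake_dim_path_dev()` and `dskname_from_path()` are hypothetical names, and the allocator is a stand-in for `di_dim_path_dev()` so the block runs without libdevinfo.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for di_dim_path_dev(): returns a malloc'd copy. */
static char *
fake_dim_path_dev(const char *devpath)
{
	size_t n = strlen(devpath) + 1;
	char *p = malloc(n);

	if (p != NULL)
		(void) memcpy(p, devpath, n);
	return (p);
}

/*
 * Derive a disk name ("c1t1d0") from a path such as "/dev/dsk/c1t1d0s0".
 * Returns a separately allocated string the caller may free(), or NULL.
 */
char *
dskname_from_path(const char *devpath)
{
	char *path, *base, *name = NULL;
	size_t len;

	if ((path = fake_dim_path_dev(devpath)) == NULL)
		return (NULL);
	if ((len = strlen(path)) < 2)
		goto out;

	/* Chop off 's0' and get everything past the last '/' */
	path[len - 2] = '\0';
	if ((base = strrchr(path, '/')) == NULL)
		goto out;
	base++;

	/* 'base' points inside 'path'; give the result its own allocation. */
	if ((name = malloc(strlen(base) + 1)) != NULL)
		(void) strcpy(name, base);
out:
	free(path);	/* free what the allocator returned, not 'base' */
	return (name);
}

int
main(void)
{
	char *name = dskname_from_path("/dev/dsk/c1t1d0s0"); /* constructed */
	(void) printf("%s\n", name != NULL ? name : "(none)");
	free(name);
	return (0);
}
```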
Updated by Hans Rosenfeld about 2 months ago
Testing: This has been in Tintri's code since 2018 and has been in all releases of their products since.
Updated by Electric Monk about 2 months ago
- Status changed from New to Closed
- % Done changed from 0 to 100
git commit b602cbcd64fbbebf696bd7c8e03367bdfa19805d
commit b602cbcd64fbbebf696bd7c8e03367bdfa19805d
Author: Manjith Gambhir <manjith.gambhir@tegile.com>
Date: 2022-05-18T15:20:04.000Z

    14696 nvmeadm command dumps core when libumem.so is used
    Reviewed by: Andy Giles <agiles@tintri.com>
    Reviewed by: Ben Jameson <bjameson@tintri.com>
    Reviewed by: Pete Shephard <pete.shephard@tegile.com>
    Reviewed by: Robert Mustacchi <rm+illumos@fingolfin.org>
    Reviewed by: Jason King <jason.brian.king+illumos@gmail.com>
    Approved by: Dan McDonald <danmcd@mnx.io>