Bug #14858

closed

use after free in pvscsi

Added by Garrett D'Amore 5 months ago. Updated 5 months ago.

Status: Closed
Priority: Urgent
Category: driver - device drivers
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:
External Bug:

Description

There is a subtle use-after-free bug introduced in 14783 (pvscsi modernization).

This is unlikely to hit in a non-debug kernel, but it reliably crashes in a debug kernel (with kmem_flags = 0xf) and it is a potential corrupter even for non-debug builds.

#1

Updated by Electric Monk 5 months ago

  • Gerrit CR set to 2265
#2

Updated by Garrett D'Amore 5 months ago

Testing:

This bug reproduced instantly (panic at boot) if booting a debug build. Applied this fix, and verified normal boot, pool import, etc. Also verified that kmem_flags was 0xf at boot, which is required to easily trigger the crash.

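The description and the testing note above both rest on one point: with kmem_flags set to 0xf, a debug illumos kernel poisons freed kmem objects and verifies the poison when the object is handed out again, so a stale write through a freed pointer panics deterministically, while a production kernel leaves the bytes in place and the write silently lands in whatever owns the memory next. The following is an added, constructed user-space model of that behaviour (it is not illumos kmem code nor the pvscsi driver; the pool size, the 0xbaddcafe allocation fill and the function names are assumptions made for the toy). The free-poison value 0xdeadbeef is the pattern the real KMF_DEADBEEF flag uses.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Toy model (added example, not illumos code) of a slab allocator with and
 * without kmem-style debug flags.  In debug mode freed objects are filled
 * with FREE_PATTERN and checked on the next allocation; any word that no
 * longer holds the pattern means someone wrote to the object after freeing
 * it.  A real debug kernel panics at that point; the toy counts it.
 */
#define POOL_OBJS     4
#define OBJ_WORDS     8
#define FREE_PATTERN  0xdeadbeefu   /* freed-object poison, as KMF_DEADBEEF uses */
#define ALLOC_PATTERN 0xbaddcafeu   /* fill for freshly allocated objects (toy assumption) */

typedef struct {
    uint32_t words[OBJ_WORDS];      /* first member, so a words pointer maps back to the object */
    int      in_use;
} obj_t;

static obj_t pool[POOL_OBJS];
static int   debug_mode;            /* 1 = behave like kmem_flags=0xf, 0 = production kernel */
static int   violations;            /* objects found modified after free */

void pool_init(int debug)
{
    debug_mode = debug;
    violations = 0;
    for (int i = 0; i < POOL_OBJS; i++) {
        pool[i].in_use = 0;
        for (int w = 0; w < OBJ_WORDS; w++)
            pool[i].words[w] = debug_mode ? FREE_PATTERN : 0;
    }
}

uint32_t *pool_alloc(void)
{
    for (int i = 0; i < POOL_OBJS; i++) {
        if (pool[i].in_use)
            continue;
        if (debug_mode) {
            /* Verify the free poison is intact; a mismatch is a write after free. */
            int bad = 0;
            for (int w = 0; w < OBJ_WORDS; w++)
                if (pool[i].words[w] != FREE_PATTERN)
                    bad = 1;
            violations += bad;
            /* Hand out recognisable "uninitialized" contents, never stale data. */
            for (int w = 0; w < OBJ_WORDS; w++)
                pool[i].words[w] = ALLOC_PATTERN;
        }
        pool[i].in_use = 1;
        return pool[i].words;   /* production mode returns the slot untouched */
    }
    return NULL;
}

void pool_free(uint32_t *obj)
{
    obj_t *o = (obj_t *)obj;    /* valid: words is the first member of obj_t */
    o->in_use = 0;
    if (debug_mode)
        for (int w = 0; w < OBJ_WORDS; w++)
            o->words[w] = FREE_PATTERN;
}

int pool_violations(void) { return violations; }

/* The bug pattern: free an object, then write through the stale pointer. */
static uint32_t *run_scenario(int debug)
{
    pool_init(debug);
    uint32_t *req = pool_alloc();
    req[0] = 0x1234u;
    pool_free(req);
    req[0] = 0x5678u;           /* use after free: stale write into freed memory */
    return pool_alloc();        /* the same slot is reused by the next owner */
}

/* How many modified-after-free objects the allocator noticed. */
int uaf_detected(int debug) { run_scenario(debug); return pool_violations(); }

/* What the next owner of the slot actually sees in its first word. */
uint32_t uaf_leaked_value(int debug) { return run_scenario(debug)[0]; }

int main(void)
{
    printf("production: detected=%d next owner sees 0x%x\n", uaf_detected(0), uaf_leaked_value(0));
    printf("debug:      detected=%d next owner sees 0x%x\n", uaf_detected(1), uaf_leaked_value(1));
    return 0;
}
```

Run as-is, the production path reports nothing and the next allocation silently inherits the stale 0x5678 (the "potential corrupter" case from the description), while the debug path flags the object on reuse, which is why the panic reproduced at boot only with kmem_flags=0xf set.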
#3

Updated by Electric Monk 5 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 90 to 100

git commit 7a73cc88540259bf08ed9c7aab5983fd7aecb1a3

commit  7a73cc88540259bf08ed9c7aab5983fd7aecb1a3
Author: Garrett D'Amore <garrett@damore.org>
Date:   2022-07-27T03:24:07.000Z

    14858 use after free in pvscsi
    Reviewed by: Jerry Jelinek <gjelinek@gmail.com>
    Reviewed by: Joyce McIntosh <jmcintosh@racktopsystems.com>
    Reviewed by: Joshua M. Clulow <josh@sysmgr.org>
    Reviewed by: Andrew Stormont <andyjstormont@gmail.com>
    Approved by: Gordon Ross <gordon.w.ross@gmail.com>
