Bug #8966

Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable

Added by Yuri Pankov over 1 year ago. Updated over 1 year ago.

Status: Closed
Priority: Normal
Assignee:
Category: zfs - Zettabyte File System
Start date: 2018-01-14
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:

Description

From FreeBSD PR:

Source file https://svnweb.freebsd.org/base/head/sys/cddl/contrib/opensolaris/uts/common/fs/zfs/zfs_acl.c (latest version r323491 at this time), line 1220, in function zfs_aclset_common, has a local variable definition "zfs_acl_phys_t acl_phys;". At line 1297, the pointer to this variable (&acl_phys) is stored into the array "bulk"; the current code block, and with it the lifetime of "acl_phys", ends after this, but "bulk" is still used at line 1314.

This code results in undefined behavior, meaning this bug may not be generally noticeable. In my test, clang 3.4.1 on FreeBSD 10.3 amd64 doesn't trigger wrong behavior; however, gcc 4.7, 4.8 and 4.9 at any optimization level (except "-O0") will result in buggy behavior, which shows to the user as:

[WHR@kmod-test /testpool]$ mkdir 35
[WHR@kmod-test /testpool]$ cd 35
-bash: cd: 35: Permission denied

This is due to the ACL failing to be stored.
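The pattern the report describes, reduced to a stand-alone C program with the block-scoped declaration beside a function-scope one. This is an added example, not the ZFS source or the committed fix; `demo_acl_phys`, `bulk_attr`, `bulk_commit`, `aclset_buggy` and `aclset_fixed` are hypothetical names, and hoisting the declaration is assumed here as one way to correct the lifetime.

```c
/* Added illustration: types and helpers are hypothetical, not ZFS code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
struct demo_acl_phys { uint32_t count; uint8_t ace_data[60]; };
struct bulk_attr { const void *data; size_t len; };
/* Stand-in for the later consumer of "bulk": copies each attribute out. */
static void bulk_commit(uint8_t *dst, const struct bulk_attr *bulk, int n)
{
    for (int i = 0; i < n; dst += bulk[i++].len)
        memcpy(dst, bulk[i].data, bulk[i].len);
}

#ifdef SHOW_BUG /* compiled only on request, because it is undefined behaviour */
static uint32_t aclset_buggy(struct demo_acl_phys *disk, uint32_t aces)
{
    struct bulk_attr bulk[1];
    int n = 0;
    if (aces > 0) {
        struct demo_acl_phys acl_phys = { .count = aces };
        bulk[n++] = (struct bulk_attr){ &acl_phys, sizeof(acl_phys) };
    } /* acl_phys is dead here: its stores may be dropped, its slot reused */
    bulk_commit((uint8_t *)disk, bulk, n); /* UB: reads the dead object */
    return disk->count;
}
#endif

static uint32_t aclset_fixed(struct demo_acl_phys *disk, uint32_t aces)
{
    struct demo_acl_phys acl_phys = { 0 }; /* alive until the function returns */
    struct bulk_attr bulk[1];
    int n = 0;
    if (aces > 0) {
        acl_phys.count = aces;
        bulk[n++] = (struct bulk_attr){ &acl_phys, sizeof(acl_phys) };
    }
    bulk_commit((uint8_t *)disk, bulk, n);
    return disk->count;
}

int main(void)
{
    struct demo_acl_phys disk = { 0 };
    printf("fixed stores count=%u\n", (unsigned)aclset_fixed(&disk, 3));
#ifdef SHOW_BUG
    printf("buggy stores count=%u\n", (unsigned)aclset_buggy(&disk, 3));
#endif
    return 0;
}
```

Building with `-DSHOW_BUG -fsanitize=address -fsanitize-address-use-after-scope` gives AddressSanitizer the chance to flag the read in `bulk_commit` as a stack-use-after-scope, independent of whether a given compiler happens to produce the wrong result.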

History

#1

Updated by Yuri Pankov over 1 year ago

  • Description updated (diff)

#2

Updated by Electric Monk over 1 year ago

  • Status changed from In Progress to Closed
  • % Done changed from 50 to 100

git commit 82693e09cc02331fa1b3b73b54b1060e73507a8d

commit  82693e09cc02331fa1b3b73b54b1060e73507a8d
Author: WHR <msl0000023508@gmail.com>
Date:   2018-02-06T17:36:37.000Z

    8966 Source file zfs_acl.c, function zfs_aclset_common contains a use after end of the lifetime of a local variable
    Reviewed by: Matt Ahrens <mahrens@delphix.com>
    Reviewed by: Andriy Gapon <avg@FreeBSD.org>
    Approved by: Richard Lowe <richlowe@richlowe.net>
