Source-Changes-HG archive
[src/trunk]: src/sys/dev/pci Fix use-after-free. If we're not polling, virtio...
details: https://anonhg.NetBSD.org/src/rev/89a22fa102f2
branches: trunk
changeset: 450410:89a22fa102f2
user: maxv <maxv%NetBSD.org@localhost>
date: Sat Apr 13 06:17:33 2019 +0000
description:
Fix use-after-free. If we're not polling, virtio_enqueue_commit() will send
the transaction, and it means 'xs' can be immediately freed. So, save the
value of xs_control beforehand.
Detected by KASAN, ok jdolecek@.
Fixes PR/54008
Reported-by: syzbot+6513c4afe66237d7207f%syzkaller.appspotmail.com@localhost
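The commit message describes a classic ownership hand-off bug: once the request is committed to the device, the completion path owns `xs` and may free it before the submitting function reads it again. The following C program is an added example written for this page, not NetBSD's vioscsi code: it models the submit/complete hand-off in a few dozen lines, places the "before" and "after" forms of the driver's polling check side by side, and stands in for the KASAN report with a poisoning free plus a stale-read counter. Everything here is hypothetical: the `XS_CTL_*` values, `struct xs`, `enqueue_commit()`, `req_done()`, `xs_control_read()`, `run_case()` and the `g_last_freed` tracker are illustrative names, not the kernel's definitions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative stand-ins for the scsipi XS_CTL_* bits, not NetBSD's values. */
#define XS_CTL_POLL    0x0001u
#define XS_CTL_DATA_IN 0x0002u

/* Minimal model of a scsipi transfer: only the field the fix is about. */
struct xs {
	uint32_t xs_control;
	bool     done;
};

/* Hypothetical tracker playing the role of KASAN: a "freed" request is
 * poisoned instead of handed back to an allocator, so a stale read is
 * deterministic and countable rather than undefined behaviour. */
static struct xs *g_last_freed;
static unsigned   g_stale_reads;

static void xs_free(struct xs *xs)
{
	memset(xs, 0xA5, sizeof *xs);   /* poison, like a KASAN redzone */
	g_last_freed = xs;
}

static uint32_t xs_control_read(struct xs *xs)
{
	if (xs == g_last_freed)
		g_stale_reads++;            /* KASAN would report here */
	return xs->xs_control;
}

/* Completion path: for a non-polled request the upper layer is done with
 * xs and frees it; a polled request stays alive because the submitter is
 * still waiting on it. (Model of the driver's done path, not its code.) */
static void req_done(struct xs *xs)
{
	xs->done = true;
	if ((xs->xs_control & XS_CTL_POLL) == 0)
		xs_free(xs);
}

/* Model of virtio_enqueue_commit(): the completion runs "immediately",
 * which is the case the commit message warns about. */
static void enqueue_commit(struct xs *xs)
{
	req_done(xs);
}

/* Before the fix: xs_control is read after the commit.
 * Returns whether the caller goes on to poll. */
static bool submit_before_fix(struct xs *xs)
{
	enqueue_commit(xs);
	if ((xs_control_read(xs) & XS_CTL_POLL) == 0)   /* stale if freed */
		return false;
	return true;
}

/* After the fix (shape of vioscsi.c r1.21): decide on polling before the
 * commit, then never touch xs again unless we are polling. */
static bool submit_after_fix(struct xs *xs)
{
	bool dopoll = (xs_control_read(xs) & XS_CTL_POLL) != 0;

	enqueue_commit(xs);
	if (!dopoll)
		return false;
	return true;
}

struct run_result {
	bool     polled;        /* branch the submitter took */
	unsigned stale_reads;   /* reads of freed memory observed */
};

/* Run one submission with the given control flags through either variant. */
static struct run_result run_case(bool fixed, uint32_t ctl)
{
	static struct xs req;   /* static: no real allocation, so no real UAF */
	struct run_result r;

	memset(&req, 0, sizeof req);
	req.xs_control = ctl;
	g_last_freed = NULL;
	g_stale_reads = 0;

	r.polled = fixed ? submit_after_fix(&req) : submit_before_fix(&req);
	r.stale_reads = g_stale_reads;
	return r;
}

int main(void)
{
	struct run_result r;

	r = run_case(false, XS_CTL_DATA_IN);
	printf("before fix, no poll: stale_reads=%u polled=%d\n", r.stale_reads, r.polled);
	r = run_case(true, XS_CTL_DATA_IN);
	printf("after fix,  no poll: stale_reads=%u polled=%d\n", r.stale_reads, r.polled);
	r = run_case(true, XS_CTL_POLL);
	printf("after fix,  poll:    stale_reads=%u polled=%d\n", r.stale_reads, r.polled);
	return 0;
}
```

The buggy variant does more than read freed memory: because the poison pattern has the low bit set, it concludes that a non-polled request should be polled, so a freed object steers control flow. That is why the fix reads `xs_control` into a local before the commit rather than, say, reordering the branch.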
diffstat:
sys/dev/pci/vioscsi.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diffs (38 lines):
diff -r 5816d9610433 -r 89a22fa102f2 sys/dev/pci/vioscsi.c
--- a/sys/dev/pci/vioscsi.c Sat Apr 13 03:15:25 2019 +0000
+++ b/sys/dev/pci/vioscsi.c Sat Apr 13 06:17:33 2019 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: vioscsi.c,v 1.20 2018/06/10 14:59:23 jakllsch Exp $ */
+/* $NetBSD: vioscsi.c,v 1.21 2019/04/13 06:17:33 maxv Exp $ */
/* $OpenBSD: vioscsi.c,v 1.3 2015/03/14 03:38:49 jsg Exp $ */
/*
@@ -18,7 +18,7 @@
*/
#include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.20 2018/06/10 14:59:23 jakllsch Exp $");
+__KERNEL_RCSID(0, "$NetBSD: vioscsi.c,v 1.21 2019/04/13 06:17:33 maxv Exp $");
#include <sys/param.h>
#include <sys/systm.h>
@@ -270,6 +270,7 @@
struct virtio_scsi_req_hdr *req;
struct virtqueue *vq = &sc->sc_vqs[VIOSCSI_VQ_REQUEST];
int slot, error;
+ bool dopoll;
DPRINTF(("%s: enter\n", __func__));
@@ -418,9 +419,10 @@
sizeof(struct virtio_scsi_res_hdr), 0);
if (xs->xs_control & XS_CTL_DATA_IN)
virtio_enqueue(vsc, vq, slot, vr->vr_data, 0);
+ dopoll = (xs->xs_control & XS_CTL_POLL) != 0;
virtio_enqueue_commit(vsc, vq, slot, 1);
- if ((xs->xs_control & XS_CTL_POLL) == 0)
+ if (!dopoll)
return;
DPRINTF(("%s: polling...\n", __func__));
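Review bot: the `dopoll = (xs->xs_control & XS_CTL_POLL) != 0;` line is correctly placed after the last other dereference of `xs` (the `XS_CTL_DATA_IN` check) and immediately before `virtio_enqueue_commit()`, so no read of `xs` remains on the non-polling path once the transaction is committed; a one-line comment there, e.g. `/* xs may be completed and freed as soon as the request is committed. */`, would keep a later refactor from moving the test back below the commit, since nothing in the code itself now explains why the flag is cached. The polling path below the `return` still relies on `xs` staying alive for the duration of the poll, which this hunk does not change but which is the invariant the caller must uphold.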