DAOS-16251 mgmt: Fix use-after-free in pool_list #15014
Ticket title is 'DAOS 2.4.2-4: Errored DAOS engine 0 exited unexpectedly on daos_user'

In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after calling crt_req_decref on rpc is a use-after-free.

Signed-off-by: Li Wei <[email protected]>
Required-githooks: true

Test stage Functional on EL 8.8 completed with status FAILURE. https://build.hpdd.intel.com//job/daos-stack/job/daos/view/change-requests/job/PR-15014/2/execution/node/1208/log
LGTM
* DAOS-16251 object: Fix obj_ec_singv_split overflow (#15045)

  It has been seen that obj_ec_singv_split may read beyond the end of sgl->sg_iovs[0].iov_buf:

    iod_size=8569 c_bytes=4288 id_shard=0 tgt_off=1 iov_len=8569 iov_buf_len=8569

  The memmove read 4288 bytes from offset 4288, whereas the buffer only had 8569 - 4288 = 4281 bytes from offset 4288. This patch fixes the problem by adding the min(...) expression.

  Signed-off-by: Li Wei <[email protected]>
  Required-githooks: true

* DAOS-16251 dtx: Fix dtx_req_send use-after-free (#15035)

  In dtx_req_send, since the crt_req_send releases the req reference, din may have been freed when dereferenced for the DL_CDEBUG call.

  Signed-off-by: Li Wei <[email protected]>
  Required-githooks: true

* DAOS-16251 mgmt: Fix use-after-free in pool_list (#15014)

  In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after calling crt_req_decref on rpc is a use-after-free.

  Signed-off-by: Li Wei <[email protected]>
  Required-githooks: true

* DAOS-16251 tests: Fix various buffer overflows (#15003)

  - vos: Fix vtx_pm buffer overflow
  - vos: Fix evt_ctl stack buffer overflow
  - object: Fix srv_checksum_tests buffer overflow
  - utils: Fix ddb_vos_tests buffer overflow
  etc

  Signed-off-by: Li Wei <[email protected]>
  Required-githooks: true

* DAOS-16251 engine: Misc fixes and cleanups (#14983)

  - ivc_on_get stores random entry_priv_val into priv_entry for many ivc_ent_get implementations. Although not used, this should be avoided.
  - ds_iv_done stores pointer to stack variable rc in cb_info->future, which outlives the stack frame of ds_iv_done. Although not used, this pointer is confusing.
  - ds_pool_iv_map_update associates the input map buffer with the map version from ds_pool, rather than the input map version. Although this may be fine, we should really not ask for unnecessary trouble/concern.

  Signed-off-by: Li Wei <[email protected]>
  Required-githooks: true

---------

Signed-off-by: Li Wei <[email protected]>
In dc_mgmt_pool_list, calling wipe_cred_iov on in->pli_cred after calling crt_req_decref on rpc is a use-after-free.
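The ordering problem named in the PR description (wiping a credential that lives inside an RPC after the last reference to that RPC has been dropped), as an added example that is neither DAOS code nor this PR's diff. `toy_rpc`, `toy_rpc_decref`, `toy_wipe_cred` and `cleanup_is_safe` are hypothetical names, and wiping before the final decref is an assumed shape for the fix, since the diff is not shown on this page.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for an RPC whose input embeds a credential (not a DAOS type). */
struct toy_rpc {
    int refs;
    bool dead;              /* set when the last reference is dropped */
    unsigned char cred[64];
};

static struct toy_rpc *toy_rpc_create(const char *secret)
{
    struct toy_rpc *rpc = calloc(1, sizeof(*rpc));
    if (rpc == NULL || strlen(secret) > sizeof(rpc->cred)) { free(rpc); return NULL; }
    rpc->refs = 1;
    memcpy(rpc->cred, secret, strlen(secret));
    return rpc;
}

/* The last decref would free the RPC; here it is only marked dead (quarantined)
 * so the wrong ordering is detected without undefined behaviour. */
static void toy_rpc_decref(struct toy_rpc *rpc)
{
    if (--rpc->refs == 0) rpc->dead = true;
}

/* Zeroes the credential; returns false if the RPC was already released. */
static bool toy_wipe_cred(struct toy_rpc *rpc)
{
    volatile unsigned char *p = rpc->cred;
    if (rpc->dead) return false;   /* with a real free(): the use-after-free */
    for (size_t i = 0; i < sizeof(rpc->cred); i++) p[i] = 0;
    return true;
}

/* Runs one cleanup ordering; true means the wipe only touched live memory. */
static bool cleanup_is_safe(bool wipe_before_decref)
{
    struct toy_rpc *rpc = toy_rpc_create("constructed-credential");
    bool ok;
    if (rpc == NULL) return false;
    if (wipe_before_decref) { ok = toy_wipe_cred(rpc); toy_rpc_decref(rpc); }
    else { toy_rpc_decref(rpc); ok = toy_wipe_cred(rpc); }
    free(rpc);                     /* release the quarantined object */
    return ok;
}

int main(void) { return (cleanup_is_safe(true) && !cleanup_is_safe(false)) ? 0 : 1; }
```

In production code the same ordering mistake is normally caught by running the affected path under AddressSanitizer, which keeps freed blocks in a quarantine much like the `dead` flag here.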