[v2] files: Don't access value from stack in outer contex

Submitted by Cyrill Gorcunov on July 12, 2017, 9:44 p.m.

Details

Message ID 20170712214444.GA1880@uranus.lan
State Accepted
Series "files: Don't access value from stack in outer contex"
Headers show

Commit Message

Cyrill Gorcunov July 12, 2017, 9:44 p.m.
The struct fd_link link allocated in inner context might be
freed before dump call (depending on compiler), instead
use a safer approach.

Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
---
 criu/files.c | 13 +++++++++----
 1 file changed, 9 insertions(+), 4 deletions(-)

Patch hide | download patch | download mbox

diff --git a/criu/files.c b/criu/files.c
index a36eb366eb8f..8d1fb732ae72 100644
--- a/criu/files.c
+++ b/criu/files.c
@@ -425,8 +425,11 @@  static const struct fdtype_ops *get_mem_dev_ops(struct fd_parms *p, int minor)
 
 static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 {
+	struct fd_link *link_old = p->link;
 	int maj = major(p->stat.st_rdev);
 	const struct fdtype_ops *ops;
+	struct fd_link link;
+	int err;
 
 	switch (maj) {
 	case MEM_MAJOR:
@@ -441,8 +444,6 @@  static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 		char more[32];
 
 		if (is_tty(p->stat.st_rdev, p->stat.st_dev)) {
-			struct fd_link link;
-
 			if (fill_fdlink(lfd, p, &link))
 				return -1;
 			p->link = &link;
@@ -451,11 +452,15 @@  static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 		}
 
 		sprintf(more, "%d:%d", maj, minor(p->stat.st_rdev));
-		return dump_unsupp_fd(p, lfd, img, "chr", more);
+		err = dump_unsupp_fd(p, lfd, img, "chr", more);
+		p->link = link_old;
+		return err;
 	}
 	}
 
-	return do_dump_gen_file(p, lfd, ops, img);
+	err = do_dump_gen_file(p, lfd, ops, img);
+	p->link = link_old;
+	return err;
 }
 
 static int dump_one_file(struct pid *pid, int fd, int lfd, struct fd_opts *opts,

Comments

Andrey Vagin July 13, 2017, 5:34 p.m.
Applied, thanks!

On Thu, Jul 13, 2017 at 12:44:44AM +0300, Cyrill Gorcunov wrote:
> The struct fd_link link allocated in inner context might be
> freed before dump call (depending on compiler), instead
> use a safer approach.
> 
> Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
> ---
>  criu/files.c | 13 +++++++++----
>  1 file changed, 9 insertions(+), 4 deletions(-)
> 
> diff --git a/criu/files.c b/criu/files.c
> index a36eb366eb8f..8d1fb732ae72 100644
> --- a/criu/files.c
> +++ b/criu/files.c
> @@ -425,8 +425,11 @@ static const struct fdtype_ops *get_mem_dev_ops(struct fd_parms *p, int minor)
>  
>  static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
>  {
> +	struct fd_link *link_old = p->link;
>  	int maj = major(p->stat.st_rdev);
>  	const struct fdtype_ops *ops;
> +	struct fd_link link;
> +	int err;
>  
>  	switch (maj) {
>  	case MEM_MAJOR:
> @@ -441,8 +444,6 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
>  		char more[32];
>  
>  		if (is_tty(p->stat.st_rdev, p->stat.st_dev)) {
> -			struct fd_link link;
> -
>  			if (fill_fdlink(lfd, p, &link))
>  				return -1;
>  			p->link = &link;
> @@ -451,11 +452,15 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
>  		}
>  
>  		sprintf(more, "%d:%d", maj, minor(p->stat.st_rdev));
> -		return dump_unsupp_fd(p, lfd, img, "chr", more);
> +		err = dump_unsupp_fd(p, lfd, img, "chr", more);
> +		p->link = link_old;
> +		return err;
>  	}
>  	}
>  
> -	return do_dump_gen_file(p, lfd, ops, img);
> +	err = do_dump_gen_file(p, lfd, ops, img);
> +	p->link = link_old;
> +	return err;
>  }
>  
>  static int dump_one_file(struct pid *pid, int fd, int lfd, struct fd_opts *opts,
> -- 
> 2.7.5
>