Message ID | 20170712214444.GA1880@uranus.lan |
---|---|
State | Accepted |
Series | "files: Don't access value from stack in outer contex" |
diff --git a/criu/files.c b/criu/files.c
index a36eb366eb8f..8d1fb732ae72 100644
--- a/criu/files.c
+++ b/criu/files.c
@@ -425,8 +425,11 @@ static const struct fdtype_ops *get_mem_dev_ops(struct fd_parms *p, int minor)
 
 static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 {
+ struct fd_link *link_old = p->link;
 int maj = major(p->stat.st_rdev);
 const struct fdtype_ops *ops;
+ struct fd_link link;
+ int err;
 
 switch (maj) {
 case MEM_MAJOR:
@@ -441,8 +444,6 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 char more[32];
 
 if (is_tty(p->stat.st_rdev, p->stat.st_dev)) {
- struct fd_link link;
-
 if (fill_fdlink(lfd, p, &link))
 return -1;
 p->link = &link;
@@ -451,11 +452,15 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
 }
 
 sprintf(more, "%d:%d", maj, minor(p->stat.st_rdev));
- return dump_unsupp_fd(p, lfd, img, "chr", more);
+ err = dump_unsupp_fd(p, lfd, img, "chr", more);
+ p->link = link_old;
+ return err;
 }
 }
 
- return do_dump_gen_file(p, lfd, ops, img);
+ err = do_dump_gen_file(p, lfd, ops, img);
+ p->link = link_old;
+ return err;
 }
 
 static int dump_one_file(struct pid *pid, int fd, int lfd, struct fd_opts *opts,
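Review bot: The hoisted `struct fd_link link` carries no comment saying why it now lives at function scope, so nothing stops a later tidy-up from moving it back into the is_tty block and reintroducing the dangling stack pointer this commit removes; add `/* the tty path points p->link at &link below: it must outlive the dump call at the end of the function, and the caller's pointer is put back on every exit */` above the declaration. The saved `link_old` deserves a similar one-liner so the restore-before-return pairs in the later hunks read as deliberate rather than incidental. dump_chrdev's body continues beyond this hunk.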
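Review bot: The `p->link = link_old; return err;` pair is duplicated at both exits, and any future `return` added after `p->link = &link;` in the tty branch would skip the restore and hand the caller a pointer into dump_chrdev's dead stack frame, which is exactly the bug this patch fixes; a single exit label removes that trap. Replace the first pair with `err = dump_unsupp_fd(p, lfd, img, "chr", more); goto out;` and end the function with `out: p->link = link_old; return err;` so every path that reaches a dump call goes through one restore. The early `return -1` on fill_fdlink failure in the previous hunk is fine as it stands, since it runs before p->link is redirected. dump_chrdev's start lies outside this hunk, and dump_one_file's signature is cut off at its end.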
Applied, thanks!
On Thu, Jul 13, 2017 at 12:44:44AM +0300, Cyrill Gorcunov wrote:
> The struct fd_link link allocated in inner context might be
> freed before dump call (depending on compiler), instead
> use a safer approach.
>
> Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com>
> ---
> criu/files.c | 13 +++++++++----
> 1 file changed, 9 insertions(+), 4 deletions(-)
>
> diff --git a/criu/files.c b/criu/files.c
> index a36eb366eb8f..8d1fb732ae72 100644
> --- a/criu/files.c
> +++ b/criu/files.c
> @@ -425,8 +425,11 @@ static const struct fdtype_ops *get_mem_dev_ops(struct fd_parms *p, int minor)
>
> static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
> {
> + struct fd_link *link_old = p->link;
> int maj = major(p->stat.st_rdev);
> const struct fdtype_ops *ops;
> + struct fd_link link;
> + int err;
>
> switch (maj) {
> case MEM_MAJOR:
> @@ -441,8 +444,6 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
> char more[32];
>
> if (is_tty(p->stat.st_rdev, p->stat.st_dev)) {
> - struct fd_link link;
> -
> if (fill_fdlink(lfd, p, &link))
> return -1;
> p->link = &link;
> @@ -451,11 +452,15 @@ static int dump_chrdev(struct fd_parms *p, int lfd, struct cr_img *img)
> }
>
> sprintf(more, "%d:%d", maj, minor(p->stat.st_rdev));
> - return dump_unsupp_fd(p, lfd, img, "chr", more);
> + err = dump_unsupp_fd(p, lfd, img, "chr", more);
> + p->link = link_old;
> + return err;
> }
> }
>
> - return do_dump_gen_file(p, lfd, ops, img);
> + err = do_dump_gen_file(p, lfd, ops, img);
> + p->link = link_old;
> + return err;
> }
>
> static int dump_one_file(struct pid *pid, int fd, int lfd, struct fd_opts *opts,
> --
> 2.7.5
>
The struct fd_link link was declared inside the inner is_tty block, so its stack storage goes out of scope before the dump call runs and p->link can be left pointing at a dead slot (depending on the compiler); instead declare it at function scope and restore p->link on exit. Signed-off-by: Cyrill Gorcunov <gorcunov@virtuozzo.com> --- criu/files.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-)